Privacy Policy
1. Introduction
This Privacy Policy explains how ThirdSectorIntel.ai (“we”, “us”, “our”) collects, uses, and protects personal data in connection with our charity sector intelligence platform available at thirdsectorintel.ai (the “Service”).
ThirdSectorIntel.ai is operated by ThirdSectorIntel.ai Limited, a company registered in England and Wales (company number 17146515), with its registered office at Unit A5284, 6 Greatorex Street, London, E1 5NF. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ThirdSectorIntel.ai Limited is the data controller for the personal data described in this policy.
We take data protection seriously. If you have any questions, please contact us using the details in Section 12.
2. Who this policy applies to
This policy covers personal data relating to:
- Users of the Service (our clients, their employees, and anyone who registers for an account or signs up for email alerts).
- Third-party individuals whose information appears in our database — principally senior staff, trustees, and fundraising leaders at UK charities, nonprofits, schools, and universities — gathered from publicly available sources for the purpose of sector intelligence and executive search.
- Website visitors who browse thirdsectorintel.ai without creating an account.
3. Personal data we collect
3.1 From Users
- Name, job title, employer, and work email address.
- Account credentials and authentication data.
- Billing and contact information.
- Communications with us (support tickets, emails, meeting notes).
- Usage data — pages viewed, searches run, filters applied, reports exported.
3.2 From third-party individuals (charity sector professionals)
- Name, job title, and employer.
- Professional email address and LinkedIn profile URL where publicly available.
- Career history and professional background.
- Association with a UK charity, nonprofit, school, or university.
This data is compiled from sources such as the Charity Commission register, organisational websites, Companies House, LinkedIn, news sources, and enrichment providers.
3.3 Technical data
- IP address, browser type, device identifiers.
- Session logs and cookies (see Section 9).
4. How we use personal data and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Providing and administering the Service to Users | Contract (UK GDPR Art. 6(1)(b)) |
| Authentication, security, and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Sending service announcements and alerts | Contract / legitimate interests |
| Sending marketing communications to prospective clients | Legitimate interests or consent, with opt-out provided |
| Compiling sector intelligence on UK charities and their senior personnel | Legitimate interests — to enable executive search, sector research, and nonprofit benchmarking |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have carried out a legitimate interests assessment balancing our interests and those of our users/clients against the rights and freedoms of data subjects. A copy is available on request.
5. How we obtain third-party personal data
Personal data about senior staff and trustees at UK charities is compiled from:
- The Charity Commission for England and Wales public register.
- Companies House filings.
- Publicly accessible organisational websites and annual reports.
- Publicly accessible LinkedIn profiles.
- Published news and press releases.
- Licensed third-party enrichment providers.
We process this data in reliance on our legitimate interests in providing professional intelligence services to the UK charity sector, and we respect the rights of data subjects to object to processing, to have their data corrected, or to have it erased, as set out in Section 8.
6. Sharing personal data
We share personal data only where necessary:
- With service providers who support the Service — including Amazon Web Services (UK hosting, eu-west-2 London), Cloudflare (DNS / CDN), Google (OAuth sign-in, Workspace APIs at customer direction), and AI model providers under no-training API terms (currently Anthropic — Claude; with OpenAI — GPT and Google AI — Gemini named as alternates so we can route to whichever model is best-suited to a given task). All subprocessors are bound by data-processing agreements. The full and current list, the categories of data sent to each, and the safeguards relied on for any transfers outside the UK are published at /data-residency.
- With our clients — Users of the Service access intelligence about UK charities and their senior personnel as part of the product.
- With professional advisers (accountants, lawyers) where reasonably required.
- With law enforcement or regulators where legally compelled.
We do not sell personal data.
7. International transfers
Some of our service providers are based outside the UK. Where personal data is transferred internationally, we rely on UK adequacy regulations, the International Data Transfer Agreement, or Standard Contractual Clauses together with any required supplementary measures.
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure (“right to be forgotten”) in certain circumstances.
- Object to processing based on legitimate interests.
- Restrict processing in certain circumstances.
- Request data portability.
- Withdraw consent where we rely on it.
To exercise any of these rights, please contact us (Section 12). We will respond within one month.
You may also lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
9. Cookies
We use cookies and similar technologies for:
- Strictly necessary — authentication, session management, security.
- Analytics — to understand how the Service is used.
You can control non-essential cookies through your browser settings or our cookie banner.
10. Data retention
- User account data: retained for the duration of the contractual relationship and for up to six years after closure to meet legal obligations.
- Third-party personal data (charity sector professionals): retained for as long as the individual remains in a role relevant to our intelligence service, or until we receive a valid objection or erasure request.
- Technical and usage logs: retained for up to 24 months.
11. Security
We take appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, secrets rotation, and regular security review. No system is completely secure, but we work continuously to protect the data entrusted to us.
12. Contact us
Data Controller: ThirdSectorIntel.ai Limited (company number 17146515)
Email: [email protected]
Registered office: Unit A5284, 6 Greatorex Street, London, E1 5NF, United Kingdom
If you are a data subject in our database and wish to be removed, to have your data corrected, or to access your data, email [email protected] with the subject “Data Subject Request” and we will respond within one month.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified to Users by email and posted on this page with a revised “Last updated” date.