Website Privacy Policy

1. Introduction

In this Policy where you see the words “Rufford Foundation”, or “we”, “us” it refers to The Rufford Foundation, who are the designated data controller for the personal data we collect from you.

We are a charity specifically established for the development of Rufford Small Grants for Nature Conservation (RSGs) and our grants fund nature conservation projects across the developing world (“Grants”). We also run an event programme, in order to encourage the sharing of knowledge and practice online and throughout the developing world (“Events”).

This Policy sets out how Rufford Foundation collects and uses personal data when you:

visit our websites such as www.rufford.org and apply.ruffordsmallgrants.org, which we refer to in this Policy as “our Websites”;
Apply for our Grants (“Applicant”) and are successful (“Grantee”);
Apply for or attend our Events;
Apply for a job with us;
Act as a referee for a grant or job application;
Are referred to in a grant application (e.g. as part of a project team); and
Contact us with any queries

collectively (“You”) in this policy.

Our websites are not intended for children. We do not knowingly collect or maintain the personal information of children under the age of 13. If you are under the age of 13, you may use our websites only with consent from a parent or guardian.

2. Policy Overview

Scope of this policy

This Privacy Policy concerns all the personal data that we collect, use and otherwise process about you.

Policy updates

We keep this Privacy Policy under regular review to make sure we are being transparent about how we use your personal data. Any changes to our Privacy Policy will be reflected at https://www.rufford.org/privacy_policy.

3. About Us

Who are we?

We are The Rufford Foundation, a registered charity in the UK with registered charity number 1117270. You will find our registered address below.

How to contact us

If you have any questions about this Privacy Policy or the ways in which we handle your personal information, please contact us as follows:

FAO:	Stuart Paterson, Chief Executive
Address:	6th Floor, 250 Tottenham Court Road, London, W1T 7QZ
Email:	Please use the website contact form to submit an email request.

4. What Personal Data Do We Collect About You?

The type of information we collect about you depends on the nature of your interactions with us. Depending on the circumstances, we collect any of the following:

Details about you. Your name, email address, address, telephone number, date of birth, job title, gender, nationality, education details, work experience, financial details (which may include bank account details in order to pay grants), social media handles and any information to the extent that it is relevant for your application for a grant, provided by a grant applicant in order for you to act as their referee, provided by a grant applicant because you are a part of their project team or when you contact us to organise or attend an event;
Identification documents. Identification documents in order to verify your identity such as passports, utility bills and national identity cards;
References. Opinions from your referees about you as part of your application for a grant or job;
Opinions. Opinions from third-party conservation experts for the external assessment of your grant application;
Your interactions with us. Information about your interactions or conversations with us and our people, including when you make enquiries to us, attend our Events and make applications to us;
Information contained in correspondence. For example, if you contact us using a query button on our website or by email or telephone or social media, we may keep a record of that correspondence;
Job applications. If you apply for a job with us, your CV, work history, educational details, the role you’re applying for, references and any other such similar information;
Account profile data. If you’re registering for an account you may also provide a username, password, email address;
Your use of our systems and services. Details of the way in which you use our site and/or social media pages (please see the “Cookie Use Policy” section below for further details).

5. How We Collect Personal Data About You

How we collect information about you will depend on how you interact with us.

We usually collect personal data from you directly, such as:

When you apply for a grant;
When you provide a reference for a grant applicant or job applicant;
When you organise an event with us;
When you browse our Websites;
When you contact us via social media, post or email;
When you register to attend and/or attend any Events we host or hosted in connection with us by a third party;
When you ‘follow’, ‘like’, or ‘post’ on our social media accounts, including Facebook, Instagram and LinkedIn; and/or
When you submit content to be used on the site or on our social media accounts (for instance, project updates and reports, reviews, photographs, videos, posts).

We may collect personal data about you from a variety of other sources too, such as:

from information we generate about you during our relationship with you such as: footage and recordings from online meetings and through our use of cookies and similar technologies; and
from information we collect about you from third parties such as: referees, third parties who help us such as conservation experts for the external assessment, UK Government designated persons checks and social media checks. This may include publicly available sources too, such as online news pieces and scientific journal articles.

6. In What Circumstances Do We Need to Collect Your Special Category Personal Data?

We will ask you to provide information that is deemed sensitive, and additionally may indirectly collect such data. This is most likely to include information of a sensitive nature you may give us in connection with your application, although we do not request such information. This may include information about your health, for example if you require any assistance with your application or with participating at an event, and information such as religion or race which you may have provided to us in your application.

We seek to limit any special category personal data that we collect and, unless we have other specific lawful reasons to use this information, we will ask for your consent to collect it.

7. How We Use Your Personal Data

We’ll use your personal data for a variety of different purposes, some of which will depend on what you engage us for. Please see the table below for more information.

On what grounds will we process your personal data?

We will use your personal data for the purposes listed above, either:

When it is necessary for the performance of a contract;
To comply with a legal obligation we have;
For our legitimate interests (we explain what we mean by this below);
With your consent; and
For establishing, exercising or defending legal claims.

What do we mean by “legitimate interests”?

As outlined above, in certain circumstances we may use your personal information to pursue legitimate interests of our own or those of third parties, but this is provided your interests and fundamental rights do not override those interests. By “legitimate interests” we mean our interests in conducting and managing our charitable activities and to ensure that we are guaranteeing the best service and experience for you. This involves:

Ensuring that our systems and Websites are secure;
Determining the effectiveness of our Website / tools / services and improving the security and optimisation of our network, Websites and services;
Communicating with you about your grant application or event you are interested in organising;
Personalising, enhancing, modifying or otherwise improving the services and/or communications that we provide to you;
Detecting, monitoring and preventing fraud or other unlawful acts, and operating a lawful charity.

Your personal data may be used by us for the following purposes and lawful bases. Please note if you fail to provide certain information when requested, we may not be able to perform the contract we propose to enter into with you (such as considering your job application), or we may be prevented from complying with our legal obligations (such as to ensure safety).

Purpose	Types of personal data we may use	Lawful bases
To process grant applications as an Applicant or job applications	Name, date of birth, home address, email address, telephone number, gender, financial details, CV, job title, education details, work experience including institution names, references, opinions from referees or conservation experts	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to assess the eligibility, suitability, and viability of grant applications or job applications in line with the organisation’s charitable objectives. Necessary for the recruitment process to identify and evaluate suitable candidates for employment or contractual roles within the organisation. To prepare to enter into a contract with you (Art 6(1)(b)) UK GDPR
To pay grant money to recipient organisation as a Grantee	Bank account details of recipient organisation	Performance of a contract we entered into with you (Art 6(1)(b)) UK GDPR
To display project details for public access	Name, conservation project details, email address, social media handles	Performance of a contract we have entered into with you (Art 6(1)(b)) UK GDPR such as the grant agreement which refers to the fact that we will need to display project details for public access as part of the agreement. Legitimate interests (Art 6(1)(f) UK GDPR) – necessary where the agreement does not refer to the need to display project details for public access, in order to promote the project.
To evaluate and analyse funded projects	Name, project details, opinions from conservation experts, gender, education details, employer (if relevant) and the name of the organisation receiving the grant	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to evaluate the impact, effectiveness and outcomes of projects funded by grants. We also process such personal data for analysis purposes so we can analyse the education level of grantees, or how long between finishing higher education and applying for a grant.
To assist in organising Events	Name, email address, contact details, gender, accessibility needs, food preferences/intolerances, personal bank account information	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to provide support for individuals or organisations seeking to organise or collaborate on Conferences. Substantial public interest (Article 9(2)(g) UK GDPR, Schedule 1, Part 2, Paragraph 6 DPA 2018) – necessary for reasons of substantial public interest, specifically to promote equality of opportunity or treatment for individuals with different needs (e.g., accessibility or food preferences/intolerances). Explicit consent (Art 9(2)(a) UK GDPR)
To invite you to an Event	Name, email address	Legitimate interests (Art 6(1)(f) UK GDPR) – if you are in the UK, when you have previously supported or worked with us or interacted with us, it is in our legitimate interest to send you emails or SMSs about our conferences, projects, organisation or other news which we believe may be of interest to you.
To communicate updates regarding applications	Name, email address, correspondence	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to keep applicants informed about the status of their applications, ensuring smooth communication and transparency in the recruitment or grant process.
To respond to enquiries	Name, email address, correspondence	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to provide timely and effective responses to queries related to Conferences, grants, jobs and the organisation.
To register user accounts	Name, email address, username, password	Performance of a contract we have entered into with you (Art 6(1)(b) UK GDPR) – such as our terms and conditions and terms of use.
To provide access to the Websites	Technical data and usage data collected from your device when you are browsing on our Websites, or our digital communications such as emails. This includes: your IP address, your location (by country, state and city), device type, browser type, operating system, interaction with, and responses to, our marketing communication and activity on our Websites. Please see our cookies policy for more information.	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to ensure the website functions effectively, securely, and provides an optimal user experience.
To respond to social media interactions	Social media handles, correspondence	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to engage with individuals interacting with the organisation on social media platforms to address questions, provide information, or manage public relations.
Relationship management	Name, email address, correspondence	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to maintain ongoing relationships with grant recipients, event organisers, or other stakeholders. Includes notifying individuals of changes to terms or policies or collecting feedback to improve services. Performance of a contract we have entered into with you (Art 6(1)(b) UK GDPR). Compliance with legal obligation (Art 6(1)(c)).
Fraud prevention for job applications, Applicants and Grantees	Identification documents (e.g., passport, ID card, utility bill)	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to ensure grants and organisational resources are used lawfully, prevent fraudulent activity, and verify the identity of recipients or applicants. Recognised legitimate interests (Art 6(1)(ea) UK GDPR) of ours such as where the processing is necessary for the purposes of detecting, investigating or preventing crime.
Legal compliance	Personal data required to comply with legal obligations (e.g., requests from authorities, legal compliance, charity laws)	Legal obligation (Art 6(1)(c) UK GDPR)
Analytics	Technical data and usage data collected from your device when you are browsing on our Websites, or our digital communications such as emails. This includes: your IP address, your location (by country, state and city), device type, browser type, operating system, interaction with, and responses to, our marketing communication and activity on our Websites. Please see our cookies policy for more information.	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to analyse and improve the organisation’s website, marketing strategies, and user experience. Consent (Art 6(1)(a) UK GDPR) – to deploy non-strictly necessary cookies such as functional cookies to help a video play. You have the right to withdraw your consent for this specific processing at any time without affecting the lawfulness of any processing undertaken prior to you withdrawing such consent.
Processing special category data for grant or job applications	Health data, religion, race (if disclosed by the individual)	Legitimate interests (Art 6(1)(f) UK GDPR) – necessary to accommodate specific needs (e.g., accessibility requirements) or for diversity monitoring in line with the organisation’s mission. Employment or social protection law (Art 9(2)(b) UK GDPR). Consent (Art 6(1)(a) UK GDPR). Explicit consent (Art 9(2)(a) UK GDPR).
To promote our organisation, projects and events	Name, email address, correspondence, technical data, usage data	For postal marketing: it is in our legitimate interest to add you to our postal marketing list and send you postal marketing on the understanding that our conferences, projects, organisation and other news may be of interest to you. For digital marketing such as email: if you are in the UK, when you have previously supported or worked with us or interacted with us, it is in our legitimate interest to send you emails or SMSs about our conferences, projects, organisation or other news which we believe may be of interest to you. When you sign up to receive emails or SMSs from us – it is on the basis of your consent to receive such digital marketing communications. For advertising technologies such as advertisements you may see on other websites such as social media: we rely on your consent to deploy non-strictly necessary cookies such as analytical and advertising cookies to deploy advertisements that are more personalised and relevant to you. You have the right to opt-out of receiving any of our marketing communications at any time without affecting the lawfulness of the processing before its opt-out.

In connection with the purposes and on the lawful grounds described above, where relevant, we share your personal information with the following third parties:

The general public on your project page on our site. To provide information about the project for which you have received a grant and to provide you with a platform to showcase your work to the general public. This is on the basis of our legitimate interests to promote the projects and our organisation. Such general public may be based both inside and outside the EEA and we rely on adequacy decisions to safeguard the transfer of such personal data.
Social media organisations. To post details of projects (including new projects, project updates and reports) on our social media accounts (including Facebook, Instagram and LinkedIn) to promote projects and provide additional exposure for your work. This is on the basis of our legitimate interests to promote the projects and our organisation. The social media organisations we share your personal information with are based in Ireland and we rely on adequacy decisions to safeguard the transfer of such personal data.
Third-party conservation experts. To provide us with an external assessment of your grant application. The third-party conservation experts we share your personal data with are based in the UK/EU and we rely on adequacy decisions to safeguard the transfer of such personal data.
Third-party non-governmental organisations. For identity verification, fraud prevention and detection services based in the UK/EU. This is on the basis of our legitimate interests and of third parties, to carry out our services.
Other third-party suppliers that we work with in connection with our business. We share your information with third-party suppliers that provide us with services in connection with our business and the provision of our services to you. This is on the basis of our legitimate interests and of third parties, to carry out our services. This includes for example: IT developers, service providers and hosting providers, third parties that process our grants, and banks, based in the United Kingdom and the USA. For the USA, we rely on various mechanisms to safeguard the transfer of personal data such as: standard contractual clauses such as the UK International Data Transfer Agreement with such third parties, certified frameworks such as the UK-US Data Privacy Framework with third parties certified to the framework and other derogations such as your consent or for the performance of a contract with you.
Authorities, Courts or advisors. We share your information with other international third parties (including legal service providers, accountants, auditors, insurers and other professional advisors, tax authorities (including HM Revenue & Customs), regulatory authorities, courts and government agencies) where necessary to enable us to enforce our legal rights, for the establishment, exercise or defence of legal claims, to protect our business, or where such disclosure may be permitted or required by law or for compliance with a legal or regulatory obligation, or otherwise to protect our rights or the rights of a third party.
Group companies and other organisations we work closely with: for security, assistance, improving our organisation, and reporting, based on our legitimate business interests.
In the context of a transaction. Your information may be disclosed to any successors of our charity, in the event of a re-organisation, merger or sale, negotiation, or completion of a corporate transaction in which we are acquired, or we sell or transfer all or a portion of our assets or organisations. This is on the basis of our legitimate interests for our business operations and the legitimate interests of third parties such as those in connection with the transaction.

Where we do share your information with third parties, we will require them to maintain appropriate security to protect your information from unauthorised access or processing, unless we have no ability to do so (for example, where we are sharing information with government agencies).

Marketing from third parties

When you’ll hear from third parties

We will share your contact details with third-party event organisers to invite you to Events that we think might be of interest / relevant to you if you have indicated that you are happy for us to do so. This is on the basis of your consent to us to share your name and email address with third-party event organisers for direct marketing purposes.

Opting out of or withdrawing your consent in relation to marketing from third parties

If you no longer want to hear from such third parties, you should contact them directly.

9. Our Website and Cookies

What we collect when you interact with our Websites

As you may already know, most sites collect certain information automatically in log files about the way in which you interact with them. This might include your IP address, geographical location, device information (such as your hardware model, mobile network information, unique device identifiers) browser type, referral source, length of visit to the site, number of page views, the search queries you make, and similar information.

This information may be collected by us or by a third-party site analytics service provider and will be collected using cookies.

As we’ve described above, where we do collect this information, we use this information to help improve our functionality and services, run diagnostics, analyse trends, track visitor movements, gather broad demographic information and personalise our services.

What do we mean by “cookies”?

Cookies are small amounts of information in the form of text files that we store on the device you use to access our site. Cookies allow us to monitor your use of our services and improve them. For example, a temporary cookie is also used to keep track of your “session”. Without that temporary cookie you will not be able to use some services via our site.

Cookies selection

We may use strictly necessary cookies which are essential in order to enable you to move around the Website and use its features, such as accessing secure areas of the Website. The Website cannot function properly without these cookies.

We may use cookies for site analytics purposes. We may use this information to try to improve the relevance and tone of our future communications to ensure we’re serving you as best as we can. These cookies enable us to monitor and improve the performance of our Website. For example, they allow us to count visits, identify traffic sources and see which parts of the site are most popular.

Although you make your cookie preferences when you first visit our Websites, you can change your preferences at any time.

If you do not want cookies to be installed on your device, you can change the settings on your browser or device to reject cookies. For more information about how to reject cookies using your internet browser settings, please consult the “Help” section of your internet browser or visit http://www.aboutcookies.org. Please note that if you do set your Internet browser to reject cookies, you may not be able to access all of the functions of the site.

For details of all of the cookies that we use and the purposes we use them for, please visit https://www.rufford.org/cookies.

Links to third-party websites

Our Websites also contain content and links to other sites that are operated by third parties that may also operate cookies. We do not control these third-party sites or cookies and this Privacy Notice does not apply to them. Please consult the terms and conditions and Privacy Notice of the relevant third-party site to find out how that site collects and uses your information and to establish whether and for what purpose they use cookies.

10. Your Rights

Overview of your rights

In certain circumstances, you have certain rights in respect of the personal data that we hold about you, including:

The right to be informed of the ways in which we use your information, as we seek to do in this Privacy Policy and our Cookies Policy;
The right to request the deletion of your personal data that we hold about you;
The right to request access to the information that we hold about you;
The right to request that we correct or rectify any information that we hold about you which is out of date or incorrect;
The right to ask us to stop using information about you;
The right to exercise a data protection complaints process – if dissatisfied with our response, individuals have the right to escalate their concerns to the Information Commissioner’s Office (ICO);
The right to lodge a complaint about us to the UK Information Commissioner’s Office (https://ico.org.uk/);
The right to opt-out of receiving any of our marketing communications at any time without affecting the lawfulness of the processing before its opt-out;
The right to object to our using your personal data on the basis of our legitimate interests (or those of a third party); and
The right to receive a copy of any information we hold about you in a portable format (or request that we transfer this information to another data controller) in a structured, commonly-used, machine-readable format.

Please note that most of these rights are not absolute and are limited to certain defined circumstances. Accordingly, we may not be able to comply with any such request.

If the basis of our processing of your personal information is ‘consent’ you have the right to withdraw your consent at any time without affecting the lawfulness prior to the withdrawal of your consent. However, note that your data may also be being processed subject to another lawful basis as set out above.

Please note we will keep your personal data for as long as we need to in line with our retention criteria taking into consideration: legal obligations, best industry practice, limitation periods, our business needs and for the establishment, exercise or defence of legal claims. For those participating in our projects, we are likely to retain your personal data for as long as is necessary in order to produce, exhibit, exploit, distribute, advertise, publicise and promote the project in accordance with our legitimate interests and legal obligations.

We also need to send you service-related communications, e.g. updates relating to your website user account, changes to our terms and conditions and privacy notice. These are important updates (and are not marketing communications), so you will receive these communications even where you have requested not to receive marketing from us.

How to exercise your rights

Contacting us

You can exercise your rights by contacting us using the details in the “About Us” section above, or in the case of preventing processing for marketing activities also by checking certain boxes on forms that we use to collect your data to tell us that you do not want to be involved in marketing.

What we need from you to process your requests

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Keeping us informed

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by updating your account information or contacting us via the contact details below.

11. Where Is Your Personal Data?

Our organisation is based in the United Kingdom. However, in certain circumstances information that we collect about you will be transferred to and held by us in countries outside of the EEA/UK where we work with suppliers and service providers that are either based outside of the EEA/UK or have servers based outside of the EEA/UK.

Wherever your personal data is transferred to organisations outside the UK, we will ensure that appropriate safeguards are in place to protect personal data as required by data protection laws. Such safeguards include: standard data protection clauses, legal exceptions, adequacy decisions, recognised frameworks (e.g. the EU-US Data Privacy Framework).

Please contact us using the contact details at the top of this Privacy Notice if you want further information or a copy of the specific mechanism used by us when transferring your personal data out of the UK.

12. How Long We Keep Your Personal Data For

We keep your personal data for as long as is reasonably necessary to enable us to process your grant application, to comply with any legal obligations that require us to keep information, or for as long as we reasonably require for our legitimate interests, including for example for the purposes of exercising our legal rights or defending ourselves against claims. We operate a data retention policy and retention criteria taking into consideration: legal obligations, best industry practice, limitation periods, our business needs and for the establishment, exercise or defence of legal claims. For those participating in our projects, we are likely to retain your personal data for as long as is necessary in order to produce, exhibit, exploit, distribute, advertise, publicise and promote the project in accordance with our legitimate interests and legal obligations.

13. Complaints

If you have any comments, questions or concerns about the contents of this Privacy Policy or the way in which we use your information, we encourage you to contact us using the details in the “About Us” section above to see if we can help resolve the issue in the first instance.

In the UK, if you are unhappy with a response received from us in relation to data protection, you are required to escalate the matter and raise a complaint directly with us via a complaints process. We will acknowledge the complaint within 30 days, make enquiries into the complaint without undue delay and make an appropriate level of enquiries.

After an escalation to the complaint procedure has been exercised, you may then lodge a complaint by contacting the Information Commissioner. In the EU, individuals do not need to first escalate via a complaint procedure and instead can lodge a complaint to a supervisory authority in the country they live or work in.

However, if you would still like to make a formal complaint or have concerns regarding the ways in which we use your information, you can contact the Information Commissioner’s Office (also known as the “ICO”). The ICO is an independent authority and the UK’s supervisory authority for information rights.

You can lodge a complaint about your concerns on the ICO site: https://ico.org.uk/concerns/handling/

You might end up providing personal data directly to third parties as a consequence of your interactions with our Websites. For example, your name and other personal data will be shared with other Website users when you correspond with them using the contact details provided on a project or comment on our posts, or you may attend an event hosted by us where you communicate personal information directly with other attendees.

Please be responsible with personal data of others when using our Website and the services available on it.

15. Third-Party Links

The Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

Last updated: April 2026