Privacy Policy

1. Introduction

The Social Change Nest CIC (SCN) is committed to protecting your personal data and upholding your privacy. This notice explains how we collect, use, store, and share personal information, and your rights in relation to that data.

This notice applies to anyone who interacts with SCN outside an employment relationship – including funders, grantees, collective members or administrators, financial contributors, newsletter subscribers, platform users, and members of the public.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

The Social Change Nest CIC

Registered address: All Saints Church Hall, Carnegie St, London N1 9QW. 

General enquiries: hello@thesocialchangenest.org 

Report a concern: reporting@thesocialchangenest.org 

SCN is a data controller when processing personal data for its own purposes. In some contexts – such as hosting collectives or working with funders – we act as a data processor, only handling data under instruction. 

3. What Data We Collect

Depending on how you interact with SCN, we may collect:

  • Name, contact details, job role, organisation
  • Financial data (e.g. payment details, donation history, grant information)
  • Information submitted via Identity Verification checks, forms, surveys, or applications
  • Communication preferences
  • Website usage data (e.g. IP address, browser type, cookies)
  • Special category data (e.g. health, safeguarding) where necessary and lawful
  • Due diligence data (e.g. publicly available Social Media content, online search engine results, news articles, blogs, public statements, organisational websites or public registers) where necessary and lawful

4. Children’s Data

SCN’s services are not directed at children. We do not knowingly collect personal data from individuals under the age of 18 without verified parental or guardian consent.

If we become aware that data has been collected from a child without proper consent, we will delete it promptly and take any necessary safeguarding steps. If you believe we have inadvertently collected information from a child, please contact: hello@thesocialchangenest.org.

5. When We Collect Your Data

We collect your personal data when:

  • You apply to be fiscally hosted by us
  • You donate, apply for funding, or engage with a hosted collective
  • You complete a form, submit an expense, or use Open Collective or any of our other services
  • You sign up to a newsletter or event
  • You visit our website (via cookies and analytics)
  • You communicate with us directly

6. Cookies and Website Analytics

When you visit our website, we may collect limited data using cookies and similar technologies. These help us:

  • Understand how users interact with our site (e.g. through Google Analytics)
  • Improve functionality and performance
  • Monitor aggregate trends and content engagement

You can control or disable cookies through your browser settings at any time. By continuing to use our site, you agree to our use of essential cookies unless you opt out through your browser.

7. Why We Collect Your Data

We only process your data when there is a lawful basis (under Article 6 of UK GDPR) to do so, such as:

  • Consent – for newsletters or optional communications
  • Contract – to manage grants, collective services, or other agreements
  • Legal obligation – for regulatory, safeguarding or financial compliance
  • Legitimate interest – in due diligence for funding/hosting, for communicating our work or improving our services
  • Vital interest / public task – in rare and exceptional circumstances, such as protecting someone from serious harm or fulfilling a safeguarding duty, we may process data without consent. This is only done when necessary and proportionate, and where seeking consent would be unsafe or cause harmful delay.

8. Use of Platforms and Third Parties

We use Open Collective Inc. to deliver transparency and financial infrastructure for hosted collectives. This means:

  • Public contributions, expenses, and names may appear on collective pages unless anonymised
  • Data submitted through Open Collective is processed by both SCN and Open Collective under separate privacy terms
  • Payments are handled via third-party processors such as Stripe, Wise and XE, who are responsible for their own compliance with UK GDPR and PCI-DSS standards

Other third-party tools we use may include:

  • Google Workspace (cloud storage, email)
  • HubSpot (CRM and communications)
  • Zapier/Make.com (automating processes)
  • BrightHR (HR)
  • Xero and Sage (finance)
  • Typeform, WebinarPress

 

We ensure all providers meet appropriate data protection standards.

9. Hosted Collectives and Collective Administrators

Where SCN acts as a fiscal host, we may process data on behalf of a hosted collective. In this context, SCN typically acts as an agent, handling data and finances under the direction of the collective’s administrators. As such:

  • SCN may be a data processor, not a controller, when acting solely on a collective’s instructions.
  • Collective administrators may access data you submit (e.g. expense claims, contact details).
  • Collective administrators are responsible for their own data protection compliance and communications.

If you are a collective administrator, you must:

  • Only collect and share personal data with a valid legal basis (e.g. consent or legitimate interest).
  • Be transparent with your community about how their data will be used and stored.
  • Avoid retaining or sharing data unnecessarily or insecurely.

SCN provides guidance and secure infrastructure but is not responsible for the data handling practices of hosted collectives beyond our role as fiscal host and agent.

10. Sharing Your Data

We do not sell or rent your data. We may share it with:

  • Trusted third-party service providers who help us operate (e.g. payment processors, platforms)
  • Regulators or auditors, where legally required
  • Collective administrators (where relevant)
  • Legal or safeguarding authorities, where necessary

We only share the minimum information needed and ensure all parties meet strong data protection standards.

11. Data Security and Retention

We store personal data securely, using:

  • Encrypted systems and two-factor authentication
  • Access controls and secure cloud platforms
  • Password managers for internal access (e.g. Dashlane)

We keep data only for as long as needed. Typical retention periods include:

  • Finance and grant records: at least 7 years (audit/legal requirements)
  • Legal or safeguarding data: as required by law
  • Due diligence data: at least 7 years

We delete or anonymise data when it is no longer needed.

12. International Transfers

Some service providers (e.g. Open Collective, Google) may store data outside the UK or EEA. In such cases, we ensure:

  • Standard Contractual Clauses (SCCs) or equivalent safeguards are in place
  • Only trusted providers are used

Your rights are protected in line with UK GDPR.

13. Your Rights

You have the right to:

  • Access your personal data
  • Correct or delete it
  • Object to or restrict its processing
  • Withdraw consent (where relevant)
  • Complain to the Information Commissioner’s Office (www.ico.org.uk)

To exercise your rights, contact: hello@thesocialchangenest.org 

14. Changes to This Notice

We review and update this Privacy Notice regularly. The latest version will always be available on our website.