Last updated: 18/05/2025
This page sets out how Makor Hayim (“we”) collect personal data, how we use data about you that we collect from you and other sources, how we store your data safely, and our obligations to you.
If you are reading this, it is likely that we hold at least some personal data about you. Depending on your exact relationship with us, this data may be as uninformative as an IP address or social media username, or as sensitive and confidential as your bank details, health information, or safeguarding issues you are affected by.
The law is clear that you are in charge of how organisations such as Makor Hayim use your personal data. Moreover, as a community built on relationships, we believe trust in us is paramount. For these reasons, we set out below how we use your data, and welcome questions, suggestions, and requests to exercise your data rights.
What follows is exhaustive and legally binding – in other words, we will not (and legally cannot) collect or use your data except as explained below. We may update it from time to time, in which case we will let you know. It is not a full privacy policy (which is much more technical and includes details like rules for our staff), data audit or data impact assessment – we will make these available on request.
- Section 1, Our Commitments, explains your legal rights (and our commitments to you beyond the legal minimum) and how you can exercise them.
- Section 2, Why We Process Data, explains the legal grounds on which we hold your data, and our obligations to you (which vary depending on how and why the data was collected)
- Section 3, What Data We Collect, sets out exactly what personal data we hold about different categories of people.
- Section 4, Data Sharing with Third Parties, describes the limited circumstances under which we may share your data with others.
- Section 5, Data Retention and Deletion, explains how long we keep your data for and what happens when we no longer need it.
- Section 6, Data Security, sets out our commitment to making sure your personal data is safe, explains our security processes, and how we will respond in the unlikely event that your personal data is compromised.
Our commitments, legislation, and your rights
We hold ourselves to the highest standards of data privacy and security.
Like any company, we are governed by applicable law, which includes the European Union’s General Data Protection Regulations (GDPR), the UK Data Protection Act 2018 (which incorporates GDPR), the California Consumer Privacy Act, and the UK Privacy and Electronic Communication Regulations (PECR).
We are also governed by our values of Chesed (kindness) and Tsedek (justice) and by our conscience.
As a data subject (i.e. a person about whom we hold personal data), you have the right to:
- Be told whenever we intend collect or use your personal data (“right to be informed”)
- View personal data we hold about you (“right of access”)
- Receive a copy of personal data we hold about you (“right of data portability”)
- Have us correct data which is incorrect or inaccurate (“right to rectification”)
- Stop us from using your data in certain ways* (“right to restriction” and “right to object”)
- Have us delete data we hold about you* (“right to erasure”)
- Only receive marketing from us, or have your data used for marketing purposes, if you have explicitly agreed to this.
*These two rights have some exceptions; if we need to legally refuse a request under these rights we will explain why and, wherever possible, offer an alternative resolution.
If you want to exercise any of these rights, you have two options:
- For common tasks, such as updating your details or changing how we communicate with you, we have digital tools to help you manage your data yourself
- For anything else, please speak to our Data Protection Lead (Natalie Clingman) or email email data@makorhayim.org.
All of these rights are legally binding on residents of the UK and EU and some of them on California residents. We aim to honour all these rights regardless of where you live. However, depending on your place of residence, you may have legal recourse if we do not adequately comply with requests. If your jurisdiction gives you a legal right not mentioned above we will also comply with requests made under those rights.
Why we process data
How we process – i.e. collect, store and use – data depends on why we acquired it. Under GDPR there are six reasons (called “lawful bases”) why personal data can legally processed, and we are required to tell you which lawful basis or bases apply to any processing of your personal data. Two are not applicable to Makor Hayim. The other four are below. Click on each to read more.
Where we are required by law to do something, and we need to process your data in order to do it (“legal obligation”)
If we are processing based on a legal obligation, we will likely be following guidance and have little room for discretion.
Wherever possible, before collecting, using or sharing data based on a legal obligation, we will let you know first. However, sometimes this may be impractical, or conflict with the legal obligation itself. For example, we have a legal duty to prevent children or vulnerable adults coming to harm (called safeguarding). If we receive an allegation that a child is at risk of harm from a named adult, our safeguarding duties will likely require us to act without seeking the child’s consent, and without even informing the adult, as to do otherwise would increase the risk to the child.
To fulfill a contract with you (this may be a formal written agreement or it may be an informal one, such as if you make a request of us)
If we are processing based on a contract, the terms of data collection, use, retention and deletion will be specified in the contract. Some contracts can be cancelled and the associated data deleted. In other cases, we may need to keep data beyond the end of the contract (for records, or to protect our interests), or the contract may oblige you to allow us to process your data (for example, if you owe us a debt).
Necessary for Makor Hayim’s “legitimate interests” – this refers to anything we need to do in order to carry out our functions as a Synagogue.
Because legitimate interest processing includes routine activities where it would be impractical (and annoying) to communicate to you each time it happens, in order to find out what legitimate interest processing may affect you, you should refer to the remaining sections of this notice.
If we are using your data for legitimate interest purposes, we will first inform you that we have it, and set out how we intend to use it (usually by way of a link to this page). You also have the right to object to the processing of your data, as set out above.
Otherwise, we will first ask your permission, and only proceed if you have given it.
If we are relying on your consent, we will have explained to you what data we were collecting and why, and given you a free choice. If you were not given a full explanation or were pressured or incentivised to agree, your consent may not be valid. You are also free to withdraw consent at any time, without giving a reason. We will only use data as described when consent was given. If we need to change the way we use your data, we will ask for consent again.
What data we collect
Exactly what data we hold depends on how you interact with us. In this document, we refer to the following categories of people. In most cases, it should be clear which category you are in, but you can contact us to check if you are unsure.
- “Website Visitors” – people who visit the Makor Hayim website
- “Contacts” – people who subscribe to our email communications, engage with us on social media, and/or have communicated with us by post, email, telephone, social media, or other means
- “Guests” – people who have attended (or registered to attend) Makor Hayim event(s), either physically or online
- “Builders” – members of Makor Hayim, who have entered into a membership agreement and (usually) made a financial contribution
- “Volunteers” – people who have signed up to a formal volunteer role, contribute to Makor Hayim’s activities on an ad-hoc basis without a formal role, and/or serve as Trustees
- “Staff” – salaried employees and paid contractors.
The lawful basis in all cases is legitimate interest except where stated otherwise.
Makor Hayim is a member of the Movement for Reform Judaism (MRJ) and the Jewish Joint Burial Society (JJBS). These acronyms are used below.
Data we collect directly from you
Contacts
- Your full name
- Contact details, such as phone number, postal address, or email
- Records of any meetings, phone calls, emails or messages sent by you or to you
- Any other information you communicate directly to us by phone, email or message
- If you consent to receive email newsletter(s), a record of your consent will be stored
Guests
All information collected from Contacts, plus:
- A history of events you have attended (whether in person or online)
- For Zoom events, we may preserve Zoom chat history
- Details of allergies, dietary requirements, or access needs shared by you (to ensure guests’ safety and comfort we will keep records of these indefinitely unless deletion is requested)
- With your consent, photographs featuring you taken at the event
Builders
All information collected from Guests, plus:
- All information provided on your Builder application form,
- Any other information you communicate to us (verbally or in writing) during the application process that informs how we handle your application
- Your halachic status (whether you are Jewish according to the rules of the MRJ)
- Payment details, as necessary to take payment for your Buildership
- Gift aid declarations, if provided
- The name, relationship to you, and contact details of a next of kin
- Where other family members are also Builders, your relationship to them
Volunteers and Staff
All information collected from Builders, plus:
- A history of current and past roles held or tasks undertaken
- Records of training undertaken in connection with current or past roles
- Where required for the role, information provided as part of your application, interview, and/or as required by HR relating to your role
- Where required for the role, the results of background checks (such as DBS checks) as well as data required for submitting background check applications
- Records of volunteer contracts
- Where a salary, contractors’ fees, or expense reimbursements are paid, bank details for receiving the payment
Data we collect from other sources
- If you interact with us via social media, we will see your social media profile.
- If you join us us from another Reform Synagogue and/or as an existing member of a burial scheme, we will receive information from that synagogue and/or burial scheme in order to facilitate transferring your membership to Makor Hayim and JJBS.
- If you interact with us online via a third party service (see “Data Sharing” below), we may receive limited data from that third party about your interaction (such as the date and time of the interaction) in addition to what you explicitly provide.
- If you attend an event where your attendance was registered by someone else, we will record any data they provided as part of your registration.
Interaction with our website
This website does not set cookies simply by visiting the website.
Where specific functions, such as logging in or leaving a comment, involve setting cookies, this is indicated.
Comments published to posts are displayed publicly.
Data sharing with third parties
Makor Hayim shares limited personal data about Builders, Volunteers and Staff:
- With its partner organisations, the MRJ and JJBS (or their successors)
- With consent, publicly on our website, newsletter and social media
- As required by law in order to fulfill our safeguarding duties
With MRJ, for the legitimate interest of meeting our obligations to MRJ as a member Synagogue, we share:
- With consent, Builders’ names, emails, and (indirectly) halachic status
- Aggregate data about our Builders’ ages, halachic statuses, and family arrangements
With JJBS, to fulfill our contract with Builders who are (or wish to become) JJBS members, we share:
- TBC
Public use of personal data
For publicity purposes we share information, which sometimes includes personal data, on WhatsApp (with Builders only), in our email newsletter (with all subscribers), on our social media profiles and on our website (with the general public).
We will not share personally identifiable information about you publicly unless:
- You have consented to the information being shared;
- You were informed of the content of the publicity item before being asked for consent;
- Associating you with Makor Hayim or the context of the publicity item has been assessed not to pose a physical or reputational risk to you
- If a child under 18 is identifiable, we require that the parent(s) have consented, the child has been informed and has consented (if able to do so) or else has not objected, and that there is a significant benefit to sharing the information that cannot be achieved by sharing about adults only.
Although we restrict membership of the Makor Hayim WhatsApp Community to Builders only, it is easy for information shared within the Community to be re-shared to a wider audience. Builders should not share in WhatsApp groups anything they would not want shared with the general public. Members of the WhatsApp Community automatically share their display name, profile picture, and (in most cases) registered phone number with all other members of the Community. For more information and advice see our WhatsApp Policy.
Use of third-party data processors
We use various third-party service providers to store and handle data on our behalf. These services are legally prohibited from using the data themselves (and in most cases the data is encrypted so that they do not have access to it at all). We choose our third-party providers with privacy and data security as a top priority. However, please note that:
- There is a very small risk of a service provider suffering a data breach leading to your data being leaked
- If you interact with the service provider directly, they may collect data about you for themselves in addition to the data they collect for us. This data collection is beyond our control and is governed by the service provider’s own privacy policy. (Makor Hayim neither has nor seeks access to this data.)
Our data processors are:
Click for full list
| Processor | Uses and categories of data processed |
|---|---|
| Beacon | CRM |
| Eventbrite | Event registration and ticketing |
| Bank | All payments to/from Makor Hayim |
| Xero | Accounting |
| Stripe | Payments by bank card |
| GoCardless | Payments by direct debit |
| Google Workspace | Company emails, calendar, cloud storage, the Chesed Line (using Google Voice) |
| Zoom | Online and hybrid events: – Video and audio recordings of both in-person and online attendees – Display names of online attendees – Contents of chat function |
| Gandi | Web hosting |
| Jetpack | Website analytics |
| Canva | Graphics: – Personal data contained within graphics will be stored on Canva’s servers |
| Meta | – Facebook and Instagram accounts – Staff and Chesed WhatsApp accounts – Personal data contained in messages sent using WhatsApp between MH Volunteers and Staff |
| Sendgrid | Sending automated and bulk emails: – Records of all emails sent – Records of recipient actions (opening of emails and clicking of links) |
| Simple Calendar | Calendar synchronisation – Displays personal information contained in event publicity |
| Zapier | Automation – Transmits all categories of personal data between other platforms |
| DBS Service | Conducting background checks on staff/volunteers |