Last updated: 19/07/2025
You are welcome to contact us at any time for further information, to see what data we hold about you, to update, amend or remove your details, or to exercise any other data rights. Please email our data protection officer at dataprotection@makorhayim.org or speak to any staff member/volunteer.
This page sets out how Makor Hayim (“we”) collect personal data, how we use data about you that we collect from you and other sources, how we store your data safely, and our obligations to you.
If you are reading this, it is likely that we hold at least some personal data about you. Depending on your exact relationship with us, this data may be as uninformative as an IP address or social media username, or as sensitive and confidential as your bank details, health information, or safeguarding issues you are affected by.
The law is clear that you are in charge of how organisations such as Makor Hayim use your personal data. Moreover, as a community built on relationships, we believe trust in us is paramount. For these reasons, we set out below how we use your data, and welcome questions, suggestions, and requests to exercise your data rights.
What follows is exhaustive and legally binding – in other words, we will not (and legally cannot) collect or use your data except as explained below. We may update it from time to time, in which case we will let you know. It is not a full privacy policy (which is much more technical and includes details like rules for our staff), data audit or data impact assessment – we will make these available on request.
- Our Commitments, explains your legal rights (and our commitments to you beyond the legal minimum) and how you can exercise them.
- Why We Process Data, explains the legal grounds on which we hold your data, and our obligations to you in respect of the data we hold. These vary depending on how and why the data was collected.
- What Data We Collect, sets out exactly what personal data we hold about different categories of people.
- Who Holds My Data, explains who in the community has access to your data, and what to do if you have concerns about a specific individual’s access to information.
- Data Sharing with Third Parties, describes the limited circumstances under which we may share your data with others.
- Data Retention and Deletion, explains how long we keep your data for and what happens when we no longer need it.
- Data Security, sets out our commitment to making sure your personal data is safe, explains our security processes, and how we will respond in the unlikely event that your personal data is compromised.
Our commitments, legislation, and your rights
We hold ourselves to the highest standards of data privacy and security.
Like any company, we are governed by applicable law, which includes the European Union’s General Data Protection Regulations (GDPR), the UK Data Protection Act 2018 (which incorporates GDPR), the California Consumer Privacy Act, and the UK Privacy and Electronic Communication Regulations (PECR).
We are also governed by our values of Chesed (kindness) and Tsedek (justice) and by our conscience.
As a data subject (i.e. a person about whom we hold personal data), you have the right to:
- Be told whenever we intend collect or use your personal data (“right to be informed”)
- View personal data we hold about you (“right of access”)
- Receive a copy of personal data we hold about you (“right of data portability”)
- Have us correct data which is incorrect or inaccurate (“right to rectification”)
- Stop us from using your data in certain ways* (“right to restriction” and “right to object”)
- Have us delete data we hold about you* (“right to erasure”)
- Only receive marketing from us, or have your data used for marketing purposes, if you have explicitly agreed to this.
*These two rights have some exceptions; if we need to legally refuse a request under these rights we will explain why and, wherever possible, offer an alternative resolution.
If you want to exercise any of these rights, you have two options:
- For common tasks, such as updating your details or changing how we communicate with you, we have digital tools to help you manage your data yourself
- For anything else, please speak to our Data Protection Lead (Natalie Clingman) or email email data@makorhayim.org.
All of these rights are legally binding on residents of the UK and EU and some of them on California residents. We aim to honour all these rights regardless of where you live. However, depending on your place of residence, you may have legal recourse if we do not adequately comply with requests. If your jurisdiction gives you a legal right not mentioned above we will also comply with requests made under those rights.
Why we process data
How we process – i.e. collect, store and use – data depends on why we acquired it. Under GDPR there are six reasons (called “lawful bases”) why personal data can legally processed, and we are required to tell you which lawful basis or bases apply to any processing of your personal data. Two are not applicable to Makor Hayim. The other four are below. Click on each to read more.
Where we are required by law to do something, and we need to process your data in order to do it (“legal obligation”)
If we are processing based on a legal obligation, we will likely be following guidance and have little room for discretion.
Wherever possible, before collecting, using or sharing data based on a legal obligation, we will let you know first. However, sometimes this may be impractical, or conflict with the legal obligation itself. For example, we have a legal duty to prevent children or vulnerable adults coming to harm (called safeguarding). If we receive an allegation that a child is at risk of harm from a named adult, our safeguarding duties will likely require us to act without seeking the child’s consent, and without even informing the adult, as to do otherwise would increase the risk to the child.
To fulfill a contract with you (this may be a formal written agreement or it may be an informal one, such as if you make a request of us)
If we are processing based on a contract, the terms of data collection, use, retention and deletion will be specified in the contract. Some contracts can be cancelled and the associated data deleted. In other cases, we may need to keep data beyond the end of the contract (for records, or to protect our interests), or the contract may oblige you to allow us to process your data (for example, if you owe us a debt).
Necessary for Makor Hayim’s “legitimate interests” – this refers to anything we need to do in order to carry out our functions as a Synagogue.
Because legitimate interest processing includes routine activities where it would be impractical (and annoying) to communicate to you each time it happens, in order to find out what legitimate interest processing may affect you, you should refer to the remaining sections of this notice.
If we are using your data for legitimate interest purposes, we will first inform you that we have it, and set out how we intend to use it (usually by way of a link to this page). You also have the right to object to the processing of your data, as set out above.
Otherwise, we will first ask your permission, and only proceed if you have given it.
If we are relying on your consent, we will have explained to you what data we were collecting and why, and given you a free choice. If you were not given a full explanation or were pressured or incentivised to agree, your consent may not be valid. You are also free to withdraw consent at any time, without giving a reason by contacting us or speaking to any Makor Hayim staff member of volunteer. We will only use data as described when consent was given. If we need to change the way we use your data, we will ask for consent again.
What data we collect
Exactly what data we hold depends on how you interact with us. In this document, we refer to the following categories of people. In most cases, it should be clear which category you are in, but you can contact us to check if you are unsure.
- “Website Visitors” – people who visit the Makor Hayim website
- “Contacts” – people who subscribe to our email communications, engage with us on social media, and/or have communicated with us by post, email, telephone, social media, or other means
- “Guests” – people who have attended (or registered to attend) Makor Hayim event(s), either physically or online
- “Builders” – members of Makor Hayim, who have entered into a membership agreement and (usually) made a financial contribution
- “Volunteers” – people who have signed up to a formal volunteer role, contribute to Makor Hayim’s activities on an ad-hoc basis without a formal role, and/or serve as Trustees
- “Staff” – salaried employees and paid contractors.
The lawful basis in all cases is legitimate interest except where stated otherwise.
Makor Hayim is a member of the Movement for Reform Judaism (MRJ) (soon to be superseded by Progressive Judaism (PJ)). It is also a member of the Jewish Joint Burial Society (JJBS). These acronyms are used below.
Data we collect directly from you
Depending on your exact circumstances, we may hold some or all of the items in the following lists:
Contacts
- Your full name
- Contact details, such as phone number, postal address, or email
- Records of any meetings, phone calls, emails or messages sent by you or to you
- Any other information you communicate directly to us by phone, email or message
- If you consent to receive email newsletter(s), a record of your consent will be stored
Guests
All information collected from Contacts, plus:
- A history of events you have attended (whether in person or online)
- For Zoom events, we may preserve Zoom chat history
- Details of allergies, dietary requirements, or access needs shared by you (to ensure guests’ safety and comfort we will keep records of these indefinitely unless deletion is requested)
- With your consent, photographs featuring you taken at the event
Builders
All information collected from Guests, plus:
- All information provided on your Builder application form,
- Any other information you communicate to us (verbally or in writing) during the application process that informs how we handle your application
- Jewish identity and halachic Jewish status
- Payment details, as necessary to take payment for your Buildership
- Gift aid declarations, if provided
- The name, relationship to you, and contact details of a next of kin
- Where other family members are also Builders, your relationship to them
Volunteers and Staff
All information collected from Builders, plus:
- A history of current and past roles held or tasks undertaken
- Records of training undertaken in connection with current or past roles
- Where required for the role, information provided as part of your application, interview, and/or as required by HR relating to your role
- Where required for the role, the results of background checks (such as DBS checks) as well as data required for submitting background check applications
- Records of volunteer contracts
- Where a salary, contractors’ fees, or expense reimbursements are paid, bank details for receiving the payment
Data we collect from other sources
- If you interact with us via social media, we will see your social media profile.
- If you join us us from another Reform Synagogue and/or as an existing member of a burial scheme, we will receive information from that synagogue and/or burial scheme in order to facilitate transferring your membership to Makor Hayim and JJBS.
- If you interact with us online via a third party service (see “Data Sharing” below), we may receive limited data from that third party about your interaction (such as the date and time of the interaction) in addition to what you explicitly provide.
- If you attend an event where your attendance was registered by someone else, we will record any data they provided as part of your registration.
Interaction with our website
This website does not set cookies simply by visiting the website.
Where specific functions, such as logging in or leaving a comment, involve setting cookies, this is indicated.
Comments published to posts are displayed publicly.
Collection of Sensitive data
Makor Hayim sometimes holds categories of data that are particularly sensitive. This includes “special category” data, for which we have specific legal obligations, and other types of confidential information.
For sensitive data, we will:
- Only collect this data about (current and former) Builders and volunteers/staff
- Only retain and use this data as required to carry out our basic functions as a synagogue
- Apply the strictest possible security measures when handling this data
- Never share this data with others without your explicit consent.
Sensitive data we process is:
Jewish identity
This is your personal relationship with Judaism: whether you consider yourself Jewish religiously or culturally. It may
We ask this information of all Builders in order to ensure our community’s cultural and spiritual needs are met. You are free to provide as much or as little detail as you like and can amend or redact this information at any time.
Halachic Jewish status
This is whether you are considered Jewish according to religious law (halacha). The rules are set out by the Bet Din of the MRJ, our parent organisation.
We require this information of all Builders as well as non-Builders who undertake certain roles in services, in order to make sure we are compliant with Jewish law. We can amend this information if it is incorrect or out-of-date, but only the Bet Din can determine or change your halachic status.
According to progressive halacha, you are Jewish if either of your parents is Jewish, or if you have formally converted. This means we will likely know:
- Your family background, and by implication, your ethnic origins (“race”)
- Whether you were “born into” Judaism or converted.
Conversion status is confidential. Where Makor Hayim’s administration is aware that you have converted, we will never share that information with anyone (though you are free to make it known if you wish).
Health or (dis)ability
We collect and store information on allergies and access requirements in order to keep our event attendees safe and ensure we are a comfortable and welcoming environment for everyone.
We only collect data which you provide us directly.
When you register for an event, we may share your access needs with the event host(s) and/or organiser(s) in order to ensure you can safely and comfortably participate at the event. We will advertise who the host(s) and organiser(s) are when we publicise the event. If you are uncomfortable with a host or organiser having access to this information, please let us know so we can make alternative arrangements.
Family circumstances
If your relatives are Builders or involved in the community, we are likely to know your relationship to them. This means we will likely know:
- Whether you have children
- Your marital status
- Your sexual orientation, to the extent that it can be inferred from the identity(ies) of your partner(s) (we do not explicitly ask or record this).
Gender
We record the gender and preferred pronouns of people who we interact with in order to address them and talk about them respectfully.
You are free to update or amend this information at any time, and we won’t ask any questions.
If we become aware of your gender history (for example, if you became a Builder before transitioning, or show us documents that use a previous name or gender), this information is confidential and we will never share it unless you explicitly request us to.
For more information see our inclusion policy.
Who holds my data
Like any small and close-knit community, there is a good chance that the staff and volunteers who handle your data may also be acquaintances, friends or relations. These acquaintances may therefore know information about you that you told Makor Hayim, but didn’t tell them directly. We recognise it’s important to know whether your acquaintances have access to information in this way, and to be able to prevent such access if desired.
The people in the community with access to certain types of data are listed below. If you have concerns about any individual’s access to your data, please contact us to make alternative arrangements for the processing of your data.
- The Office Team is Amita, Stacy, Natalie and SR Yael
- The Finance Team is Dan W and our accountant, Debra
- The Safeguarding Team is Stacy and Amita. Safeguarding emails are also monitored by Natalie
- The Chesed Team is being assembled. Chesed emails are monitored by Natalie in the meantime
Staff members and volunteers are trained on how to handle information about individuals with whom they interact in other contexts. We have put measures in place to ensure that to the best of our ability, data is not shared with individuals where this would be detrimental either to that individual or to the data subject. However, this is not always possible, for example if a staff member/volunteer reads an email that unexpectedly contains the information. If this happens, one of our team will contact you to discuss the best way forward. For details see our Prejudicial Information Policy.
| Data type | Who has access |
|---|---|
| Buildership information | Office team |
| Financial information, including details of where bespoke fees have been arranged | Finance team |
| Access requirements and allergies | Office team Hosts and organisers of any events you register to attend |
| Safeguarding referrals | Safeguarding team SR Yael and/or trustees will sometimes be informed |
| Chesed emails, messages, phone calls | Some or all of the Chesed Team, as most appropriate SR Yael Safeguarding team, where a safeguarding concern is identified |
| Bereavements | Stacy SR Yael Chesed Team where additional support is required |
*Due to shared systems, our office team and finance team have technological access to each other’s data. Our policies prevent them from accessing data not relevant to their own work.
Data sharing with third parties
Makor Hayim shares limited personal data about Builders, Volunteers and Staff:
- With its partner organisations, the MRJ and JJBS (or their successors)
- With consent, publicly on our website, newsletter and social media
- As required by law in order to fulfill our safeguarding duties
With MRJ, for the legitimate interest of meeting our obligations to MRJ as a member Synagogue, we share:
- With consent, Builders’ names, emails, and halachic status
- Aggregate data about our Builders’ ages, halachic statuses, and family arrangements
With JJBS, to fulfill our contract with Builders who are (or wish to become) JJBS members, we share:
- TBC
Public use of personal data
For publicity purposes we share information, which sometimes includes personal data, on WhatsApp (with Builders only), in our email newsletter (with all subscribers), on our social media profiles and on our website (with the general public). This includes naming individuals and photographs
We will not share personally identifiable information about you publicly unless:
- You have consented to the information being shared;
- You were informed of the content of the publicity item before being asked for consent;
- Associating you with Makor Hayim or the context of the publicity item has been assessed not to pose a physical or reputational risk to you
- If a child under 18 is identifiable, we require that the parent(s) have consented, the child has been informed and has consented (if able to do so) or else has not objected, and that there is a significant benefit to sharing the information that cannot be achieved by sharing about adults only.
Although we restrict membership of the Makor Hayim WhatsApp Community to Builders only, it is easy for information shared within the Community to be re-shared to a wider audience. Builders should not share in WhatsApp groups anything they would not want shared with the general public. Members of the WhatsApp Community automatically share their display name, profile picture, and (in most cases) registered phone number with all other members of the Community. For more information and advice see our WhatsApp Policy.
We share in our fortnightly newsletter:
- Birthdays occurring that fortnight
- Yahrzeits (anniversaries of bereavements) occurring that fortnight
- The names of Builders who are experiencing illness.
We also share news of deaths within the community. We do this so that we can celebrate birthdays, mourn our late community members, give well wishes and support, and in the case of deaths, support the bereaved by attending the funeral and shiva.
If you do not want this information shared please let us know.
Use of third-party data processors
We use various third-party service providers to store and handle data on our behalf. These services are legally prohibited from using the data themselves (and in most cases the data is encrypted so that they do not have access to it at all). We choose our third-party providers with privacy and data security as a top priority. However, please note that:
- There is a very small risk of a service provider suffering a data breach leading to your data being leaked
- If you interact with the service provider directly, they may collect data about you for themselves in addition to the data they collect for us. This data collection is beyond our control and is governed by the service provider’s own privacy policy. (Makor Hayim neither has nor seeks access to this data.)
Our data processors are:
Click for full list
| Processor | Uses and categories of data processed |
|---|---|
| Beacon | CRM |
| Eventbrite | Event registration and ticketing |
| Bank | All payments to/from Makor Hayim |
| Xero | Accounting |
| Stripe | Payments by bank card |
| GoCardless | Payments by direct debit |
| Google Workspace | Company emails, calendar, cloud storage, the Chesed Line (using Google Voice) |
| Zoom | Online and hybrid events: – Video and audio recordings of both in-person and online attendees – Display names of online attendees – Contents of chat function |
| Gandi | Web hosting |
| Jetpack | Website analytics |
| Canva | Graphics: – Personal data contained within graphics will be stored on Canva’s servers |
| Meta | – Facebook and Instagram accounts – Staff and Chesed WhatsApp accounts – Personal data contained in messages sent using WhatsApp between MH Volunteers and Staff |
| Sendgrid | Sending automated and bulk emails: – Records of all emails sent – Records of recipient actions (opening of emails and clicking of links) |
| Simple Calendar | Calendar synchronisation – Displays personal information contained in event publicity |
| Zapier | Automation – Transmits all categories of personal data between other platforms |
| DBS Service | Conducting background checks on staff/volunteers |
Data retention and deletion
Coming soon
Data security
Coming soon