Project 53: Data Protection & Privacy Policy

Effective Date: January 25, 2026

1. Our Mission and Data Philosophy

Project 53 ("the Charity") delivers excellence in crisis response and community resilience. Whether you are a responder in the field or a supporter visiting our online store, we treat your data with the highest level of security. We operate under the principle of Data Minimisation—we only collect what is essential for safety, mission success, and service delivery.

2. Privacy Notice (External: Members, Customers & Visitors)

2.1 The Data We Collect

• Charitable Operations: Name, contact details, CV, nearest city (for regional mapping), emergency contacts, and medical data relevant to deployment safety.

• Operational Comms: Mobile numbers and user-initiated Live Location.

• E-Commerce (Powered by Shopify): Shipping/billing addresses, financial information (credit/debit cards), account credentials, and transaction history.

• Digital Interaction: IP addresses, device information, and "usage information" regarding how you navigate our Web Services.

2.2 Our WhatsApp Ecosystem

To maintain real-time coordination, Project 53 utilises a WhatsApp Community.

• Announcement Channel (Mandatory): For mission-critical alerts & Organisation Wide Messaging. This Channel is a condition of membership.

• General Sub-Groups (Optional): For Networking & Operations. Members are added via a "Soft Opt-in" but have the right to opt-out/leave at any time without affecting their membership.

2.3 Lawful Basis for Processing

• Recognised Legitimate Interests (DUAA 2025): For Emergency Response and Public Safety.

• Contractual Necessity: To fulfill orders placed on our store, manage membership agreements, and process payments.

• Legal Obligation: For DBS vetting and health & safety compliance.

• Explicit Consent: For sensitive Medical Data and promotional marketing (email/SMS).

2.4 Children’s Data (Ages 13-18)

Our Charitable Services involve young volunteers. We act in the best interests of the child, providing age-appropriate privacy information. However, our E-Commerce Store is not intended for use by children under the age of majority. We do not knowingly collect financial data from minors.

3. Internal Data Governance (Staff & Leads)

3.1 Data Protection by Design

• Access Control: Access to sensitive data (Medical/Financial/Vetting) is restricted to designated Leads and authorized Shopify staff only.

• Breach Procedure: Any suspected data breach must be reported to info@project53.org within 2 hours. If a breach puts individuals at risk, the Data Controller will notify the ICO within 72 hours.

3.2 System Architecture & Security

We utilize a "Cloud-First" approach with vetted providers:

• Google & Jotform: Primary storage on EEA-based servers (Germany/Netherlands).

• Shopify: Hosted globally. Information submitted via the store is shared with Shopify to facilitate transactions and fraud prevention.

• WhatsApp: End-to-end encrypted for operational security.

3.3 Data Retention & Disposal

• Store Account Data: Retained as long as the account is active.

• Unsuccessful Applicants: Deleted after 6 months.

• Active Members: Duration of membership + 1 year (for insurance and audit).

• ID Photos: Deleted immediately upon termination of membership.

4. Technical Appendix & Transfers

4.1 Approved Data Processors

4.2 Governance & DPO

The Data Protection Officer (DPO) is appointed and overseen by the Board of Trustees.

5. Your Rights and Complaints

Depending on where you live, you have the right to access, correct, delete, or port your data.

• Withdrawal of Consent: You can withdraw consent for medical data or marketing at any time.

• Complaints: We provide an Electronic Complaint Form [Link] for quick resolution. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

6. Contact Details

Data Controller: Project 53

Address: 13 Freeland Pk, Lytchett Matravers, Poole, ENG, BH16 6FH, GB

Email: info@project53.org