Privacy Policy

Effective Date: March 2026

Introduction

BAK UP CIC ("we", "our", "us") is committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use the BAK UP E-Voucher App.

Organisation Details

  • Organisation: BAK UP CIC
  • Registered Address: Enterprise Centre Warth Park Raunds, NN9 6GR
  • Contact Email: admin@bakupcic.co.uk
  • ICO Registration Number: ZB394154

Who This Policy Applies To

This policy applies to:

  • Individuals / Beneficiaries receiving support
  • Charitable organisations and referral partners
  • Schools and educational institutions
  • Shop owners, retailers, and local farmers participating in the scheme

Personal Data We Collect

Individuals / Beneficiaries

We may collect:

  • Full name
  • Address / postcode
  • Contact details (phone/email)
  • Household composition
  • Financial / vulnerability information
  • Referral details
  • Voucher usage history

Charitable Organisations / Schools

We may collect:

  • Organisation name and registration details
  • Contact persons
  • Email and phone numbers
  • Referral records and case notes
  • Safeguarding-related information (where applicable)

Shop Owners / Local Farmers

We may collect:

  • Business name and address
  • Owner/operator details
  • Bank/payment details
  • Transaction records
  • Product/service categories

How We Use Your Data

We use personal data to:

  • Deliver and manage the E-Voucher scheme
  • Verify eligibility and prevent fraud
  • Process referrals and allocate support
  • Facilitate transactions between users and vendors
  • Monitor impact and outcomes
  • Improve services and user experience
  • Meet legal and safeguarding obligations

Lawful Basis for Processing

We process data under:

  • Consent (Article 6(1)(a))
  • Contractual necessity (Article 6(1)(b))
  • Legal obligation (Article 6(1)(c))
  • Legitimate interests (Article 6(1)(f))
  • Substantial public interest (for sensitive data, Article 9)

Data Sharing

We may share data with:

  • Local authorities and funders
  • Partner charities and referral organisations
  • Schools and safeguarding bodies
  • Payment processors
  • Retailers and participating vendors

We will never sell personal data.

Data Retention

We retain data:

  • Only for as long as necessary
  • Typically, between 1–20 years, depending on:
    • Funding requirements
    • Legal obligations
    • Safeguarding considerations

Data Security

We implement:

  • Encrypted systems and secure servers
  • Access controls and role-based permissions
  • Regular security reviews
  • Staff training on data protection

Your Rights

Under UK GDPR, you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing

Safeguarding and Sensitive Data

We may process sensitive data (e.g. health, vulnerability) to:

  • Provide appropriate support
  • Ensure safeguarding
  • Prevent harm

All such data is handled with strict confidentiality.

Complaints

You can complain to:

Information Commissioner's Office (ICO)

Website: https://ico.org.uk