Social Finance UK
Social Finance International

Our use of cookies

This website would like to set analytics cookies. These send information about how our site is used to a service called Google Analytics. We use this information to improve our site.

Read more about the cookies we use on our Cookies page.

Accept all cookies Reject additional cookies

Privacy Policy

Last Updated: 15th September, 2025.

Social Finance Limited, registered in England and Wales (No. 06402143) and regulated by the FCA (No. 497568). We are the data controller of your personal data.

Contact us about your data rights:

  • Email: dpo@socialfinance.org.uk
  • Postal address: Data Protection Team, Social Finance Ltd, 3rd Floor, Colechurch House, London Bridge Walk, London SE1 2SX, UK
  • You may also use our online contact form, but the dedicated email provides a clear record and supports faster handling.

Data Protection Officer (DPO):
The role of DPO is covered by our Information Governance Lead and virtual Chief Information Security Officer. For all data queries, please use the contact details above.

This notice applies to personal data we collect through our website, events, and business interactions, unless a separate notice is provided. Investors and funders may receive a separate privacy notice directly, as they are not the primary audience for this website.

Some Social Finance projects may need to process personal data about children (under 18). We always follow strict legal requirements and apply extra safeguards to protect children’s privacy, as set out in UK data protection law and ICO guidance.

  • We use clear language in any information given to children or their parents/​carers.
  • For children under 13, we get consent from a parent or legal guardian before collecting or using personal data.
  • We only collect, use, and share children’s data for the purpose of specific projects, and only what is necessary.
  • We regularly review and update protection measures for children’s data.
  • Any project using children’s data will provide further details and contact information for questions or to exercise data rights.

If you have questions about a particular project involving children’s data, please contact dpo@socialfinance.org.uk for more information on how we protect and manage such data.

Processors: We use third-party processors” (such as IT support, software providers, professional advisers, or payroll services) who handle personal data only under our instructions and must keep it confidential.

Joint controllers: If we ever jointly decide with another organisation how and why your data is used (for example, in a partnership), we will clearly state the arrangement and share the main details in Annex One; this may also include a link to specific notice. At present, Social Finance acts as sole data controller except where otherwise advised.

We only process personal data where we have a lawful basis. The table below sets out the purposes, the data involved, and the lawful bases relied upon:

Purpose

Data Processed

Legal Basis

Providing services and managing relationships

contact details, correspondence, service records

Performance of a contract; legitimate interests (manage stakeholder relationships)

Events, webinars and training

name, contact details, employer, dietary/​accessibility needs

Performance of a contract; explicit consent for special category data

Newsletters and marketing

name, email address, communication preferences

Consent; PECR soft opt-in for existing contacts; opt-out available

Enquiries

name, contact details, enquiry content

Legitimate interests (respond to enquiries about our work)

Investor and funder relations

contact details, financial information, compliance records

Performance of a contract; legal obligation; legitimate interests (due diligence, communication)

Website analytics and performance

IP address, browser type, device identifiers, usage logs

Legitimate interests (strictly necessary cookies); consent (analytics and non-essential cookies)

Security and improvement

system logs, technical data, feedback

Legitimate interests (maintain security and improve services)

Public sources

information from Companies House, electoral register, other public records

Legitimate interests (due diligence, verification); legal obligation (where required)

Statutory/​contractual data:
If we require your data by law or contract and you do not provide it, we may not be able to offer you our services. We will explain at the relevant time if this applies.

CookiesWe use cookies to improve our services and measure performance.

  • Consent is obtained via our cookie banner, which presents Accept all” and Reject all” with equal prominence.
  • No option is pre-selected, consent must be actively given.
  • You can manage or withdraw your preferences anytime using the cookie control icon visible on each page.
  • Strictly necessary cookies are used without consent, based on legitimate interests.

Further details are set out in our cookies policy..

We share your data (only as needed) with:

  • IT and systems support
  • Advisors, consultants, and professional service providers
  • Payment providers and banks
  • Marketing partners (with your consent)
  • Event organisers (where relevant)
  • Regulators, authorities (like HMRC, FCA), or government bodies
  • Project partners — where clearly defined, with agreements to protect privacy

All partners and suppliers are under contracts requiring them to keep your data secure and confidential. We do not sell personal data.

Where we transfer personal data outside the UK, we ensure it is protected by agreements approved under UK data protection law, or to countries with adequate protection.

  • Transfers to countries subject to UK adequacy regulations.
  • Use of the UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs.
  • Transfers to the United States via the UK–US Data Bridge where recipients are certified.

We can provide details of the specific mechanisms and countries involved on request.

We retain personal data only as long as necessary:

  • Enquiry data: up to 2 years after last contact.
  • Marketing data: until you withdraw consent or opt out.
  • Investor/​funder records: relationship duration plus 7 years for legal and audit obligations.
  • Recruitment data: for statutory periods.
  • Event records: up to 2 years after the event unless required longer.

We review and delete data when it is no longer needed, taking legal requirements into account.

We apply technical and organisational measures to keep your data secure and restrict access on a need-to-know basis. We are accountable for protecting your personal data and, if a breach occurs, we will notify you and the ICO where required by law.

You have the following rights under data protection law:

Here are the rights, rewritten in plain English and suitable for privacy notices:

  • See your data – You can ask us for a copy of your personal information and find out how we use it.
  • Correct your data – If anything we hold about you is wrong or incomplete, you can ask us to fix it.
  • Delete your data – In some cases, you can ask us to delete your personal information.
  • Limit how we use your data – You can ask us to pause or limit our use of your data, such as while we check if it’s accurate.
  • Move your data – You can ask for your personal information in a format you can use elsewhere, or have it sent directly to another organisation.
  • Say no to how we use your data – You can object if we use your information based on our legitimate interests.” You always have the right to stop us from using your data for direct marketing.
  • Change your mind about consent – When we rely on your consent (for example, for newsletters, cookies, or health information), you can withdraw it at any time, just as easily as you gave it. If you do, it won’t affect anything we did with your information before you withdrew it.
  • Automated decisions – We don’t make decisions about you using only computers or automated systems that have a legal or significant effect on you. If this ever changes, we’ll let you know about your rights.

These rights may not apply in every situation and depend on the reasons why we are using your data.

You can make a request free of charge, unless the request is clearly unreasonable or repeated too often.

We will usually reply within one month, but if your request is complicated, we may need up to two more months and will let you know if that’s the case.

If you’re unhappy with how we use your data, contact us first. You can also complain to the Information Commissioner’s Office:

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113

Website: ico.org.uk

We may update this policy from time to time. When we make material changes, we will post a clear notice on our website and, where appropriate, contact you directly. Where new consent is required, we will seek it explicitly.

You can request earlier versions of this policy by contacting us at dpo@socialfinance.org.uk.

Project specific variations

Project

Girls and Young Women Local Groups Fund

Data source

Data subjects

Data description

Name and email address (work)

Social Finance Role

Joint data controller with The Mayor’s Office for Policing and Crime (MOPAC)
Personal data will only be processed by Social Finance.
MOPAC will receive pseudonymised and aggregated data from Social Finance.

Purpose of processing

Notify of upcoming market engagement webinars and provide information about the fund

Lawful Basis

Consent
MOPAC have commissioned Social Finance to design and launch the grant fund.

Retention period

Until 31st December 2025

Contact

dpo@socialfinance.org.uk

Stay up to date

Sign up to our mailing list for regular updates.

We'll keep your data secure and won't share it outside of Social Finance, ever. For more details read our privacy policy.