Document: CPL-POL-001  ·  Version: 2.0  ·  Effective: May 2026  ·  Next review: May 2027

The short version. Thank you for trusting Capital Pride London with your information. In plain English: we collect your name, email and (if you donate) some basic details — only to do the things you've asked us to do, like processing your volunteer application or your donation. We use a small set of well-known third-party tools to run the website, send emails and accept donations. We never sell your data. You can ask to see, correct, or delete it at any time. The rest of this Policy is the legal detail behind that.

1. Who we are

Capital Pride London (“we”, “us”, “our”) operates the website capitalpridelondon.com (the “Service”). The .org domain redirects to .com. This Privacy Policy explains how we handle personal data we collect through the Service and through our community activities. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 as amended (PECR).

Capital Pride London is the data controller responsible for your personal data.

Privacy enquiries: data@capitalpridelondon.com

We are not required to appoint a Data Protection Officer under UK GDPR. Privacy enquiries are handled by the Board.

2. Why we are allowed to process your data

We process personal data under one or more of the following lawful bases set out in Article 6 of the UK GDPR:

• Consent — you have given clear consent for us to process your data for a specific purpose (for example, signing up to our newsletter).
• Contract — processing is needed to fulfil a contract with you, or to take steps at your request before entering one.
• Legal obligation — processing is needed to comply with the law.
• Legitimate interests — processing is necessary for our legitimate interests as a community organisation, where these are not overridden by your rights.

2.1 Special category data (Article 9)

As an LGBTQIA+ community organisation, some of the data we hold may reveal information about your sexual orientation, gender identity, ethnicity or health (for example, accessibility requirements in a volunteer application). Under Article 9 of the UK GDPR this is “special category data” and needs an additional lawful basis. We rely on one of the following, depending on the context:

• Explicit consent — for volunteer applications and event registrations where you actively tell us this information.
• Carried out in the course of our legitimate activities as a not-for-profit body (Article 9(2)(d)) — for member and supporter records, where the information stays with us and isn’t shared without your consent.
• Information you have manifestly made public yourself (Article 9(2)(e)) — for example, comments you post publicly on our social channels.

3. Information we collect

3.1 Information you give us

• Name, email address, and (where relevant) phone number or postal address.
• Details you provide on volunteer or partnership application forms, including any accessibility needs you choose to share.
• Event registration and attendance information.
• Communications you send us (emails, form submissions, social media messages).
• Your communications preferences.

3.2 Information collected automatically

When you visit capitalpridelondon.com, we automatically collect limited technical information through cookies and analytics:

• IP address, browser type and version, operating system, time zone setting.
• Pages you visit, time spent on pages, navigation patterns and referring URLs.
• Anonymised analytics data via Google Site Kit / Google Analytics 4.

3.3 Payment information

When you make a donation, payment is processed by Fundraise Up. Your card or bank details are entered directly into Fundraise Up’s PCI-compliant payment infrastructure. We do not see, store or process your payment card information. We do receive non-sensitive donation metadata (name, email, amount, date, designation).

4. Cookies and similar technologies

Our website uses cookies to make it work, to remember your language preference, to measure how the site is used, and to protect against spam. We comply with PECR; you control non-essential cookies through the consent banner that appears on your first visit. You can change your preferences any time by clicking “Manage cookie preferences” in the footer.

4.1 Types of cookies we use

• Essential cookies — required for the site to function (session, security, language preference). These do not require consent.
• Analytics cookies — Google Analytics 4 (set by Google Site Kit) collects anonymised usage data so we can understand which content is useful. Disabled until you opt in.
• Functional cookies — used by features like our donation modal (Fundraise Up) to remember choices during your visit.
• Marketing cookies — set by HubSpot (which captures form submissions to our CRM) and Google reCAPTCHA (which protects forms from spam). Disabled until you opt in.

You can also control cookies through your browser’s privacy settings. Blocking all cookies may stop some features from working.

5. Who we share your data with

We share personal data only with the third-party services we need to operate. Each provider is contractually bound to process your data in line with our instructions and applicable law.

5.1 Current subprocessors

• Bluehost (US) — website and email hosting.
• Microsoft 365 (UK / EU / US) — email mailboxes (hello@, board@, volunteer@, data@), document storage.
• HubSpot (US / EU) — Customer Relationship Management. Form submissions on our site are automatically captured to HubSpot as contact records.
• Fundraise Up (US) — donation processing. They take card details directly; we receive only non-sensitive donation metadata.
• Google LLC (US) — Site Kit / Google Analytics 4 (anonymised usage analytics), reCAPTCHA v3 (spam protection on forms).
• Brevo / Sendinblue (EU) — transactional and marketing email delivery.
• TranslatePress (EU) — website translation plugin operating on our hosting.
• Elementor and Contact Form 7 — form plugins operating on our hosting; submissions stored in our own WordPress database.

We do not sell your data. We do not allow third-party providers to use your data for their own marketing.

5.2 Other circumstances

• Event partners — only with your explicit consent and only for the specific event purpose.
• Legal requirements — law enforcement, courts, regulators or government authorities where we are legally compelled to disclose, or where disclosure is needed to protect rights and prevent harm.
• Business changes — if our activities transfer to a successor entity (for example, on incorporation as a CIO), data may transfer with appropriate safeguards.

6. International transfers

Some of our subprocessors are based outside the UK, primarily in the United States and the European Union. Where we transfer data outside the UK we rely on one or more of:

• Adequacy decisions (for example, EU/EEA countries and UK-recognised adequacy regimes).
• UK International Data Transfer Agreement or the UK Addendum to EU Standard Contractual Clauses.
• Other recognised safeguards approved by the Information Commissioner’s Office.

7. How long we keep your data

We only keep personal data for as long as we need it. When deciding how long to keep something we consider the amount and sensitivity of the data, the purpose we collected it for, and any applicable legal requirement.

7.1 Indicative retention periods

• Volunteer application data: kept while you are an active volunteer and for two years after your involvement ends, then deleted unless you ask us to keep it longer.
• Event registration data: three years after the event.
• Donation and financial records: seven years from the date of donation, once CPL is formally incorporated and registered (in line with charity and HMRC requirements). Until incorporation, we retain only what is necessary to operate.
• Newsletter contacts: until you unsubscribe or ask us to delete.
• Website analytics: 26 months (the maximum default in Google Analytics 4).

8. Photography at events

Our public events are visual community moments, and we routinely take photographs and video for use in news, social media, supporter communications and future event promotion. By attending you should expect to appear in general crowd, atmosphere or scene shots; we don’t seek individual consent for these.

For close-up or identifiable individual portraits, we ask first. If you appear in an image and would like it removed, email data@capitalpridelondon.com and we’ll take it down from our channels.

9. Your rights

Under UK GDPR you have the following rights:

• Right to access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct anything that is inaccurate or incomplete.
• Right to erasure — ask us to delete your data, in certain circumstances.
• Right to restrict processing — ask us to pause processing in certain circumstances.
• Right to data portability — ask us to send your data to another organisation, in a structured, commonly used, machine-readable format.
• Right to object — object to processing based on legitimate interests, direct marketing, or research and statistics.
• Right to withdraw consent — where we rely on your consent, you can withdraw at any time. This doesn’t affect anything we did legitimately before you withdrew.

To exercise any of these rights, email data@capitalpridelondon.com. We’ll respond within one month. We may need to verify your identity first. For unusually complex requests we may extend by up to two further months — we will tell you if that applies.

You can lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not complied with data protection law:

• Information Commissioner’s Office — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
• Helpline: 0303 123 1113
• Website: ico.org.uk

10. How we protect your data

We use appropriate technical and organisational measures to protect your data against unauthorised or unlawful processing, accidental loss, destruction or damage. These include:

• HTTPS encryption for all traffic to and from the website.
• Access controls and multi-factor authentication on administrative accounts.
• Vendor due diligence on each subprocessor, including their security posture.
• Regular reviews of who has access to what.
• An incident response process for suspected data breaches.

If a data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you and the ICO without undue delay, in line with the legal timeframes.

11. Children’s privacy

The site is not aimed at children. We do not knowingly collect personal data from anyone under 13 (the age of consent for information society services under UK data protection law).

Separately, our Volunteer Code of Conduct sets a minimum volunteering age of 18. If you are under 18 and want to support Capital Pride London, please contact us and we’ll suggest age-appropriate ways to help.

If you are a parent or guardian and believe we have collected information about your child, please contact data@capitalpridelondon.com and we will remove it.

12. Marketing communications

If you opt in to our newsletter, we’ll send you occasional updates about Capital Pride London — events, fundraising and community news. Each marketing email includes a one-click unsubscribe link. You can also email data@capitalpridelondon.com to be removed.

13. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The “Effective” date at the top tells you when it was last revised. Material changes will be flagged on the website and, where appropriate, by email.

14. Contact us

Privacy enquiries: data@capitalpridelondon.com
General enquiries: hello@capitalpridelondon.com
Board / safeguarding / raising concerns: board@capitalpridelondon.com

© 2026 Capital Pride London. All rights reserved.