Thank you for using Brevio and helping to make the third sector more effective! Brevio has developed a platform standardising grant application forms, increasing efficiency and reducing wastage.

This Policy describes how Brevio collects, uses, and handles your personal data when you use the Brevio website and platform, it also explains your rights under the law relating to your personal data.

Brevio understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our data and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

Who We Are
Brevio is a social enterprise and limited company registered in England and Wales under the Companies Act 2006 (company number – 11984387). Our registered address is 39 Berwyn Road, Richmond, Surrey, United Kingdom, TW10 5BU.

Personally identifiable information will be collected from individuals and organisations and used in the matching process to help funders and charities form mutually beneficial relationships.

Brevio only collects the data it needs for the platform to function optimally and limits its data collection to the essential. The data we collect will vary according to how you use our site:

1.1 Website information
When you visit the website and platform, we use cookies, for details about how we use cookies and your options to manage them, please see our cookie policy in section 6.

1.2 Newsletters
When you sign up to newsletters, the following information is collected:
- Name
- Organisation
- Email address

1.3 Platform information
When you use our platform, the following information is collected:
- Name
- Email address
- Financial information
- Financial documents
- Organisational data
- Governance and policy information
- Activities and focuses
- Operating geography
- Projects and funds
- Details regarding ongoing works or funds, including values, descriptions, applications made and received

1.4 Subscription details
When you purchase a Brevio subscription, using Stripe, you have the choice to pay by card or BACS direct debit.
The following information is collected in Stripe Card payments:
- Name
- Email address
- Card number
- Expiry date
- CVC
- Postcode
The following information is collected in Stripe for BACS direct debit payments:
- Name
- Email address
- Sort code
- Account number
- Full address

1.5 Employee information
Brevio processes personal information on employees as detailed in their employment contracts.

1.6 Surveys and Feedback
From time to time Brevio will send out surveys and other feedback requests to our platform users. While the type of data collected may vary from time to time, the purpose of its collection is to improve the performance and experience of Brevio.

Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data may be used for one of the following purposes:

2.1 To provide charities and funders with the best matches for funding as possible allowing us to:
- Build a profile about your organisation which can be used in the application process
- Use your profile information to assess whether you are eligible for certain funders/charities and match you to them
- Share your personal information to eligible funders/ applicants to enable them to contact one another
- Email you updates with new platform users and offerings
- Use data science/ artificial intelligence (AI) for analytics to increase the ease and efficiency of usage of Brevio, as well as offer insights into your organisation and the sector. These will be used by a number of stakeholders, such as applicants, funders, associations, academics, Government, etc, who have signed onto the Brevio platform
- Please note that when applicants/charities ask us to share information with eligible funders via the platform, those funders become independent Data Controllers for that information. This means that they may determine the purposes and means of processing your personal data and you are advised to review their own privacy notices for details about how they process your data.
‍
‍2.2 Brevio does not share your information with 3rd parties outside the platform.
There are two exceptions to this:
a)When you fill out a form on Brevio, it may send personal / company data to third party validation tools to ensure that eligibility and correct information have been submitted.
b)If we are legally required to share certain personal data, which might include yours, for example if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
c)When you fill out a form on Brevio, we may display some of your organisations funding need information to provide potential grant givers with funding need data for research, and for marketing purposes. This data will not include any PII.
‍
‍2.3 We process your data under our legitimate interests to help us carry out our work providing useful tools and fundraising resources to all types of charities across the UK to save them time and money when researching and applying for funding grants.

‍2.4 If you purchase a Brevio subscription in Stripe, the following information is sent from Stripe to Brevio via a secure API:
- Brevio subscription status (e.g. active or inactive.)
- Brevio subscription product (e.g. Non-Profit or Grant-Maker.)
- Current subscription period
- Subscription start date
This information will allow Brevio to update user access and the graphical user interface according to a users subscription level. The processing of this data is necessary for our performance of a contract with you.
Stripe shares Personal Data as they believe necessary: (i) to comply with applicable law, (ii) to comply with rules imposed by payment method in connection with use of that payment method (e.g. network rules for Visa); (iii) to enforce their contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Stripe, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
For more information, see Stripe’s Privacy Policy at https://stripe.com/gb/privacy
‍‍
Before doing this we will also carefully consider and balance any potential impact on you and your rights. Some typical examples of when we might use the approach are for direct marketing, maintaining the security of our system, data analytics, enhancing, modifying or improving our services, identifying usage trends and determining the effectiveness of our campaigns. When we contact you under our legitimate interests, we will always give you the option to stop receiving these types of communication.

3.1 Brevio takes great care to ensure that personal / company data is securely stored on reputable storage systems

3.2 Brevio takes all reasonable steps to ensure that data is secure and protected to the highest possible standards. Information is protected using a variety of hardware and software measures. Within our office, our internal security policy ensures that all physical pieces of data are managed securely and appropriately. You are responsible for passwords for the platform and recommend using complex passwords and not sharing them with anyone.

3.3 Stripe is a PCI Service Provider Level 1. All card numbers are encrypted at rest with AES-256. Stripe forces HTTPS for all services using TLS (SSL) and uses HSTS to ensure that browsers interact with Stripe only over HTTPS.

3.4 For how long do we hold your information?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

Our normal business practice is to store your personal data in the UK/EEA. This means that it will be fully protected under the GDPR. However, we also use the services of a CRM service, Salesforce, which has implemented safeguards to ensure an adequate level of data protection where your Personal Data is transferred to countries outside the EEA, such as standard contractual clauses for the transfer of Personal Data as approved by the European Commission (Art. 46 GDPR). We also use the services of a payment provider, Stripe, which is a global business. Stripe may transfer the Personal Data to countries other than our own country. Stripe has implemented measures to comply with applicable data protection laws related to such transfers.

5.1 It is important that Brevio makes clear to all platform users, stakeholders, and interested parties, what the data protection rights concerning Brevio are. Users of the platform are entitled to the following:
‍a. The right to be informed about the personal data the Company processes on you;
b. The right of access to the personal data the Company processes on you;
c. The right to rectification of your personal data;
d. The right to erasure of your personal data in certain circumstances;
e. The right to restrict processing of your personal data;
f. The right to data portability in certain circumstances;
g. The right to object to the processing of your personal data that was based on a public or legitimate interest;
h. The right not to be subjected to automated decision making and profiling;
i. The right to withdraw consent at any time.

‍5.2 How Can I Access My Personal Data?
‍
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
‍
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
‍
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
‍
All subject access requests should be made in writing and sent to the email or postal addresses below:
‍
Email: hello@brevio.org
‍
Address: Brevio, The Granary, Upper Baggridge, Wellow, Bath, BA2 8QP
‍
5.3 You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.

6.1 What are cookies?
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. When you visit Brevio’s website and platform, Brevio collects information from you automatically through cookies, or similar technology.
‍
For further information on cookies visit: https://www.allaboutcookies.org/
‍
6.2 Brevio uses cookies in a number of ways which are aimed to improve the user experience on the website and platform. These uses include:
i. Keeping users signed into the platform if they leave the platform and wish to return quickly
‍
ii. Understanding how users are interacting with the website and platform which can help Brevio build an easier, more user-friendly website and platform.Brevio does not use cookies related to its own, or third party, advertising or marketing.
‍
6.4 How to manage cookies
You are able to set up your internet browser in a way that does not accept cookies, and the URL at the above-mentioned website (Section 6.1), outlines how to do this. However, in some cases, some of Brevio’s website/platform features do not function as a result of removing cookies. An example is that Brevio may not be able to maintain your logged in status.
‍
6.5 Usage of Hotjar
We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
‍
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

6.6 Usage of MouseFlow
We use Mouseflow: a website analytics tool that provides session replay, heatmaps, funnels, form analytics, feedback campaigns, and similar features/functionality. Mouseflow may record your clicks, mouse movements, scrolling, form fills (keystrokes) in non-excluded fields, pages visited and content, time on site, browser, operating system, device type (desktop/tablet/phone), screen resolution, visitor type (first time/returning), referrer, anonymized IP address, location (city/country), language, and similar meta data. Mouseflow does not collect any information on pages where it is not installed, nor does it track or collect information outside your web browser.
If you'd like to opt-out, you can do so at https://mouseflow.com/opt-out.
If you'd like to obtain a copy of your data, make a correction, or have it erased, please contact us first or, as a secondary option, contact Mouseflow at privacy@mouseflow.com.

For more information, see Mouseflow’s Privacy Policy at http://mouseflow.com/privacy/.
For more information on Mouseflow and GDPR, visit https://mouseflow.com/gdpr/.
For more intormation on Mouseflow and CCPA visit https://mouseflow.com/ccpa.

Brevio’s website and platform contains links to other websites, such as funders, applicants websites, and social media pages. Brevio’s Privacy Policy applies solely to the Brevio website and platform. Therefore, if you follow a link from Brevio’s website or platform to another website, please read the other website’s respective privacy policy to ensure that you are happy with its approach to usage, security, and compliance.

Brevio continually reviews its Privacy Policy, along with its security measures and compliance and may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Any Privacy Policy updates will be shown here. This version of the Privacy Policy was last updated in July 2023.