Privacy Policy
Last updated: 1 February 2026
This Privacy Policy explains how The Well Foundation, a Scottish Registered Charity (No. SC040105), collects, uses, and protects your personal data in connection with the WFCS Online Auction platform. We are committed to handling your data lawfully, transparently, and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
The data controller for this platform is:
The Well Foundation
Building 2, Unit C, Ground Floor, 4 Parklands Way, Eurocentral, Holytown, ML1 4WR
Registered office: 211B Main Street, Bellshill, ML4 1AJ, Scotland
Charity Registration No. SC040105
Email: info@wellfoundation.org.uk
As the data controller, we are responsible for deciding how and why your personal data is processed. If you have any questions or concerns about our use of your personal data, please contact us using the details above.
2. Data We Collect
2.1 Account and Registration Data
When you register on the platform, we collect your:
- Full name;
- Email address;
- Password (stored as a one-way hash — we never store your plain-text password); and
- Whether you are a UK taxpayer (for Gift Aid purposes).
2.2 Bidding and Transaction Data
When you place bids or make purchases, we record:
- The lots you bid on and amounts bid;
- Your winning bids and payment status; and
- A delivery address, where you provide one for fulfilment.
2.3 Payment Data
Payments are processed securely by Stripe, our payment processor. We do not store your card number, CVV, or full card details on our systems. Stripe processes payment data as an independent data controller subject to its own privacy policy. We receive only a transaction reference and payment status from Stripe.
2.4 Gift Aid Declarations
If you opt in to Gift Aid, we record your declaration, the date made, and the relevant transaction. This information is shared with HMRC when we claim Gift Aid and is retained for six years as required by HMRC.
2.5 Technical Data
We collect limited technical data for security and performance purposes, including IP address (at login and bid placement) and session identifiers via essential cookies.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance (UK GDPR Article 6(1)(b)): to create and manage your account, process bids, and arrange collection or delivery of won lots;
- Legal obligation (UK GDPR Article 6(1)(c)): to retain Gift Aid declarations and payment records as required by HMRC (six and seven years respectively);
- Legitimate interests (UK GDPR Article 6(1)(f)): to maintain platform security, detect and prevent fraud, and improve the platform — where our interests are not overridden by your rights; and
- Consent (UK GDPR Article 6(1)(a)): where we send you optional communications such as auction reminders, which you may withdraw at any time.
4. How We Use Your Data
We use the data we collect to:
- Operate and maintain your account and bidding history;
- Notify you when you are outbid or have won a lot;
- Process payments and arrange fulfilment of won lots;
- Administer Gift Aid declarations and submit claims to HMRC;
- Detect and prevent fraudulent or abusive activity; and
- Send auction-related notifications (with your consent where required).
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Sharing Your Data
We do not sell or rent your personal data to third parties. We share data only as follows:
- Stripe: to process payments securely. Stripe is certified to PCI-DSS Level 1;
- HMRC: Gift Aid declarations and relevant donor information, where Gift Aid is claimed;
- Fulfilment: your name and delivery address may be shared with a donor or courier where necessary to arrange delivery of a won lot; and
- Legal requirement: where we are under a legal obligation to disclose data (for example, to OSCR or law enforcement).
All third parties with whom we share personal data are required to handle it securely and in accordance with applicable data protection law.
6. Data Retention
We retain your personal data for the following periods:
- Account data: for as long as your account is active, plus 12 months following closure, to allow for any disputes or queries;
- Gift Aid declarations: six years from the end of the financial year in which the relevant claim was made, as required by HMRC;
- Payment and transaction records: seven years, in line with HMRC guidance on financial record-keeping; and
- Security logs (IP addresses, login events): 90 days.
After the applicable retention period, data is securely deleted or anonymised.
7. Cookies
We use only essential session cookies — small text files stored on your device to keep you logged in during your visit. We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required as we rely only on strictly necessary cookies.
You can control cookies through your browser settings, but disabling session cookies will prevent you from logging in to the platform.
8. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access: to request a copy of the personal data we hold about you;
- Right to rectification: to request correction of inaccurate or incomplete data;
- Right to erasure: to request deletion of your data, subject to our legal obligations to retain certain records;
- Right to restriction: to request that we limit how we use your data in certain circumstances;
- Right to data portability: to receive your account data in a structured, machine-readable format; and
- Right to object: to object to processing carried out on the basis of legitimate interests.
To exercise any of these rights, please contact us at info@wellfoundation.org.uk. We will respond within one calendar month. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.
9. Data Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (HTTPS/TLS), hashed passwords, and access controls limiting who can view personal data within our organisation.
No method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee its absolute security and you provide it at your own risk.
10. International Transfers
Our platform and data are hosted in the United Kingdom. Stripe may process payment data in the United States or other jurisdictions where Stripe operates, subject to appropriate safeguards (including standard contractual clauses or adequacy decisions). We do not otherwise transfer your data outside the UK.
11. Children's Privacy
The WFCS Auction platform is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the platform. The date at the top of this page shows when it was last revised. We will notify registered users of significant changes by email.
13. Contact Us
For any data protection enquiries, requests, or complaints, please contact:
The Well Foundation
211B Main Street, Bellshill, ML4 1AJ, Scotland
Email: info@wellfoundation.org.uk
Also see our Terms of Use