Privacy notice
Privacy Notice
Introduction
Scotland’s Charity Air Ambulance (also referred to as ‘the charity’, ‘we’, ‘our’ or ‘us’) is the Data Controller over any personal data we process about you for the purposes set out in this Privacy Notice (see below). This notice outlines what personal data the charity collects and processes about you in various situations, which we have explained below. This notice does not cover personal data we process about our staff, workers, or volunteers.
The categories of data subjects whose personal data is covered by this privacy notice include; patients and victims of accidents, patients’ next of kin, supporters, donors, participants in fundraising events, third-party healthcare employees, employees of public authorities, employees of corporate partners, individuals who make enquiries or purchases of our products or services, such as through our life saving lottery, via our website or over the phone or email.
Please read through the privacy notice to understand how the charity uses and processes your personal data. If you have any concerns about our processing of your personal data or you have a general enquiry in relation to data protection please contact our Data Protection Officer at dpo@scaa.org.uk
What is personal data?
Personal Data: means any information relating to an identified or identifiable living person (‘data subject’); an identifiable living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Category of Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
When we use the term ‘personal data’ we mean both personal data and special category of data.
Our Processing
Personal Data is collected in several different ways dependent on your interaction with the charity. The table below sets out what personal data we process about you, where we get it from, why we use it, our legal basis and who we share it with. Otherwise we will only share your personal data:
1. where we are required to share your personal data in accordance with law e.g. such as to assist with investigations carried out by the police, other authorities or any regulatory requirement to which the charity is subject;
2. where we use third parties to undertake certain services on our behalf and in doing so they require to process personal data in order to do this. If so, we will ensure that adequate arrangements are in place to protect your personal data. These third parties include: our professional advisors, our DPO, our website host provider, cloud storage suppliers, CRM suppliers, marketing platforms (including parties used for sending email marketing communications), lottery agents, IT infrastructure suppliers, payroll provider, donation site, payment bureau provider, postal mailing housing, fundraising management sites, fundraising event organisers;
3. where we have your consent.
Purpose | Personal Data | Where do we get it from? | Legal Basis | Will we share it other than as set out above ? |
To enable SCAA to process donations from you. | Name, email address, postal address, telephone number, bank details, transaction description and payment amount. | From you | Legitimate Interest to process donations for the benefit of the charity. | Donations will be operated by two separate payment providers including:
|
To process and deliver your order from our online shop (operated by Shopify at shop.scaa.org.uk) | Name, email address, postal address (including billing address and shipping address), phone number, bank details, any information you provide to us, any username and password you create, answers to security questions and any information you provide to us. | From you | Performance of a contract with you | Yes with Sage pay, Access Paysuite and Shopify |
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy notice (b) Asking you to leave a review or take a survey | Name, email address, postal address, phone number, any information you provide to us. | From you | Performance of a contract with you Necessary to comply with a legal obligation Necessary for our legitimate interests (to keep our records updated and to study how customers/supporters use our products/services) | Yes with telemarketing company or other agency |
To respond to enquiries (online and otherwise) or indications of wishes to support the charity. | Name, Email address, any information you provide to us. | When you submit an enquiry on our website, use our online forms, email, text, telephone, post or when we meet you face to face. We may also receive personal data from independent event organisers e.g. the Edinburgh Marathon and fundraising sites (e.g. Just Giving) where you have given them this information and indicated you would like to support our charity. | Legitimate Interest – it is in our legitimate interest to respond to enquiries, requests and information within feedback forms so that we can engage with individuals to the benefit of the charity. Consent | No |
To facilitate and manage your participation in fundraising events that we run. | Name, postal address, telephone number, email address.
| From you | Legitimate Interest – it is in our legitimate interest to manage participation in our fundraising events. | Yes, with third party event providers who assist us in running our events (e.g. Zone Events). |
To enable SCAA to provide you with our direct marketing communications by email or text. | Name, email and telephone number | From you | Consent | No |
To enable SCAA to provide you with our direct marketing communications by telephone or post. | Name, telephone number and address. | From you | Legitimate interest, which is to promote our charitable objectives and to increase fundraising. | No |
To enable third party partners to provide you with direct marketing about SCAA in electronic communication form such as targeted online (including on social media platforms) or TV marketing. | Name, address, email address. | From you | Consent | Third-party marketing and media (including social media) platforms (such third parties may use third parties to verify your identity). |
To inform our marketing strategy by analysing and profiling our marketing database and to identify others that may be interested in hearing from us (called Lookalike audiences). This helps us to understand our donors better. | Name, address, email address, donation. | From you | Our Legitimate Interest to inform and maximise our marketing strategy with a view to further supporting the charity. | Third parties providing data analytic services. |
Managing our donor database and our relationship with donors and keeping our donors database up to date | Name, address, email address, telephone. | You and/or third party publicly available resources such as the Royal Mail’s National Change of Address database. | Our legitimate interests of keeping our database up to date, accurate and relevant. | Third-party data cleaning service providers |
To conduct research using publicly available sources to estimate your ability and/or likelihood to donate at certain levels to us – see “Research Profiles” paragraph below. | Name, address, property/business ownership, visible assets, employment history, history of charity giving | You and publicly available sources such as corporate websites, public social media accounts, the electoral register and Companies House | Our legitimate interests in in understanding our donors further in order to raise more money in the most effective and appropriate ways. | No |
To ask you to make introductions to your networks with the aim of being introduced to potential high value donors we have identified. | Name, address, social media activity and contacts, Board membership, community involvement | You and publicly available sources such as corporate websites, public social media accounts, the electoral register and Companies House | Our legitimate interests in in understanding our donors further in order to raise more money in the most effective and appropriate ways and to grow our network of donors. | No |
Processing gift aid | Name, postal address, email address, telephone number, bank details, the fact you are a UK tax payer, the reason for your donation and whether it is in memory of another person. | From you | Legitimate Interest to process donations for the benefit of the charity. Legal obligation to process direct debit under direct debit agreement. | HMRC for purposes of Gift Aid. Payment bureau provider administering the payment. |
Organise and manage the life-saving lottery operated by SCAA including the distribution of prizes and publicising of winners. | Name, postal address, email address, date of birth. | Third-party lottery organiser. | Legitimate interest to generate income for the benefit of the charity. | Third-party lottery provider called Tower Lotteries Payment bureau provider administering the payment (Access PaySuite). |
Case studies | Name, email, phone number details of the call out. | From you or third parties involved in a call out. | Consent | With the public (i.e. for news articles, fundraising campaigns, social media posts). |
Will writing service | Name, postal address, email address, telephone number, data relating to your enquiry. | From you | Consent | Watermans Legal Ltd. |
Managing relationships with our corporate partners. | Name and contact details of our point of contact at the corporate partner. | From you | Our legitimate interest of managing our relationship with our corporate partners. | No. |
Cookies | Data about your use of our website. | From you | Legitimate interest to understand use of our website in order to maximise its usability. Consent for non-essential cookies. Please visit our Cookie Notice for further information. For specific information about the cookies which are in use on our online shop, operated by Shopify, see https://www.shopify.com/legal/cookies. | Google Analytics, Facebook Pixel, Hotjar, Shopify |
To record who visits our premises. | Name, contact details, company/organisation, date and time of visit, vehicle registration number | From you | Our legitimate interest of documenting visitors to our site for security and fire safety purposes. | Babcock International Group, The Civil Aviation Authority, Aberdeen Airport |
Research on donors
We may carry out research to identify individuals who have potential as high value donors. We do this by researching some of our existing donors and their networks with the aim of asking existing donors to introduce us to potential high value donors we have identified.
We may estimate your ability and/or likelihood to give at certain levels, based on information about you that we have obtained from publicly available and reputable sources, including Companies House, social media and the electoral register. We may segment our existing donor database by putting supporters into groups with similar characteristics, and tailor communications to these groups to make them more relevant. Examples could include referencing a campaign this group have already supported or highlighting an event in their local area.
In terms of asking existing donors to introduce us to potential high value donors we have identified, we may use information to prepare for one-to-one meetings and bespoke events where supporters are in attendance, to ensure you and any potential new donors have the best experience possible.
Information used to conduct searches will include the name and address of donors. This information is provided by you when you make a donation. We will rely on you to update us if your name and/or address changes.
As a charitable organisation funded by donations, this processing is undertaken on the basis that it is in our legitimate interests in understanding our donors further and to raise more money in the most effective and appropriate ways by identifying and researching potential high value donors using the methods described. This will also allow us to better tailor marketing communications to donors and to invite you to events that may be of interest to you.
We will only ever use social media platforms (being LinkedIn, Facebook and X) in accordance with their own terms and conditions and only to collect information from the last 12 months. Information we collect is limited to your contacts list, followers and following lists and connections (where these are publicly available), basic account information and pages you have ‘liked’ or followed. If you have an account on one of these platforms, you will have agreed to these terms and conditions yourself. All social media platforms must comply with data protection laws when processing or storing the personal data of individuals and have a responsibility to store and process data in a fair and transparent way.
If you would prefer us not to use your personal data in this way, please contact our Data Protection Officer at dpo@scaa.org.uk.
Fundraising Events
You may give us your information directly when you sign up to participate in an event run by SCAA. We may share this with our with third party event providers who assist us in running our events (such as Zone Events).
You may give us your information indirectly when you sign up to participate in fundraising events run by third parties or contribute to SCAA via fundraising sites like JustGiving or Enthuse. These independent third parties will pass your data to SCAA where you have indicated that you wish to support SCAA and have given your consent.
Will we share your Personal Data outside of the UK?
Some of our service providers process personal data we give them outside of the UK. Where this happens and the recipient country is not deemed adequate by the UK Government, then we will put in place additional measures to protect your personal data by using specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Retention
SCAA shall keep your personal data for as long as is necessary and in accordance with our Data Retention Archiving, and Erasure Policy. In short, we retain general correspondence and emails for 1 year from receipt; inactive donor records for 3 years, after which we will archive your record; active donor records for as long as required until 3 years inactive, after which we will archive your record; financial records for up to 6 years.
Your rights
You have certain rights under data protection law, which are summarised below. You can exercise these by contacting our DPO on dpo@scaa.org.uk:
- you can withdraw your consent (including for marketing) at any time, at which point we shall stop processing your personal data in that way. Please note this does not affect the legality of our processing up to the date of your withdrawal of consent.
- you can seek to restrict our processing of your personal data, ask us to rectify any personal data we hold about you or object to us processing your personal data for the purposes stated above.
- you have the right to access personal data held by us about you.
- in certain circumstances you have the right to ask us to provide you with your personal data in a structured, commonly used and machine-readable format to allow you (or us on your behalf) to transmit this information to another party.
- in certain circumstances you have the right to ask us to erase the personal data we hold about you. We will consider any such request in line with UK GDPR. Please note this is not an absolute right and there may be circumstances where we choose not to delete all of the personal data we hold about you.
- you have the right to lodge a complaint with the Information Commissioners Office (ICO) if you think that we have infringed your rights. You can find more information about reporting a matter to the ICO at the following link: https://ico.org.uk/
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Website
The SCAA website www.scaa.org.uk may contain links to other websites. Please note that SCAA has no control of websites outside our domain. The charity is not responsible for the protection and privacy of any sensitive information provided to a website linked to scaa.org.uk
Changes
We reserve the right to amend this privacy notice from time to time.
Last Updated: August 2025