Privacy policy

Who are we?

Mercy Corps is powered by the belief that a better world is possible. It works with people to put bold solutions into action – helping them triumph over adversity and build stronger communities from within. We are also committed to respecting and protecting the privacy rights of our donors, supporters, and visitors to our website, and to being transparent about what we do with your data. The following information details how Mercy Corps Europe collects, protects, manages and uses the data we receive.

Mercy Corps Europe is a registered charity in Scotland (SC039570)

How can you contact us?

If you have any questions or concerns regarding our Privacy Policy or our processing of your personal information, please contact:
The Data Protection Officer
Mercy Corps Europe
96/3 Commercial Quay

Personal information

Personal information is information that relates to an identified or identifiable living person and Mercy Corps Europe records and processes personal information every time it receives support for its charitable projects throughout the world. It also holds information about some of those who benefit from the work of the charity and its team members.

Mercy Corps Europe realises how important it is to protect people’s privacy, to be transparent about how it uses personal data and to keep that data secure.

This is how Mercy Corps Europe looks after personal information

When we record personal information we will: 

  • Let you know why it is needed, where it is not obvious
  • Be transparent about the use to which it is put
  • Only ask for what is necessary and not information that is excessive or irrelevant
  • Make sure nobody has access to it who should not
  • Ensure that those handling the information are given guidance on their responsibilities
  • Share it with other organisations only where permission has been given or where the law allows
  • Keep it only for as long as it is needed. We, in turn, rely on you to give us accurate information.

How do we obtain your personal information?

Mercy Corps Europe collects information in the following ways:

When you give it to us directly
You may give us your information when you make a donation, are acting as a representative of a company who is supporting or working with Mercy Corps Europe, respond to a communication from us, sign up for an event, or join our mailing or email list. Some of the ways we receive this information includes on a secure form on our website, when you contact us by phone, post or email, speaking to you in person, when you provide information to us via one of our social media channels, including Instagram, LinkedIn, Facebook or X/Twitter.

When you give permission for a third party to share it with us
Your information may be shared with us by third parties. This includes online fundraising websites and online campaigning websites. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to their privacy notices.

When providing your information to us via these channels, you should check the privacy policy and settings of these companies to understand how they will use and share for processing any information you have provided to them.

What information do we collect?

Personal information is any information that can be used to identify you. For example, this can include your name, address, telephone number, email address, age, date of birth, location, gender, your prior involvement with our fundraising campaigns, contact preferences and consents, gift aid status, reason for donating/fundraising, your school or organisation name, your charity activity, details of executors and beneficiaries and your family relationships, bank details, and credit or debit card details. We only collect personal information that is relevant to the type of interaction you have with Mercy Corps Europe. For example, we will collect your credit or debit card details to process a donation or purchase but will not keep or store these after the transaction has completed.

Prospect research

In our efforts to tailor our engagement with individuals and organisations who may wish to give a gift to Mercy Corps, we may supplement any information we have about you by seeking publicly available personal information. This can include personal information, including contact details and opinions, relevant to our work that has been made publicly accessible on websites, professional directories, or social media platforms such as LinkedIn. We use this solely for purposes that align with our mission, such as researching levels and areas of potential engagement and/or donation, information dissemination, and networking. When using publicly available information, we ensure that our activities are compliant with data protection laws. We also regularly review our practices to align with best practices in data protection and privacy.

We may use third parties, such as Dataro, to assist with segmenting and analysing our database of supporters. This information helps us target our fundraising to reach new potential supporters, ensuring we reach out to those likely to be interested in our work with the ability to financially support our organisation.

We are committed to respecting the privacy and preferences of individuals. You have the right to opt out of certain types of processing, to opt out of any communications from us, request a copy of data that we hold on you or ask for your data to be deleted.

Your credit or debit card information

If you use your credit or debit card to donate to us, we pass your card details securely to our payment processing partner as part of the payment process. We do this in accordance with the Payment Card Industry Security Standard, and don’t store the details on our website or databases.

If you’re under 16

If you’re aged under 16, you must get your parent/guardian’s permission before you provide any personal information to us.

Why are we allowed to process your personal information?

Our Privacy and Cookie Policies take into account several laws, including:

  • the Data Protection Act 2018
  • the UK General Data Protection Regulation
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003
  • General Data Protection Regulation (EU) 2016/679
    • Generally, our processing of your personal information as described in this policy is allowed by these laws based on one or more lawful grounds, including:
  • Where you have provided your consent to us using your personal information in a certain way.  For example, we only use your information to send you marketing communications by email or text with your consent.  We also may ask for your explicit consent if you share sensitive personal information with us.
  • Where the processing is reasonably necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract. For example, we may rely on this basis where you apply to work for us.
  • Where the processing is reasonably necessary to comply with a legal obligation to which we are subject. For example, we may rely on this basis where we are obliged to share your personal information with a regulator or HMRC.
  • Where the processing is reasonably necessary for the purpose of a legitimate interest pursued by us or a third party and your privacy rights do not override the legitimate interest.
    • For example, we rely on legitimate interests for activities such as sending marketing communications by post or telephone unless you have told us that you would prefer not to hear from us in this way, contacting you as a representative of an organisation about charity partnerships or in order to organise an event, analysing your interaction with us to improve our internal business processes, and keeping lists of people who no longer wish to be contacted (known as a suppression list) to ensure that we do not unintentionally contact them in the future.
    • Where we are relying on legitimate interests to process your personal information, we will consider any potential impact on you (positive or negative), your rights under data protection laws, and will not use your personal information for activities where the impact on you overrides the legitimate interests in the processing.
    • Where we process sensitive personal data, we will make sure that we only do so in accordance with one of the additional lawful grounds for processing that type of data, such as where we have your explicit consent or you have made that information manifestly public.

Our lawful basis for processing

Whenever we use your information we must have something called a “lawful basis” for what we do. The different lawful bases we rely on are:

  • Consent – you have told us you are happy for us to use your information for specific purpose(s) e.g., direct marketing. You can withdraw your consent at any time by contacting us.
  • Legitimate Interest – the use of your information is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
  • Performance of a contract – we must use your information to be able to provide you with one of our services or products.
  • Legal obligation - we are required to use your information by law.

How do we use your information?

How we use your information largely depends on the reason you have provided it to us. We may use your information in the following ways:

  • To keep a record of your relationship with Mercy Corps Europe and for internal purposes, such as administration and accounting.
  • To look into complaints or legal issues.
  • To claim Gift Aid on your donations.
  • To give you information you have asked for, update you on our work and provide you with opportunities to support and get involved with Mercy Corps Europe (see section on Direct Marketing below).
  • To understand your needs and wishes in order to give you the best possible personalised service.
  • To carry out analysis and research which helps us understand how we are doing and improve our communications with you.
  • To undertake ethical screening and to minimise risk.

To conduct our research most effectively, we may share your information with third party fundraising service providers working under our instructions. We do not allow these providers to use your data for their own purposes or disclose it to other parties. These service providers are carefully selected and vetted to ensure that they comply with our data protection standards and all relevant data protection legislation.  

If we have concluded that an individual, foundation, or company could have the means or interest to support Mercy Corps with a significant donation, we may use information you have provided and/or we have found through publicly available sources and fundraising service providers to make personalised contact with you and/or to find links between you and our other supporters.

We may also use your information to produce short biographies of people who are due to meet with our development team, our leadership or attend an event that we may be hosting. This helps our people to understand more about those we engage with, and their interests or connection to us.

The system used to manage the administration of our contact database is called The Raiser’s Edge and is provided by Blackbaud. Their privacy policy can be found here.

We may use your information to send you communications about our work and ways that you can get involved and provide your support. This includes information about our fundraising appeals, volunteering opportunities, updates on our work, taking part in events and other ways to support Mercy Corps Europe.

This is different from times when we are required to contact you, for example: to enable us to administer and/or confirm receipt of your donation, to reply to your questions, or to provide you with administrative updates. This section relates to fundraising and marketing communications and does not cover administrative communications such as these.

Any time you provide your details to us, we will always include clear questions asking you about your preferences regarding our communications with you. You can also let us know if you wish to withdraw your consent; opt out of communication or if you want to change your preferences at any time by contacting or by calling 0131 662 2377. You can also contact us in writing at the address below. Further information about communicating with you in different ways is outlined below.

Data for some of our direct marketing appeals will be shared with carefully vetted suppliers for the purposes of fulfilling the appeal. These “data processors” will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses. We do not allow these suppliers to use your data for their own purposes or disclose it to other third parties without our consent and we will take all reasonable care to ensure that they keep your data secure.

Contact by email
We will only contact you by email for fundraising and marketing purposes if you have given us express permission to do so. This means you have provided your email address to us and said that we can contact you by this means. We will hold a record of your consent which can be withdrawn or changed at any time you wish to do so.

We will never conceal our identity when contacting you by email and we will always respect your preferences regarding contact of this kind.

How do we look after your personal information?

We will always take appropriate physical, electronic and organisational measures to ensure that we keep your information secure, accurate and up to date, and that we only keep it as long as is reasonable and necessary.

Although we use appropriate security measures once we have received your personal information, the transmission of information over the internet is never completely secure. We do our best to protect personal information, but we cannot guarantee the security of information transmitted to our website, so any transmission is at the user’s own risk. However, any payment card details (such as credit or debit cards) we receive on our website are passed securely to our payment processing provider according to the Payment Card Industry Security Standards.

How long do we keep your information?

We will hold your personal information on our systems for as long as is necessary for the relevant activity. For example, we will keep a record of donations subject to Gift Aid for six years after the accounting period relating to that donation to comply with HMRC rules.

We will generally treat any consent that you give us as lasting no more than 36 months (3 years) from the date you give your consent, or from the date of your last donation or interaction you have with us.

If at any time you withdraw your consent or change your preferences, your wishes will be acted on immediately and will take effect within the timescales laid out below.

Who do we share your information with?

Mercy Corps Europe will only use your information within our organisation for the purposes for which it was provided and for our own planning and analysis. We will not, under any circumstances, sell your personal data to any third party, and will only share data with our suppliers for the purposes described below. You will not receive marketing from any other companies, charities or organisations as a result of giving your details to us.

Our suppliers
We may need to share your information with carefully selected service providers and suppliers who help us to deliver our projects, fundraising activities and appeals. For example, we share name and address details with mailing houses to allow them to print and post our letters to our supporters. Such “data processors” will only act under our instruction and are subject to contractual obligations regarding their data protection standards and policies. No data we hold about you is retained by any third party after it has been used for the purposes advised by Mercy Corps Europe and all personal data belonging to us is erased by a third party following the termination of a supplier contract.

International transfers

In some cases, we may transfer your personal data to Mercy Corps locations and third-party service providers who are located outside of the European Economic Area (EEA).

If your personal data is transferred internally within Mercy Corps or third-party service provider outside the European Economic Area (EEA), this will occur under a safeguard mechanism recognized by the European Commission as providing adequate protection for your personal data.

Accessing and updating your personal information

If you let us know about any changes to your personal circumstances, we will always comply with your wishes. Our service levels for different types of communication are:

  • Email – 2 working days from the receipt of your request
  • Telephone – 2 working days from the receipt of your request
  • Mail – 28 days from the receipt of your request. Due to the production timescales for our postal communications, it can often take longer for this type of change to take effect. In most cases we would expect the change to be effective much more quickly and will do our best to stop any further communications within this period, where we can.

Sometimes we may have to contact you about something that is not related to fundraising or marketing. For example, if you have a direct debit with us, we are required to let you know about any changes to your direct debit. Opting out of postal communications will not stop this type of communication unless you cancel your direct debit. If you have any concerns about this type of contact, please get in touch with us.

Cookies, web beacons, and similar technologies


A cookie is a piece of information in the form of a very small text file that is placed in an internet user's local storage, e.g., a user’s hard drive. It is generated by a webpage server, which is the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site.

Mercy Corps uses cookies for the essential running of its websites and web applications, as well as for marketing and advertising purposes. Use of cookies for these purposes is described on our Cookies page. To learn more about the EU cookie law, click here.

When you enter our website, you are prompted to accept or decline cookies, but are not prevented from navigating the site without doing either. If you accept, a suite of cookies is placed on your machine. If you decline, only cookies necessary to the operation of our website are set.

Your rights

Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. Where we rely on legitimate interest as our legal basis for processing your personal information, you have the right to opt out. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. You also have the following rights:

  • Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
  • Right to rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
    Right to erasure (‘right to be forgotten’) at your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.
  • Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
  • Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests ground, (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
  • Right to data portability – to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.

You are further entitled to make a complaint about us or the way we have processed your personal information to the data protection supervisory authority in your home country. In the UK, the data protection authority is the Information Commissioner’s Office – For further information on how to exercise this right, please contact us using the details below.

How to contact us

Please let us know if you have any questions or concerns about this Notice or about the way in which we process your personal information by contacting us at the following channels:

Post: Mercy Corps Europe,96/3 Commercial Quay, Edinburgh, EH6 6LX
Telephone: +44 (0)131 662 5160

Information Commissioner’s Office

If we have been unable to deal appropriately with your question or complaint you have a right to refer the matter to the Information Commissioner’s Office (ICO). Their contact details are:

By post: Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113 or 01625 545745

More information about the ICO and about how to make a complaint, or ask a general question about data protection, is available on their website.

We may change our privacy notice from time to time. If we make significant changes in the way we treat your personal information, we will make this clear on the Mercy Corps Europe website or by contacting you directly.  This privacy notice was last updated in May2024.