Last reviewed 12 May 2026

Privacy notice.

A plain-English account of what personal information we hold about you, why we hold it, how long we keep it, and the rights you have under UK data protection law.

1. Who we are

The Pershore Nashdom and Elmore Trust ("the Trust", "we", "us", "our") is a registered charity in England and Wales (charity number 220012), incorporated by Memorandum and Articles of Association dated 13 November 1937. We are the data controller for any personal information you give to us through this website, in writing, by telephone or in person. Our registered address is Sarum College, 19 The Close, Salisbury, Wiltshire SP1 2EE.

Our designated data protection lead is the Bursar, Mr. John Rushmore FCA. You may write to him at [email protected] or by post at the above address (marked private and confidential) for any matter relating to your personal data. We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR — our processing is neither large-scale nor of special-category data on the scale that would trigger that requirement — but we have nonetheless adopted, by trustees' resolution of June 2021, the equivalent practices set out below.

2. The data we collect, and how

We collect personal data in five circumstances, and only these five.

  1. When you make a donation. We collect your title, full name, postal address, email address, the amount of your gift, the date of your gift, and (if you choose) your Gift Aid declaration. If you donate by debit or credit card, our payment processor (CAF Donate, a service of the Charities Aid Foundation) handles your card details directly; we never see and do not hold your card number, expiry date or security code. If you donate by bank transfer or standing order, our bank (CAF Bank) records the transaction; we receive a monthly statement.
  2. When you write to the office. We collect the name, contact details and contents of your message in order to reply. If your enquiry leads to an ongoing relationship — for example, an arranged retreat or grant application — we keep the correspondence on file.
  3. When you apply for a small grant. We collect the legal name of your charity, the contact details of your application's nominated lead, the supporting documents you provide (which may include financial accounts, a project budget, references), and our internal notes on the application.
  4. When you apply for a bursary or to become an oblate. We collect the personal information necessary to assess your application — typically name, contact details, a short personal statement, and one or two references.
  5. When you subscribe to our quarterly letter. We collect only the name and email address you give us. You may unsubscribe at any time by clicking the link in any issue, or by writing to the office.

3. Why we use it — our lawful basis

Under Article 6 of the UK GDPR, we must have a lawful basis for processing your personal data. The lawful bases on which we rely are these.

  • Consent (Article 6(1)(a)) — for subscribing you to our quarterly letter, and for processing any special-category data you choose to share with us (for example, a dietary requirement on a retreat booking).
  • Contract (Article 6(1)(b)) — for arranging a retreat or processing a grant on which you are the applicant.
  • Legal obligation (Article 6(1)(c)) — for keeping financial records as required by HMRC, the Charity Commission and our auditors.
  • Legitimate interests (Article 6(1)(f)) — for the simple administration of donor relationships (sending a personal letter of thanks; recording a Gift Aid declaration; alerting you to a Trust event you have previously attended). We have considered, in writing, whether your interests or fundamental rights override these legitimate interests; we are satisfied that they do not, but you may object at any time.

4. Who we share it with

We share your personal data, very sparingly, with a small number of organisations who help us do our work. We share it on the basis of written agreements that require them to treat it confidentially and to delete it when no longer needed.

  • HM Revenue & Customs — if you have signed a Gift Aid declaration, we provide HMRC with your name, address and the amount of your gifts when we make a quarterly Gift Aid claim.
  • The Charities Aid Foundation — our payment processor and our bank.
  • Sopher + Co LLP — our independent auditors, who see donation records as part of our annual statutory audit.
  • The Charity Commission for England and Wales — if our trustees deem it necessary to make a serious incident report under their statutory guidance.
  • The Information Commissioner's Office — if required by law (for example, in the event of a notifiable data breach).

We do not, and will not, sell or rent your personal data to anyone. We do not share it with other charities, fundraisers, data brokers or commercial parties. We do not exchange donor lists.

5. How long we keep it

We keep your personal data for the minimum time necessary to fulfil the purpose for which we collected it.

  • Donation records: seven years after the date of the last gift, which is the minimum HMRC retention period for charities claiming Gift Aid (and matches the Charities Act 2011 audit retention requirement). After seven years, we anonymise transaction records for our long-term statistical archive.
  • Correspondence: three years after the last contact, unless our relationship is ongoing.
  • Grant applications: six years after the decision, whether successful or unsuccessful, which matches the limitation period for any related civil claim.
  • Quarterly letter subscriptions: until you unsubscribe, after which we keep only a suppression record (your email address, marked do not contact) so as not to write to you again by mistake.

6. How we keep it safe

Personal data given to us in writing is held in a locked filing cabinet in the office at Sarum College, accessible only to the Bursar and to the office administrator. Personal data held electronically is stored on a UK-based, encrypted cloud service (Microsoft 365 for Business, with two-factor authentication enabled on every account) and on a single password-protected laptop kept in the office. We carry out a written annual review of our data security arrangements every January.

We have, in our institutional history of holding personal data — going back at least to the 1937 incorporation of the Trust — never had a personal data breach of any significance. Were one to occur, we would notify the Information Commissioner within 72 hours and, if there were a real risk to your rights, we would notify you as well.

7. Your rights

Under the UK GDPR you have, in respect of personal data we hold about you, the following rights.

  • The right to be informed about how your data is used — fulfilled, we hope, by this notice.
  • The right of access to a copy of your data, ordinarily within thirty days of a written request.
  • The right to rectification of inaccurate or incomplete data.
  • The right to erasure of your data, save where we have a legal duty to retain it.
  • The right to restrict processing in certain circumstances.
  • The right to data portability — to receive your data in a structured, machine-readable format.
  • The right to object to processing based on legitimate interests, including direct marketing (in our case, the quarterly letter).
  • Rights in relation to automated decision-making and profiling — we do no automated decision-making.

To exercise any of these rights, please write to the Bursar at [email protected] or by post to the office address above. We do not charge a fee, and we will reply within thirty days. If we cannot for some reason fulfil your request, we will tell you why.

8. Cookies

This website uses a very small number of strictly necessary cookies, which are described in our separate cookie policy. We do not use analytics, advertising or tracking cookies of any kind.

9. Children

The Trust's work does not ordinarily involve children. We do not knowingly collect personal data from anyone under the age of eighteen. If a child writes to us, we will ask their parent or guardian to make contact instead. If you believe we hold personal data about a child without parental consent, please write to the Bursar; we will delete it on confirmation.

10. International transfers

We do not transfer personal data outside the United Kingdom or the European Economic Area. Our cloud provider (Microsoft 365 for Business) is configured to store our data in UK data centres only. Our payment processor (CAF) is UK-based. If, for an exceptional reason, an international transfer became necessary — for example, if a donor wrote to us from outside the UK and we replied by email — we would rely on the appropriate UK GDPR safeguards (typically Article 49(1)(b), processing necessary for the performance of a contract with you).

11. Changes to this notice

We review this privacy notice annually, in May, and revise it as necessary to reflect changes in law, in our practice, or in feedback we have received. The date at the top of this page indicates when the current version came into effect. Significant changes will be flagged on the home page and in the quarterly letter.

12. Complaints

If you are unhappy with how we have handled your personal data, please tell us first; we would much rather know and put it right. Write to the Bursar at the address above. If we cannot resolve your concern to your satisfaction, you may complain to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — or by their online complaint form at ico.org.uk/make-a-complaint.

Document control. Version 4.3 · Adopted by the trustees, 12 May 2026 · Next review due May 2027 · Owner: Bursar.