Privacy Policy
Last updated: April 2026
1. Who we are
Give Time (“we”, “us”, “our”) provides volunteer management software to UK museums and cultural organisations. In data-protection terms:
- Give Time acts as a data processor — we process volunteer data on behalf of museums, strictly under their instructions.
- The museum or organisation you volunteer with is the data controller — they determine why and how your personal data is used.
Questions about this policy? Contact us at hello@give-time.org.
2. Data we collect
We collect the minimum data necessary to operate the service:
- Identity: your full name and email address
- Volunteering activity: shift bookings, cancellations, and swap requests
- Notifications: in-app notification records and your notification preferences
- Push tokens: device push-notification tokens (if you enable push notifications)
- Cookies: a single session cookie to keep you signed in (see section 7)
- Consent record: timestamp of when you agreed to these terms on application
3. Lawful basis for processing
- Legitimate interest (Article 6(1)(f) UK GDPR) — operating the volunteering platform, preventing fraud, and ensuring service security. We have conducted a legitimate-interest assessment balancing our interests against your rights.
- Consent (Article 6(1)(a) UK GDPR) — for push notifications. You may withdraw consent at any time in your profile settings.
- Legitimate interest — when your account is deactivated by an administrator, we process the deactivation notification (including the administrator's name and the list of affected shifts) to inform you of changes to your volunteering status.
4. Sub-processors
We use the following third-party sub-processors to deliver the service:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database & auth | EU-West-2 (London) | UK adequacy / EEA |
| Resend | Transactional email | US | Standard Contractual Clauses (SCCs) |
| Vercel | Hosting & edge functions | EU | UK adequacy / EEA |
| cron-job.org | Scheduled jobs | Germany (EU) | UK adequacy / EEA |
5. Data retention
| Data type | Retention period |
|---|---|
| Active volunteer account | Indefinite (while active) |
| Inactive volunteer account | Maximum 3 years from last activity |
| Rejected applications | 6 months from rejection |
| Notification logs | 12 months |
| Audit logs | 7 years (legal obligation) |
| Deactivated account shift history | Retained for inactive account period (up to 3 years), included in data export |
When an account is deactivated, all future shift assignments are automatically cancelled and the volunteer is notified by email. The notification includes the volunteer's name, affected shift details, and the deactivating administrator's name. Historical shift records are retained per the schedule above. You may request a full data export or deletion at any time by contacting us at hello@give-time.org.
6. Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (“right to be forgotten”)
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
You can download your data directly from your profile page using the “Download my data” feature. To exercise any other right, contact us at hello@give-time.org. We will respond within 30 days.
You may also lodge a complaint with the Information Commissioner's Office (ICO).
7. Cookies
We use a single, strictly necessary session cookie to keep you signed in. This cookie is deleted when you sign out or close your browser. We do not use any tracking cookies, analytics cookies, or third-party advertising cookies.
8. Changes to this policy
We may update this privacy policy from time to time. We will notify you of material changes by email or by posting a notice in the app. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of Give Time after changes take effect constitutes acceptance of the updated policy.