Council and its projects such as Cut My Tax.
The Tax Reform Council (“the TRC”) understands that your privacy is important to you and that
you care about how your personal data is used, and will only collect and use personal data in
ways that are described here, and in a manner that is consistent with our obligations and your
rights under the law.
This policy applies both to our websites and to any of our activities.
The TRC (and trusted partners acting on our behalf) use your personal data:
• to pursue our objectives
• to provide goods and services to you;
• to make tailored websites available to you;
• to enable us to work with each other to help achieve particular policy objectives
• to manage any registered account(s) that you hold with us;
• to verify your identity;
• for crime and fraud prevention, detection and related purposes;
• with your agreement, we also use your personal data to contact you electronically about
products, services, concepts and policies which we think may interest you;
• for promotional and marketing purposes and to tailor and personalise products and
• to train and manage our people and develop products and services;
• for customer insight and market research purposes – to better understand your needs;
• to enable us to manage customer service interactions (including refunds) with you, and
• where we have a legal right or duty to use or disclose your information (for example in
relation to an investigation by a public authority or in a legal dispute).
The TRC uses your personal data for electronic marketing purposes (with your consent) and may
also send you postal mail to update you on the latest TRC products and services. You have the
right to opt out of receiving promotional communications at any time, by making use of the
“unsubscribe” link in emails or by contacting us via the contact channels set out in this policy.
Sharing data with third parties
In order to make certain services available to you, we may need to share your personal data
with some of our service providers, particularly for delivery of goods and services and
communications with you.
The TRC only allows its service providers to handle your personal data when we have confirmed
that they apply appropriate data protection and security controls. We also impose contractual
obligations on service providers relating to data protection and security, which mean they can
only use your data to provide services to the TRC and to you, and for no other purposes.
Aside from our service providers, the TRC will not disclose your personal data to any third party,
except as set out below. We will never sell or rent our customer data to other organisations for
We may share your data with:
• email service providers (such as Microsoft, Mailchimp and Mailjet) where necessary for
• payment processing providers when necessary for making payments
• other service providers needed to assist in the carrying out TRC functions
• government bodies, regulators, law enforcement agencies, courts/tribunals and insurers
where we are required to do so in order to comply with our legal obligations or to
exercise our legal rights (for example in court cases), or for the preventions, detection
and investigation of crime or prosecution of offenders, and to safeguard and protect our
employees, customers or other individuals
To deliver products and services to you, it is sometimes necessary for the TRC to share your data
outside of the European Economic Area. This will typically occur when service providers are
located outside of the EEA, or if you are based outside of the EEA. These transfers are subject to
special rules under data protection laws. If this happens, we will ensure that the transfer will be
compliant with data protection law and all personal data will be secure.
In addition to the above, and with your explicit opt-in consent, we may share your data with
third parties to facilitate customised ad campaigns on other platforms (such as Facebook).
How long do we keep your data?
We will not retain your data for longer than necessary for the purposes set out in this Policy.
Different retention periods apply for different types of data, however the longest we will
normally hold any personal data is six years.
What personal data do we collect?
The TRC may collect the following information about you:
• your name, date of birth and gender;
• your contact details: postal address including billing and delivery addresses, telephone
numbers (including mobile numbers) and email address;
• purchases, orders, donations and subscriptions made by you;
• your online browsing activities on our websites
• your social media usernames
• your username and password(s) when this functionality is created;
• your communication and marketing preferences;
• your profession;
• your location;
• your policy interests;
• the body of your message, when you use our websites to send messages to others;
• your correspondence and communications with the TRC and its campaigns, and
• other publicly available personal data, including any which you have shared via a public
platform (such as a Twitter feed or Facebook page).
This list is not exhaustive and, in specific instances, we may need to collect additional data for
the purposes set out in this policy. Some of the above personal data is collected directly, for
example when you set up an online account on our website, or send an email to us. Other
personal data is collected indirectly, for example your browsing, purchasing or donation activity.
We may also collect personal data from third parties who have your consent to pass your details
to us, or from publicly available sources.
Another aspect of our priority is adding protection for children while using the internet. We
encourage parents and guardians to observe, participate in, and/or monitor and guide their
The TRC does not knowingly collect any Personal Identifiable Information from children under
the age of 16. If you think that your child provided this kind of information on our website, we
strongly encourage you to contact us immediately and we will do our best efforts promptly to
remove such information from our records.
How we protect your data
Our security measures include encryption of data, penetration-testing of systems and security
controls which protect our systems from external attack and unauthorised access.
You have the following rights:
• the right to ask for a copy of personal data that we hold about you;
• the right (in certain circumstances) to request that we delete personal data held on you,
where we have no legal reason to retain it;
• the right to ask us to update and correct any out-of-date or incorrect personal data that
we hold about you;
• the right to opt out of any marketing communications that we may send you and to
object to us using or holding your personal data if we have no legitimate reason to do
• the right (in certain circumstances) to ask us to “restrict processing of data”, which
means that we would need to secure and retain the data for your benefit but not
otherwise use it (the right to restrict processing); and
• the right (in certain circumstances) to ask us to supply you with some of the personal
data we hold about you in a structured machine-readable format and/or to provide a
copy of the data in such a format to another organisation (the right to data portability).
If you wish to exercise any of the above rights, please contact us using the contact details set
Legal basis for using data
Generally, the TRC collects and uses customers’ personal data because it is necessary for:
• the pursuit of our legitimate interests (as set out below);
• the purposes of complying with our duties and exercising our rights under a contract for
the sale of goods to a customer, or
• complying with our legal obligations.
In general, we only rely on consent as a legal basis for processing personal data in relation to
sending direct marketing communications to customers and other stakeholders via email or text
message. Customers have the right to withdraw consent at any time. Where consent is the only
legal basis for processing, we will cease to process data after consent is withdrawn.
Our legitimate interests
The normal legal basis for processing customer data, is that it is necessary for the legitimate
interests of the TRC, including:
• pursuing the interests of our organisation in running our activities, including campaigns,
events and the production of publications so that you know about them and can engage
• selling and supplying goods and services to our customers;
• protecting customers, employees and other individuals and maintaining their safety,
health and welfare;
• promoting, marketing and advertising our activities, products and services;
• promoting our objectives, as explained on our websites
• sending promotional communications which are relevant and tailored to individual
• understanding our customers’ behaviour, activities, preferences, and needs;
• improving existing products and services and developing new products and services;
• complying with our legal and regulatory obligations;
• preventing, investigating and detecting crime, fraud or anti-social behaviour and
prosecuting offenders, including working with law enforcement agencies;
• handling customer contacts, queries, complaints or disputes (including managing
• protecting the TRC, its employees and customers, by taking appropriate legal action
against third parties who have committed criminal acts or are in breach of legal
obligations to the TRC;
• handling any legal claims or regulatory enforcement actions taken against the TRC;
• fulfilling our duties to our customers, colleagues, and other stakeholders.
media features and to analyse traffic to the site. This includes information about browsing
behaviour by people who access our websites. It also includes information about pages viewed,
products purchased, the customer journey around our websites and whether marketing
communications are opened. We also share information about your use of our site with our
trusted social media, advertising and analytics partners. Detailed information is set out in
Data protection officer
Our Data Protection Officer helps us to ensure we protect the personal data of our customers
(and others) and comply with data protection legislation.
If you have any questions about how the TRC uses your personal data that are not answered
here, or if you want to exercise your rights regarding your personal data, please contact our
Data Protection Officer using the following means:
• email, at firstname.lastname@example.org, or
• post, at Data Protection Officer, The Tax Reform Council, Suite 2193, Unit 3A, 34-35
Hatton Garden, Holborn, London, EC1N 8DX UK
You have the right to lodge a complaint with the Information Commissioner’s Office. Further
information, including contact details, is available at https://ico.org.uk.
We may update this policy from time to time. You are strongly encouraged to read this policy
and check back regularly. This policy was last updated in August 2022.