Who we are
The OurJay Foundation is a UK charity registered with the Charity Commission for England and Wales under registration number 1200846. Our registered postal address is available on request via the contact details below.
For the purposes of UK GDPR, the OurJay Foundation is the data controller for the personal information processed through this website and our charity activities.
Note: the foundation's ICO registration number will be published here once confirmed. If you need it urgently for a regulatory enquiry, please email privacy@ourjay.org.uk.
Contacting us about your data
For any privacy enquiry - data access, correction, deletion, objection, or to raise a concern - email privacy@ourjay.org.uk. We aim to respond within 30 days, in line with the UK GDPR.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) ico.org.uk/make-a-complaint.
What we collect and why
1. Contact form submissions
When you submit the contact form at /get-in-touch, we collect the information you provide directly: typically your name, email address, an optional phone number, and the message itself.
- Purpose: to respond to your enquiry, follow up if needed, and run the day-to-day of the charity.
- Lawful basis: legitimate interest (UK GDPR Art. 6(1)(f)) - responding to people who have contacted us about the charity's work.
- Retention: contact-form messages are kept for up to 24 months from the date of last correspondence on that thread, then deleted, unless the thread is operationally required for longer (for example, an ongoing partner relationship).
- Sharing: form submissions are processed by Netlify (our website host) for delivery, and then forwarded to OurJay Foundation mailboxes hosted on Microsoft 365. Microsoft holds the message after that for as long as the charity does.
2. Donations
Donations are handled entirely by Donorbox, a third-party donation platform. The OurJay Foundation never receives or stores your card details or bank information. Donorbox provides us with the donor's name, donation amount, and (if you choose to share it) your email address and Gift Aid declaration - which we need to claim Gift Aid back from HMRC.
- Purpose: to administer the donation, acknowledge it, and (where eligible) claim Gift Aid.
- Lawful basis: contract (UK GDPR Art. 6(1)(b)) for processing the donation itself; legitimate interest for acknowledgement; legal obligation for the HMRC Gift Aid record.
- Retention: Gift Aid records are kept for 7 years (HMRC requirement). General donor records are kept for 7 years to support our audit and reporting.
- Sharing: with Donorbox (donation processing), the underlying payment processor (Stripe / PayPal, depending on your choice at Donorbox checkout), and HMRC for Gift Aid claims. See the Donorbox privacy policy for their own processing details.
3. Analytics, cookies, and the defib map
This website uses Google Analytics 4, Google Tag Manager, and Google Search Console to understand how the site is used and to improve it. These services set cookies in your browser and may collect:
- Pages you visit and the order you visited them in.
- Approximate location (city / region) derived from your IP.
- Device and browser type, screen size, and operating system.
- How you arrived at the site (search engine, referrer, campaign link).
We use Google Consent Mode v2. Until you
give consent through the cookie banner, analytics is loaded
in a privacy-preserving mode that does not set cookies and
does not collect identifiers. If you accept analytics
cookies, Google Analytics begins setting its standard
cookies (_ga, _ga_*) and sending
full event data.
- Purpose: understand traffic and improve the website.
- Lawful basis: consent (UK GDPR Art. 6(1)(a) and PECR for the cookies themselves). You can withdraw consent at any time using the "Cookie settings" link in the footer.
- Retention: Google Analytics data is retained for 14 months by default at the Google end.
- Sharing: with Google (Ireland and the US under the EU-US Data Privacy Framework).
The interactive defib map at /map loads
map tiles from OpenStreetMap / OpenFreeMap
and pulls anonymous, aggregated defib data from the OurJay
admin platform at portal.ourjay.org.uk. These requests are not
tied to your identity. The map also queries the What3Words API server-side (so the W3W key
never reaches your browser) when you zoom in for the
3-metre grid.
The OurJay mobile app
The OurJay app (iOS and Android) lets you find defibrillators, follow our campaigns, and keep up with our news and events. You do not need an account, and you do not have to sign in to find a defibrillator. The app is built to collect as little as possible.
1. Your location
The app can ask permission to use your device location so it can centre the map on you and show the defibrillators nearest to you.
- Your location is used on your device to show nearby defibrillators. It is not sent to, or stored by, the OurJay Foundation.
- You can decline and the app still works - it simply won't auto-centre on you. You can change the permission at any time in your device settings.
- Purpose: show the defibrillators closest to you. Lawful basis: consent (the permission you grant your device), with the location processed only on your device.
2. Photos you send us
During an event such as the OurJay Festival, you can send us a photo through the app. To do that, the app asks permission to use your camera or your photo library. The app only opens them when you choose to add a photo.
- When you submit a photo it is uploaded to the foundation, along with anything you choose to add: your name, a caption, and your confirmation that you are happy for us to use it.
- Submitted photos go into a private review queue seen only by the event team. We use them to share moments from the event. Because events may include children, we only use a photo where that consent has been given.
- Purpose: collect event photos you choose to share with us. Lawful basis: consent. Retention: we keep submitted photos for up to 24 months, or remove them sooner if you ask. Sharing: photo files are stored on our own storage (Cloudflare R2) and are not shared with advertisers or sold.
- You can ask us to remove a photo you sent at any time by emailing privacy@ourjay.org.uk.
3. The defib, map and news data you see
The defibrillator, map, news and event information shown in the
app is the same public, privacy-safe data served by our platform
at portal.ourjay.org.uk. Browsing it does not
identify you. The private contact details of defibrillator
guardians and owners are never exposed through
the app.
4. In-app donations and the shop (Stripe)
The app links to our donation page, and we are adding the ability to donate and to buy OurJay merchandise directly inside the app. When those features are available, payments are handled by Stripe.
- The OurJay Foundation never sees or stores your full card number. Stripe processes the card details directly and securely.
- We receive only what we need to complete your order or donation: your name, the amount, the items, a delivery address for physical goods, your email for a receipt, and (for donations) any Gift Aid declaration you make.
- Purpose: take payment, fulfil orders, acknowledge donations, and claim Gift Aid where eligible. Lawful basis: contract for the purchase or donation; legal obligation for the HMRC Gift Aid record. Retention: order and Gift Aid records are kept for 7 years (HMRC and audit requirements). Sharing: with Stripe (payment processing) and HMRC (Gift Aid claims). Purchases of physical goods and donations are handled through Stripe rather than the App Store or Google Play billing.
5. What the app does not do
- No advertising, no third-party trackers, and no analytics software development kits are built into the app.
- No account or sign-in is required to find a defibrillator.
- We never sell your data, from the app or anywhere else.
Cookies on this site
The site uses the following cookies once you give consent through the cookie banner:
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
_ga | Google Analytics 4 | Distinguishes unique visitors | 2 years |
_ga_* | Google Analytics 4 | Maintains session state | 2 years |
ourjay_consent | OurJay Foundation | Remembers your cookie banner choices so we don't ask again on every visit | 12 months |
We do not use:
- Advertising or marketing cookies.
- Social media trackers (Facebook Pixel, etc.).
- Cookies that profile you across other websites.
Children's data
The OurJay Foundation runs CPR and AED training sessions for community groups, schools and workplaces. Where children under 13 are present at a session, any consent for the taking of photographs, the recording of attendance, or the sharing of stories is handled at the session itself - in person, through the school or organising body - not through this website. This website does not knowingly collect any personal information from children under 13.
Note: a more detailed children's data section will follow once the foundation has finalised the in-session consent process. If your child has attended a training session and you'd like to know what (if anything) we hold, please email privacy@ourjay.org.uk.
Your rights under UK GDPR
You have the right to:
- Be informed about how we use your data (which is what this page is for).
- Access a copy of the personal information we hold about you.
- Rectify data we hold that is inaccurate.
- Erase ("right to be forgotten") personal data we hold about you, subject to our legal obligations (e.g. HMRC retention for Gift Aid records).
- Restrict our processing of your data in certain circumstances.
- Object to processing where we rely on legitimate interest.
- Data portability - receive a structured copy of data you have provided to us.
- Withdraw consent at any time for consent-based processing (including analytics cookies).
To exercise any of these rights, email privacy@ourjay.org.uk.
How we keep data safe
- Email mailboxes are hosted on Microsoft 365 with multi-factor authentication required for trustee access.
- The website is hosted on Netlify with HTTPS enforced for every page.
- We only share data with the specific third parties listed above, each of whom is contractually required to protect the data they handle.
- We do not sell personal data to anyone, ever.
Third-party services we use
Our website and operations rely on the following third-party processors. Each has its own privacy policy linked below:
- Netlify (website hosting, contact form delivery) - netlify.com/privacy
- Cloudflare (DNS, edge caching) - cloudflare.com/privacypolicy
- Microsoft 365 (charity email) - privacy.microsoft.com
- Google (Analytics 4, Tag Manager, Search Console) - policies.google.com/privacy
- Donorbox (donation processing) - donorbox.org/privacy
- Stripe (payment processing for in-app donations and the shop) - stripe.com/privacy
- Cloudflare R2 (storage for photos you submit through the app) - cloudflare.com/privacypolicy
- OpenStreetMap / OpenFreeMap (map tiles for the defib map) - osmfoundation.org/Privacy_Policy
- What3Words (geocoding) - server-side only; your IP never reaches their servers. what3words.com/privacy-policy
Changes to this policy
If we make material changes to this policy we'll update the "Last updated" date at the top, and - for significant changes - notify you via a notice on the homepage or by email if we hold one.