Privacy policy

Who are Factary?

The Factary (Factary) is Europe’s leading prospect research agency, offering a range of research and consultancy services to non-profit clients which helps them devise and implement successful fundraising strategies. Our aim is to bring fundraisers, non-profits and philanthropists together and share knowledge for good. Other pages on this site give further detail about Factary and our services. Factary processes personal data and is registered with the Information Commissioner’s Office (ICO).  Our registration number is: Z6137967.

What is this policy for?

This privacy policy describes the way Factary (“we”, “us”) gathers, uses, manages and discloses the personal data we collect through research using publicly available sources, and any personal data or information which is provided to us by our customers (“clients”). By using Factary website, you consent to the collection and use of your personal information as set out in this privacy policy.

Our approach to data protection and privacy

Factary is committed to safeguarding and protecting all forms of personal data. Factary complies with both the Data Protection Act 2018 (DPA) and with the UK General Data Protection Regulation (UK GDPR).

How Factary uses data

Data we collect from you

We use the information we collect from you via cookies in accordance with our Cookies Policy, which sets out the type of personal data we collect via our website. Our use of cookies helps us to provide you with a good experience of our website, and also allows us to help improve its design and content.  When you first visit the website we will ask you whether you agree to our use of cookies; if you do not agree then you may continue to use the website but your browsing experience may be somewhat affected. We may use the information supplied by you to engage with you, to administer or improve our site, for internal operations, or as part of our efforts to keep our site safe and secure. Information that you supply to Factary, whether via our website, by email, or by other means, will be securely stored by us. We will only use this data to contact you about projects we may be undertaking for you or services we provide to you, or to send you details of Factary services or publications that may be of interest to you. This data we hold will only be disclosed to third parties if we are required to do so by law or in the event that we sell or buy any business or assets. Should you wish to opt out of our mailing lists please let us know by emailing DataProtectionOfficer@factary.com.

Data we collect for research purposes

Factary undertakes research as a data processor for its clients. This research is used by clients in their fundraising as a way to understand and build better and more meaningful relationships with individuals, companies, trusts or other potential funders. Research undertaken by Factary combine client data with publicly available data sources, for example:
  • registers of personal and corporate information (e.g. Companies House, Debrett’s People of Today, Who’s Who);
  • newspaper sources, both current and archived (e.g. The Sunday Times Rich and Pay Lists, Dow Jones Factiva);
  • philanthropy datasets (e.g. the Charity Commission, Factary Phi, Factary NTU, Trustfunding); or
  • geodemographic and statistical data (e.g. ONS and census data)
We provide elements of this data to clients to help with their fundraising, together with categories of wealth and gift capacity information relating to donors. This is based on publicly available data such as company annual accounts, career history (including remuneration and shareholdings), published rich lists, property values, land registry information and news articles. We may also research the known philanthropic and charitable interests of donors, key professional interests and networks together with society and club memberships. Factary processes personal data as a data processor on behalf of its Clients (the data controllers).  Factary will ensure that all its processing and research is carried out lawfully on behalf of the client and with their explicit permission and instruction.  This will invariably involve processing data available in the public domain. (either disclosed by the data subject themselves or which has been reported by reputable research & media sources). Where data classified as ‘sensitive’ is processed, this is warranted for the purposes of due diligence. For example, information such as details of past legal proceedings or criminal accusations will be used in our research and passed to clients as part of a due diligence processes.  This enables our client to identify potential risks associated with a gift acceptance and which may cause reputational harm. Factary encourages its clients to use the research it provides in an ethical and responsible manner, and to reflect this in all their fundraising practices. We expect all data subjects to be treated lawfully and for clients to respect their wishes and expectations with regards to personal privacy. Factary only use the information it collects from publicly available sources to:
  • carry out the research services we provide to clients;
  • maintain Factary’s internal database of trusts, charities, and publicly known donations; and
  • maintain Factary’s internal database of UK demographic data.

Data sent to us by clients

Factary understands that a non-profit’s fundraising data is one of its most important organisational assets. Clients enter into contract with Factary for the provision of research services.  In many cases this will involve providing Factary with its data (the “client data”). This might include various research services (for example, a Database Screening).   In such case Factary will manage the security and processing of that data.  It will do so to the highest of standards and in accordance with the law, ensuring full data compliancy with the DPA and UK GDPR. Factary will carry out its services as Data Processor and the client will remain the Data Controller throughout the processing agreement. All data processing including other data management processes for which Factary takes a part in, (e.g. data breaches, SARs etc.), are done so in collaboration with, and under full instruction of the client (the Data Controller). All electronic file transfers between client and Factary are done so using a secure ftp (file transfer protocol) process.  These file transfers are encrypted both in transit and at rest using 2048-bit Secure Socket Layer (SSL) certificates, and 256-bit AES encryption over https:/.   All sftp logins are password protected, and logins and file transfers are monitored by us.  Data held on the sftp server is removed as soon as possible after the transfer is complete and therefore stored on the sftp server for the minimum amount of time necessary. Client data is kept no longer than necessary for the research project. This means that, unless otherwise authorised by clients, client data will be deleted from our servers no later than 6 months after the data is initially received – or earlier/later if instructed and authorised by the client. Factary will not pass on, or disclose, any information contained within client data to a third party unless authorised to do so by the client (Data Controller) or if required to do so by law. In short, we only use the information provided by clients to:
  • carry out agreed and confidential research services for clients;
  • create and maintain a sales and marketing database which includes details about clients and client contacts only; and
  • contact and correspond with clients about our products and services and about issues impacting the non-profit sector.

How we make sure we stay compliant

All Factary staff are cyber and GDPR trained.  They undertake their tasks lawfully and by following accepted best-practice policies and Factary policy procedures when processing personal data. Data protection reviews are regularly carried out and all staff are made aware of current trends with regards to cyber threats which are highlighted in various sector reports and other sources such as those published on the Information Commissioner’s Office website. Factary has a comprehensive range of data protection policies together with guidelines and procedures which all staff adhere to. All personal data is processed by staff of Factary in the strictest confidence, and is stored on encrypted hard drives on servers which are UK-based and managed. Only authorised staff have access to our servers.

If you’d like to access your personal information

You have the right to know if Factary holds any data about you. You also have the right to obtain a copy of this data; this is known as a ‘subject access request’ (SAR). There is no fee for this. If you would like to submit a SAR to us then please email us or write to:

Data Protection Office Factary Brunswick Court Brunswick Square Bristol BS2 8PE

You also have the right to request that any information be changed if it is out of date, inaccurate or untrue. Factary will consider all such requests seriously, and will follow a strict protocol when dealing with all subject access or change requests. It is our responsibility and legal obligation to amend any inaccuracies brought to our attention which might exist, wholly or in part, with regards to any personal data stored by Factary, whether this is Client data, or data under Factary’s control. If you are a client and receive any marketing communications from us, you have the right to be unsubscribed from such communications on request. There is no fee for this.  Please contact our Data Protection Officer with the subject heading ‘Mailing list opt-out’, using, or otherwise citing, the email you wish to unsubscribe.

Updates to this privacy policy

Any changes we make to this privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this privacy policy. All enquiries should be made to the Data Protection Office (contact details shown above). This privacy policy was last reviewed and updated on 5 March 2025.