PRIVACY POLICY

Save the MBR Beagles (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at savethedogs.uk.

This policy is provided in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003.

Please read this policy carefully. By using our website, you acknowledge that you have read and understood this Privacy Policy.

The data controller responsible for your personal data is:

We are an independent campaign and are not affiliated with any other organisation. If you have any questions about how we handle your data, please contact us using the details above.

We collect different categories of personal data depending on how you interact with our website:

3.1 Account Registration

When you create an account, we collect your name, email address, phone number, postcode, and a password (stored in hashed form only — we never store your password in plain text).

3.2 Newsletter Subscription

When you subscribe to our newsletter, we collect your name, email address, phone number, and postcode.

3.3 Write to Your MP Tool

When you use the Write to Your MP tool, we process your name, email address, postcode (to identify your MP via the TheyWorkForYou API), and the content of the letter you write. Your postcode is sent to the TheyWorkForYou API solely to look up your MP’s details. The letter is sent from your email address via our email service provider.

3.4 Rescue Operation Signup

When you express interest in participating in rescue operations, we collect your name, contact details, and the risk tier you select.

3.5 Foster/Adoption Applications

When you submit a foster or adoption application, we collect your name, contact details, and information about your household and ability to care for an animal.

3.6 Specialist Support Applications (Vets, Vet Nurses, Legal Counsel)

If you apply to offer specialist support, we collect your profession, whether you are qualified and on a relevant professional register, your qualifications, years of experience, specialism, employment status, optionally your practice or firm name, the region you can cover, whether you can travel, and free- text notes about what you are willing to help with. We understand this information is professionally sensitive: it is visible only to a small number of named administrators and we will never contact your employer, regulator or professional body without your prior written agreement.

3.7 Internal Messaging and Contact Form

Logged-in users can send messages to site administrators through the internal messaging system or the contact form. These messages are stored in our database and protected by encryption in transit (HTTPS) and by access controls, but they are not end-to-end encrypted — we, as the operator of the platform, can read them. Please do not send anything in internal messages that you would not be comfortable having read by a site administrator or, in the event of a lawful production order, by law enforcement.

3.8 Pack Portal (Vetted Activists Only)

If you are invited into the Pack Portal — a restricted area for activists who have been vetted and assigned to a logistics pack — we process additional data so the pack can coordinate safely:

• Pack & den information: the pack you belong to, your role within it (anchor or member), and addresses of dens you have been granted access to. Den addresses are stored encrypted at rest using AES-256-GCM and are only decrypted on request by users with the appropriate role.
• One-time login codes: a six-digit code is emailed to you each time you sign in to the portal. Codes are hashed in our database, expire after a short window, and are invalidated as soon as they are used.
• Audit log: sensitive actions inside the portal (viewing a den address, downloading a file, triggering the panic button) are logged with your user id, a timestamp, and the IP address of the request. This is so we can detect compromise and respond to it.
• Files you upload: documents and images uploaded to the portal are stored in a private location, are not publicly addressable, and can only be fetched through a gated endpoint that checks your portal membership on every request.

3.9 Internal Admin Notes

Administrators can attach private notes to user records and flag accounts for follow-up. These notes are not visible to you in your account, but they are part of your personal data and will be included if you make a Subject Access Request under Section 9. We instruct administrators not to record opinions or information that would be inappropriate to share with the data subject.

3.10 Technical Data

When you visit our website, we automatically collect certain technical information, including your IP address, browser type and version, operating system, referring URL, pages visited, and timestamps. This data is collected through server logs and is used to maintain the security and performance of the website.

Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

We use your personal data for the following purposes:

• Providing our services: managing your account, processing applications, enabling the Write to Your MP tool, and managing rescue signups
• Communications: sending you campaign updates, newsletters, calls to action, and important operational information via email or SMS (with your consent)
• Website security: monitoring for and preventing unauthorised access, abuse, and technical issues
• Campaign improvement: understanding how the website is used so we can improve it (using anonymised, aggregated data only)

We do not use your personal data for automated decision-making or profiling.

We do not sell, rent, or trade your personal data to any third party. We share your data only in the following limited circumstances:

6.1 Email Service Provider

We use an email service provider with an EU data processing agreement to send emails, including campaign communications and letters sent via the Write to Your MP tool. The provider processes your email address and name to deliver these emails. Their servers are located in the EU and their processing is governed by a Data Processing Agreement with UK GDPR-equivalent protections.

6.2 TheyWorkForYou API

When you use the Write to Your MP tool, your postcode is sent to the TheyWorkForYou API operated by mySociety to identify your local MP. Only your postcode is transmitted for this lookup — no other personal data is shared with mySociety.

6.3 Law Enforcement

We may disclose your personal data if required to do so by law, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect our rights or safety, or prevent fraud or abuse.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Our website uses a minimal number of cookies and local storage items. We do not use advertising cookies or third-party tracking cookies. Analytics cookies are only loaded with your explicit consent.

8.1 Authentication Cookies

We use session cookies set by NextAuth.js to manage your login session. These are strictly necessary cookies that allow the website to recognise you as a logged-in user. They do not track your behaviour and are deleted when your session ends or expires. Under PECR Regulation 6, strictly necessary cookies do not require consent.

8.2 Analytics Cookies (Google Analytics)

If you give consent by clicking “Accept All” on our cookie banner, we load Google Analytics to understand how visitors use the site. Google Analytics sets the following cookies:

These cookies are only set if you choose “Accept All” on our cookie consent banner. If you choose “Essential Only”, Google Analytics is not loaded and these cookies are not set.

Google Analytics data is processed by Google. For more information, see Google’s privacy policy. We use Google Analytics solely to understand aggregate usage patterns and do not use it for advertising or cross-site tracking.

8.3 Local Storage

We use your browser’s local storage to save non-sensitive preferences (such as form drafts or UI state). This data stays on your device and is not transmitted to our servers.

8.4 Managing Cookies

You can control and delete cookies through your browser settings. You can also change your analytics cookie preference at any time by clearing the cookie_consent item from your browser’s local storage, which will cause the consent banner to appear again on your next visit. Please note that disabling authentication cookies will prevent you from logging in to your account. For more information about managing cookies, visit aboutcookies.org.

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of access (Subject Access Request): You have the right to request a copy of the personal data we hold about you. We will respond within one month of receiving your request.
• Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure (“right to be forgotten”): You have the right to request that we delete your personal data where there is no compelling reason for us to continue processing it. We will comply unless we have a lawful reason to retain the data.
• Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify its accuracy.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit it to another controller.
• Right to object: You have the right to object to the processing of your personal data where we are relying on legitimate interests as the lawful basis.
• Right to withdraw consent: Where we rely on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to all legitimate requests within one month. In exceptional circumstances, we may extend this by a further two months, in which case we will inform you and explain why.

You will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply if your request is clearly unfounded, repetitive, or excessive.

This website is intended for adult supporters. You must be at least 18 years old to create an account, subscribe to the newsletter, sign up for rescue operations, submit a foster or adoption application, offer specialist support, or use the Pack Portal.

Members of the public under 18 may read the website’s public pages (campaign updates, evidence, legal information, gallery), but we do not knowingly collect personal data from anyone under 18 in any form. If you believe we have inadvertently collected personal data from someone under 18, please contact us at the address in Section 2 and we will delete it.

Our website is hosted on UK-based servers and your data is primarily stored and processed in the UK.

Our email service provider processes data on servers located in the European Union under an EU data processing agreement. The EU is recognised by the UK government as providing an adequate level of data protection under UK GDPR, meaning your data is afforded equivalent protections when processed in the EU.

We do not transfer your personal data to any country outside the UK and EU that does not have adequate data protection safeguards in place.

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it, including:

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
• Password hashing: Passwords are hashed using bcrypt before storage. We never store passwords in plain text.
• Access control: Access to personal data is restricted to authorised administrators only
• Session management: Authentication sessions are managed securely through NextAuth.js with JWT tokens and CSRF protection
• Server security: Our server is maintained with regular security updates and is protected by firewall rules

While we take all reasonable steps to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where required under UK GDPR Article 33
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under UK GDPR Article 34
• Document the breach, its effects, and the remedial action taken

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first if possible.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last updated” date at the top of this page.

Where changes are significant, we will make reasonable efforts to notify you (for example, by email or a notice on the website). We encourage you to review this policy periodically.

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us: