Privacy Policy

Information You Provide to Us

Your privacy is important to us. By providing personal information such as your name, e-mail address and telephone number via the forms on this website, you agree to us contacting you with regard to the information you request.

Some forms on our website also include a check box asking you for permission for us to add you to our mailing list. This is an opt-in mailing list and your personal information will be used solely by us. Under no circumstances will your personal information be sold, rented, shared, or gifted to any other organisation without your explicit consent.

From time to time, we may include links in our e-mails to other websites which we think may be of interest to you. Each email communication you receive from us will have the option to remove your e-mail address from our list.

Information We Monitor about Visitors

During the course of any visit to our website, the pages you see, along with a short text file called a ‘cookie’, are downloaded to your computer. Many websites do this, because cookies facilitate useful features such as the ability to identify whether a user has successfully logged into the site or to find out whether the computer (and probably its user) has visited the website before.

Legal Basis for Personal Data Processing

Article 6 of GDPR requires that the lawfulness of data processing be advised. Citizen Heart uses “legitimate interests” as the basis for the secure processing and storage of its customer data in order to deliver a service to them. This includes the communication of direct marketing information related to our services or similar matters. We occasionally communicate with non-customers and will only do so based upon the “explicit consent” which we have been provided with by the data subject, either through a positive confirmation on a web form, or by their communication preferences shared from social media channels. We provide clear methods for data subjects to remove or vary their consent if they wish to do so.

Legitimate Interest Statement

CHL is a business with an alternative cash management model for the Not for Profit and Charities sectors for providing higher returns on their cash deposits than the current bank rates. To grow and generate income, CHL need to sell and market its products and services to new potential customers (prospects), additional products and services to existing customers and attract partners who want to market our products. Generating income and profits will mean that charities and good causes will be benefiting from incremental income and enable CHL to contribute to the economy by paying taxes in the UK, pay its staff and reward them for the great work they do and reward its investors for having the confidence to invest. To achieve these aims CHL have a legitimate interest to process personal data to identify potential customers and partners who are in job roles that are likely to require its products and services and communicate this to them, either by phone, email or post. To establish Legitimate Interest as a lawful basis for processing personal data for these purposes a Legitimate Interest Assessment was conducted. You can request a copy of this LIA by contacting our Data Protection Manager at the address listed below.

Data Controller

Citizen Heart acts as a Data Controller (as per GDPR Article 24) for (i) the personal data relating directly to its customers and (ii) for its own employee management purposes.

Data Subject Rights

Articles 15-21 of GDPR provide data subjects with several rights in relation to their personal data, including:

  • Right of access by the data subject (Art.15)

  • Right to rectification (Art.16,19)

  • Right to erasure (Art.17,19)

  • Right to restriction of processing (Art.18)

  • Right to data portability (Art.20)

  • Right to object to processing (Art.21)

Where Citizen Heart is acting as Data Controller (see above), then it will receive, validate, record, progress and respond to any such data subject requests received.

Should a data subject decide to exercise their rights, they should contact Citizen Heart as indicated below.

Declaration of Sub-Processors

Citizen Heart confirms its use of:

  • Squarespace to host its website. Squarespace is based in New York, New York and has a validated entry under the EU-US Privacy Shield Agreement as well as being registered with the Irish Data Protection Commissioner.

  • GSuite by Google for managing and distributing marketing communications. GSuite is based in the USA and has a validated entry under the EU-US Privacy Shield Agreement.

  • HubSpot for the purposes of tracking and progressing customer engagement with Citizen Heart. It is based in Ireland and therefore falls under the requirements of the EU General Data Protection Regulation. HubSpot also has a validated entry under the EU-US Privacy Shield Agreement.

Citizen Heart confirms that:

  • It has undertaken applicable due diligence and validation on each of the declared sub-processors to ensure that they are aware of and able to deliver their applicable requirements under the EU General Data Protection Regulation.

  • It will not vary or replace any of the declared sub-processors without having first given advanced notice to all applicable customers.


Citizen Heart Limited is registered with the Information Commissioner’s Office  – registration number ZA220050 applies.

If a Citizen Heart customer or data subject believes that Citizen Heart has not delivered upon its obligations under GDPR, they have a right to make a complaint to the ICO. They can be reached by telephone on 0303 123 1113 or by using the contact form on their website.

Contact Citizen Heart

Data Protection Manager
Citizen Heart
3 Shortlands



W6 8DA

Tel: 0203 488 3260