Who we are
This privacy policy explains how Torah Action Life (TAL, "we", "us", "our") collects, uses, and protects your personal data when you use our website at torahactionlife.com and the services attached to it.
Torah Action Life is a charity registered in England and Wales (charity number 1145908) and a company limited by guarantee (company number 07771068). Our registered office is 1-4 Belmont Parade, Finchley Road, London NW11 6XP. We are registered with the UK Information Commissioner's Office under reference CSN9880506.
For any data-protection question, please contact our data-protection lead, Simy Vaz Mouyal, at info@torahactionlife.com or 07792 460 986.
The laws we follow
We process personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What we collect, and why
We only collect data we genuinely need. The categories below are everything we hold:
- Contact details: name, email, phone. Collected when you book a ticket, make a donation, sign up to our newsletter, apply for a vacancy, or send us a contact enquiry. Lawful basis: contract (to fulfil what you've asked for) or consent (newsletter).
- Address: only when you tick "Gift Aid" on a donation, so we can claim the tax back from HMRC. Lawful basis: legal obligation (HMRC requires it).
- Attendee details for events: first name, last name, email, optional date of birth, dietary requirements, and notes. Collected at checkout for each ticket holder. Lawful basis: contract. Dietary requirements are special-category data; we hold them solely to keep you safe and healthy at the event.
- Donation history: amount, frequency, date, and (if you've ticked it) Gift Aid declaration with a timestamp and version stamp. Lawful basis: contract and legal obligation.
- Account data: if you sign in via our magic-link system, we store your email, a magic-link token (expires in 15 minutes), and the IP address + user-agent of the device that requested it (used for spam-mitigation only, purged after 30 days).
- CV uploads: when you apply for a vacancy, we store the PDF you upload in a private filesystem outside the public web root. Only the admin reviewing your application can access it. Lawful basis: consent.
- Audit logs: we log admin actions like XP adjustments and account role changes for fraud-prevention and accountability. Lawful basis: legitimate interest.
How we use Stripe for payments
Every payment on this site (ticket sales, donations, recurring gifts) is processed by Stripe Payments UK, Ltd., our payment processor. We never see or store your card number. You enter it on Stripe's hosted Checkout page. We receive back from Stripe only: payment status (paid / failed / refunded), the last four digits of the card, and the Stripe customer + payment-intent identifiers we use to match the transaction to your order.
Stripe is GDPR-compliant and acts as a joint data controller for the limited data it needs to process the payment. Their privacy policy is available at stripe.com/privacy.
Other services we use
- Plesk SMTP: our transactional email server (sends magic-link sign-in emails, donation receipts, order confirmations, vacancy notifications). Operated as part of our own hosting; we don't share your data with a third-party mail provider.
- Hebcal API: we make server-to-server calls to hebcal.com to fetch Shabbat and yom-tov times for the TAL Minyan page. No personal data is sent, just our venue's coordinates.
- Google Maps embed: the maps on our Contact, TAL Minyan, and Venue Hire pages are served from google.com/maps. When you visit those pages your IP address and basic browser data are visible to Google. Their privacy policy: policies.google.com/privacy.
- Google Fonts & Cloudflare cdnjs: we load Montserrat, Open Sans, Frank Ruhl Libre, and Font Awesome from these CDNs. Your IP address is visible to them on first load only.
What we do not use
To remove any doubt, we currently do not run any of the following on this site:
- Google Analytics, Google Tag Manager, or any other analytics tracker
- Facebook Pixel, Twitter / X conversion tracking, or other social-network trackers
- Hotjar, Mouseflow, or other session-recording tools
- AddThis, ShareThis, or other social-sharing trackers
- PayPal, Worldpay, Square, or any payment processor besides Stripe
- Mailchimp, Mailgun, SendGrid, or any third-party email marketing platform
If we add any of the above in future, we will update this policy and, where required, ask for your consent.
How long we keep your data
- Ticket orders + attendees: 6 years after the event, for HMRC and accounting purposes.
- Donations + Gift Aid declarations: 6 years after the donation, as required by HMRC for Charities Online.
- Magic-link tokens: 15 minutes, then permanently disabled. The pending-link audit row is kept for 30 days for spam analysis, then purged.
- User accounts: kept for as long as you have an account. You can ask us to delete it at any time (see "Your rights" below).
- Contact enquiries + vacancy applications: 2 years from receipt, then deleted.
- Venue hire enquiries: 2 years from receipt, then deleted.
- CV uploads: deleted alongside the application record at the 2-year mark, or immediately on request.
Your rights under UK GDPR
You can ask us to:
- Access the personal data we hold about you
- Correct anything that's wrong
- Delete your data (right to be forgotten), unless we're legally required to keep it (e.g. paid orders for HMRC)
- Restrict what we do with it
- Receive a copy in a portable format (CSV / JSON)
- Object to processing based on legitimate interests
- Withdraw consent (e.g. unsubscribe from the newsletter); we honour this immediately
To exercise any of these, email info@torahactionlife.com. We respond within 30 days. If you're not satisfied with how we've handled your data, you can complain to the UK Information Commissioner's Office at ico.org.uk.
Security
Your data sits behind HTTPS in transit and inside a database protected by application-level controls. CV uploads live in a private filesystem outside the web root and are served only through authenticated admin download. Magic-link tokens are signed and time-limited (15 minutes). We do not store passwords for customer accounts at all. Sign-in is passwordless via the magic link emailed to your inbox.
Children
Our services are aimed at adults. If you're under 13, please ask a parent or guardian to make any bookings or donations on your behalf. If you believe we hold data on a minor without parental consent, contact us and we'll delete it.
Changes to this policy
We update this page when our practices or the services we use change. The "Last updated" stamp at the top of this page reflects the most recent material change.