Privacy policy


We (“we”, “our” or “us”) are the Internet Watch Foundation (“IWF”) whose registered office is Discovery House, Vision Park, Chivers Way, Histon, Cambridgeshire, CB24 9ZR. Our charity registration number is 1112398 and company registration number is 34226366.

You (“you” or “your”) are the Data Subject and user or viewer of our web site.

We are the Data Controller of the personal data we collect about you.

This privacy notice explains the who, what, when, where and why with respect to your personal data we process. It covers the following:

  • Our approach to personal data processing
  • Data protection principles
  • Our use of your personal data
  • Other parties
  • Transferring personal data outside of the UK
  • Third-party links
  • Your rights
  • Security of your data
  • Changes to this Privacy Notice
  • How to make a complaint

Our Approach To Personal Data Processing

We really value the support we receive from the public, our members, partners and stakeholders, and we take your privacy seriously. We are fully committed to compliance with applicable data protection laws, and we keep up to date with legislation changes.

In processing child sexual abuse material for the fulfilment of our remit and to the extent that this is personal data, we are doing so for reasons of substantial public interest as a relevant self-regulatory authority which is recognised within the Memorandum of Understanding between the Crown Prosecution Service (CPS) and National Police Chiefs’ Council (NPCC). Further information can be provided on request.

We will keep your personal data secure and confidential and will only use it for the purposes intended. At no time will we sell your personal data.

We may disclose your personal information to third parties if we are legally obliged to; or in order to enforce or apply our terms of use for our website or other agreements; or to protect the rights, property or safety of the IWF, our donors or others.

Data Protection Principles

In adhering to the GDPR we are committed to protecting Personal Data in accordance with the following:

Data must be processed lawfully, fairly and in a transparent manner.

Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data processed must be adequate, relevant, and limited to what is necessary.

Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data that are inaccurate are erased or rectified without delay.

Data must not be kept for longer than is necessary for the purposes for which the data are processed.

Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.

Our Use of Your Personal Data

The Personal Data, as defined under the GDPR, which we process includes certain information which can be used to potentially identify you.

Although we do not currently collect and/or process Special Category (sensitive) Personal Data, should this change, we shall inform you and explain any further protections that we may implement.

The Personal Data we collect about you is as follows:

Our Capacity: Data Controller
Purpose/Activity: Operational management of the platform
Type of Data: Web server logs
  • Identity: IP Address
  • Other: Site usage information including URL.
When: Ongoing basis during system use
How Long: Deleted after a period of 50 months
Lawful Basis: Legitimate Interest

Our Capacity: Data Controller
Purpose/Activity: Operational management of the platform to ensure the performance and capacity of the service meets service level agreement targets
Type of Data:
  • Identity: IP Address, temporary unique user identifier
  • Stored as cookies and other local storage mechanisms. See separate Cookie Notice.
When: Ongoing basis during system use
How Long: See separate Cookie Notice.
Lawful Basis: Legitimate Interest

Other Parties

During our relationship with you and providing this website to you, we currently engage the following parties as Data Processors, all of whom we have assessed for their compliance with relevant data protection legislation:





  • 20i Limited: Website hosting
  • Website analytics
  • Website analytics
  • Video hosting



Transferring Personal Data Outside Of the UK

Other than as set out above, we do not transfer Personal Data outside the United Kingdom (UK) if you are based within the UK.

If you are based outside of the UK, to provide our services which include contacting you, we shall be obliged to send the Personal Data outside of the UK.

Whenever we transfer Personal Data to a Data Processor or third-party outside of the UK, we have ensured that appropriate measures, as allowed for by the GDPR, are in place to continue the ongoing protection of the Personal Data.

Third-Party Links

Where we provide links to other websites that are not owned or managed by the IWF, clicking on those links may allow third parties to collect or share data about you. We do not control these websites and cannot be held responsible for the privacy of data collected by those sites.

You should consult each website’s respective Privacy Notice or policy if you have any concerns or would like further information.

Your Rights

You have the following rights under the GDPR, though some may not always apply depending upon the lawful basis of processing of the Personal Data, or other relevant circumstances:

  • The right to be informed, which encompasses the obligation to provide transparency as to how your Personal Data will be used (this Privacy Notice);
  • The right of access (DSAR or Data Subject Access Request);
  • The right to rectification of data that is inaccurate or incomplete;
  • The right to be forgotten under certain circumstances;
  • The right to block or suppress processing of Personal Data;
  • The right to object to automated decision-making and profiling (Note: the only activity we consider to involve ‘automated decision-making’ is our collection of Cookies, which can be either consented to or not depending on your preference. We do not do any ‘profiling’); and
  • The right to data portability which allows you to obtain and reuse your Personal Data for your own purposes across different services under certain circumstances.


If you make a request relating to any of the rights listed above, we will consider each request in accordance with all applicable data protection laws and regulations and respond in the first instance within one month of receipt.

You may make a request by:

Emailing: [email protected]; or

Writing to: Data Protection Officer, The Internet Watch Foundation, Discovery House, Vision Park, Chivers Way, Histon, Cambridge, CB24 9ZR

No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be excessive in nature. If a complex request is received, we may need to extend the period by a further two months to respond appropriately. We will inform you of the reasoning behind any extension.

Please be aware that during the Covid-19 pandemic there is a reduced workforce in our office; online contact is therefore recommended to ensure a swift response to your query.

Security of Data

We are committed to taking steps to ensure that your Personal Data is protected, and to prevent any unauthorised access, unauthorised changes, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.

We are an ISO27001 accredited organisation which means our information security management system has been independently verified as meeting the high standards expected of ISO27001 certification. You can therefore be assured of the seriousness with which we take the security of your data.

We take any potential personal data breach seriously and will fully investigate it. As per the requirements of the GDPR, we will record all data breaches and report to the Information Commissioner’s Office (ICO) within 72 hours if we assess it necessary. If a data breach is assessed to be a high risk to data subjects, we will contact you as soon as possible.

You can learn more about the obligations of organisations regarding personal data breaches on the ICO’s website.

Where we feel it necessary in the event of a breach, we may employ an independent consultant or advisor to investigate the matter on our behalf.

Changes to This Privacy Notice

We are committed to monitoring this policy and reserve the right to make changes to this Privacy Notice. Each time you visit our website we would encourage you to check that no changes have been made to any sections that are important to you.

This notice was last updated in July 2021.

How to Make a Complaint

We try to meet the highest standards when processing Personal Data. For this reason, we take any complaints we receive about our services seriously. We encourage you to bring any issues, in relation to data privacy, to our attention if you think that our processing of your Personal Data is unfair, misleading or inappropriate, by email at [email protected].

You have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO) if you believe your data has not been processed by the IWF in the stated way, or in accordance with relevant data protection legislation.

You can contact the ICO on their helpline – 0303 123 1113 or via their website –