Stormbreak - Privacy Notice
1. Introduction
The privacy and security of your personal data is extremely important to Stormbreak. This privacy notice explains how and why we use personal data, to make sure you stay informed and can be confident about giving us your information.
This notice applies to our processing of personal data provided by you, including personal data that you provide about a child. Stormbreak is intended for use by Trusted Adults only, on behalf of children. If you become aware of a child accessing the Stormbreak site directly please contact Darryl Walsh on hello@stormbreak.org.uk.
We keep this notice updated and published on our website to show you all the things we do with personal data.
2. Who we are
Except as explained in the paragraph below, Stormbreak is the Controller for the personal data you provide. In this notice, whenever you see the words ‘we’, ‘us’, ‘our’, or ‘the Charity’ it refers to Stormbreak.
In certain circumstances (for example, if you are accessing Stormbreak on behalf of an organisation such as a school) Stormbreak will be acting as a Processor to the organisation as the Controller. For further information about when this is the case please see our website terms and conditions: [stormbreak.org.uk/terms-of-use].
When Stormbreak is acting as a Processor, then the organisation's privacy notice will apply in place of this privacy notice.
If you have any questions about this privacy notice please contact our Data Protection Lead, Judy Willits on hello@stormbreak.org.uk.
Stormbreak is a Registered Charity (No. 1182771).
3. Why we collect your personal data
Personal data is any information relating to an individual and which identifies them (either directly or indirectly). This includes personal details (name, date of birth, email, address, telephone number); financial information relating to donations or memberships (credit or debit card, direct debit details, gift-aid); some health information (for example, details of a child's wellbeing or difficulties) and opinions and attitudes, activities and events, and experiences.
We also collect, use and share Anonymous Data such as statistical or demographic data for any purpose. Anonymous Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your health data to identify certain trends in a geographical area. However, if we combine or connect Anonymous Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We collect information relating to your use of the website (technical data), in accordance with our Cookies Policy [stormbreak.org.uk/terms-of-use/cookie-policy].
Other than technical data, and save as set out elsewhere in this notice, we only collect the personal data that you voluntarily provide us, or that you provide about a child. This will be in connection with specific activities such as engagement in Stormbreak programmes and services, for example use of:
- Stormbreak Shine;
- Stormbreak Together;
- Stormbreak Surge;
and other activities such as:
- subscriptions to newsletters;
- organising events;
- consent forms for the use of images;
- processing donations;
- conducting research; registering for an account on our website;
- entering a competition; or
- prizes or surveys.
4. Information we collect and process
We collect personal data direct from you when you enquire about our resources and services, when we establish you as a member (for example, when you register for an account), when you make a donation or when you use our site.
We collect personal data about children from you as their Trusted Adult.
We collect further personal data from you during the period of our relationship.
In summary, we use personal data for the following purposes:
- to provide you with resources in accordance with your requirements;
- to communicate with you, including to provide you with information to understand the needs of the child for which you are a Trusted Adult; and
- where it is necessary for our ongoing operations.
You can find further information on the purposes for which we use your personal data below.
You can give us your personal data by:
- Engaging in our programmes and services
- Filling in forms or subscribing to a newsletter
- Entering a competition, promotion or survey
- Corresponding with us (by phone, email)
- Joining as a supporter/member
- Making a donation
- Registering for an account on our website
- Participating in a survey
If we don’t need your personal data, we won’t ask you for it. If we use your personal data for research or analysis, we will, unless we tell you otherwise, remove any obvious identifiers (such as your name) from the data that is used for research or analysis purposes.
We won’t knowingly send marketing or fundraising emails, letters or telephone calls to people under the age of 18.
5. Our lawful bases for using your information
Under the UK General Data Protection Regulation (UK GDPR) we must identify a lawful basis for processing personal data.
Our lawful bases for using your personal data are as follows:
- Contract: Sometimes we will need to use your personal data in order to perform our obligations under our contract with you (website terms and conditions) and for you to perform your obligations as well. For example, we need your name and contact details so that we can update you about any downtime the website might be experiencing.
- Legitimate interests: This means that Stormbreak is using your personal data where this is necessary for its legitimate interests or someone else's legitimate interests. We have a legitimate interest in fulfilling our charitable objects which are the advancement of education by the provision of programmes and services for the physical and mental health of children. We do this in a number of ways including
- Providing online resources for example Stormbreak Shine;
- Improving our services and materials;
- Research;
- Promoting Stormbreak to you and other interested individuals; or
- Delivering our programmes and services.
- Legal obligation: Sometimes we will need to process your personal data in order to comply with a legal obligation, for example, [in connection with Gift Aid and HMRC reporting requirements].
If we ask for your consent to use your personal data you can take back this consent at any time. Any use of your personal data before you withdraw your consent remains valid. To withdraw your consent please contact Judy Willits on hello@stormbreak.org.uk.
6. Special category data
The law recognises some types of personal data as particularly sensitive (special category data), this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health, and genetic and biometric data. Special category data requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
As part of our usual course of business, we collect special category data to carry out our tasks. We do not collect any information about criminal convictions and offences. We collect special category data for the following purposes:
- to provide trusted adults with the tools to support children’s mental health and wellbeing through the Stormbreak Shine Digital Pathways;
- relating to a health condition or disability in order to meet our legal obligation to make reasonable adjustments in the provision of our services;
- to ensure meaningful equal opportunity and diversity and inclusion monitoring and reporting;
- where it is needed to protect someone's vital interests and they are not capable of giving consent;
- where it is necessary to establish, exercise or defend a legal claim; or
- where the information has manifestly been made public.
7. Who we may share your personal data with
Personal data collected and processed by us may be shared with the following, where necessary:
- trustees and employees of Stormbreak
- consultants who conduct research on our behalf
- staff from our partners, such as university research partners (you will be informed beforehand)
We may also share your information with other third parties as follows:
- HMRC or other government or law enforcement agencies;
- if we sell any business or assets, in which case we may disclose your personal data to the prospective buyer of such business or assets;
- if we have a legal obligation to do so;
- for the purposes of fraud protection and credit risk reduction; and
- with professional advisers such as lawyers and accountants.
With the exception of our trustees and employees, the categories of third parties listed above use your personal data for their own purposes and are responsible for their own compliance with data protection legislation.
We also share your personal data with third-party service providers who provide services to Stormbreak, such as our CRM host server, IT support and maintenance service, cloud storage provider and email exchange server, and other businesses that provide certain services on our behalf. All of our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow these third-party service providers to use your personal data for their own purposes.
8. How we use personal data
8a. Marketing communications
We’d like to use your details to keep in touch about things that may matter to you. This might be about taking part in Stormbreak, volunteering with us, events and activities, or fundraising.
We’ll only send these to you if you agree to receive them and we will never share your information with companies outside Stormbreak for inclusion in their marketing.
We’ll always act upon your choice of how you want to receive communications (for example, by email, post or phone). However, there are some communications that we need to send. These are essential to fulfil our promises to you, for example transaction messaging if you’re a donor or supporter.
Sending marketing communications is within our legitimate interests to Stormbreak and our purposes.
8b. Fundraising, donations and legacy pledges
Where we have your permission, we may invite you to support the vital work we are doing to help children’s mental health. This might be by making a donation, getting involved in fundraising activities or leaving a gift in your will.
We may invite some supporters to attend special events to find out more about the ways in which donations, gifts and legacies can make a difference to specific projects and to our cause. We’ll also send you updates on the impact that you make by supporting us in this way.
If you make a donation, we’ll use any personal data you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible and thank you for your gift.
If you’ve told us that you’re planning to, or thinking about, leaving us a gift in your will, we’ll use the information you give us to keep a record of this – including the purpose of your gift.
If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, for example, your solicitor), we’ll note these interactions throughout your relationship with us, as this helps to ensure your gift is directed as you wanted.
As part of our ongoing fundraising and prospecting activities we may use publicly available information to research potential donor prospects. If we believe individuals identified through this research may have an affinity to the charitable cause we may pursue contact with them through an invitation to an event or letter of enquiry.
Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them. We follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to Stormbreak.
Fundraising is within our legitimate interests to promote and support the purposes of Stormbreak.
8c. Research
We carry out research with our supporters, staff and volunteers to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and ensure we know what is relevant and interesting to you, which we consider to be within our legitimate interests.
If you choose to take part in research, we’ll tell you what information we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide sensitive personal data (e.g. ethnicity). You don’t have to provide this information and we also provide a ‘prefer not to say’ option. We only use it at an aggregate level for reporting (e.g. equal opportunities monitoring).
8d. Online services
We provide online mentally healthy movement sessions for children under the supervision of a responsible adult. You can choose to register for an account if you are over the age of 18.
If you choose to register for an account we will collect any information you voluntarily provide. This may include your first name, last name, username or similar identifier.. We may ask you for information about the child, to help us monitor our services. This may include: first name or last name, gender, school, age.
We use this information for both our and your legitimate interests of enabling us to monitor your child's progress and to issue completion certificates for sessions they have completed.
If you are an organisation (e.g. a school or primary care network) that has registered with us and has provided details of children who have completed sessions we will share progress of those children on a de-identified basis.
If you have entered a competition on the website we use the information you provide for the purpose of running the competition, and announcing the winners. When we run competitions you do not have to provide the child's full name, you may use a nickname.
We may also collect any feedback you provide about our sessions. We may monitor your use of the website and which online sessions you have watched.
When you browse our site we may collect information about your preferences and the types of resources you are interested in.
We also collect technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
We also collect information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call us.
These uses are for our legitimate interest in giving you content which is bespoke to you and making sure that our website runs smoothly.
8e. Stormbreak Shine Digital Pathways
If you are making use of the Stormbreak Shine Digital Pathways then we need to collect certain information to assist you in selecting the appropriate Pathway. We collect the following personal data in relation to Stormbreak Shine:
- Your name
- Your contact details such as email
- The name, date of birth and gender of the child for which you are the Trusted Adult
- Description of mental health indicators for the child
- Updates that you post using the tracker function
We use this information to provide the Trusted Adult with Pathways that may be suitable for the child.
When a pathway is complete Stormbreak will send the Trusted Adult a survey to complete, which will collect information about the child's:
- emotions;
- behaviours; and
- skills;
during the Pathway journey.
Our lawful basis for using personal data in in connection with Stormbreak Shine is legitimate interests. Specifically, Stormbreak has a legitimate interest in providing you with helpful resources in the form of Stormbreak Shine Pathways that are appropriate to the child, and tracking the child's progress to ensure that our resources are helpful.
8f. Other uses
Regardless of the relationship we have with you, we may need to use your personal data for legal reasons such as fraud prevention and to check that you are complying with our terms and conditions, to enforce our legal rights and in connection with our regulatory obligations. We have a legitimate interest in doing this unless we are under a legal obligation.
9. How is your personal data kept safe?
Protecting your personal data is extremely important to us.
We have put in place:
- appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
- procedures to deal with any suspected data security breach, and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Information is securely stored on our servers based in the UK. Personal data is encrypted in transit between your device and our storage providers.
Any personal data that you submit to us will be held on secure servers based within the UK or the European Economic Area (EEA).
If we are required to transfer your information outside the UK, we have put in place appropriate measures to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.
By registering with us from outside the UK you consent to such transfer as necessary to enable use of our service. If you are based outside the UK we may transfer personal data to any correspondence address you provide to us.
10. How long we will keep your information
We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information and what it is being used for, but in most cases this will be for no longer than six years after our last contact with you.
Following expiry of the appropriate retention period Stormbreak will securely delete all of your personal data from all systems.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
11. Your rights
You have the following rights:
- to be told what we are doing with your personal data. We do this by providing you with this privacy notice;
- to correct or update the personal data we hold about you;
- to object to the processing of your personal data where we are using your personal data for direct marketing purposes or research / statistical purposes;
- to request a copy of the personal data we hold about you;
- to ask us to delete the information that we hold about you;
- to ask us to stop processing your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground and where there is no good reason for us continuing to process it;
- to withdraw your consent to us processing your personal data (where we are relying on consent as our lawful basis);
- to ask us to restrict how we use your personal data ;
- to ask us to send your personal data to another organisation in a computer-readable format;
- to request that you are not subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
These rights don't apply in all cases. For example, if you request your personal data then we don’t have to supply anything that is subject to an exemption.
You also have a right to complain to the Information Commissioner's office. You can do this at https://ico.org.uk/concerns/. Do contact us straight away if you consider that we are not handling your personal data properly so we can try and sort the problem out.
Stormbreak endeavours to respond to requests to exercise your rights within the statutory timeframes permitted (usually within the initial one month timeframe).
If we delete your personal data or restrict our use of it, we may not be able to provide our services to you.
If you want to exercise any of your rights or update your marketing preferences, please contact the Data Protection Lead on hello@stormbreak.org.uk or 07855 788024. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).
June 2023