We are The Grace Eyre Foundation.
We are committed to safeguarding the privacy of:
For more information about us, see below (Our details).
If you are a parent or guardian, support or social worker, service manager, or other representative of a person (referred to in this policy as a “representative”), please read this section carefully.
If you are a representative and you provide personal data to us relating to another person, please provide them with the information in this privacy policy insofar as it relates to our use of that data.
Where information relating to a person you represent may be published in accordance with this policy, you must ensure that:
We may ask you for copies of written consents that you hold.
In this table we have set out details of the personal data that we process and the sources of that data.
| Data category | Data content | Source of data |
| Contact and profile data | Information we use to get in touch with you. The contact and profile data may include your name, email address, telephone number, postal address and/or social media account identifiers. | You |
| Communication data | Information contained in enquiries and communications that you send to us or that we send to you, along with metadata associated with enquiries and communications. This includes complaints, comments, compliments and other feedback you send to us. | You or your representative. Our website will generate the metadata associated with use of our website contact forms |
| Data for publication | Personal information you share with us for publication, including personal information included in any narrative published as “Your Story” on our website. For example: your name, age, health information, and other details of your life. Information about your health is sensitive “special category” data, and additional rules apply where we handle this data. In particular, we will only process this data with your explicit consent (see below). | You or your representative |
| Bookings data | Information relating to bookings of events and courses made through our website. The bookings data may include the name and contact details of the attendee (and, if another person makes the booking, of that person), along with the particulars of the event or course booked. | You or your representative, or our payment services provider |
| Donations data | Information relating to donations made through our website. The donations data may include your name, your contact details, personal messages and the amount(s) of your donation(s), and other information relating to your donations. | You or our payment services provider |
| Payment card data | Payment card details and similar information that you supply when making a booking or donation on or in relation to our website. The payment card data may include your name, your contact details and your bank account or payment card number. | You or our payment services provider |
| Applicant data | Information supplied to us during the application process for Grace Eyre jobs, which may include your name, date of birth, address, telephone number, education and employment history, along with any other information in your CV or covering letter, and any information supplied during our screening and interview processes. | You and any referee whose details you supply to us, along with recruitment services, public sources and other third party sources |
| Website usage data | The data about your use of our website and services, which may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. | Our web analytics system |
In this table, we have set out the purposes for which we may process personal data and the legal bases of the processing.
| Purpose of processing | Details | Legal basis of processing |
| Operations | We may use your personal data for the purposes of: (i) operating our website; (ii) providing, developing, monitoring and improving our services; and (iii) running our organisation generally. | Legitimate interests: the proper administration of our website and organisation |
| Relationships and communications | We may use contact and profile data, communication data, booking data and donation data for the purposes of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post and/or telephone, and complaint handling | Legitimate interests: communications with our website visitors and individual and corporate contacts; the maintenance of our relationships; enabling the use of our services; and the proper administration of our website and organisation |
| Transactions | We may use payment card data, booking data and donation data to process transactions and provide services that you have booked | Legitimate interests: enabling the processing of payments |
| Publications | We may publish data for publication on our website and elsewhere in accordance with your express instructions and may otherwise store and process data for publication for this purpose. We may also publish donations data on our website. If you do not consent to such publication, we may still publish information about donations in anonymised form. | Consent and, insofar as this constitutes information about your health or other special category data, explicit consent |
| Direct marketing | We may use contact and profile data for the purposes of creating, targeting and sending direct marketing communications by email, SMS, post and making contact by telephone for marketing-related purposes. | Consent |
| Job applications | We may use your job application data to process your application and contact you in relation to the application and recruitment process. | Consent |
| Research and analysis | We may use contact and profile data, booking data, donation data and website usage data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our organisation. | Legitimate interests: monitoring, supporting, improving and securing our website and organisation generally |
| Record keeping | We may use your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our organisation records generally. | Legitimate interests: ensuring that we have access to all the information we need to properly and efficiently run our organisation in accordance with this policy |
| Security | We may use your personal data for the purposes of security and the prevention of fraud and other criminal activity. | Legitimate interests: protection of our website and organisation, and the protection of others |
| Insurance and risk management | We may use your personal data where necessary for the purpose of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. | Legitimate interests: the proper protection of our organisation against risks |
| Legal claims | We may use your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. | Legitimate interests: protection and assertion of our legal rights, your legal rights and the legal rights of others |
| Legal compliance and vital interests | We may use your personal data to stay compliant with applicable law. | Compliance with legal obligations and protection of vital interests |
We use a range of services providers. These services providers will from time to time handle personal data on our behalf, as detailed in the following table.
| Services | Current provider | Main location(s) | More info |
| CRM (customer relationship management) system | Beacon Apps | UK and EEA | https://www.beaconcrm.org/legal/terms |
| CRM (supported people management system) | Nourish | UK and EEA | https://nourishcare.com/legal/nourish-standard-terms-conditions/ |
| Website hosting | Nimbus Hosting | UK | https://nimbushosting.co.uk/docs/General_Data_Protection_Regulation_Policy.pdf |
| Website backup hosting | Amazon Web Services | UK | https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf |
| Website emailing services | Postmark | USA and worldwide | https://postmarkapp.com/dpa |
| Website support and maintenance | Pipe Media | UK | Please contact us for more information |
| Website traffic analysis | Google Analytics | USA and worldwide | https://policies.google.com/privacy?hl=en |
| Payment services | Stripe | UK and EEA | https://stripe.com/gb/privacy |
| Payment services | PayPal | UK and EEA | https://www.paypal.com/uk/legalhub/paypal/privacy-full |
| Payment services | Apple Pay | Worldwide | Legal – Apple Privacy Policy – Apple |
| Payment services | Google Pay | Worldwide | Privacy Policy – Privacy & Terms – Google |
| Event tickets booking service | TicketSource | UK | https://www.ticketsource.co.uk/kb/terms-of-use/data-processing-agreement |
| Email marketing | Mailchimp | USA and worldwide | https://mailchimp.com/legal/data-processing-addendum/ |
| Applicant tracking system | Healthbox HR | UK | https://www.healthboxhr.com/documents/HBHR%20-%20Privacy%20&%20Data%20Processing%20Policy%202025-01%20v2.pdf |
We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purpose of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.
In addition to the specific disclosures of personal data set out above, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Where required by data protection law, we will ensure that transfers of personal data to our services providers in other jurisdictions are protected by appropriate safeguards. These are detailed in the links above.
In addition to transferring and permitting our services providers to transfer personal data to the jurisdictions identified above:
You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In general, we will delete your personal data before the end of the applicable standard data protection period. Those periods, and the dates by reference to which they are calculated, are as follows.
| Data category | Retention period | Reference date |
| Contact and profile data | 7 years | Date of the most recent contact between you and us (although where processing is based on consent, we will delete the data if you withdraw that consent) |
| Communication data | 7 years | Date of communication |
| Data for publication (including any special category data) | 7 years | Last date of publication or, if later, the date of termination or expiry of our right to publish this data |
| Bookings data | 7 years | Date of booking |
| Donations data | 7 years | Date of donation |
| Payment card data | 7 years | Date of transaction |
| Applicant data – successful candidates | As per our employee privacy policy | As per our employee privacy policy |
| Applicant data – unsuccessful candidates | 6 months | Date of the determination that your application was unsuccessful |
| Website usage data | 14 months | Date of collection |
Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
In this table, we have summarised your legal rights with respect to your data.
| Your rights | What you can do |
| Right to access | You can ask for copies of your personal data |
| Right to rectification | You can ask us to rectify inaccurate personal data and to complete incomplete personal data |
| Right to erasure | You can ask us to erase your personal data |
| Right to restrict processing | You can ask us to restrict the processing of your personal data |
| Right to object to processing | You can object to the processing of your personal data |
| Right to data portability | You can ask that we transfer your personal data to another organisation or to you |
| Right to complain to a supervisory authority | You can complain about our processing of your personal data |
| Right to withdraw consent | If the legal basis of our processing is consent, you can withdraw that consent |
These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/
You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.
Our website includes hyperlinks to, and details of, third party websites.
In general, we have no control over, and are not responsible for, the privacy policies and practices of third parties.
Our website and services are targeted at adults. If we have reason to believe that we hold personal data of a person under 17 years of age in our databases, we will delete that personal data.
Please let us know if the personal information that we hold about you needs to be corrected or updated.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
You can find information about the cookies used on our website by visiting the cookies settings pages (from any page on our website, click on the cog in the bottom left corner).
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser and from version to version. You can obtain up-to-date information about managing cookies from your browser publisher.
Blocking all cookies will have a negative impact upon the usability of many websites.
If you block cookies, some features of our website (including the colour mode feature) may not work as intended.
We may update this policy from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this policy.
This website is owned and operated by The Grace Eyre Foundation.
We are registered in England and Wales under registration number 02806429, and our registered office is at Ground Floor West, Telecom House, 125-135 Preston Road, Brighton, BN1 6AF.
We are a registered UK charity (charity registration number 1020192).
You can contact us:
We are registered as a data controller with the UK Information Commissioner’s Office. Our data protection registration number is Z5812405.
The privacy officer is Jane Bettany and can be contacted via jbettany@grace-eyre.org or at Grace Eyre, Telecom House, 125-135 Preston Road, Brighton, BN1 6AF.