Privacy policy

1. Introduction

Plan of Action (“we”, “us”, “our”) is committed to ensuring that your personal information is handled fairly, lawfully and securely, in accordance with UK data protection law. This Privacy Policy explains:

  • What information we collect and why
  • How we use your information
  • How long we keep it
  • Who we share it with
  • Your rights regarding your data

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We also follow relevant guidance for charities from regulators such as the ICO and Charity Commission to ensure best practices. We never sell your personal data or share it for others’ own marketing purposes.

If you have any questions about this policy or how we use your data, please contact us using the details in the Contact Us section below.

2. Who we are

Plan of Action is a registered charity in the UK (charity number: 1213028). Our mission is to support and advocate for those affected by the loss of a baby before 24 weeks of pregnancy, with a focus on providing information and raising awareness (particularly about the impact on men), and supporting relevant research. For the purposes of data protection law, Plan of Action (address: 4th Floor Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB) is the “data controller” for the personal information collected through our website and services. This means we determine how and why your personal data is processed.

Data Protection Officer: We do not have a mandated Data Protection Officer, but we take privacy seriously. For any queries about data protection compliance, you can email us at privacy@planofaction.org.uk. We will be happy to assist you.

3. What is Personal Data?

“Personal data” means any information that relates to an individual who can be identified from that data (either by itself or when combined with other information). In this policy, when we refer to personal data, it can include obvious identifiers like your name or email, as well as less direct identifiers like an IP address or information about your health or experiences. Some personal data is considered “special category” (sensitive) under the law – for example, information about health, racial or ethnic origin, or religious beliefs. We explain below when we might collect sensitive data and how we protect it.

4. The Information We Collect

We only collect personal information that we need for the purposes described in this policy. The data we hold about you will depend on how you interact with us, but it may include:

Contact details: Name, email address, postal address, telephone number or other contact information (for example, when you subscribe to our newsletter or contact us).

Correspondence: Any personal details or messages you provide when contacting us (e.g. by email, contact form, or post), such as queries or stories you share. This could include sensitive information you volunteer – for example, details about a pregnancy loss or your emotional well-being. We treat such information as confidential and handle it with special care.

Donation information: If you support us by making a donation, we collect information necessary to process that donation. This may include your contact details, donation amount, and donation method. Note: We use third-party payment or fundraising platforms for donations (see Third-Party Platforms below), so we do not receive or store your full payment card details. We may receive confirmation of your payment and limited details (e.g. your name, contact, donation amount, and any message) from the platform for our records.

Subscriptions and preferences: Records of your opt-ins for our newsletter or campaigns, and your communication preferences (e.g. whether you’ve agreed to receive marketing emails).

Event or research participation data: If you register for an event, campaign or research project we organise (or co-organise), we may collect information such as your registration details and any requirements (for example, accessibility or dietary requirements for an event). For research studies that we coordinate with partners, we might collect relevant personal data (with your consent) such as your experience related to our cause, to share with the research team – see Data Sharing with Partners below.

Special category data: You might choose to provide information that is considered sensitive, such as details about your health or medical history (for example, information about a miscarriage or other pregnancy-related data) or about your racial/ethnic background, if relevant to our support services. We will only collect and use this kind of information with your explicit consent or where it’s absolutely necessary (for instance, if you explicitly request support that involves sharing health information). We ensure such sensitive data is protected with extra security and only used for the specific purpose you provided it.

Technical and usage data: When you use our website, we collect information about your visit via cookies and analytics tools. This may include your IP address, browser type, pages viewed, the time and date of visits, and how you navigate our site. This data helps us understand how people use our website and improve its performance. (See Cookies & Analytics below for more details.)

We do not usually collect or process any financial information like credit card numbers or bank details directly – any online donations are handled by secure third-party providers on our behalf. We also do not actively collect any data about you from third-party data brokers or marketing agencies.

How We Collect Data

We collect personal data in a few ways:

Automatically: Some data is collected automatically when you interact with our website or emails. For instance, we use cookies and analytics to gather technical information as described above (e.g. IP address, device type, and usage patterns). We may also note whether you open or click links in the emails we send, to help us gauge engagement. This kind of data is usually collected in aggregate and isn’t used to identify you by name.

Directly from you: Most data is provided by you – for example, when you fill in a form on our site, sign up for our newsletter, correspond with us via email, or participate in an event or survey.

Through third-party platforms: We may receive your information from external platforms that you use to engage with us. For example, if you make a donation via GiveWP on our website or via a fundraising site like JustGiving, those platforms will pass along your details to us so we can record and acknowledge your donation. Similarly, if you sign up for one of our events through an event partner or platform, or fundraise for us via a third-party website, they might send us relevant information (such as your name, amount raised, or contact information). We only use this data for the purposes it was provided (e.g. to thank you or support your fundraising) and we ensure any third-party platform has lawful grounds to share your data with us. Please check the privacy notices of such third-party services for details on how they handle your data.

5. How We Use Your Information

We will only use your personal data for the specific purposes we explain in this policy, and we will not use it in any way that is incompatible with those purposes. In particular, we use the information we collect to:

Provide support and respond to you: If you contact us for advice, information or support, we will use your details and any information you give us to respond to you appropriately and carry out any actions you request. For example, if you email us about coping with a loss, we will use your message details to provide information or signposting in reply. We may also keep a record of this correspondence.

Send newsletters and updates (with your consent): If you subscribe to our newsletter or updates, we will use your name and email to send you the communications you have requested. These may include news about our charity’s work, information resources, upcoming events, and ways to get involved or support us. We will only send you marketing or promotional emails if you have actively opted in. You can unsubscribe at any time (each email will include an “unsubscribe” link, or you can contact us to remove you from the list). We may occasionally also send postal updates if you have provided your mailing address and consented to such contact.

Fundraising and donor support: If you donate to us or fundraise for us, we use your information to process and acknowledge your donation, to claim Gift Aid (if applicable), and to keep appropriate records for accounting and legal purposes. For example, UK charities are required to keep donor details for Gift Aid claims (which we submit to HMRC as a legal obligation). We may also use your contact information to thank you for your support or to invite you to future fundraising opportunities, but we will respect any communication preferences you have expressed.

Volunteer or event management: If you volunteer with us or sign up for an event or campaign, we use your data to coordinate your involvement. This can include communicating logistical details, providing training or resources, and ensuring any specific needs are met (e.g. accessibility requirements for an event).

Collaborative research: Fulfilling our mission includes supporting research into the effects of baby loss. If you express interest in participating in research we are involved in (for example, a study run by a partner university), we will use your information to liaise with you about the project. With your consent, we might share relevant details with the research organisers (see Data Sharing with Partners below). We may also use aggregated, anonymised information from our community to help guide research priorities (for instance, understanding what topics are most asked about by our service users, without identifying anyone personally).

Improve our website and services: We use data about how visitors use our website (collected via cookies and analytics) to help improve user experience and the content we provide. For example, understanding which pages are most visited or where users spend time helps us refine our information resources. This usage data is generally analysed in aggregate form. We may also use feedback or input you provide (e.g. through surveys or user research) to improve our offerings.

Internal administration and operations: Personal data is also used for day-to-day operational purposes within the charity. This includes maintaining our contact databases, keeping records of communications, managing consents and preferences, and ensuring our IT systems are secure. If you are a trustee, staff member, or volunteer, we will use your data for administration related to your role.

Ensure safety and comply with legal obligations: If you share information that raises safeguarding concerns (for example, indications of self-harm, risk to children or vulnerable individuals), we may need to use and possibly share that information to protect someone’s vital interests (see Safeguarding below for more). Additionally, we use personal data to meet legal requirements: for instance, retaining records for financial audits, complying with charity regulations, preventing fraud, or responding to lawful requests from authorities. We will also use your data to enforce our legal rights or to protect our rights or the rights of others when necessary.

Any other purpose that we specifically notify you of and, if required, obtain your consent for: We will not use your personal information for new or unrelated purposes without informing you. If we ever need to use your data for a purpose not covered by this policy, we will explain it to you and, if the law requires, ask for your permission.

We do not engage in any automated decision-making or profiling that has legal or significant effects on individuals. In other words, we do not make solely-automated decisions about you (without human involvement) and we do not profile you in ways that intrude on your privacy (such as wealth screening or targeted advertising based on your data). Any analysis we do (like looking at email open rates or website usage) is to help us improve our outreach overall, not to single out individuals.

Third-Party Tools and Automation

To run our operations efficiently, we use a few trusted third-party services and tools. We ensure any third-party service provider we use is carefully vetted for strong data protection practices. In all cases, when we use third-party processors, they only act under our instructions and we remain responsible for safeguarding your data. We have agreements in place to ensure they protect your information to GDPR standards and keep it confidential.

Key tools we use include:

Email and Newsletter Services: We use Mailchimp (an email service provider) to manage our mailing lists and send out our email newsletters. This means that if you subscribe to our emails, your name and email address may be stored on Mailchimp’s servers. Mailchimp is a US-based company, but we have a data processing agreement with them and rely on appropriate safeguards (like standard contractual clauses) to protect any data that may be stored or processed outside the UK (see International Transfers below). Mailchimp only uses your data to send our communications as instructed and will not use it for their own purposes.

Analytics: We may use tools like Google Analytics to understand how visitors use our website. These tools operate by setting cookies (small text files) on your device to collect internet log information and visitor behavior information in an anonymous form. The information collected (such as IP address and browsing info) is transmitted to the analytics provider (e.g. Google) and compiled into statistical reports for us. This helps us see overall trends (for example, which pages are most popular). We do not allow Google (or similar analytics providers) to identify you or to use the data for their own advertising or other services. You can opt out of Google Analytics by using a browser add-on if you prefer, and you can control cookies as described in Cookies & Analytics.

Automation and AI tools: We sometimes use automated tools to help with internal workflows. Notably, we may use OpenAI’s ChatGPT or similar AI-based services to assist in summarising or categorising incoming queries and messages. For example, if we receive a large or complex email seeking support, an AI tool might be used to draft a summary or to suggest useful resources, which our team can then review. This helps us respond more efficiently, but no final decisions or replies are sent without human review. When using such tools, we are careful about the data we input – we avoid including unnecessary personal details, and we use the tool only to accomplish tasks we’ve set (like getting a summary). Any third-party AI service we use is bound by contract or terms to maintain confidentiality of your data and not to use it for any purpose other than providing the service to us. We will obtain your consent before processing any particularly sensitive personal information using these tools (for instance, our policy is to ask for your permission if we ever wanted to process a sensitive query through an AI summariser). If you prefer that we not use such tools with your information at all, you can let us know and we will accommodate that.

Embedded Content from Other Websites

Some pages on this site include embedded content (such as videos, images, or articles). Embedded content from other websites behaves in the same way as if you had visited the other website directly.

Embedded YouTube Videos: We embed videos from YouTube using privacy-enhanced mode when possible. YouTube (a Google service) may process personal data (such as your IP address) on servers located outside the UK and EEA, including in countries not deemed to provide an adequate level of protection. By viewing embedded content, you agree to this processing.

6. Legal Bases for Processing

We will only collect and use your personal data when we have a lawful basis to do so under data protection law. Depending on the activity, we may rely on one or more of the following legal grounds:

Consent: We rely on consent for certain processing activities. For example, we will only send you marketing emails (newsletters, updates) if you have given clear consent by subscribing. Similarly, if you provide us with sensitive personal information (such as details about your health or experiences), we will usually ask for your explicit consent to use that information to support you. You have the right to withdraw your consent at any time (see Your Rights below).

Contract: If you request a service from us, or otherwise enter into an agreement or engagement with us, we may process your data as necessary to fulfill that contract or agreement. For instance, if you ask us to send you certain information or resources, or if you sign up to attend an event, we consider that we have an implied contract to provide what you asked for, which requires us to use your contact information and any relevant details.

Legitimate Interests: We may process your data as needed for our legitimate interests, provided those interests are not overridden by your data protection rights. “Legitimate interests” means we have valid organizational reasons to use your data in ways you would reasonably expect, with minimal privacy impact. For example, it’s in our legitimate interests to understand how our website is used so we can improve it, or to keep basic notes on interactions with service users to provide continuity of support. We may also rely on legitimate interests for certain fundraising activities or supporter communications (especially with people who have an existing relationship with us), ensuring we always balance our interests with your rights and interests. You have the right to object to processing based on legitimate interests (see Your Rights).

Legal Obligation: We will process personal data when necessary to comply with our legal obligations. This includes charity law requirements and other regulations. For example, we must keep certain transaction records for financial auditing and Gift Aid claims (HMRC requires retention of donor details for Gift Aid). We may also have legal obligations to disclose information to authorities in specific circumstances (such as safeguarding concerns or fraud prevention). If we are required by law to process or disclose your data, we will only do so to the extent that the law demands.

Vital Interests: In rare cases, we may need to process or share personal information to protect someone’s life or serious health (their “vital interests”). An example might be if a person we are in contact with is in imminent danger and unable to give consent – we might need to share information with medical services or police. This is an uncommon basis and would only apply in extreme, life-threatening situations.

Public Task/Substantial Public Interest: As a charity, some of our work (such as safeguarding vulnerable individuals or advancing health-related research) might be considered a task in the public interest or within certain specific public interest conditions under the Data Protection Act 2018. We would rely on this only if relevant – for instance, processing special category data without consent for safeguarding purposes can be done under a substantial public interest condition (protecting children or adults at risk). We will always ensure any such processing is lawful and necessary.

Special Category Data: If we process sensitive personal data (e.g. health or ethnicity information), we will ensure we have an additional lawful basis under Article 9 UK GDPR. Usually this will be your explicit consent, unless another condition applies (such as vital interests in an emergency, or the data being manifestly made public by you). For our activities related to support following baby loss, explicit consent will be our primary basis for any health-related information you share with us.

If you have questions about the legal basis for any specific processing of your data, feel free to contact us for more information. Typically, however, our aim is to rely on consent or clear legitimate interests for most of our interactions with you, and legal obligation for necessary record-keeping.

7. Cookies & Analytics

Our website uses cookies and similar technologies to ensure it works smoothly and to help us understand how people are using it. Cookies are small text files placed on your device by websites you visit.

To manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and related consents, we use the consent tool “Real Cookie Banner”. Details on how “Real Cookie Banner” works can be found here. The legal bases for the processing of personal data in this context are Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. Our legitimate interest is the management of the cookies and similar technologies used and the related consents. The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide the personal data. If you do not provide the personal data, we will not be able to manage your consents.

When you first visit our site, you will be given the option to accept or reject non-essential cookies. You can always change your preference by adjusting your browser settings to refuse cookies or delete cookies set. Please note, disabling all cookies might affect some features of the site, but you will still be able to read content. You can also use browser extensions to opt out of Google Analytics tracking if you wish.

We use the following types of cookies:

Necessary cookies: These make our site function correctly (for example, remembering your cookie preferences or allowing you to use features like forms). The site cannot function properly without these cookies, so they are always active.

Analytics cookies: These cookies help us understand how visitors engage with our site. We use analytics (like Google Analytics) to collect information such as which pages are visited, how long people stay, and what links are clicked. This data is aggregated and does not directly identify you. It helps us improve the structure and content of our website. We do not use analytics cookies unless you have given consent where required. (In any case, you can disable analytics cookies without affecting core site functionality.)

Our site includes social sharing buttons from AddToAny. These buttons do not set cookies themselves but may connect to third-party services (like Facebook or X) when clicked. Use is optional, and your browser privacy settings apply.

8. Who We Share Your Data With

We treat your personal data with care and confidentiality. We do not share or disclose your information to third parties unless it is necessary for the purposes described in this policy, or we have a legal obligation or your permission to do so. We never sell your information to other organisations, and we do not share it for others’ independent use (such as their own marketing). However, there are some situations where we need to share data with others in order to carry out our work or comply with the law. These include:

  • Service providers (“data processors”): Like most charities, we use third-party companies and contractors to perform certain tasks on our behalf. For example, we use external providers for website hosting, email newsletter distribution (Mailchimp), payment processing, cloud data storage, and IT support. We only share the information that is necessary for them to perform their services. They must act only on our instructions and cannot use your data for their own purposes. We have data processing agreements in place with such providers requiring them to protect your data to GDPR standards. Examples of our processors include our web hosting company (which may process site visitor IP addresses in server logs) and our email service (Mailchimp) which holds the email list.
  • Donation and payment platforms: If you donate through third-party platforms (such as GiveWP on our site, JustGiving, PayPal, or Stripe for card payments), your data will be processed by those platforms. They will then share some information with us (e.g. your name, contact, donation amount, and whether you want to hear from us) so we can record and acknowledge your donation. We might also share data back with them if needed – for instance, confirming a donation or providing reporting. Rest assured, these platforms are also required to protect your data. Please review their privacy policies when you use them (for example, JustGiving’s privacy policy on their website) to understand how they treat your information.
  • Research or event partners: In line with our charitable aims, we sometimes collaborate with other organisations (such as universities or healthcare institutions) on research studies or events. If you sign up to participate in a research project or joint event, we may need to share your details with our partner organization running that project. For example, we might share a list of event registrants with a co-hosting institution, or provide your contact information to a university research team if you have agreed to be contacted for a study. We will make clear at the time what data will be shared and with whom. Such partners will be vetted and likely have their own legal obligations to protect your data (often they will be separate data controllers, especially in the case of academic research). We will only share what is necessary and will usually do so with your knowledge and consent (e.g., by you signing up or opting in for that specific collaboration). One example: if we partner with the University of Birmingham on a study about miscarriage experiences, and you volunteer for that study via us, we would share your contact details and relevant survey responses with the university researchers to facilitate the study. In these cases, the research partner will use your data only for the agreed purposes and will not contact you for unrelated reasons.
  • Advisors and auditors: We may share information with professional advisors (such as legal counsel or accountants) and auditors if needed for compliance, legal advice, or financial auditing. These parties are bound by confidentiality. For instance, our auditors might review donor records as part of confirming our accounts, or a solicitor might need details of a communication if it’s relevant to legal action.
  • Law enforcement and legal requirements: If we are under a duty to disclose or share your personal data to comply with a legal obligation, we will do so. This could include situations such as: responding to court orders or subpoenas, providing information to law enforcement for crime prevention or investigation, or sharing information with regulatory bodies (e.g. the Charity Commission or ICO) if required. We may also share data to enforce or apply our own rights or agreements, or to protect the rights, property, or safety of our charity, our service users, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection or credit risk reduction, where applicable.
  • Safeguarding and emergency situations: If a significant safeguarding concern arises (such as a risk of serious harm to an individual), we may share information with appropriate authorities (for example, the police or social services) to ensure the safety of those involved. We will normally inform you if we need to share your information in such a case, unless doing so could increase the risk of harm (see Confidentiality & Safeguarding below for more on this).

In all cases of sharing, we adhere to the principle of data minimisation – only the necessary information is shared, and nothing more. We also ensure that anyone we share data with is obligated to handle it securely and lawfully. All our suppliers and contractors that process personal data must sign agreements upholding strict data privacy requirements, and we only work with organisations that meet the provisions of UK GDPR. We periodically review our partners’ compliance as needed.

If there are any other instances of sharing not covered above, we will explain them at the point we collect your information or obtain your consent as required. Remember, you have the right to know who has your data, and we’re happy to provide more detail on the specific third parties we use if you ask.

9. International Data Transfers

Plan of Action is based in the UK, and generally we prefer to store personal data on servers located in the UK or European Economic Area (EEA) when possible. However, some of our service providers are located, or store data, outside of the UK. For example, as noted, we use Mailchimp for email newsletters, which may involve data being stored on U.S. servers, and we use other cloud-based tools that might involve international data transit.

When we do transfer personal data outside of the UK (or outside the UK/EEA region), we take steps to ensure adequate protection of your information. These steps may include:

  • Verifying if the destination country has an “adequacy decision” by the UK government. An adequacy decision means the UK has determined that the country’s data protection laws offer a similar level of protection to UK/EU laws. If so, your data can flow to that country just as it would within the UK.
  • If no adequacy decision is in place (for example, transfers to the United States currently require extra safeguards), we will use Standard Contractual Clauses (SCCs) or equivalent legal agreements as approved by the UK ICO. These are contractual commitments that the recipient of the data must adhere to, to ensure your data is protected to a high standard.
  • We may also assess any additional technical and organisational measures needed on a case-by-case basis. For instance, we might enable encryption for data in transit, limit what data is transferred, or require our providers to store data in certain regions when feasible.

By using our services or submitting your personal data to us, you understand that your data might be transferred and stored outside your country of residence under the safeguards described. We will always strive to protect your data no matter where it is processed, in line with this privacy policy and applicable laws.

If you would like more information about the specific safeguards in place for any international transfer of your personal data, please contact us (see Contact Us section).

10. Data Retention

We will not hold your personal data for longer than necessary for the purposes we collected it. How long we keep information depends on the type of information and the purpose. We have an internal retention schedule that sets standard retention periods for different categories of data. Below are some general guidelines.

Contact inquiries: If you get in touch with us for support or information, we may retain the correspondence and our response for a certain period (for example, up to 2 years) in case you contact us again or for our records of how we assisted you. This helps us provide continuity and also allows us to review common issues raised. However, if the correspondence contains very sensitive information, you can request for it to be deleted sooner and we will do so unless we have a compelling reason to retain it.

Newsletter subscriptions: We will keep your email on our mailing list until you unsubscribe or we notice prolonged inactivity. If emails to you bounce or you do not engage for a long time, we may remove you as part of list cleaning. In our current practice, we remove inactive newsletter subscribers after about 24 months of no engagement. You can also unsubscribe at any time, and we will promptly remove you from the list.

Donation and financial records: We keep donation records (including donor name, amount, date, and Gift Aid status if applicable) for at least the minimum time required by law. In practice, this is generally 7 years from the end of the financial year in which the last transaction occurred, to comply with HMRC auditing and accounting rules. Some records may be kept longer if needed for ongoing administrative purposes (for example, if you make a pledge for a future donation). Gift Aid declarations themselves are usually kept for 6 years after the last donation on the declaration, as required by HMRC.

Event or volunteer data: If you register for an event or volunteer, we will keep your details for the duration of that event or volunteering position. After the event or your volunteering ends, we may retain relevant information for a short period (e.g. a year or two) in case of follow-up events or reports. We may also be required to keep attendance records for safeguarding or insurance purposes for a certain time. Any unnecessary data will be deleted after the event concludes. For volunteers, basic information about your role and tenure might be kept indefinitely for our archival/historical records (e.g., listing of past volunteers), but we will delete personal contact details when no longer needed.

Research participation data: If you take part in a research study, we will inform you of the retention period for that specific study’s data (often the research partner’s privacy notice will cover it). Any personal data we collect for research (e.g., a survey response) will either be anonymised (so individuals are not identifiable) or deleted after the research concludes, unless you consent to us retaining it for future research follow-up.

Technical data: Analytics data is typically retained for a limited period (Google Analytics, for example, might retain aggregated website data for 26 months by default). We do not store raw server logs beyond the short term unless investigating security issues.

When the retention period expires or the data is no longer needed, we will either securely delete your personal information or anonymise it (so it can no longer be linked to you). For example, we might aggregate data for statistical purposes, stripping out personal identifiers.

If you unsubscribe or ask us to erase your information, we will delete the personal data we hold about you promptly, unless we are required to keep it for a lawful reason. In some cases we might retain a minimal record of your opt-out (such as your email address on a “do not contact” list) to ensure we honor your no-contact request in the future.

11. Information Security

We take the security of your personal data seriously. We have implemented appropriate technical and organisational measures to protect your information from unauthorized access, loss, or misuse. These measures include:

Secure storage: Personal data is stored on secure servers. For physical documents (if any), we keep them in locked cabinets or secure premises. Digital access is protected by passwords and, where possible, encryption.

Access control: Only personnel who need to process your data have access to it, and they are trained on data protection. We limit the access rights of our people based on their role (a principle of least privilege).

Encryption: We use encryption technology for transferring sensitive information online. For instance, our website uses HTTPS (secure SSL/TLS encryption) to ensure data entered is encrypted in transit. If we ever need to share particularly sensitive data with third parties, we use encrypted channels or password protection as appropriate.

Policies and training: We maintain internal policies on data protection and cybersecurity. Our team is educated about the importance of confidentiality and we regularly review our practices. For example, we have rules about using strong passwords and not downloading personal data onto unsecured devices.

Regular backups: We perform regular backups of critical data to prevent loss. Backup data is also stored securely.

Third-party security: When using third-party services, we assess their security measures too. We choose reputable providers (for example, larger providers like Mailchimp and Google have robust security practices and certifications) and have clauses in our contracts requiring them to protect your data.

Incident response: We have a procedure to follow in the event of a data breach or security incident. If any personal data is ever compromised, we will act quickly to mitigate it and, where required by law, inform you and the ICO of the breach.

Please note that while we strive to protect your information, no website, database or transmission is completely secure. We cannot guarantee absolute security of data, especially data transmitted over the internet. However, we do our best to prevent any breach. You also play a role in keeping your data safe: for example, if we give you (or you create) a password to access certain resources, please keep it confidential and do not share it.

If you suspect any unauthorized access to or misuse of your information, please contact us immediately.

12. Children’s Data

Our website and services are not directed to children under 16. We do not knowingly collect personal data from children under the age of 16. If you are under 16, please do not provide any information about yourself to us (including your name, address, or email). If we become aware that we have received personal information from a child under 16 without parental consent, we will delete that information as soon as possible.

For young people aged 13–15 who engage with Plan of Action (for example, a teenager seeking information on how to support their family, or participating in a campaign with parental permission), we advise that a parent or guardian should supervise and consent to any data provided. If we know someone is under 16, we will generally seek parental/guardian consent or approval for any significant data collection or involvement in activities.

We also will not knowingly communicate directly with a person under 16 for marketing purposes.

If you are a parent or guardian and believe we may have inadvertently collected information about a child, please contact us so we can ensure it’s removed.

13. Confidentiality & Safeguarding

We understand that many who come to us may be dealing with sensitive and personal issues. We are committed to maintaining confidentiality for our service users. This means that information you share with us is kept private within the organisation, and only used for the purposes of providing you support or services, except in certain important situations outlined below.

Safeguarding override: If we have reason to believe that you or someone else (for example, a child or vulnerable adult) is at serious risk of harm, we have a duty of care to take action. In such cases, protecting individuals’ welfare may take priority over confidentiality. For example, if you share information indicating that you intend to self-harm seriously, or that a child is being abused, we may need to share details with appropriate authorities or emergency services to prevent harm. We will limit what information is shared to only what is necessary for the protection of those at risk.

Where possible and safe to do so, we will inform you of our need to escalate a concern. In a typical scenario, we would discuss with you what steps we feel are needed and get your consent to share information. However, if we believe that informing you or delaying action could increase the risk to someone’s safety, we might proceed without prior notification. We will always handle such situations with sensitivity and follow applicable safeguarding policies and laws.

Apart from urgent safety concerns, we treat your personal information as confidential. All staff and volunteers are bound by confidentiality agreements. If we discuss your case internally (for example, to get guidance on how best to support you), we do so discreetly and only among those who need to know.

14. Your Rights

Under data protection law, you have several important rights regarding your personal data. We want to make sure you are fully aware of all of your rights, which include:

Right to be informed: You have the right to be given clear and transparent information about how we use your personal data – that’s the aim of this Privacy Policy and any related notices.
Right of access: You have the right to request a copy of the personal data we hold about you, as well as information about how we process it. This is commonly known as a “Subject Access Request”. We will provide you with a copy of the information in a commonly used format, normally within one month of your request (unless the request is complex and allows for a longer period).
Right to rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected or updated. Upon your request, we will rectify any errors.
Right to erasure: You have the right to have your personal data erased (the “right to be forgotten”) in certain circumstances. For instance, if the data is no longer necessary for the purpose we collected it, or if you withdraw consent and there is no other legal ground for us to keep it, or if you object to processing and we have no overriding reason to continue, you can request deletion. Please note this right is not absolute – sometimes we may need to retain certain information for legal reasons (for example, we cannot delete records we are required to keep by law, such as certain donation records, until those obligations lapse). But we will inform you if that is the case.
Right to restrict processing: You have the right to ask us to restrict or “pause” the processing of your personal data in certain circumstances. This could apply if you contest the accuracy of the data or if you want to prevent us from using the data while a complaint is being resolved. When processing is restricted, we can still store your data but will not use it until the issue is resolved (unless it’s to address legal claims or protect someone’s rights).
Right to data portability: For data that you have provided to us and is processed based on your consent or under a contract, you have the right (if technically feasible) to have that data sent directly to you or to another organisation in a structured, commonly used, machine-readable format. This is intended to allow you to reuse your data across different services. This right typically applies to data held electronically.
Right to object: You have the right to object to our processing of your personal data in certain situations. You can always object to your data being used for direct marketing purposes – if you object, we will stop using your data for that purpose promptly. You can also object if you feel our use of your data is not justified by a “legitimate interest” or if processing is for research/statistical purposes and you have grounds to object. We will honor objections unless we have a compelling overriding reason to continue (in which case we will explain that to you).
Rights related to automated decision-making: As noted, we do not make any significant decisions about you using purely automated means without human involvement. If we ever did, you would have the right to not be subject to a decision based solely on automated processing that significantly affects you, and to request human intervention.
Right to withdraw consent: If we are processing your data based on your consent, you have the right to withdraw that consent at any time. For example, you can unsubscribe from our emails, or if you gave consent to use your testimonial on our website, you can change your mind. Withdrawing consent will not affect the lawfulness of any use of your data that occurred before you withdrew, but once consent is withdrawn we will stop the specific activities that were based on consent.
Right to complain: If you have any concerns or complaints about how we handle your data, we encourage you to contact us first so we can address them. However, you also have the right to lodge a complaint with the UK’s independent regulator, the Information Commissioner’s Office (ICO). The ICO can be contacted at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or by phone at 0303 123 1113. More information is available on the ICO’s website: ico.org.uk.

To exercise any of your rights, please get in touch with us (see Contact Us below). We may need to verify your identity before fulfilling certain requests, to ensure we don’t disclose data to the wrong person. We will respond to requests within one month, as required by law, and will inform you if we think an extension of time is necessary. Generally, we will not charge a fee for handling a request, unless it is manifestly unfounded or excessive (in which case, we may charge a reasonable fee or refuse the request – but we will explain our reasoning).

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make any significant changes, we will post the updated policy on our website with a new “last updated” date. If the changes are substantial, we may also notify you by other means, such as by email or a notice on our homepage, to ensure you are aware of them.

We encourage you to review this policy periodically to stay informed about how we are protecting your information. Any changes will become effective when the revised Privacy Policy is posted on our site. Your continued use of our services after any updates constitutes your acknowledgment of the changes.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out to us. We are here to help and appreciate the opportunity to address your concerns.

Contact details for data queries and requests:

Email: privacy@planofaction.org.uk
Postal Address: Privacy Officer, Plan of Action, 4th Floor Silverstream House, 45 Fitzroy Street, London W1T 6EB, United Kingdom.

We will do our best to assist you promptly and courteously. If you contact us to exercise a data right, please provide enough information to verify your identity (e.g., your name and the email/address you used with us) and clarify the request.

Thank you for reading our Privacy Policy. Your trust is very important to us, and we are committed to safeguarding your personal information while carrying out our mission.
