Mermaids is a registered charity (Number 1160575) at Suite 4, Tarn House, 77 The High Street, Yeadon, Leeds LS19 7SP, [email protected]mermaidsuk.org.uk. We are registered with the Information Commissioner’s Office, 

We use information about you (your ‘personal data’) for many reasons, which we will talk about below. Information about what to do to if, for example, you want to make a complaint or ask us for your information is at the bottom of this policy.  

  • Helpline calls (including calls to the legal support service)

    What are we doing? When you call our helpline, we take an initial note on paper of any information that you are happy for us to have. You can keep the call entirely anonymous if you like, or just ask us not to keep a note of anything. If we do take a note, we then put the information into a database called Charitylog and we destroy the paper note. 

    What is the information? If we do keep a note of anything, it will whatever you are happy to give us. This might include your name, contact details, general information about your situation and sensitive information about your situation and your health. 

    Where do we keep it? We keep notes on paper because we need to be able to write while we speak. But we then move the notes to a system called Charitylog. This is all kept in the UK. 

    How do we keep your information safe? Only people who need to see the information, in case you contact us again, can access this through their own passwords. Unless there are exceptional circumstances, any notes on paper are destroyed within 4 hours of us writing anything down and transferring the information onto Charitylog. In all cases notes will be destroyed as soon as possible. 

    How long do we keep it for? We keep your information for 6 years after your last contact with us, unless you ask us to delete it.

    Who do we share it with? We do not share your information with anyone unless you ask us to. Some rare exceptions are if there is a safeguarding concern (this is standard with younger people, so that if you are at risk of serious harm, we may contact local emergency services to safeguard your life). 

    What is our legal basis for doing this? We collect this information with your consent. We also hold this information in order to defend legal claims. 

  • Mermaids emails

    What are we doing? If you email us asking for information, support or advice, we receive your email, allocate it to a trained volunteer or a member of staff and reply to it. Sometimes, if our reply has sensitive information in it, we sent the reply to you encrypted (so that it is protected on its journey from our email to yours, and makes it difficult for anyone else to read it). We put information about our emails into a database called Charitylog.

    What is the information? This might include your name, contact details, general information and sensitive information about your situation and your health.

    Where do we keep it? The information is kept in our email system, which is in G Suite. We use Hiver to manage the joint mailbox (so all of our helpline staff and volunteers can reply to your email as soon as possible. We encrypt email using a service called RMail (which does not store your email contents, but does store some information about the email). Your data is kept in the UK and the USA.

    How do we keep your information safe? We have contracts with all the services that we use and have looked into their security measures to ensure that they are taking all steps to keep the information safe. We ensure that all staff and volunteers are trained in data protection and confidentiality so that they understand how to protect information. We take other measures, such as only allowing access to those that need it, requiring passwords and monitoring access to systems. 

    How long do we keep it for? We keep the information until 6 years have gone by since our last contact. After that, records are deleted. 

    Who do we share it with? We do not share your information with anyone unless you ask us to. Some rare exceptions are if there is a safeguarding concern (this is standard with younger people, so that if you are at risk of serious harm, we may contact local emergency services to safeguard your life).

    What is our legal basis for doing this? We collect this information with your consent. We also hold this information to defend any legal claims.

  • Donations

    What are we doing? We accept donations via the website, these can be one-off donations or recurring amounts.

    What is the information? In order to accept donations we must capture some personal information. The financial transaction is processed by Stripe with no credit card information being stored on our server. As a donor you will be able to opt into GiftAid, should you do so we may have to pass on some of your personal information to HMRC in order to claim the contribution. It will be your responsibility to fulfil any requirements relating to your own changes in tax status or liability.

    Where do we keep it? We store the required personal information, excluding credit card details, on our server for as long as needed to process the donation. This information will be retained for six years unless you request it be removed sooner. If you choose to opt into our marketing program, we may share your email address with a third-party in order to keep you informed from time to time.

    How do we keep your information safe? Information about your donations is transferred to us via a notification email but is not publicly available via the website.

    How long do we keep it for? We keep information for 6 years, as we need to keep all financial information for at least this long. We do not store any data relating to your bank cards on our server.

    Who do we share it with? We can share some details with HMRC, but we otherwise do not share your information with anyone unless the law forces us to. 

    What is our legal basis for doing this? There is a legal obligation to keep a record of donations for tax purposes and under anti-money laundering legislation.

  • Events and residential retreats

    What are we doing? We run events that are mostly free to attend. 

    What is the information? Depending on the event, we might need to collect some basic information such as name and contact details in order to administer the event. If we do something different, we will let you know on any form we ask you fill in. We can also collect some equalities monitoring information, meal preferences, reasonable adjustments, etc. When we host younger people, we may collect information such as next of kin. 

    Where do we keep it? We keep information on paper forms and then transfer this onto G Drive or in emails. Where we arrange the event via EventBrite, we will delete it annually. 

    How do we keep your information safe? We keep any paper records locked away or under the supervision of a member of staff. G Drive and EventBrite take technological measures to keep your information safe. We ensure that only people who need to access the information have passwords in order to see it. 

    How long do we keep it for? We keep information for 6 years.

    Who do we share it with? We may only share information with any venues or organisers that are running events for or with us. We only share the information that we need to share and will not share information such as gender information where this is not required. 

    What is our legal basis for doing this? If you are paying for an event, we do this to fulfil the contract. If the event is free, we do it to support individuals with a medical condition, which is one our aims. 

  • Merchandise

    What are we doing? We are selling Mermaids merchandise on our website. 

    What is the information? In order to process an order the online facility will collect some basic information such as name and address. Your payment will be processed by Stripe, we do not store any credit card information whatsoever on our servers.

    How do we keep your information safe? All online order take place via a secure server and the financial transaction aspect of your purchase is handled by Stripe which is a separate entity to Mermaids.

    Where do we keep it? Your order details are collected over an encrypted connection and stored on our server.

    How long do we keep it for?  We keep your details for as long as necessary to process your order, we will periodically remove this data from our server, typically every three months but should you want your information removed sooner you can get in touch and we will do so.

    Who do we share it with? Your order details are shared with a third party, InkThreadable, who will fulfil your order and will in turn will share your delivery address and name with a shipping company in order to deliver the merchandise.

    What is our legal basis for doing this? If you are paying for a product, we do this to fulfil the contract. 

  • Forum

    Our forum is currently hosted on IO.Groups and Facebook. We are currently building a new system where privacy and security will be our main focus. Privacy information for IO.Groups and Facebook are available on those websites. 

  • Your rights

    You have several rights over your data. If you want to do any of these things, please contact [email protected]. Please note, that some of these rights are not guaranteed. For example, you can always ask for a copy of your data, but if you ask us to delete something that we have a legal obligation to hold (such as information about a donation), then we may not be able to comply. 

    The right to be informed We will tell you what we are doing with your information

    The right of access You can ask us for a copy of your data. 

    The right to rectification If you think that our records on you are wrong, please let us know. We will correct any factually incorrect information. 

    The right to erasure In some cases you can ask us to delete your information. 

    The right to restrict processing You can ask us to stop using your data for certain purposes. 

    The right to data portability You can ask us for a copy of your data in a format that is machine-readable

    The right to object You can object to some of our processing

    Rights in relation to automated decision making and profiling We have to tell you if we are using any programmes to make automatic decisions about you – however, we do not do this. 

  • Marketing

    We will only send you electronic marketing messages, by email, SMS or social media where your consent has been asked for and you have indicated that you want to receive these from time to time. You can opt out at any time by contacting us or unsubscribing.

    We will market to you by email or by using Blackbaud Online Express, which is compliant with the Data Protection Act and GDPR.

  • How we use cookies

    A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

    We use traffic log cookies to identify which pages are being used. We use cookies to collect information about your browsing activities over time and across different websites following your use of our services. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

    Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

    You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. In some circumstances, this will prevent you from taking full advantage of the website.

    You can find more information about cookies and how to manage them at http://www.allaboutcookies.org/

  • Links to other websites

    Our website will, in some circumstances, contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

  • Changes

    Any material changes we make to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.

  • Complaints and Concerns

    In the first instance, please address any complaints to [email protected] as we may be able to assist you more speedily. However, you also have the right to raise concerns with the Information Commissioner’s Officer, which is the regulator for data protection matters. It can be contacted at www.ico.org.uk.