This policy was last updated 26 May 2023.
Who we are
Mermaids is a charity that has been supporting transgender, non-binary and gender-diverse children, young people, and their families since 1995.
Mermaids is registered as a charity with the Information Commissioner’s Office (Number 1160575) at Mermaids, Regus, Princes Exchange, 2 Princes Square, Leeds, LS1 4HY, [email protected].
How we collect personal data about you
We collect personal data in a variety of ways, which are set out below:
- Personal data you provide to us directly
You may provide personal data to us when making a donation, signing up to attend events, using our forum, signing up to receive email communications from us, contacting us via phone or email or otherwise using our services.
When you interact with our website, we collect your personal data by using “cookies” and other tracking methods. This personal data includes tracking data, browsing activities and patterns over time and across different websites.
- Personal data you may provide to us indirectly
There may be scenarios where we collect personal data about you that has been provided to us by a third party. This may occur if a friend or family member puts you forward for an event or an independent event organiser shares your personal data with us, such as third-party donation websites or organised charity runs.
We transfer any necessary documents, which may contain personal data, onto storage provided by third-party providers such as Google and Microsoft, who take technological measures to keep your personal data safe.
The personal data we collect about you
We may collect, use and store the following kinds of personal data:
- your name;
- your pronouns;
- your date of birth;
- your contact details;
- your address;
- general information about your situation and/or your health;
- notes from any call;
- equalities monitoring information;
- meal preferences;
- any reasonable adjustments necessary;
- if hosting younger people, we may collect next of kin data;
- information on taxpayer status to enable us to claim Gift Aid;
- information about activities/interaction on our website or social media platforms e.g. the device being used, IP address and location; and
- any other personal information you provide to us.
We may collect some forms of special category data, which includes information about your race or ethnicity, health, religious or philosophical beliefs, sexuality, sexual orientation, political opinions, trade union membership, and generic genetic and biometric data. We only collect this special category data where there is good reason to do so. You may wish to keep the call entirely anonymous and/or ask us not to keep a note of anything.
How we use your personal data
We use your personal data for many reasons, which include, but may not be limited to, the following:
- to process your donations;
- to sign you up to events;
- to enable your use of the forum;
- to keep a record of your relationship with us;
- to respond to or fulfil any requests, complaints or queries you make to us;
- to further our charitable objectives;
- to sign you up to receive email communications; and
- to contact you via phone or email or otherwise whilst using our services (e.g. helpline calls, volunteering, to enable us to claim Gift Aid on your donations where eligible, to support you in your fundraising efforts).
Legal basis for processing data
Data protection law ensures that every use of personal data is justified by a “legal basis”.
This legal basis requires clear consent to be obtained in order to process personal data for a specific purpose. We ensure we have obtained consent before collecting your personal data wherever necessary, for example for email, forum, and phone correspondence. You have the right to withdraw consent at any time.
- Legal Obligation
The processing is necessary for Mermaids to comply with the law. For example, we collect personal data in order to keep a record of donations for tax purposes and under anti-money laundering legislation.
The processing is necessary for a contract Mermaids has with the individual, or because you have asked us to take specific steps before entering into a contract.
- Legitimate interest
The processing is necessary for an individual’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests.
How we keep your information safe
We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. We ensure that only people who need to access the information have passwords in order to access it. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We ensure that all staff and volunteers are trained in data protection and confidentiality so that they understand how to protect personal data. We take other measures, such as only allowing access to those that need it, requiring passwords, using two-factor authentication when available and monitoring access to systems.
We store the required personal data, excluding credit card details, on our server for as long as needed to process the donation. We also keep any paper records locked away or under the supervision of a member of staff until digitised, after which they are destroyed.
How long we keep your personal data for
We will store your personal data for 6 years after your last contact with us, unless you ask us to delete it. We abide by any applicable legal, accounting, reporting or regulatory requirements which specify how long certain records must be kept.
Your forums account will be removed after 11 months of inactivity and all of your forums posts will be archived for 6 years. The forums team will email you beforehand to warn you that your account is due to be terminated due to inactivity. We keep your information in an archived form for 6 years after your last post or after you delete your personal data unless you exercise your rights (see Your rights below).
Disclosures of your personal data
We will only disclose your personal data in a few minimal ways. For example, if there is a safeguarding concern (this is standard with younger people, so that if you are at risk of serious harm, we may contact local emergency services to safeguard your life). Additionally, we can share some details with HMRC, or if the law necessitates sharing personal data. We may only share information with any venues or organisers that are running events for or with us. We only share the information that we need to share and will not share information such as gender information where this is not required. We may need to share your information with our various regulators such as the Charity Commission and Fundraising Regulator.
You have several rights over your data. If you want to do any of these things, please contact [email protected]. Please note that some of these rights are not guaranteed. For example, you can always ask for a copy of your data, but if you ask us to delete something that we have a legal obligation to hold (such as information about a donation) then we may not be able to comply.
- The right to be informed about the collection and use of personal data
We will tell you what we are doing with your information.
- The right to access personal data and supplementary information
You can request a copy of any personal data that we hold about you.
- The right to have inaccurate personal data rectified, or completed if it is incomplete
If you think that our records of your personal data are incorrect, inaccurate or incomplete, please let us know. We will correct any factually incorrect information.
- The right to erasure (to be forgotten) in certain circumstances
In some cases, you can ask us to delete your information. If this is not possible, we will explain why this is the case.
- The right to restrict processing in certain circumstances
You can ask us to stop using your data for certain purposes.
- The right to data portability, which allows you to obtain and reuse your personal data for your own purposes across different services
You can ask us for a copy of your data in a format that is machine-readable.
- The right to object to processing in certain circumstances
You can object to some of our processing.
- Rights in relation to automated decision making and profiling
We have to tell you if we are using any programmes to make automatic decisions about you – however, we do not do this.
If you have any complaints or concerns with regard to any personal data that Mermaids may hold about you or if you wish to exercise rights in relation to your personal data, please contact us via our Data Protection Officer at [email protected]. You also have the right to raise concerns with the UK Information Commissioner’s Office, which is the regulator for data protection matters. They can be contacted at ico.org.uk.