Privacy policy

1. Purpose

1.1 Unlimit Health (formerly known as “SCI Foundation” or “SCIF”) is a registered UK charity (registered company number 11775313 and registered charity number 1182166) with registered office address at Edinburgh House, 170 Kennington Lane, London, SE11 5DP. Unlimit Health is committed to protecting the privacy and security of your personal information.

1.2 This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the applicable data protection legislation (including the Data Protection Act 2018 and the General Data Protection Regulations, referred to as the “GDPR”).

1.3 Unlimit Health is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

1.4 This notice applies to members of the public who donate to Unlimit Health. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.

1.5 It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

2. Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

1. used lawfully, fairly and in a transparent way;

2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;

3. relevant to the purposes we have told you about and limited only to those purposes;

4. accurate and kept up to date;

5. kept only as long as necessary for the purposes we have told you about; and

6. kept securely.

3. The kind of information we hold about you

3.1 Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

3.2 There are “special categories” of more sensitive personal data which require a higher level of protection.

3.3 We may collect, store, and use the following categories of personal information about you:

Contact and communications information, such as:

• your contact details;

• your communication preferences;

• records of communications and interactions we have had with you.

Biographical information, such as:

• your name, gender, title, nationality and date of birth;

• your family and partner/spousal details;

• your professional activities and employment, including work contact details;

• information you have publicly shared on social media including your image.

Financial information, such as:

• your donation history, including gift amount, purpose, date, method of payment, cheque numbers or other payment references;

• your bank account number, name and sort code (used for processing Direct Debits);

• tax status and Gift Aid declaration information;

• details of financial transactions e.g. event tickets purchased;

• our assessment of your ability and willingness to make donations, including considerations of income;

• donations to other organisations.

Technical data, such as:

• internet protocol (IP) address;

• your login data;

• browser type and version;

• time zone setting and location;

• browser plug-in types and versions;

• operating system and platform and other technology on the devices you use to access this website.

Usage data, such as the information on how you use our website.

3.4 We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregate Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

3.5 We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences in relation to our visitors.

3.6 Please note that we do not collect or store any credit/debit card details in our database if you have used these in transactions with Unlimit Health.

3.7 Research, profiling and ‘wealth screening’

To ensure that our communications are relevant to you and your interests and to assess your likely ability to make, and interest in making, donations to Unlimit Health, we may use additional information such as geographical information and measures of affluence where available from external sources to assist us. This will be a combination of publicly available information, for example drawn from company resources and news media, with what you have provided to us, such as past donations and career information. We may use the services of external screening/profiling companies, and publicly available data from social media sites like LinkedIn, Facebook and Twitter, depending on your privacy settings and/or interaction with us.

3.7.1 This may be carried out by automated or manual processes and enables us to better understand you as our supporter and make appropriate requests for support. A list of publicly available sources of information used by Unlimit Health for the purposes detailed is available on request.

3.7.2 If you do not wish Unlimit Health to undertake this activity, please email our Data Protection Compliance Manager at dpo@unlimithealth.org

3.7.3 Please note that before seeking or accepting donations of £10,000 and above we are required to conduct a minimum level of due diligence, including reviewing publicly available personal data relating to criminal convictions and offences. Due diligence is conducted in accordance with the Unlimit Health Fundraising Policy and Counter Fraud, Anti-Bribery and Anti-corruption Policy.

4. How is your personal information collected?

4.1 We collect most of the personal information about you through direct interactions with you while you are making a donation, and/or subscribing to a mailing list.

4.2 Automated technologies or interactions – As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, serverlogs and other similar technologies.

4.3 Third parties or publicly available sources – We may receive personal data about you from various third parties and public sources as set out below:

• Technical Data from the following parties: analytics providers, advertising networks and search information providers;

• Contact, Financial and Transaction Data from providers of technical and payment services;

• Identity and Contact Data from data brokers or aggregates;

• Identity and Contact Data from publicly available sources such as Companies House.

5. How we use information about you and the legal basis for processing your data under the GDPR

5.1 We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• where we need to perform the contract we have entered into with you or in order to take steps at your request prior to the entry into a contract;*

• where we need to comply with a legal obligation;**

• where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;***

• where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;****

• where it is necessary in order to protect your vital interests or someone else’s vital interests;*****

• where you have consented to the processing.******

5.2 In the next section we have indicated by asterisks the purpose or purposes for which we are processing or will process your personal information.

6. Situations in which we use your personal information

6.1 We need all the categories of information included in paragraph 3 of this policy primarily to allow us to perform our contract with you(*), as part of a process in providing you a service which you have requested(******) and to enable us to comply with legal obligations(**). In some cases, we may use your personal information to pursue legitimate interests of ours, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed in paragraph 6.2 of this policy.

6.2 This data is used by Unlimit Health to support a full range of activities for and in relation to our supporters. These include:

• providing you with information about our work and our activities. This might include sending you publications, e-newsletters, invitations to events and details of fundraising opportunities (****);

• conducting surveys, focus groups and other research (****);

• internal record keeping, including the management of any feedback or complaints (******);

• administrative purposes e.g.regarding a donation you have made or an event you have registered for or attended (*);

• furthering our charitable objectives, including to help us raise money or by asking you to donate money to Unlimit Health (****);

• transferring to HM Revenue and Customs in respect of any Gift Aid claims (**);

• wealth screening, profiling and research to gain a better understanding of our supporters, inform our fundraising strategy and target our communications more effectively and appropriately (****); and

• to sending you our newsletter or information about the work of Unlimit Health as further explained in paragraph 7 of this policy (******).

6.3 Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

7. Mailing list

7.1 Unlimit Health provide emails about stories, events, fundraising activities, and newsletters. The below information explains how we use your personal data when you sign up to our mailing list.

7.2 If you opt-in to receiving emails, we will ask for your:

• first and last name; and

• email address.

7.3 Our legal basis for processing your personal data for the purposes of sending you emails is based on your consent – by consenting to receiving emails you are giving us permission to process your personal data specifically for the purpose of sending you emails.

7.4 You may withdraw consent at any time by clicking unsubscribe on any email or by asking to be removed from the mailing list by emailing info@unlimithealth.org.

8. If you do not provide personal information

If you do not provide certain information when requested, we will not be able to contact you to keep you updated on our work or perform the contract we have entered into with you. We will however inform you when such actions will occur.

9. Change of purpose

9.1 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

9.2 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

10. Data sharing

10.1 We may have to share your data with third parties, including third-party service providers where required by law, where it is necessary to administer the relationship with you or where we have another legitimate interest in doing so.

10.2 “Third parties” includes third-party service providers (including contractors and designated agents). The following activities are carried out by third-party service providers: Torchbox, who assist us with our Google ads, SEO and analytics, ThirdLight, who host our photo library, WordPress, who provide our website platform, Ethical Digital Studio who host and provide support for our website, MailChimp (whose legal name is The Rocket Science Group LLC) who provide tools that assist us with email distribution to our subscribers, and Raiser’s Edge, a fundraising and relationship management solution.

10.3 We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business and operations of Unlimit Health. We may also need to share your personal information with a regulator or to otherwise comply with the law.

10.4 Except as explained above, we will not share your information with anyone, unless where required by law, where it is necessary to administer our relationship with you or where we have another legitimate interest in doing so.

10.5 We require third parties to respect the security of your data and to treat it in accordance with the law.

10.6 We may transfer your personal information outside the EU.

10.7 If we do, you can expect a similar degree of protection in respect of your personal information.

10.8 All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

11. Data security

11.1 We have put in place measures to protect the security of your information.

11.2 Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

11.3 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

11.4 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

12. Data retention – How long will you use my information for?

12.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different records Unlimit Health holds are available in our Data Retention Policy. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In this case, we expect to retain your personal information for 6 years.

12.2 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

13. Rights of access, correction, erasure, and restriction

13.1 Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

13.2 Your rights in connection with personal information

13.2.1 Under certain circumstances, by law you have the right to:

• request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

• request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

• request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);

• object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;

• request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;

• request the transfer of your personal information to another party.

13.2.2 If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Unlimit Health Data Protection Compliance Manager in writing.

13.2.3 No fee usually required – You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

13.2.4 What we may need from you – We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

13.2.5 Right to withdraw consent – In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Unlimit Health Data Protection Compliance Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

14. Data Protection Compliance Manager and Regulator

14.1 We have appointed a Data Protection Compliance Manager to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Compliance Manager at:

Unlimit Health Data Protection Compliance Manager

Edinburgh House

170 Kennington Lane

London SE11 5DP

e-mail: dpo@unlimithealth.org

14.2 You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

15. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Cookies

16. Cookies

16.1 Cookies are small pieces of data that are used to optimise your browsing experience. Below is a list of the types of cookies we use on our site.

16.2 Analytics and performance cookies – These cookies collect information about how you interact with our site and count visits and traffic sources. They enable us to measure and improve the performance of our site and help us identify which pages are the most and least popular. This data is completely anonymous but you can disable these cookies.

Cookie name	Duration	Purpose
_ga4	2 years	Track visitor sessions and interactions on the site
_gid	24 hours	Used to differentiate users.
_gat	Same day	Used to throttle request rate.
_fbp	3 months	Tracks visitor sessions and interactions on the site
_ga	Same day	Used to differentiate users

16.4 Targeting and marketing cookies – These may be set through our site by our advertising partners, such as Facebook Pixel and Google Analytics. We use data from Google’s Remarketing and Advertising Reporting features to collect interest and demographics-based advertising or thirdparty audience data (such as age, gender and interests) to inform our marketing strategy. This data and the cookies active on our site are used to deliver ads relevant to you in and outside of our site and measure the effectiveness of social media advertising. They also limit the number of times that you see an ad and help us measure the effectiveness of our marketing campaigns. It’s never our intention to spam you, just to provide you with content we think you’d like to see. They do not store any personally identifiable information and expire after 90 days.

16.5 You can turn off all these cookies at any time. This can be done through the settings of your browser. If you do, you may notice that the site doesn’t work as well and you may not be able to use every service.

16.6 To opt out of any Google Analytics features used on this site, you can use Google Analytics’ opt-out tool.