Privacy policy

We use your data for the following reasons and under these legal bases:

Deliver and manage our services

Responding to enquiries, assessing needs, providing support, signposting.

Legal basis: contract (if you use a service) or legitimate interests (to run our services safely and effectively).

Keep you safe

Acting where there is an immediate risk to life.

Legal basis: vital interests.

Communicate with you

Service updates, event info, responding to enquiries.

Legal basis: contract (to deliver our services), legitimate interests (to run our services safely and effectively), or consent (you can withdraw anytime).

Donations

Processing and thanking you for donations.

Legal basis: legitimate interests and legal obligation (for financial records).

Improve our services and report impact

Monitoring quality, evaluation, anonymised reporting to Board and funders.

Legal basis: legitimate interests.

Recruitment and volunteering

Selecting candidates, PVG checks, managing roles.

Legal basis: contract, legal obligation, and legitimate interests.

Website analytics

Understanding how people use our website.

Legal basis: consent (for non-essential cookies).

Special category data:
We only collect this where necessary for your support, equality monitoring, or with your explicit consent, or where the law allows it (for example, to keep you safe). You can choose not to provide equality monitoring information.

Criminal offence data (e.g., PVG checks):
We only process this where required by law and with appropriate safeguards.

We collect different types of information depending on how you interact with us. We only collect what we need.

• Name and contact details
• Access needs and support needs
• Background and service use history
• Health information (when it helps us support you)
• Equality monitoring (e.g., sexual orientation, gender identity, race, religion)
• Anonymised details for research, evaluation, and reporting
• Donation amount and method (we do not receive your full card or bank details—these are handled securely by our payment providers)
• Employment history, references
• PVG/Disclosure check details (criminal offence data) where required by law
• Cookie and analytics data (see cookies below)

Photo and video

We sometimes take photos, videos or audio recordings for promotional purposes. We will only do this with your clear consent. We will explain how the material will be used before we record anything, and you can withdraw your consent at any time.

We keep a record of necessary details to support you effectively.

Information used for monitoring and reporting is anonymised.

All personal information you share with us as part of using our services is treated as strictly confidential. We also follow the Gender Recognition Act (2005), which makes it a criminal offence to share protected information about a person’s gender history if you’ve learned it in an official role.

Some of the information we hold is legally and ethically sensitive. We keep it safe and secure, and only staff or volunteers who genuinely need access to it can see it. All staff and volunteers receive data protection training, and we carry out regular checks to make sure we are following our policies.

We will never publish anyone’s information in any directory without their written consent, and we will never share your information with other organisations for marketing, fundraising, or promotional purposes.

Paper records
Manual files that contain sensitive information are clearly marked as confidential and stored in locked filing cabinets. Only authorised employees can access them.

Digital records
Computer files containing sensitive information are password‑protected and stored on a secure drive with restricted access.

We use trusted third‑party services to help us deliver our services.

Data processors

They support our day‑to‑day services and can only use your information in the ways we tell them to. They must keep it secure.

We use processors for:

Service delivery

• Examples: referral forms, online meeting tools, live chat tools
  (e.g., Microsoft 365, LiveChat, Zoom)

Communication

• Examples: secure email platforms, event registration tools
  (e.g., Microsoft 365, Mailchimp)

Evaluation and feedback

• Examples: tools that collect survey responses
  (e.g., SurveyMonkey)

Website hosting and analytics

• Examples: platforms that host our website or help us improve it
  (e.g., WPEngine, Google Analytics)

Independent third‑party controllers

Some platforms process your information for their own purposes, like managing payments or running user accounts. They have their own privacy policies.

• Donation and fundraising platforms like Stripe and JustGiving
• Social media platforms like Meta and LinkedIn
• Design and publicity tools like Canva and CapCut (photos or recordings are only used with your consent).

Some providers may store data outside the UK/EEA. Where this happens, we make sure appropriate safeguards are in place (for example, standard contractual clauses).

We do not sell your personal data.

Transfer of information

We only keep your data for as long as we need it. In some cases, we must keep information for several years to meet our responsibilities as an employer, a charity and a service provider.

Service user records

Normally 1 year after you stop using a service. If there’s no contact for 2 years, we mark the record as “closed”. We keep a brief summary record so we can understand past use of our services.

Employee records

6 years after employment ends. After that, we keep only a short summary with job title, dates of employment, salary/hours, total sickness days in the final year, last known address.

Volunteer records

6 years after volunteering ends

Unsuccessful job applications

6 months after the closing date

Unsuccessful volunteer applications

3 years after we receive the application

Financial records (donations)

As required by law (typically up to 6 years)

Photos, videos and audio recordings

5 years after data of collection. If we’d like to use them after that, we will contact you to ask for your consent again.

Under UK data protection law, you have the right to:

• Be informed about how we use your data (that’s this notice)
• Access your personal data
• Rectify inaccurate or incomplete data
• Erase your data (in some cases)
• Restrict or object to processing (in some cases)
• Data portability (move your data)
• Withdraw consent at any time (for things like newsletters or use of your image)

To use your rights, email admin@lgbthealth.org.uk. We’ll respond within one month.

There may be times when we cannot provide certain information, for example if doing so would reveal someone else’s personal details. In these cases, we will seek advice from the Information Commissioner’s Office to make sure we protect everyone’s rights.

We use cookies to make our website work and to understand how it’s used.

• Essential cookies: needed for the site to work.
• Analytics cookies (e.g., Google Analytics): help us understand visits, pages viewed, and device/browser types.

You can accept or reject non‑essential cookies using the cookie banner. You can also control cookies in your browser settings

For more information, visit: www.allaboutcookies.org.

Our site may link to other websites. We aren’t responsible for their content or privacy practices. Please check their privacy policies.

If you’re unhappy with how we handle your data, please contact us first so we can try to resolve it.

Data Controller
LGBT Health and Wellbeing
Address: 4 Duncan Place, Edinburgh, EH6 8HW
Email: admin@lgbthealth.org.uk
Phone: 0131 564 3970

Data Protection Officer
Mark Kelvin, Chief Executive
Email: mark@lgbthealth.org.uk
Phone: 0131 564 3970

You can also complain to the Information Commissioner’s Office (ICO):
Address: Queen Elizabeth House, Sibbald Walk, Edinburgh, EH8 8FT
Email: scotland@ico.org.uk
Phone: 0303 123 1115