Last updated: June 2026
This Privacy Policy explains how S.H.E. UK (“we”, “us”, “our”) collects, uses, shares and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA).
1. Who we are
S.H.E. UK is the data controller for the personal data we process.
Contact details
Email: info@she-uk.org.uk
Postal address: 1 Byron Street, Mansfield, NG18 5NX
The CEO is the Data Protection Lead and may be contacted at the email address above.
2. The personal data we collect
We may collect and process the following categories of personal data:
- Identity data (e.g. name, title, date of birth where relevant)
- Contact data (e.g. email address, phone number, postal address)
- Account and login data (e.g. username, encrypted password, login history)
- Enquiry and correspondence data
- Event, training and booking information
- Service user content (e.g. documents made available to you, self-help or therapeutic materials accessed through your account)
- Service user records (e.g. session notes, progress monitoring, obtained feedback, safeguarding reports)
- Website usage and technical data (e.g. IP address, browser type, cookies)
We may also receive personal data from third parties such as referral partners, event providers or professional advisers where this is necessary for delivering our services.
We do not intentionally collect excessive or irrelevant personal data.
3. How and why we use your data (lawful bases)
Under UK GDPR and DUAA, we must have a lawful basis for processing your personal data. The table below explains how we use your data and the lawful basis relied upon.
| Purpose | Type of data | Lawful basis |
| Responding to enquiries | Identity, Contact | Legitimate interests (providing information and support) |
| Delivering events, training or services | Identity, Contact, Booking | Performance of a contract |
| Providing secure access to service-user materials via login area | Identity, Contact, Account data, Service user content | Performance of a contract and/or Legitimate interests |
| Safeguarding and organisational integrity | Identity, Contact | Recognised Legitimate Interests (DUAA) |
| Website analytics and improvement | Technical, Usage | Legitimate interests or consent (where required) |
| Legal and regulatory compliance | Identity, Contact | Legal obligation |
Where we rely on Recognised Legitimate Interests under DUAA, we ensure processing is necessary and proportionate and respects individuals’ rights and freedoms.
We have completed a Legitimate Interests Assessment (LIA) for all processing based on legitimate interests.
You may withdraw consent at any time where consent is the lawful basis for processing.
4. Special category data
Some service user information may include special category data, such as health or wellbeing-related information, where this is relevant to the support provided.
We process special category data only where:
- it is necessary for the provision of services or safeguarding purposes; and
- an appropriate condition under UK GDPR applies (for example, explicit consent or substantial public interest), and
- appropriate technical and organisational safeguards are in place.
5. How we share your data
We may share personal data with trusted third parties such as:
- IT and website service providers
- Event or training delivery partners
- Professional advisers (e.g. legal, accounting)
All third parties are required to respect the security of personal data and process it lawfully.
We do not sell personal data.
6. International transfers
We do not routinely transfer personal data outside the UK. If we do, appropriate safeguards (such as adequacy regulations or standard contractual clauses) will be used.
7. Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting or safeguarding requirements. Retention periods are reviewed regularly.
Examples include:
- Enquiry data: typically retained for 12 months
- Service‑user records: retained for 7 years – this is in line with legal, safeguarding and insurance requirements, and ensures we can respond appropriately to any future queries, concerns or complaints.
- Financial records: retained for 7 years in line with accounting rules and grant funder agreements
8. Your rights
You have rights under UK GDPR and DUAA, including:
- The right to be informed
- The right of access (Subject Access Request)
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
- The right to data portability
- The right to withdraw consent (where consent is used)
Subject Access Requests (SARs)
Requests can be made in writing using the contact details above. We may ask for proof of identity and, where necessary, additional information to help us locate the information you have requested.
We will normally respond within one month. Where we reasonably require further information to identify you or clarify the scope of your request, the response period may be paused until that information is provided, in accordance with the Data (Use and Access) Act 2025 and applicable data protection legislation.
We will conduct reasonable and proportionate searches for the personal information requested and will explain if any information cannot be provided because an exemption applies.
There is normally no charge for making a Subject Access Request, although a reasonable fee may be charged where requests are manifestly unfounded, excessive or repetitive, as permitted by law.
9. Automated decision-making
Access to the login area and service-user materials may involve automated technical processes (such as authentication and access controls). However, we do not use automated decision-making or profiling to make decisions that have legal or similarly significant effects on service users.
If this changes, we will update this policy and provide clear information about the logic involved and the safeguards available.
10. Complaints
If you have concerns about how we use your personal data, please contact us directly in the first instance either by phone (01623 622916) or email (info@she-uk.org.uk) . We will acknowledge complaints promptly and aim to respond within 30 days.
If you are dissatisfied with our response, you also have the right to complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
www.ico.org.uk
11. Cookies and similar technologies
Our website uses cookies to ensure it works properly and to support secure login functionality, as well as to understand how it is used.
- Strictly necessary cookies: required for core site functionality, including secure login areas
- Analytics cookies: help us understand how the website is used and improve it
Where required by law, we will ask for your consent before placing non-essential cookies. You can manage cookie preferences through your browser settings.
12. Children’s data
Our services aren’t usually accessed by individuals under 18, however in the event of a safeguarding concern we may obtain data in line with our Safeguarding policy. We take additional care to protect children’s personal data and process it only where necessary, proportionate and appropriate, with safeguarding considerations in mind.
Where consent is required, we will take reasonable steps to confirm parental or guardian authorisation.
13. Changes to this policy
We will review our privacy notice regularly and always to reflect changes in law or our practices. The latest version will always be available on our website.
14. Contact us
For questions about this Privacy Policy or how we handle personal data, please contact us using the details in section 1.






