Privacy Policy (UK GDPR & Data (Use and Access) Act 2025) 

Last updated: June 2026 

This Privacy Policy explains how S.H.E. UK (“we”, “us”, “our”) collects, uses, shares and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA)

1. Who we are 

S.H.E. UK is the data controller for the personal data we process. 

Contact details 
Email: info@she-uk.org.uk 
Postal address: 1 Byron Street, Mansfield, NG18 5NX 

The CEO is the Data Protection Lead and may be contacted at the email address above. 

2. The personal data we collect 

We may collect and process the following categories of personal data: 

  • Identity data (e.g. name, title, date of birth where relevant) 
  • Contact data (e.g. email address, phone number, postal address) 
  • Account and login data (e.g. username, encrypted password, login history) 
  • Enquiry and correspondence data 
  • Event, training and booking information 
  • Service user content (e.g. documents made available to you, self-help or therapeutic materials accessed through your account) 
  • Service user records (e.g. session notes, progress monitoring, obtained feedback, safeguarding reports) 
  • Website usage and technical data (e.g. IP address, browser type, cookies) 

We may also receive personal data from third parties such as referral partners, event providers or professional advisers where this is necessary for delivering our services. 

We do not intentionally collect excessive or irrelevant personal data. 

3. How and why we use your data (lawful bases) 

Under UK GDPR and DUAA, we must have a lawful basis for processing your personal data. The table below explains how we use your data and the lawful basis relied upon. 

Purpose Type of data Lawful basis 
Responding to enquiries Identity, Contact Legitimate interests (providing information and support) 
Delivering events, training or services Identity, Contact, Booking Performance of a contract 
Providing secure access to service-user materials via login area Identity, Contact, Account data, Service user content Performance of a contract and/or Legitimate interests 
Safeguarding and organisational integrity Identity, Contact Recognised Legitimate Interests (DUAA) 
Website analytics and improvement Technical, Usage Legitimate interests or consent (where required) 
Legal and regulatory compliance Identity, Contact Legal obligation 

Where we rely on Recognised Legitimate Interests under DUAA, we ensure processing is necessary and proportionate and respects individuals’ rights and freedoms. 

We have completed a Legitimate Interests Assessment (LIA) for all processing based on legitimate interests. 

You may withdraw consent at any time where consent is the lawful basis for processing. 

4. Special category data 

Some service user information may include special category data, such as health or wellbeing-related information, where this is relevant to the support provided. 

We process special category data only where: 

  • it is necessary for the provision of services or safeguarding purposes; and 
  • an appropriate condition under UK GDPR applies (for example, explicit consent or substantial public interest), and 
  • appropriate technical and organisational safeguards are in place. 

5. How we share your data 

We may share personal data with trusted third parties such as: 

  • IT and website service providers 
  • Event or training delivery partners 
  • Professional advisers (e.g. legal, accounting) 

All third parties are required to respect the security of personal data and process it lawfully. 

We do not sell personal data. 

6. International transfers 

We do not routinely transfer personal data outside the UK. If we do, appropriate safeguards (such as adequacy regulations or standard contractual clauses) will be used. 

7. Data retention 

We keep personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting or safeguarding requirements. Retention periods are reviewed regularly. 

Examples include: 

  • Enquiry data: typically retained for 12 months 
  • Service‑user records: retained for 7 years – this is in line with legal, safeguarding and insurance requirements, and ensures we can respond appropriately to any future queries, concerns or complaints. 
  • Financial records: retained for 7 years in line with accounting rules and grant funder agreements 

8. Your rights 

You have rights under UK GDPR and DUAA, including: 

  • The right to be informed 
  • The right of access (Subject Access Request) 
  • The right to rectification 
  • The right to erasure 
  • The right to restrict processing 
  • The right to object 
  • The right to data portability 
  • The right to withdraw consent (where consent is used) 

Subject Access Requests (SARs) 

Requests can be made in writing using the contact details above. We may ask for proof of identity and, where necessary, additional information to help us locate the information you have requested.  

We will normally respond within one month. Where we reasonably require further information to identify you or clarify the scope of your request, the response period may be paused until that information is provided, in accordance with the Data (Use and Access) Act 2025 and applicable data protection legislation. 

We will conduct reasonable and proportionate searches for the personal information requested and will explain if any information cannot be provided because an exemption applies. 

There is normally no charge for making a Subject Access Request, although a reasonable fee may be charged where requests are manifestly unfounded, excessive or repetitive, as permitted by law. 

9. Automated decision-making 

Access to the login area and service-user materials may involve automated technical processes (such as authentication and access controls). However, we do not use automated decision-making or profiling to make decisions that have legal or similarly significant effects on service users. 

If this changes, we will update this policy and provide clear information about the logic involved and the safeguards available. 

10. Complaints 

If you have concerns about how we use your personal data, please contact us directly in the first instance either by phone (01623 622916) or email (info@she-uk.org.uk) . We will acknowledge complaints promptly and aim to respond within 30 days

If you are dissatisfied with our response, you also have the right to complain to the Information Commissioner’s Office (ICO)

Information Commissioner’s Office  
Wycliffe House, Water Lane,  
Wilmslow,  
Cheshire,  
SK9 5AF  
www.ico.org.uk 

11. Cookies and similar technologies 

Our website uses cookies to ensure it works properly and to support secure login functionality, as well as to understand how it is used. 

  • Strictly necessary cookies: required for core site functionality, including secure login areas 
  • Analytics cookies: help us understand how the website is used and improve it 

Where required by law, we will ask for your consent before placing non-essential cookies. You can manage cookie preferences through your browser settings. 

12. Children’s data 

Our services aren’t usually accessed by individuals under 18, however in the event of a safeguarding concern we may obtain data in line with our Safeguarding policy. We take additional care to protect children’s personal data and process it only where necessary, proportionate and appropriate, with safeguarding considerations in mind. 

Where consent is required, we will take reasonable steps to confirm parental or guardian authorisation. 

13. Changes to this policy 

We will review our privacy notice regularly and always to reflect changes in law or our practices. The latest version will always be available on our website.  

14. Contact us 

For questions about this Privacy Policy or how we handle personal data, please contact us using the details in section 1.

1 Byron Street, Mansfield,
Nottinghamshire
NG18 5NX