Welcome to the Stroke Association's privacy notice.
The Stroke Association respects your privacy. We are committed to protecting your personal information and to being transparent about the information we hold about you. This privacy notice explains how we use and keep your personal information safe, tells you about your privacy rights and how the law protects you.
This privacy notice has multiple sections you can click through. If you have any questions or wish to contact us, please get in touch.
Purpose of this privacy notice
This notice explains what personal information we collect about you, how we use it and how long we will keep it for.
Why and how we collect your personal data
You might give us your personal information when you request a service or are referred to us by the NHS for stroke support services, sign up to an event, fundraise for us, or even simply by using our website.
When we collect your personal information, there is always a reason behind it. In addition, we will only ask you for sensitive personal data (also known as special category personal data), for example, health information, when there is a clear reason for doing so and we will tell you what that reason is.
It is important that you read this privacy notice so that you fully understand how and why we are using your personal information. On specific occasions, we may provide you with additional privacy notices. We will make it clear when you need to be aware of this, as this privacy notice supplements the other notices and is not intended to override them.
Controller (who we are)
The Stroke Association (a company limited by guarantee, registered in England and Wales (No. 61274) and registered as a charity in England and Wales (No 211015), in Scotland (SC037789), in Northern Ireland (XT33805), Isle of Man (No 945) and Jersey (NPO 369)) is the controller and responsible for the use of your personal information for the purposes set out in this notice.
This includes our trading arm Stroke Association (Trading) Limited with registered company number (00898941). Our Trading company’s main activities are retailing and commercial development (for example running our online shop and entering into commercial agreements).
Stroke Association and Stroke Association (Trading) are both controllers of your personal information. They each have different roles, but some activities they undertake overlap and personal data may be shared between them for certain purposes. This privacy notice applies to both controllers, and you can contact us both using the details set out in this notice.
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please get in touch with us.
The information we collect about you
‘Personal information’ means any information about an individual from which they can be identified. The personal information we collect allows us to provide services to people affected by stroke. It also helps us to better understand our supporters and improve how we engage, communicate and fundraise, campaign and influence national policies for the benefit of all those affected by stroke.
We strongly believe your personal information needs to be safeguarded and protected. As long as you share it with us, we are its guardian. We take steps to collect only what is necessary and we do this for different purposes, but all with one goal in mind: to improve the lives of stroke survivors and their families. Here is a list of the type of personal information we currently use:
- Identity Information you give to us – this includes your full name and title, username, date of birth, gender and email address (if relevant).
- Contact and Financial Details including a billing address, telephone number and your bank account and payment card details.
- Transaction History of your interactions with us. This will include any donations, Gift Aid, events you have participated in, the services you requested, your interests, preferences, feedback and survey responses and how you use our website and services.
- Health Information necessary for providing support services for individuals affected by stroke or to enable you to participate in events which help you to reduce your risk of a stroke or involve risks to your health.
- Technical Information which allows us to confirm what browser you are using, the internet protocol (IP) address and computer operating systems that are being used, your login data and other technology on the devices you use to access our website.
- Marketing and Communications Preferences for receiving information from us about our support services, research, campaigning, volunteering and fundraising activities (including ways to donate) and how you would like us to communicate with you.
- Usage Data – this includes information about how you use our website, products and services.
We also collect, use and share statistical or demographic information, which is known as ‘Aggregated Data’. This information does not directly or indirectly reveal your identity and therefore by law, it is not offered the same protection as your personal information. For example, we may aggregate information about how our website is used to calculate how many people are accessing a specific website page, so we can see where improvements need to be made. However, if we use any ‘Aggregated Data’ in combination with your personal information, it can directly or indirectly identify you.
To make sure this is safe, we will treat this combined information the same way we treat your personal information and will only use it in accordance with this privacy notice.
Data protection law recognises that certain categories of personal information are more sensitive, such as details about health, race, religious beliefs and political opinions. These are known as Special Categories of Personal Data. We do not usually collect such information about our supporters unless there is a clear reason for doing so (for example, participating in a marathon, where it is necessary to ask about conditions affecting your health to provide appropriate facilities and support, and/or where this is necessary to enable us to protect vulnerable individuals from fundraising or communications which they may find upsetting or overwhelming).
We collect Health Information if you are a stroke survivor or carer receiving a support service, if you tell us about your stroke experiences (for example by calling our helpline or volunteering with us), or if you participate in our Stroke Prevention Programmes such as the “Know Your Blood Pressure” scheme. However, we will always make it clear to you when we collect this information, what information we are collecting and why.
If you don’t want to share your personal information with us
If you don’t want us to use your personal information, please be aware that we may have to stop providing you with our support or other services, and you may not be able to engage with us or participate in our activities (such as campaigning, volunteering and fundraising activities (including donating)). We will let you know if this is the case.
However, we will keep any personal information we are required to in accordance with legal requirements or tax and accounting rules.
Keeping your information accurate
It is important to us that the personal information we hold about you is accurate and up-to-date. Please tell us if there are any changes to your personal information during your relationship with us. You can do this easily by getting in touch with us.
How is your personal information collected?
We collect personal information from and about you through:
Direct interactions. You may give us certain information (e.g. your Identity Information, Contact and Financial Details and Health Information) by filling in forms (in person or via our website) or by corresponding with us by post, phone, email or otherwise. This includes personal information you provide when you:
- request a service (including our support services, clubs and groups)
- purchase our products;
- sign up for or attend an event;
- make a donation to or campaign with us;
- create an account on our website;
- subscribe to our services or publications;
- request marketing information to be sent to you;
- engage with us on social media or message boards;
- enter a competition, promotion or survey; or
- give us feedback on our work
Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources as set out below:
- Identity Information and Contact Details from individuals who might provide your information to us, for example, if they nominate you for a Life After Stroke award, or you are their carer, emergency contact, relative or next of kin;
- Identity Information, and Contact and Financial Details from third party organisations with whom we fundraise in partnership (for example, when you sign up for an event (such as the London Marathon) or fundraise for us through a third party). Please contact us for a list of the organisations we work with for fundraising;
- Identity Information, Contact and Financial Details, and Health Information from third party organisations to whom you gave permission to share your details with us, including the NHS or charities. For example, when you are referred to us by the NHS to receive our support services, when you buy a product or service, register for an online competition or sign up with a comparison website;
- Technical Information from analytics providers such as Google based outside the UK and European Economic Area (EEA); advertising networks such as Facebook based outside the UK and EEA; and search information providers such as Google based outside the UK and EEA;
- Contact, Financial and Transaction History from providers of technical, payment and delivery services such as JustGiving based in the EEA; and
- Identity Information and Contact and Financial Details from data brokers or aggregators such as Royal Mail based in the UK and from publicly available sources such as Companies House and the Electoral Register based in the UK, as well as from general sources such as newspaper articles and social media posts.
Why we use your personal information
We will use your personal information only for specific purposes and where we have taken steps to ensure we respect your privacy. We will never sell your personal information to other organisations.
Here are the main reasons why we use your personal information:
When we provide a service to you
Stroke Support Services
We offer services across various pathways through our Stroke Recovery Service, the Caring and You programme, Post-Stroke Reviews, Communication Support, Emotional Support, the Moving Forward After Stroke programme, My Stroke Guide and Life After Stroke Grants and Awards.
When a referral is made to our Stroke Support Service we receive personal information from the referrer including ethnicity and health information about you, and contact information about your nominated carer, emergency contact or next of kin. We use this personal information to contact you and provide you with support and prevention services.
You can make a self-referral to our services. In this case, we obtain personal information directly from you, your carer or family member.
Personal information collected or obtained as part of a referral is used for the purposes of providing care and support by email, post, telephone and social media.
If appropriate we will also send fundraising communication about our charity to you by post.
To provide these services, we rely on the legal basis (see below) of legitimate interest and the provision of health and social care services for providing stroke recovery services. You can obtain more information on this by contacting us.
We also use information which does not identify you (anonymised data) to understand more about the effects of stroke, so we can improve our services, report to commissioners and monitor the availability, impact and quality of our services in different regions across the country.
Your personal information and details of the support received will be recorded and stored securely on our database. These are used to keep a record and to provide you with ongoing support and care by email, telephone and post.
Where appropriate, we will seek your permission before sharing your personal information with any third party for their own use, for example, the NHS or another service provider, unless we are legally permitted to do so without your permission (for example, in a safeguarding referral where you may be at risk of harm).
If you change your mind and no longer want to receive support from us, you can withdraw from our stroke support services at any time by contacting us.
Stroke Support Helpline (Helpline)
Our Helpline service provides guidance, support and signposting to internal and external support services. Our Helpline Officers can help you, your carer or family member with emotional support and practical guidance on living everyday life after stroke.
When you contact our Helpline, we collect personal information about you including information about your health or the individual on whose behalf you have made the call. We ask that you have the individual’s permission before providing their personal information to us.
You can choose not to provide us with personal information about yourself, in which case we will support you as best as we can.
Your personal information and details of your enquiry will be recorded and stored securely on our database for the purposes of progressing your query and/or providing you with ongoing support.
Where appropriate, we will seek your permission before sharing your personal information with any third party for their own use, for example, the NHS or another service provider, unless we are legally permitted to do so without your permission (for example, in a safeguarding referral where you may be at risk of harm).
When you join our campaigns network, we use your personal information to advocate on matters specific to you or other general issues using the most appropriate legal basis relevant to the campaign.
If we need to share your personal information, including health information with other organisations or individuals to resolve an issue, we will inform you of this and obtain your consent where appropriate.
You can withdraw from campaigns at any time by contacting us.
Clubs and Groups
Clubs and Groups are peer support services providing one-to-one support, practical help, advice, and a listening ear. Some Clubs and Groups are part of our charity; other Groups are independent groups that are affiliated to us.
Clubs and Groups are available to every member of the public and are aimed at building and creating a network of support and encouragement in living your best life after stroke.
We will use your personal information to inform you of community clubs and group events near you.
If you join one of our own groups, your personal information including health data is used to provide you with ongoing support and advice. We will use your personal information to comply with our legal obligations, for example, our obligations relating to health and safety and safeguarding.
If you express a wish to join one of our affiliated groups, we may pass your contact details to them. Affiliated groups are independent from us and are data controllers in their own right. They will process your personal data in accordance with their own policies.
When you support or donate to our cause
If you take part in one of our fundraising events, we will use your personal information to contact you about event participation and your fundraising including information about how your donation has helped support stroke survivors.
As a donor or supporter, we also use your personal information to:
- give you the services, products or information about our charity;
- receive and process your donations (including gift aid donations, legacy gifts, in-kind and regular donations for which you may have set up a direct debit);
- manage the relationship with us when you support us as a volunteer;
- manage our relationship with philanthropy givers and trust organisations;
- manage events, competitions or surveys you take part in and provide you with relevant updates;
- pay for a will where you have used our free will scheme service;
- manage your legacy gift to us; and
- provide you with information about stroke services and new research developments and/or information about how you can get involved through volunteering, campaigning, donating or fundraising for us. We only contact you with this information by email, text message or telephone if you have given us your consent.
If you sign up to stay connected, we will use your preferred mode of communication (email or telephone) to provide information about future fundraising events, products and campaigns.
However, if you have provided us with your postal address, we will send you information by post unless you have previously told us not to. We do this in compliance with data protection laws and on the legal basis of legitimate interest (see below).
You can tell us about changes to your preference for receiving information or opt out of receiving information by post by contacting us or using the link in our email communications.
We will not use your personal information to send you information about our services or fundraising activities if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you for these purposes.
If you use your credit or debit card to donate to us or buy something over the phone or by post, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. You can find out more information about PCI DSS here.
We do not store your credit or debit card details once we have completed your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your card details.
If you make a credit or debit card payment on our website, the transaction is processed by our suppliers PayPal or Stripe. PayPal and Stripe are separate controllers of your personal information, so we recommend you read their privacy notices carefully which can be found here (for PayPal) and here (for Stripe).
If we receive an email containing any credit or debit card details, it will be deleted, no payment will be taken and you will be notified about this.
If you make a donation by direct debit, we will store your bank details securely in order to process your payments.
Profiling and Analysis of your Personal Information
We may also carry out analysis of the personal information we collect about you and add publicly available information to create a profile of your interests and preferences. This is so we can contact you in the most appropriate way and with the most relevant information, which enables us to raise funds sooner and more cost-effectively.
We do this on the basis of our legitimate interests (see section 5 below), having undertaken an assessment that our approach does not unduly impact on your rights and freedoms, and is not too intrusive.
If we consider you may be interested to donate to our work, we may analyse your personal information to create a record of your interests and preferences, to allow us to ensure that communications (e.g. by post, telephone, email, text or social media) are appropriate and relevant, and to generally provide you with an improved user experience.
When we participate in social media marketing, we may provide your email address, telephone and address to social media platforms or third party agents to exclude you from supporter generation campaigns (where you have indicated you do not wish to be contacted), to create ‘lookalike’ audiences (whereby your information is used to identify people who may share similar interests with you on social media) and/or to enable us to display adverts to you as an existing supporter when you access certain media platforms such as Facebook.
This is to enable us to use our charitable funds in the most appropriate and cost-effective way, and ensure you are only provided with information you will find relevant.
We share data securely and ask any provider to use the data for our stated purposes only. For example, when we share your personal information with social media platforms to create ‘audiences’, we may share your email address with those platforms so they can determine whether you are a registered account holder with them – this is sent in encrypted form that is deleted by the social media platform (a) if it does not match with an account or (b) after they confirm you hold an account with them. To ensure your privacy rights are protected, we only contract with social media platforms or third party agents who provide appropriate assurances regarding their data protection compliance.
Fundraising is an important element of our charitable work so we may undertake research or analysis to assess your ability to support us financially. This may include an assessment of your income and/or wealth and our assessment of your willingness to make donations to particular projects or us more generally. We may use analysis to help us identify your likely support for particular projects. All of these activities are undertaken to ensure that we are working in a cost-effective manner and allow us to raise more funds in support of our mission.
If you would prefer us not to use your personal information for profiling please let us know by contacting us.
There are occasions when we collect and use the personal information of young people (those who are under 18 years of age) that engage with us. We will collect a young person’s information if a young person:
- has a stroke and needs support with their recovery, and is referred to one of our services. In this situation, we will collect that person’s information (including their health information) in order to be able to provide them with support, information about stroke and their recovery after stroke;
- attends one of our events, we will collect their contact details (so that we can send them our event pack) as well as information relating to any medical conditions (so we can judge whether they need additional help from us during the event and so that we can keep them safe during the event). We will ask for personal information as well as medical conditions in case they need additional help from us during the event;
- wants to volunteer for us, we will ask for their contact details in order to make all necessary arrangements for them to volunteer. This includes arranging for them to go on training or managing their activities as a volunteer. We will also ask for sensitive information about them like any medical conditions in order to make sure we provide them with appropriate support whilst volunteering; and
- participates in sponsorship (either in a group or in school) and contacts us to tell us about it, we use their contact details to write back to them to thank them for their support.
We take extra care to manage the information of young people. For example, when we collect information about a young person, we will make it very clear at the time why we are collecting this personal information and how it will be used.
If you would like more information on how we use children’s data, please contact us.
The legal bases which allow us to use your personal information
The legal basis that we rely on for using your personal information will depend upon the circumstances in which we collect and use it, but will in most cases be because:
- you have provided your consent to allow us to use your personal information in a certain way;
- it’s necessary for the performance of a contract with you;
- it’s necessary in order for us to comply with a legal obligation; or
- it’s in our legitimate interest to do so. The law permits us to use personal information where we have a legitimate interest, our use is fair and any impact on you and your rights is balanced. Our legitimate interests include the ability to pursue our charitable objectives and commercial interests, and to provide support and services. You can obtain further information about how we assess our legitimate interest against any potential impact on you by contacting us.
When we use special categories of personal data (such as your Health Information) we will rely on at least one of these additional bases:
- your explicit consent to allow us to use your special categories of data for a particular purpose;
- the processing is necessary for the provision of health and social care when we are providing stroke support services to you, such as under an NHS contract; and
- the processing is necessary for particular reasons of substantial public interest, such as to provide support to individuals with a particular disability or medical condition, or the safeguarding of children and of individuals at risk.
Recipients of your personal information
Rest assured, we take steps to keep your personal information safe, and we never share, sell or swap your personal information with any third parties for the purposes of their own marketing or to monetise your personal information.
Sharing your information with third parties we work with
However, we sometimes share your personal information with third parties we work with. When we share your personal information with organisations that act for us as service providers, we take the following steps to keep your personal information safe and protect your privacy:
- we provide them with only the personal information they need to perform their specific services;
- we require them to only use your personal information for the exact purposes we specify;
- we require them to keep your personal information secure; and
- if we stop using their services, we require them to delete or anonymise your personal information.
Examples of the kinds of service providers we work with are those who provide us with advertising, marketing, research or IT administration services. If you would like more information about the third parties we currently use, who, in providing us with their services, will process your personal information as part of their contracts with us, please contact us.
Sharing your information with third parties for their own purposes
We may also need to share your personal information with third parties for their own purposes. We will only do this in specific circumstances. For example, we may need to share your information with:
- health providers across the UK like the NHS or other charities, to whom we might refer you for additional support as part of delivering a service to you;
- HM Revenue & Customs, regulators and other authorities in the United Kingdom who require reporting of processing activities in certain circumstances;
- our professional advisors including our lawyers, bankers, auditors and insurers; and
- third parties to whom we may choose to transfer, or merge parts of our organisation or our assets. Alternatively, we may seek to take over other organisations or merge with them. If a change happens to our organisation, then the new entity must use your personal information in the same way as set out in this privacy notice.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to those employees, volunteers, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to confidentiality obligations.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long will you use my personal information for?
We will only use your personal information for as long as is necessary to fulfil the purposes for which it is processed or for compatible legal purposes including for satisfying legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information; the potential risk of harm from its unauthorised use or disclosure; the purposes for which we process it and whether we can achieve those purposes through other means; and the applicable legal requirements.
For more information about the retention periods we apply to different aspects of your personal data, see our data retention and disposal policy.
In some circumstances you can ask us to delete your personal information: see ‘request erasure’ below for further information.
In some circumstances, we anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this anonymous information indefinitely without further notice to you.
International Data Transfers
Sometimes we will need to share your personal information with third parties such as our service providers, who are based outside of the UK or EEA. The EEA is the European Economic Area and includes all EU member states as well as Norway, Liechtenstein and Iceland.
For example, we use a third party to host our campaigns, which stores the information we ask it to host on our behalf on its servers in Canada.
The European Commission considers that some non-EEA countries do not have adequate levels of protection in place to safeguard personal information. Therefore, if we do share your personal information with any third party outside of the EEA in this way, we take steps to ensure that your personal information receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times and we will enter into UK or EU-authority approved standard contractual clauses or rely on Privacy Shield where appropriate and necessary.
If you would like more information about where your personal information might be transferred to or how we take steps to protect it, please contact us.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal information. You have the right to:
- request access to your personal information and receive a copy as well as check we are processing it lawfully.
- request correction of any incomplete or inaccurate information we hold about you. However, we may need to verify the accuracy of the new personal information you provide to us.
- request erasure of your personal information where there is no longer a good reason for us to hold it. This may also apply where you have successfully exercised your right to ‘object to processing’ (see below); where we may have processed your personal information unlawfully; or where we are required to erase your personal information to comply with local law. Please note however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- object to processing of your personal information where we are relying on a legitimate interest (or those of a third party). This applies where there is something about your particular situation which makes you want to object to the processing as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes or where we process your personal information for research purposes. In some cases, we will be able to demonstrate that we have compelling legitimate grounds to process your personal information which override your rights and freedoms.
- request a restriction on processing of your personal information. This applies in the following scenarios: (a) if you want us to establish the accuracy of your personal information; (b) where our use of it is unlawful but you do not want us to erase it; (c) where you need us to hold the personal information, even if we no longer require it, to enable you to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal information but we need to verify whether we have overriding legitimate grounds to do so.
- request us to port your personal information to you or to a third party. We will provide to you, or your chosen third party, your personal information in a structured, commonly used, machine-readable format. Please note this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
- withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of processing carried out prior to this withdrawal. If you do withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
How to exercise your rights
If you wish to exercise any of the rights set out above, please contact us (PDF download).
You can also unsubscribe or stop fundraising contact (email, telephone, post and/or SMS) by registering with the Fundraising Preference Services or Telephone Preference Services to stop unsolicited telephone calls.
For unwanted direct marketing communications, you can register with the Mailing Preference Services.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please do contact us in the first instance.
No fee usually required
There is no fee to access your personal information (or to exercise any of your other legal rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to safeguard your personal information. We may also contact you to ask for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Our contact details
- Addressee: Data Protection Officer
- Full name of legal entity: Stroke Association or Stroke Association Trading Limited
- Email address: firstname.lastname@example.org
- Postal address: Stroke Association House, 240 City Road, London EC1V 2PR
- Telephone number: 0300 330 0740
Website Third-Party Links
When using our website, there may be links to third-party websites, plug-ins and applications. Clicking on those links may allow third parties to collect or share information about you. We do not control these third-party websites, plug-ins or applications, and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Changes to this Privacy Notice
This Privacy Notice was last updated on 26 May 2020 and will be reviewed and updated from time to time. Older versions can be obtained by contacting us.
Where there is a significant change to our Privacy Notice, we will use reasonable endeavours to notify you.