Stoma Helpline We’re here 24 hours a day: 0800 328 4257

Privacy Policy – Colostomy UK

Summary

Colostomy UK (“we”, “our”, “us”) abides by the UK’s General Data Protection Regulation (GDPR). In so doing, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our website or interact with us in other ways.

We are a registered charity in England and Wales (no. 1113471) and registered with the supervisory authority, the Information Commissioner’s Office (ICO) under registration number Z9295190. Colostomy UK is the data controller for the personal information we collect. This means we decide how and why your data is used and ensure it is processed lawfully and securely.

  1. What information we collect

Depending on how you interact with us, we may collect the following:

Website visitors

  • Technical information such as your IP address, browser type, and device identifiers.
  • Information about how you use our website (pages visited, links clicked, etc.).
  • We may use analytics tools such as Google Analytics or similar services that collect aggregated data about website use.

Individual donors and beneficiaries

  • Name and contact details (address, email, telephone (if visible when you call us)).
  • Demographic information (date of birth, region, type of stoma, reason for surgery, year of surgery).
  • Notes about the issues you raise and what support we have provided.
  • Details of donations or payments if you support us financially.
  • Information from third parties: personal data from trusted third parties such as fundraising platforms (e.g. JustGiving), NHS partners, or event organisers, where you have given them permission to share your details.

Special category (sensitive) data

Some of the information we collect about your health and medical history is considered “special category data” under UK GDPR. We only collect this with your explicit consent, and we keep it securely.

We also ensure such information is only accessed by trained staff and stored securely on encrypted systems.

  2. How we use your information

We only use your personal data where the law allows. This includes:

  • To provide you with support, advice, and resources.
  • To keep internal records and manage supporter relationships.
  • To send you copies of our magazine Tidings (where requested).
  • To invite you to events, webinars, or community activities.
  • To process donations and maintain financial records.
  • To improve our website and support services through analytics.
  • To send you information about our work, campaigns, or fundraising – but only where you have given us your consent or where we are allowed by law.
  • To send you email or post from third parties (where you have opted in); we may include information from our partners in our communications, but we do not share your data with third parties for their own marketing.
  • To monitor the issues people contact us about, to guide our wider work.
  • To occasionally invite you to give feedback on our support services, such as our helpline or active ostomates programme, via a short survey which we’ll send via email or text. You can opt out of these initiatives at any time and participation is optional. To opt out you can simply follow instructions on the email or text, or contact our team via the details noted under Point 10 of this policy.

  3. Legal basis for processing

We always ensure there is a valid legal basis before processing your data. We rely on one or more of the following regarding lawful bases:

  • Consent (Art. 6(1)(a)) – when you agree for us to contact you or share your data.
  • Legitimate interest (Art. 6(1)(f)) – for running our charity effectively, maintaining supporter records, and improving our services.
  • Legal obligation (Art. 6(1)(c)) – where we must keep records for HMRC or regulatory purposes.
  • Special category data (Art. 9(2)(d)) – as a not-for-profit body, we process health data to provide support services, with appropriate safeguards in place.

  4. Sharing your information

We do not sell your data.

We may share your information with trusted third-party service providers, such as:

  • IT and database providers
  • Mailing houses for sending magazines or information
  • Fundraising or event platforms (e.g. JustGiving, Eventbrite)
  • Professional advisers and regulators (e.g. auditors, HMRC)

All third parties are required to keep your data secure and act only on our instructions.

  5. Cookies and website analytics

We use cookies and similar tools to:

  • Improve website functionality
  • Analyse visitor behaviour (e.g. which pages are most popular)
  • Tailor content and marketing (where consent is given)

You can manage or disable cookies at any time through your browser or our Cookie Policy. For more details, please see our Cookie Policy – Colostomy UK.

  6. How long we keep your information

We only keep your personal data for as long as necessary. Examples include:

  • General enquiries: retained for up to 5 years after your last contact, to maintain continuity of support and for monitoring and service improvement purposes. After this period, data is securely deleted or anonymised.
  • Beneficiary data: retained while you are receiving support from us, and for up to 5 years after your last interaction, to maintain continuity of support and respond to future enquiries – this includes health related data. Records relating to safeguarding or serious incidents may be kept for up to seven years, in line with our safeguarding policy and legal obligations.
  • Individual donor data: kept for 7 years for HMRC and accounting purposes.
  • Marketing and newsletter subscriptions: retained until you unsubscribe or withdraw consent, after which your details will be suppressed.

  7. Your rights

You have the following rights under UK GDPR:

  • To access your personal data.
  • To have incorrect data corrected.
  • To request deletion of your data (“right to be forgotten”).
  • To restrict or object to processing of your data.
  • To withdraw consent at any time (where processing is based on consent).
  • To request transfer of your data to another organisation (where applicable).
  • To lodge a complaint with the ICO if you are unhappy with how we handle your data.
  • To object to us using your information for feedback purposes.
  • We do not use your personal data for automated decision-making or profiling that has legal or significant effects on you

To exercise your rights, please contact us using the details noted under point 10, below.

  8. Children’s data

We do not knowingly collect personal data from children under 16 without parental consent. If we become aware we have collected such data, we will delete it promptly.

  9. How we protect your information

We use appropriate technical and organisational measures to keep your data secure, including encryption, restricted access, and staff training. We store beneficiary records securely on our CRM system and restrict access to authorised staff only. We do not share your information with third parties unless required by law or for safeguarding reasons.

  10. Contact us

If you have any questions about this policy or wish to exercise your data rights, please contact:

Colostomy UK
100 Berkshire Place
Winnersh, Berkshire RG41 5RD
Tel: 0118 939 1537
Email: hello@colostomyuk.org

Charity registration number: 113471

Company number 05623273

You also have the right to contact the Information Commissioner’s Office (ICO): www.ico.org.uk or call 0303 123 1113 with any questions you may have on the above.

We review this policy annually or whenever there are significant changes to our data processing. Updates will be published on our website with a new ‘last updated’ date.

Glossary of Terms:

Aggregated Data – Information that has been combined and anonymised so that it cannot identify individual users.

Consent – Freely given, specific, informed and unambiguous agreement by the data subject to the processing of their data.

Data Breach – A security incident leading to accidental or unlawful destruction, loss, alteration, or disclosure of personal data.

Data Controller – The organisation or person that determines why and how personal data is processed.

Data Processor – A third party that processes personal data on behalf of the controller (e.g. a cloud service).

Data Protection Impact Assessment (DPIA) – A process to identify and minimise data protection risks in new projects.

Data Protection Officer (DPO) – The individual responsible for overseeing GDPR compliance within an organisation.

Data Subject – The individual whose personal data is being processed.

Data Subject Rights – The rights individuals have under GDPR, including access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection.

Lawful Basis – The legal reason for processing data (e.g. consent, contract, legal obligation, legitimate interest).

Personal Data – Any information relating to an identified or identifiable person (e.g. name, email, IP address).

Processing – Any operation performed on personal data, such as collection, storage, use, or deletion.

Supervisory Authority – The national body responsible for enforcing GDPR (e.g. the ICO in the UK).

Last updated: October 2025
