Privacy Policy
Introduction
This Privacy Policy outlines how DEBRA collects, uses, and protects personal information. It is designed to ensure that individuals understand how their data is handled and to comply with relevant data protection laws.
Information Security
DEBRA takes the security of personal information seriously. We implement various measures to protect data from unauthorized access, use, or disclosure. These measures include encryption, access controls, and regular security assessments to ensure the integrity and confidentiality of personal information.
Fairness
DEBRA will always process your personal data fairly and lawfully and will only collect information from you for the purposes specified in our Privacy Policy to deliver our services and provide support.
Data Controller
DEBRA, The Capitol Building, Oldbury, Bracknell RG12 8FZ
Data Protection Officer
Dawn Jarvis – dawn.jarvis@debra.org.uk
ICO registration number
Z6861140
What information we collect, use and why?
DEBRA may collect information listed below to provide services and goods, including delivery and third-party referrals:
- Names and contact details
- Gender
- Addresses
- Date of birth
- Emergency contact details
- Next of kin details
- Photographs or video recordings
- Service use history
- Health information (including medical conditions, test results, allergies, medical requirements and medical history)
- Dietary information (including allergies and health conditions)
- Information about work, home and living conditions
- Information about support requirements
- Information about lifestyle, interests or personal history
- Criminal offence data
- Records of meetings and decisions
- Information about income and financial needs for funding or personal budget support
- Payment details (including card or bank information for transfers and direct debits)
- Website user information (including user journeys and cookie tracking)
- Information relating to compliments or complaints
We collect or use the following information to receive donations or funding and organise fundraising activities:
- Names and contact details
- Addresses
- Payment or banking details
- Donation history
- Taxpayer information (for Gift Aid purposes)
We collect or use the following personal information for service updates or marketing purposes:
- Names and contact details
- Addresses
- Marketing preferences
- Purchase history
- Donation history
- Website and app user journey information
- Records of consent, where appropriate
We collect or use the following personal information for research or archiving purposes:
- Names and contact details
- Addresses
We collect or use the following personal information to comply with legal requirements:
- Name
- Contact information
- Financial transaction information
We collect or use the following personal information for recruitment purposes:
- Contact details (e.g., name, address, telephone number or personal email address)
- Date of birth
- National Insurance number
- Copies of passports or other photo ID
- Employment history (e.g., job application, employment references or secondary employment)
- Education history (e.g., qualifications)
- Right to work information
- Details of any criminal convictions (e.g., Disclosure Barring Service (DBS), Access NI or Disclosure Scotland checks)
- Security clearance details (e.g., basic checks and higher security clearance)
- Racial or ethnic origin
We collect or use the following personal information for dealing with queries, complaints or claims:
- Names and contact details
- Address
- Correspondence
Lawful Basis
Our lawful bases for collecting or using personal information to provide services and goods, including delivery and third-party referrals, are:
- Consent: We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Legitimate interests: We’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Record the support/activity undertaken and to be used anonymously for reporting and funding purposes. This information will not be used for marketing purposes.
- When you join our membership scheme you will be informed of the benefits and ways in which we will contact you. As part of your membership benefits, we will send communications, which include information about research and services provided, information updates, surveys and networking invitations, holiday homes and support grants.
Our lawful bases for collecting or using personal information to receive donations or funding and organise fundraising activities are:
- Consent: We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Legitimate interests: We’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Business to business and corporate partnership relationships: Legitimate interest will be the basis for DEBRA to keep in touch with named individuals at a business address and corporate partnership contacts. You may opt-out of these communications by contacting our fundraising department at fundraising@debra.org.uk.
Our lawful bases for collecting or using personal information for service updates or marketing purposes are:
- Consent: We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Legitimate interests: We’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- DEBRA will use legitimate interest as the legal basis to communicate with individuals who have given us their postal address if we consider the purpose to be reasonable and compatible with the original purpose.
Our lawful basis for collecting or using personal information for research or archiving purposes is:
- Consent: We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Our lawful basis for collecting or using personal information to comply with legal requirements is:
- Legal obligation: We have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful bases for collecting or using personal information for recruitment purposes are:
- Consent: We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract: We have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation: We have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful basis for collecting or using personal information for dealing with queries, complaints or claims is:
- Consent: We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Where we get information from
- Directly from you
- From family members or carers
- From other third parties, for example, NHS, Social Services and other health and care providers
How long we keep data for
We keep your personal information only for as long as we need to use it for the purposes set out in this Policy. Our Data Retention Policy sets out the retention periods in respect of these relevant purposes. We follow guidance from the ICO on retention periods, taking into account whether there is a legally required time to hold data, the purpose for holding the data and whether there is a legitimate reason to keep it (e.g., future legal disputes).
Personal information held is reviewed from time to time and disposed of if no longer required. Personal information that is no longer needed is securely disposed of or anonymised for statistical or historical research purposes. Payment card data is not held once the transaction has been completed.
Who we share personal information with
Data processors:
- HMRC: This data processor carries out the following activities for us: collecting Gift Aid. We have a joint controller relationship with HMRC. We process your personal information with that joint controller for the following reason: DEBRA sends financial data to HMRC for the purpose of collecting Gift Aid on donations.
- Retail Gift Aid Scheme: DEBRA has a legal requirement to share data with HM Revenue and Customs (HMRC) to collect Gift Aid on the sales of second-hand goods sold from our shops. DEBRA is legally obliged to inform you of these sales, so that you can check you are paying enough tax to cover the claimed amount. We will use your information to keep our records up to date. This includes recording any changes of address and Gift Aid declaration renewals. We will communicate with you via your preferred method. You may opt out of the shops Gift Aid scheme at any time and you are given 21 days’ notice to stop any claim.
Others we share personal information with:
- Other health providers (e.g., GPs and consultants)
- Care providers
- Organisations we need to share information with for safeguarding reasons
- External auditors or inspectors
- Organisations we’re legally obliged to share personal information with
- Other Third-Party processors: Controls are in place to keep data safe. A Data Sharing Agreement will be put in place with any external provider before data is shared, for tasks such as fundraising appeals, legacy marketing and event booking services. The data will only be used for the purpose of the DEBRA project they are appointed to carry out.
- Mailings: We may use a mailing house from time to time and Mailchimp is used for online mailings.
- Fundraising Corporates: DEBRA may use a third-party data processor to research potential corporate donors. Agreements are in place to ensure that any shared data is kept securely.
- Legacies: Data is collected for administration purposes.
- Payment information: This includes but is not limited to credit/debit card details, Just Giving, Stripe and Rapidata. This data is passed securely to third party processors as necessary to process your payment if you make purchases or donations.
- We also have a joint controller relationship with Unity Lottery. We process your personal information with that joint controller for the following reason: Administration of the DEBRA lottery.
- Shop delivery and collection service: If you use DEBRA’s shop delivery or collection services your details may be shared with third party suppliers. A data sharing agreement would be put in place to protect your data.
- E Receipts: If you choose to have your receipt sent by email when you shop in a DEBRA store we will collect your email address.
- Holiday Homes: When booking a DEBRA holiday home, your personal data (guest names and whether anyone has EB) is shared with the holiday park office. Refer to the privacy policy on the website for the holiday home you have booked for further information.
- Human Resources: DEBRA uses a third-party online recruitment tool to collect initial stages of job application data. This data is retained for 2 years. This data is held within the EU in accordance with GDPR law. DEBRA has an agreement in place to ensure that any data collected is kept securely. If you are employed by DEBRA, your data will be kept securely in accordance with legal requirements, currently 6 years after the end of employment.
- When you apply for a Volunteering role: We collect your name, address, telephone number and referees to process your application, DBS checks etc. This information will be treated in the same way as employment records.
How to withdraw consent and change how we communicate with you
You may withdraw your consent, and object to some or all of our Direct Marketing communications, at any time by contacting debra@debra.org.uk or by phoning our head office on 01344 771961 and stating the mailing you wish to be excluded from. You may opt out of our marketing communications at any time by clicking the ‘unsubscribe’ link at the end of our marketing emails. You can also use this information to let us know if your contact details change so that we may keep our records up to date.
If you have indicated that you do not wish to be contacted by us for marketing purposes, we will retain your details on a ‘do not contact’ list to help ensure that we do not contact you accidentally. However, we may still need to contact you if you carry on dealing with us, including (but not limited to):
- Processing donations you make, or any continuing direct debit.
- Providing you with information you need to participate in an activity or event for which you have registered.
- Complaints, explaining and apologising where we have made a mistake.
- Dealing with future legal claims in connection with a contract we have with you.
- Processing data for admin purposes and legal reasons such as Gift Aid administration, employment and volunteering records.
User Rights
Individuals have several rights regarding their personal data, including the right to:
- Access their data: Request a copy of the personal information we hold about them.
- Rectify their data: Request corrections to any inaccurate or incomplete information.
- Delete their data: Request the deletion of their personal information under certain circumstances.
- Restrict processing: Request limitations on how their data is used.
- Object to processing: Object to the processing of their data for specific purposes.
- Data portability: Request the transfer of their data to another organization.
Subject Access Requests
You have the right to obtain a copy of the information DEBRA keeps about you; this is known as a Subject Access Request. A request for access to this information may be made in writing to the Data Protection Officer, Dawn Jarvis, by email at dawn.jarvis@debra.org.uk or by post to DEBRA, The Capitol Building, Oldbury, Bracknell, RG12 8FZ.
Please provide as much detail as possible about the personal information you are seeking and whether it relates to a specific incident or specific date/period of time.
DEBRA will never sell your information to a third party.
Information Storing
DEBRA aims to store personal data within the EU, however for some online services (eBay, Shopify) data may be kept outside of the EU.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Changes to the Policy
DEBRA may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify individuals of any significant changes by posting the updated policy on our website and, where appropriate, through direct communication.
This privacy policy was last updated in November 2025.