Donate Shop Get Support Contact Us
0
Donate Shop Get Support Contact Us
0

Privacy statement

Privacy Statement

At Winston’s Wish, we take your privacy and your personal data very seriously. We know how important it is to you that we treat any personal information that we might gather from you with the utmost care.

The law is very clear about what we need to do in this regard, and we are fully committed to complying with our legal obligations.

But we always do our best to protect your data because we genuinely value the trust that you put in us as an organisation, and we believe ensuring we look after the information you give us is part of continuing that trusted relationship.

We abide by the principles, processes, and practices we set out in our Data Protection Policy (last updated in September 2021 in line with GDPR).

In relation the General Data Protection Regulation (GDPR), rely on legitimate interests with regards to processing personal data concerning our relationships with our donors, supporters, those we support and volunteers. For staff, we use contracting, legitimate interests and legal obligations as the lawful bases for processing personal information.

Who we are

We are Winston’s Wish – a registered charity (1061359) established in 1992 that provides support for children and young people who are bereaved. We are a registered company, limited by guarantee (number 03329289). Our services are available throughout the UK. Our Head Office is located in Gloucester,
Gloucestershire.

We also provide support for parents, carers, and professionals, and we deliver training and raise funds through a range of activities. We also conduct research and advocate on behalf of bereaved children in pursuit of our vision of a society in which bereaved children and young people have their needs met.

Get in touch

Before we tell you more about what data we gather, why we gather it, and how we look after it, why don’t we let you know how you can contact us. This might be to ask to see your data; to make a complaint about how we have handled your data; to ask us to delete or correct something.

Our Data Protection Officer (DPO) is Laura Threadingham

Just drop her an email with the details of your request at lthreadingham@winstonswish.org. It is as simple as that.

If you’d prefer to write to us, then please do:

Data Protection Officer, Winston’s Wish, Conway House, 31-33 Worcester Street, Gloucester, GL1 3AJ

Personal data – what’s that?

By personal data, we mean any information that could be used to identify you. At its simplest this could be just your name and address; or, it could include your bank account details, telephone number, email address, a picture or recording of you. As we also provide clinical services, some of the data we need to gather to help us deliver those services will be sensitive personal data which might include information about health and well-being or ethnicity.

The law requires us to have a legal basis for collecting and using your personal data. We usually rely on one or more of the following legal bases:

  • Performance of a contract with you: Where we need to perform a contract we are about to enter into or have entered into with you.
  • Legitimate interests: We may use your personal data where it is necessary to conduct our work and as a charity and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to.
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

Where this includes processing certain special categories of data (such as health data or DBS checks) We usually rely on one or more of the following legal bases:

  • Necessary for employment/volunteering: where the processing is necessary for carrying out obligations concerning employment or volunteering.
  • Necessary for the defence or bringing of legal claims.
  • Necessary for purpose of the provision of health or social care treatment.

Where we get your personal data from

There are several ways in which we might collect personal data from you, including those set out below. In many instances we will collect your personal data through your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise.

We may receive personal information from a third party (such as a business or charity) if we take over or merge with that organisation. The records and identities of ongoing donors, supporters, those who have been supported and are now supported and volunteers will need to be held to allow those individuals to access what data has been held where required. Where such a merger or takeover occurs we will notify you that we now hold your personal data and why.

Children and Families

Bereavement Support Services

You might be receiving a service from us in which case we would collect your data as part of receiving that service. This might include quite sensitive information relating to the support we are providing to you. If you are under 13, we will confirm with any relevant adults (parents or guardians for example) that they are happy for us to hold your personal information.

Sometimes another agency (like a school, GP or local authority) might have information that they want to pass onto us, but we would only take that personal information with your consent. In any case, before you started receiving support from us, we would have explained this to you and asked you to give us your specific permission (your ‘consent’) to gather this information from these third parties.

Once we have received personal information about you from any source, we will need to hold this to assist you and keep records of what we have done for a defined period of time. We take seriously our responsibility for identifying the risks and consequences of the processing when relying on these legitimate interests to process your personal information,

Sometimes we are approached by the media who want to speak to families who have experienced a bereavement. We never pass on any information about families to the media unless the family have given us specific consent to do so.

Helpline

When you call our Helpline, we collect some basic information about you and your situation to allow us to provide the support offered to you. We only gather information from you that you wish to supply. We follow the nationally recognised Helplines Standard and are a member of the Helplines Partnership.

If you asked to be referred on for further support, or if you requested a free resource to be sent to you at the end of a call or a series of calls then we would let you know at that point that we would need to gather some additional personal information from you.

Once we have received personal information about you, we will need to hold this to assist you and keep records of what we have done for a defined period of time. We take seriously our responsibility for identifying the risks and consequences of the processing when relying on these legitimate interests to process your personal information.

This information is kept safe and deleted after an appropriate period of time, in line with our data retention policy. If you want to know how long that is, then please ask us.

ASK email service

When you contact us through the ASK email service, you are providing some personal information such as an email address or names. We retain this information securely for as long as necessary in order that we can respond to your request appropriately.

Online chat, SMS and WhatsApp

Our online chat services (including Live Chat, SMS, and WhatsApp) can be used anonymously. You do not need to provide personal information to access support.

If you choose to receive notifications or follow-up messages by email, SMS, or WhatsApp, you will provide limited personal information, which is stored securely and deleted after a short period.

During Live Chat, you may remain anonymous or choose to provide optional personal details. All questions are optional, and we only collect this data if you choose to provide it.

When using SMS or WhatsApp, we collect your telephone number to respond to your message. No other personal information is requested unless needed during the conversation.

If you request a referral or ask for a resource to be sent to you, we will explain what information is required before collecting it.

Once we have received personal information about you, we will need to hold this to assist you and keep records of what we have done for a defined period of time. We take seriously our responsibility for identifying the risks and consequences of the processing when relying on these legitimate interests to process your personal information.

This information is kept safe and deleted after a defined period of time. If you want to know how long that is, then please ask us.

Supporters, Donors, Staff and Volunteers

Supporters and donors

As a supporter or donor, you might give us personal information if you take part in a fundraising event, buy a book or a memory box, register for an activity, or donate an amount to us to support our work. This might include your name and address and bank details, for example.

Staff and volunteers

You might want to work for us, or already be employed here in which case we would hold personal information that you had given us for the purposes of your employment which might include your employment history and bank details.

If you are successful and you come and work for us, then we use performance of a contract, legitimate interests and legal obligations as the lawful bases for processing personal information.

You might also have volunteered with us, and so we would hold some personal information that you had given to us for the purposes of making that happen. Again, this might include information you had given to us relating to your interests, experience and contact information. Again, we use legitimate interests and legal obligations as the lawful bases for processing this personal information.

We use the information that staff provide us to ensure that we can meet our legal obligations as an employer and for administrative purposes. For volunteers, we use personal data for administrative purposes. In both cases, we also use personal data to ensure we comply with safeguarding legislation and our obligations there. This includes ensuring our vetting and barring checks are done in accordance with DBS legislation and best practice.

In some instances, we need to record personal data to meet our legal obligations (for example we need to record financial transactions to comply with UK tax laws).

What we do with your personal data

Children, young people and families

We use the data we gather from children, young people, and families we are supporting for the sole purpose of providing the best care and support that we can to them. This might also include being able to evaluate the quality of support we have given and audit our practices. Where we believe sharing the information we have been given with other agencies is in the best interests of supporting the child or young person then we would usually only do that with consent.

We have produced a separate privacy notice for children and young people.

We take our responsibility to safeguard the welfare of children, young people, and vulnerable adults very seriously. We may have to pass on personal information to a relevant authority without consent if we thought a child, young person or vulnerable adult was at risk. When you begin to receive a service, this will all be covered in the process of giving your consent for us to hold and process your personal information.

Supporters and donors

We take protecting your personal information seriously. We will never sell your details to another organisation. We use the information supporters and donors have given to us to process any donations or to keep in touch about our work. This includes newsletters, fundraising updates, and opportunities to attend or take part in events. We aim to provide our supporters with a great experience and to communicate with every support in the best way.

At Winston’s Wish, our work is only made possible thanks to the generosity of our supporters – so it is important that our fundraising efforts are as effective as they can be. By developing a better understanding of our supporters’ interests, preferences, and level of potential donations through researching them on publicly available sources we can tailor our fundraising communications to those most likely to be interested in them. We use websites such as corporate websites, public social media accounts, the Electoral Register and Companies House to get a fuller understanding of someone’s interests and capacity to support the charity.

How long we keep your data for

We would never seek to keep your data for longer than you would think reasonable. In our GDPR and Data Protection Policy we set out a retention schedule that indicates how long we hold personal information and when it is deleted or archived.

If you would like to know how long we keep data for then please do contact us using the contact information at the top of this privacy notice.

We are registered with the Fundraising Regulator, and we follow the Fundraising Regulator’s Code of Practice – https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraising-practice/

If you are receiving communications from us then we will periodically ask you if you would still like to receive information from us and you are welcome to opt out at any time in line with best practice in fundraising.

Who can see your information

We take data security very seriously. Our internal systems are robust, and we have invested in ensuring our data systems meet industry standards. Access to information we hold internally is restricted according to the type of data we hold and where we hold it. All personal data is processed by staff based in the UK. Data held securely on third-party servers is hosted and maintained within the European Union. Staff who occasionally work from other EEA countries access systems only via secure, encrypted VPN connections using organisation-issued laptops.

For the purposes of storing or processing some of the data you provide, or providing our services to you we might pass some of your personal information to service providers e.g., Cloud-based data storage providers; HMRC or external agencies (e.g. schools, local children’s services).

We may also share your data with law enforcement agencies or statutory agencies if required.

A word about ‘Cookies’

As you interact with our website, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. This information is only used for statistical purposes to help improve this site.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. These essential cookies are always enabled because our website won’t work properly without them. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. You can switch off these cookies in your browser settings but you may then not be able to access all or parts of our website.
  • Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These will only be activated with your consent.
  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). These will only be activated with your consent.

If you use your browser settings to block all cookies (including strictly necessary cookies) you may not be able to access all or parts of our website.

GDPR – A Summary of Your Rights

The Information Commissioner’s Office (ICO) has produced a summary of your rights in relation to data protection and the General Data Protection Regulation (GDPR)

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you have a concern about how we have handled or processed your data, or are unsatisfied with our response to a complaint you have raised with us then please contact the ICO – https://ico.org.uk/concerns

This privacy notice was last updated in December 2025. It is reviewed regularly.