SAMEYOU - PRIVACY NOTICE
SameYou is a charity which aims to help young adults recover from brain injury and stroke trauma by improving access to quality rehabilitation and recovery care. We couldn't do any of our work without supporters like you. Whether it's making financial donations or helping us break the silence on brain injury - your support makes all the difference. The personal information you provide helps us by, for example, allowing us to carry out our grant making work and keeping people updated about the progress we are making.
SameYou ("we", "us", "our") is committed to protecting your privacy. At all times we aim to respect any personal information you share with us, or that we receive from elsewhere, and keep it safe. This Privacy Notice ("Notice") sets out our data processing practices and your rights and options regarding the ways in which your personal information is collected (including through our website sameyou.org) and used.
Please read this Notice carefully. We know it's long, but it contains important information about how and why we use your personal information and your personal rights to privacy. We aim to be clear when we collect your personal information and not do anything with your personal information that you wouldn't reasonably expect.
The provision of your personal information to us is voluntary. However, without providing us with your personal information, your use of our services or your interaction with us may be limited. For example, you may be unable to receive updates about the progress we are making or direct messages from us, tell us your story or enter our prize draw for unforgettable experiences.
- Who are we?
- How do we collect your personal information?
- What personal information do we use?
- How and why will we use your personal information?
- Lawful bases
- Supporter research
- Communications for marketing/fundraising purposes
- Donations and payments via our online shop
- Children's personal information
- How long will we keep your personal information?
- Will we share your personal information?
- Security/storage of and access to your personal information
- International transfers of your personal information
- Your rights and how to exercise them
- Changes to this Notice
- Data Protection Contact
- Links and third parties
- How to contact us
1. Who are we?
SameYou is a charity (with registration number 1170102) and company (with registration number 1034313) registered in England and Wales (with registered address 10 Queen Street Place, London, EC4R 1BE) which aims to help young adults recover from brain injury and stroke trauma. We want to help improve access to quality rehabilitation and recovery care after individuals leave hospital, for example by improving specialist nurse training; funding clinical research; and developing evidence for policy change. While we are headquartered in the UK (in London), we are also a registered charity in the US (registered in Delaware with registration number EIN – 81 -393 – 1169). We aim to achieve our goals on a global scale.
We may therefore collect and use personal information of individuals in different jurisdictions, for example member states of the EU or the US. Please note that there are certain aspects of this Notice that only apply when we are required to comply with some jurisdiction-specific laws, for example the EU General Data Protection Regulation 2016/679 ("GDPR"). In general, if you are interacting with us from the EU, the GDPR is likely to apply.
2. How do we collect your personal information?
We collect your personal information in the following ways:
When you give it to us directly
You may give us your personal information via sameyou.org and/or by email in order to:
- share your story about your experience of brain injury or stoke trauma or of being a carer of someone affected by brain injury or stroke trauma,
- make a donation;
- sign up to receive updates from us;
- fundraise for us via Just Giving or any other platform;
- create your own personal account on our website after signing up;
- buy a product or make an enquiry via our online shop
When we obtain it indirectly
From our partners
We work with a number of different partners to help achieve our goals (please see Will we share your personal information? below). Your information may be shared with us by an organisation working with or for us, for example third party fundraising organisations, like Just Giving. Your personal information may also be shared with us by sub-contractors in technical, payment and delivery services.
To the extent we have not done so already, we will notify you when we receive your personal information from them and tell you how and why we intend to use that personal information.
When it is available publicly
Your personal information may be available to us from publicly available external sources, for example:
Depending on your privacy settings for social media services like Facebook, Instagram or Twitter, we may access information from those accounts or services. This may include information that you have posted via a social media platform such as Twitter.
We may also integrate social media application program interfaces or plug-ins ("Plug-ins") from social networks, including Facebook, LinkedIn, Twitter, Instagram, YouTube, WhatsApp and/or possibly other companies, into the website. In order to register on our site now or in the future, you may have the option to sign in using your Facebook or other social media site) login.
For example, when you visit our website, the plugin creates a direct connection between your browser and the Facebook server. This allows Facebook to receive information about your visit to our website or platform with your IP address. If you click the Facebook "Like" button while you are logged on to your Facebook account, you can link the contents of our website or platform to your Facebook profile. This allows Facebook to assign your visit to our website or platform to your user account. Please note that we receive no notification about the contents of the transmitted data or their use by Facebook. If you do not want Facebook to assign your visit to our website or platform to your Facebook user account, please log out of your Facebook user account.
Information which is available via Companies House or in publications
This may include information found in places such as Companies House in the UK and information that has been published in articles/newspapers.
When you visit our website
We also collect certain types of personal information about you every time you interact with us online. While the information obtained may not be personal information under the laws of the country you are based in, we recognise that there are certain laws (for example the GDPR) which consider these types of information to be personal information.
These types of information include:
(a) technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms; and
(b) information about your visit to our website, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
We may combine your personal information from the different sources set out in this section to achieve the purposes set out in this Notice.
3. What personal information do we use?
We may collect, store and otherwise use the following kinds of information:
- your name and contact details (postal address, telephone number and email address);
- your date of birth and gender;
- information about our services, products, work, activities or events which you use/in which you have expressed an interest/which we consider may be of interest to you;
- information about your preferences to make sure we're sending you the most relevant communications;
- your financial information, such as bank details and/or credit/debit card details, account holder name, sort code and account number (when you donate to SameYou or when you buy a product from our online shop);
- information about your computer/mobile device and your visits to and use of this website, including, for example, your IP address and geographical location;
- your social media identity;
- details of your attendance at SameYou events;
- details of your organisation and the position you hold there;
- personal descriptions and photographs (for example so that we can identify you at our events);
- details of your qualifications and experience;
- if you correspond with us by email, information about you in email messages – both in your emails and our responses;
- information you provide to us about your experiences of brain injury (as a sufferer or carer) which you share with us via the Share your story part of our website or which you otherwise tell us about;
- photographs and video footage (for example, for publicity purposes in relation to past or forthcoming events – where required, we will not do so without your consent); and/or
- any other personal information which we obtain as set out in section 2 (How do we collect your personal information?) of this Notice.
4. How and why will we use your personal information?
Your personal information, however provided to us, will be used for the purposes set out in this Notice. In particular, we may use your personal information:
- to provide you with products, or information you have requested;
- to answer your questions/requests and communicate with you in general;
- to process your donations;
- to process orders that you make via our Online Shop;
- to allow you to set up a user account and profile;
- to carry out research on brain injuries through our work with partners (see section 11 (Will we share your personal information?), although note that we take steps to anonymise your personal information before sharing it with our research partners;
- to post details that you share on the Share your Story section of the site on our social media platforms such as Facebook although we take steps to anonymise your comments before we share them on social media.
- to run/administer our website, including troubleshooting and fixing problems with the website, to improve your user experience by ensuring that content is presented in the most effective manner for your and for your device, and to keep the website safe and secure;
- to allow you to join the SameYou community and to send you, news and updates about SameYou and other ways you can help us with our work. We may use your personal information in order to tailor and improve our communications so that they are relevant to you;
- to contact you about any SameYou fundraising events you have signed up to so we can give you information and register/administer your participation;
- to manage relationships with our partners, supporters and beneficiaries in general;
- to ask you to support our work through a fundraising request (only where we are allowed to do so by applicable law and, with your consent where that is required);-
- to analyse and improve our work, services and products by conducting statistical analysis and research using, where possible, anonymised data (such that the data does not qualify as personal information);
- to report on the effectiveness of our work;
- to audit/administer our accounts;
- to satisfy legal obligations which are binding on us, for example where we are legally required to hold donor transaction details for Gift Aid or accounting/tax purposes; or in relation to the requirements of regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- to consider you for potential job or volunteering opportunities where you complete an application;
- for training and/or quality control;
- for the prevention of fraud or misuse of services; and/or
- for the establishment, defence and/or enforcement of legal claims.
5. Lawful bases
Under certain laws, for example the GDPR, we are required to rely on one or more lawful grounds to collect and use your personal information.
Where this requirement applies to us, we consider the grounds listed below to be relevant:
(a) Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to use your personal information to send your our newsletter or to ask for a donation). You always have the right to withdraw your consent.
(b) Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
(c) Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example to ensure that you can enjoy your prize if you win one of our prize draws).
(d) Where it is in your/someone else's vital interests (for example, in case of medical emergency suffered by an attendee at one of our events).
(e) Where there is a legitimate interest in us doing so.
In certain instances, we may collect and use personal information where this is reasonably necessary to achieve our own (or a third party's) legitimate interests (so long as that processing is fair, balanced and does not unduly impact your rights).
In broad terms, our "legitimate interests" means the interests of running SameYou as a charity which aims to raise awareness about and improve the standards and conditions of rehabilitative care after brain injury and stroke trauma. Specific examples include:
- conducting research to better understand who our supporters are and better target our fundraising activity;
- monitoring who we deal with to protect our charity against fraud, money laundering and other risks; or
- maintaining and administering our register, supporter database and systems.
In all cases, we balance our legitimate interests against your rights to privacy and any potential impact on you (both positive and negative), and make sure we only use personal information in a way or for a purpose that you would reasonably expect in accordance with this Notice and that does not intrude on your privacy or go against your previously expressed preferences. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Special categories of your personal information
The GDPR recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health (physical and/or mental), ethnicity and political opinions. Under the GDPR, this is known as "special category" personal information.
In certain situations, SameYou may collect and/or use these types of personal information. For example, you may choose to share information about your health with us when you tell us your story of your experience with brain injury or stroke trauma including via the Share your Story part of our site, or we may need to know information about your health or religious beliefs to ensure that your access or dietary requirements can be facilitated at one of our events. We will only use these types of personal information if there is a valid reason for doing so and where applicable law allows us to do so. In most instances, we will obtain your explicit consent to use information about your health. You always have the right to withdraw your consent.
6. Supporter research
We may also analyse your personal information to create a record of your interests and preferences. This allows us to gain a better understanding of our supporters to improve our fundraising methods, products and services; for example by ensuring that our communications are timely and relevant, so you're only receiving the information you want.
This activity also assists us in understanding the background of the people who support us and helps us to make appropriate requests to supporters who may have the means and the desire to donate, or donate more than they already do, enabling us to raise funds and help beneficiaries sooner and more cost-effectively.
If you would prefer us not to use your personal information for supporter research in this way, you can opt out by contacting us at [email protected].
7. Communications for marketing/fundraising purposes
We may contact you so we can update you on news and information about campaigns to get involved with, ways to financially support our work, stories from patients, and other news or information about our work, events, services or activities we think you'd be interested in.
Where we do this via email, SMS or telephone, we will not do so without your prior consent (unless allowed to do so by applicable law).
Where you have provided us with your consent previously but no longer wish to be contacted by us about our work, events, services, activities or products in the future, you can update your preferences or unsubscribe from these communications at any time by clicking the link provided in every message we send you or by contacting us (see the How to contact us section below). We will not use your personal information for promotional or fundraising purposes if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you.
We may use publicly available sources in order to make sure your information is up to date so we can keep in touch (only where you have provided your consent, if necessary).
8. Donations and payments via our online shop
When you use our secure online donation function or make a payment for a product in our shop you will be directed to a specialist payment services provider who will receive your financial information to process the transaction. Your personal information will be provided to the relevant payment services provider only to the extent necessary for the purpose of processing your donation.
9. Children's personal information
We ask that children under 13 do not provide us with their personal information.
When we do use children's personal information, we will not do so without their consent where this is required or, where required or appropriate, the consent of a parent/individual with parental responsibility for the child. We take steps to put in place appropriate safeguards to ensure that children's personal information is handled with due care.
10. How long will we keep your personal information?
In some countries, there are limits on how long we may retain your personal information. Where these limits apply, in general, unless still required in connection with the purpose(s) for which it was collected and/or used, we remove your personal information from our records 6 years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 15 below), we will remove it from our records at the relevant time.
We will take reasonable steps to securely delete, destroy or de-identify personal information we hold if it's no longer needed in connection with the purpose(s) for which it was collected and/or processed or if we are no longer lawfully entitled to use it.
However, if you do choose to share your personal information with us publicly (for example, photos or footage on social media), then it's possible that other people may have copied this information during the time that it was live, and therefore use of it is beyond our control.
You can request copies of your personal information that we hold at any time (see Your rights and how to exercise them below).
11. Will we share your personal information?
There may be some third parties that we share personal information with in order to achieve our goals as a charity. We will only share personal information with third parties where the sharing complies with our obligations under data protection law. Those third parties include, but are not limited to:
- our partners:
- the Royal College of Nursing, with whom we work to develop specialist training to provide integrated recovery support for young adults who have suffered brain injury or stroke trauma;
- the Spaulding Rehabilitation Hospital, who work to help advance understanding of the most common causes of behavioural dysfunction in young adult survivors of brain injury or stroke trauma and help to promote best nursing practices;
- NursingNow, with whom we work to influence policy makers both nationally and globally; and
- University College London with whom we work on research initiatives relating to brain injuries
- our advisors, in order to help us better manage, support or develop our organisation and comply with legal and regulatory obligations;
- other professional service providers, such as accountants;
- service providers who need to know certain information in order to provide you (or us) with a product or service (for example IT service providers such as website hosts and cloud storage providers). Where we use third parties to collect or process personal information on our behalf, where required, we put a contract in place with them to set out our requirements, especially in relation to how they manage the personal information they collect or have access to;
- other organisations who help us carry out our work including, for example, events organisers who help us organise and administer our events;
- payment service providers who help us process donations;
- third party fundraising organisations;
- banks and insurers;
- parties assisting us with research to monitor the impact/effectiveness of our work and services;
- healthcare professionals and organisations involved in the provision of care, facilities and/or supplies; and/or
- law enforcement bodies and/or regulatory entities, in order to comply with any legal obligations or regulatory requirements which are binding on us.
In addition, we may have to disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the (prospective) seller or buyer of such business or assets;
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets; and/or
- to protect the rights, property and/or safety of SameYou, its personnel, users, visitors or others.
12. Security/storage of and access to your personal information
We are committed to keeping your personal information safe and secure. We have appropriate and proportionate organisational and technical measures in place to do this, for example we invest in the appropriate software to protect your personal information from loss, misuse, unauthorised access, modification or disclosure and have written policies and procedures in place to understand that people handling your personal information on our behalf understand how to do so as securely as possible. Your personal information is only accessible by appropriately trained staff, volunteers and contractors and their sub-contractors.
13. International transfers of your personal information
Certain countries have rules relating to the transfer of personal information across borders and require us to ensure that personal information remains protected according to appropriate standards (for example, EU Member States under the GDPR).
As an international organisation also registered in the US, and because some of our suppliers run their operations outside the UK, we may occasionally need to transfer your personal information overseas, e.g. to the US. In particular, it is possible that personal information we hold may be transferred to and stored in a location outside the UK and the European Economic Area ("EEA").
Please note that some countries outside of the UK and EEA have a lower standard of protection for personal information, which may include lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the UK and EEA in a country that does not offer an equivalent standard of protection to the UK and EEA, we will take all reasonable steps to ensure that there are appropriate safeguards in place to protect your personal information (such as entering into European Commission approved standard contractual clauses) designed to protect your personal information.
Unfortunately, no transmission of your personal information can be guaranteed to be 100% secure. However, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised or unintended access.
14. Your rights and how to exercise them
Certain countries give you certain rights in relation to how your personal information is used. Some of these rights may only be available to you if you are located within the EU when you engage with us.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time.
You also have the following rights:
- Right of access: you can ask us for confirmation of what personal information we hold on you and to request a copy of that information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that may apply.
- Right of rectification: if you believe our records of your personal information are inaccurate, you have the right to ask us to update or amend those records. You can also ask us to check the personal information we hold about you if you are unsure about its accuracy or legitimate usage.
- Right to restrict processing: you have the right to ask us to restrict the processing of your personal information if there is a disagreement about its accuracy or legitimate use.
- Right of erasure: at your request we will remove your personal information from our records as far as we are required to do so.
- Right to data portability: in certain circumstances, you can request an electronic copy of your personal information be sent to you, or another organisation.
- Right to object: you have the right to object to the processing of your information where we are (i) processing your personal information for direct marketing purposes; (ii) processing your personal information on the basis of a legitimate interest or (iii) using your personal information for statistical purposes.
- Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing (i.e. without human intervention) of your personal information which produces legal effects or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by EU, UK or another Member State's law to which SameYou is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.
- Right to complain: you have the right to raise a concern or complaint with your local data protection authority about the way in which we use your personal information. For instance, the data protection authority in the UK is the Information Commissioner's Office - https://ico.org.uk/.
We may ask you for additional information to confirm your identity and for security purposes, before taking action in response to your request. Please note that some of these rights only apply in limited circumstances. If you have any questions, please contact us using the details in the How to contact us section.
15. Changes to this Notice
This Notice was updated in May 2020. We will keep it under review and make updates from time to time. If we make any significant changes to the Notice, we will make this clear on the SameYou website or, where appropriate, by contacting you directly.
16. Data Protection Contact
Our Financial Controller can be contacted directly for all data protection communications at [email protected]. Alternately, please use the details in the How to contact us section and mark the email for the attention of, or ask to speak to, the Financial Controller.
17. Links and third parties
This website contains links to other websites that we believe may be of interest to you. This Notice only applies to our website, so if you visit another website using a link on our website, we recommend you read the privacy Notice of that website. This Notice does not cover external websites and we are not responsible for the privacy practices or content of those sites.
18. How to contact us
If you have any questions or concerns about this Notice or the way in which SameYou uses your personal information, please let us know by contacting us using the following channels:
+44 7388 497851
10 Queen Street Place
London EC4R 1BE