Wellbeing Hub
Contents

GDPR & Privacy Policy

About this policy

Rareminds is a registered charity in England and Wales (No. 1205120). Our registered offices at 86-90 Paul Street, London, EC2A 4NE.

This policy explains:

  • What personal data we collect
  • How we collect and use your data
  • Your rights regarding your data
  • How to contact us or relevant regulators if you have concerns

This version of our policy is primarily written for adults, including the parents and guardians of any young people under the age of 18 who access our services.

The context of this policy

Where we collect, use and are responsible for personal data about you, we are the Data Controller and subject to data protection law.

We comply with the UK General Data Protection Regulation (UK GDPR). If we offer services to any individuals in the European Economic Area (EEA) we also comply with the EU General Data Protection Regulation (EU GDPR).

We may also be subject to other data protection laws where we offer services to individuals based outside of the UK and the EEA, or if we provide services from outside of the UK or the EEA.

Who this policy is for

If you are under 18 years old (or have any developmental or cognitive difficulties as a result of your rare condition or otherwise) you are welcome to read this policy if you find it useful, but we recommend that you also discuss its contents with a parent, carer or guardian. If you require this policy in another format, please email

Contents of this policy

1 Information we collect

2 How we collect personal information

3 How and why we use your personal information

4 Who we share your personal information with

5 Your privacy rights

6 Data security

7 Data retention

8 Data transfers between countries

9 Website cookies and tracking

10 Links and third parties

11 How to complain about how we use your data

12 Changes to this privacy notice

13 How to contact us

1. Information we collect

We collect and process personal data in compliance with Article 6 and Article 9 of the UK GDPR to ensure lawful, fair, and transparent handling of data. There are two types of data we may collect – standard personal information and special category data.

Standard Personal Information

We collect this data to provide our services and manage our relationship with you. The data we may collect includes:

  • Name, address, phone number and email
  • The country you live in, your age and date of birth
  • Records of past contact with us
  • Information about your use of our website, services, or technology (e.g., IP addresses, device details)
  • Payment details

Special Category Data

This information helps us to provide our counselling and wellbeing services. With your explicit consent, we may collect:

  • Information about your physical or mental health (from you or healthcare providers)
  • Data on your race, ethnicity, disability, or religion (to help us and our charity partners monitor equitable access to services)
  • Information about any criminal convictions (if required for safeguarding purposes)

Some of this information is required for us to be able to provide services. Failure to provide it may therefore affect our ability to deliver services to you.

If you have concerns about this, or would like to discuss further, please email

2. How we collect personal information

We obtain data in the following ways:

  • Directly from you when you contact us via phone, email, or website, or when you sign up for services (e.g., counselling, training, or webinars)
  • From third parties acting on your behalf, such as family members, healthcare professionals, or partner organisations (subject to their own privacy policies)
  • Automatically via cookies and analytics tools when you use our website

If you are accessing our counselling or wellbeing services we may also receive information from:

  • Your parent or guardian (if you are under 18 years old)
  • The organisation or charity who is paying for the services we provide (such as our partner charities who are providing you with access to counselling).

3. How and why we use your data

Under data protection law, we can only use your personal information if we have a valid reason to do so:

  • Where you have given consent
  • To comply with legal and regulatory obligations
  • For the performance of a contract, or in order to take steps at your request before entering into a contract
  • For legitimate interests, or those of a third party

Where we process special category personal information about you, we will ensure we are permitted to do so under data protection laws.

We use your data to manage our relationship with you, provide services and respond to enquiries. We also use it to undertake statistical analysis, evaluation and monitoring of our services and quality control.

Where required, we use data to manage disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our activities (e.g. to record and demonstrate evidence of your consents).

We also use it to exercise our legal rights and to defend ourselves from legal claims, to undertake legal proceedings, or because we have a legal obligation to do so according to the applicable laws which govern the psychological and psychiatric healthcare services we offer.

 

Purpose of using your data

Legal Basis

Providing counselling and support services

Consent / Performance of a contract

Processing payments for services or donations

Performance of a contract / Legal obligation

Sending newsletters, updates, or event invitations

Legitimate interest / Consent

Monitoring website performance & analytics

Legitimate interest / Consent (via cookies)

Responding to inquiries and complaints

Legitimate interest / Legal obligation

Safeguarding & legal reporting obligations

Legal obligation

Updates about changes to our terms policies or services, or responding to complaints, enquiries or incident

Consent / Legitimate interest / Legal obligation

You can withdraw consent at any time by contacting us or using opt-out links in communications.

4. Who we share your personal information with

We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing or medical purposes. We only share anonymised data unless legally required, or where we have your consent to identify you.

If we transfer data outside the UK/EEA, we ensure appropriate safeguards, including Standard Contractual Clauses (SCCs) or adequacy decisions. For more information on transferring data, see section 6.

Partner organisations, charities and funders

If you are accessing our counselling and associated services, we collect data regarding your physical and mental health/wellbeing, and your rare condition. These results are then aggregated and anonymised before being shared with the relevant partner organisations/funder. We also use this information for raising awareness and demonstrating the impact of our work. You will not be identifiable as an individual.

Data Processors

A Data Processor is a person or organisation that processes personal data on behalf of a Data Controller. Our Data Processors act in accordance with our  instructions (as the Data Controller) to help us provide services and manage our relationship with you.

Our Data Processors are:

  • Gaby Prothero Design (UK based website hosting and client management system)
  • Google Workspace (cloud-based storage and email services)
  • QuickBooks (financial management and payments)
  • Brevo (email communication software)
  • Payment processors (Stripe and PayPal for donations or service payments)

Other people we may share data with include:

  • Doctors, clinicians and other health-care professionals, hospitals, clinics and other health-care organisations. This will be with your consent unless in exceptional circumstances as outlined in our Counselling Services Confidentiality Agreement.
  • Regulatory bodies, the police and law enforcement agencies, courts, tribunals (if legally required).

Sharing your personal information without your consent

In exceptional circumstances, such as for safeguarding purposes, and/or where we feel there is significant risk of harm to you or another, we may disclose your personal information without your consent, in accordance with our Counselling Services Confidentiality Agreement.

If you would like more information about who we share our data with and why, please

5. Your Privacy Rights

Under UK/EU GDPR, you have the following rights:

Right to be informed: This policy outlines our practices to inform you how we use your personal data.

Right of access: You have the right to request copies of the personal information that we hold about you. There are some exemptions and limitations in what we can provide in response to such requests, which means you may not always receive all the personal information we process. We will always inform you if any exemption or limitation applies and what its impact is.

If you are accessing our counselling services and wish to access your personal clinical record, please discuss this with your counsellor or email . We can then send you our ‘Requesting Access to Your Records’ protocol.

Right to rectification: You have the right to ask us to correct personal information you think is inaccurate. You also have the right to ask us to complete your personal information you think is incomplete.

Right to erasure: This is also known as the ‘right to be forgotten’. In certain circumstances, you have the right to ask us to erase your personal information. Where it is appropriate that we comply, your request will be actioned within 30 days.

We may not always be able to remove your personal information from ongoing or completed treatment, or where we are required by law or regulation to retain it. We may also retain some account information related to service history. This enables us to provide ongoing support regarding prior treatments and services, and is also necessary for accounting, audit, quality and compliance purposes.

Right to restrict processing: In some circumstances you have the right to ask us to restrict the processing of your personal information. For example, you can request that we limit the way in which we use your personal information if you are concerned about the accuracy of the data.

Right to data portability: You have the right to receive your personal information which you have provided to us, in a structured, commonly used and machine-readable format. In certain situations you also have the right to ask us to send your personal information to another organisation.

Right to object: You have the right to stop our direct marketing and certain types of processing. Where it is appropriate that we comply with your request, we will stop processing your information for the use you have objected to.

For further information on each of these rights, including the circumstances in which they do and do not apply, please

When contacting us in regard to your rights please:

  • Provide enough information to identify yourself, and any additional information we may need to respond to your request appropriately.
  • Let us know which right(s) you want to exercise, and the information to which your request relates.

You may also find it helpful to refer to the guidance from the UK’s Information Commissioner https://ico.org.uk/on your rights under the UK GDPR

6. Data security

We implement strict security measures to protect your personal information, including:

  • Secure servers and encrypted databases
  • Internal policies and protocols in places regarding how we store and manage your information
  • Limiting access to your personal access to team members who have a genuine need to access it
  • Measures in place to prevent personal information from being accidentally lost, used or accessed unlawfully or inappropriately

You will only be emailed by us (except in very exceptional circumstances) via a Rareminds email address.

It is your responsibility to protect the confidentiality of your own passwords, account information, and any other access features associated with accessing our services, or use of the website, products or related services.

If you would like further information about cyber-security eg how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit Get Safe Online, which is supported by HM Government and leading businesses (http://www.getsafeonline.org).

Data breaches

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

7. Data Retention

We will not keep your personal information for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal information. How long we retain specific personal information varies depending on the purpose for its use.

When it is no longer needed data is anonymised or securely deleted. Data held in back-ups are subject to separate retention and erasure processes.

We retain data based on legal and professional guidelines. This means we may retain your personal information after we have stopped delivering services to you. This is needed so we comply with our legal and regulatory obligation. It is also to help resolve disputes or complaints, and to enforce our rights in connection with our website, services, products and/or to protect our business.

Data Type

Retention Period

Counselling records (including emails from clients)

7 years from the date of the last appointment. In some scenarios, such as in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you we may retain your personal data for a longer period.

General enquiries and emails (not related to counselling service)

2 years

Payment details (excluding bank/card info)

6 years from the end of the relevant financial year for financial compliance

Website analytics

Up to 2 years (depending on cookie settings)

 

8. Data transfers between countries

Transfers of data from the EEA to the UK

If you are an individual based within the EEA and we provide services to you, we will transfer your personal information from the EEA to the UK. This is because Rareminds as an organisation is based in the UK. EEA data protection laws provide that transfers of personal data to the UK are lawful under an adequacy decision dated 28 June 2021.

Transfers of data outside of the UK/EEA

The EEA, UK and other countries outside the EEA and the UK have differing data protection laws. Some may provide lower levels of protection of privacy.

On some occasions it may be necessary for us to share your personal information to countries outside the UK and EEA, for example, if some of our service providers or clinicians are based outside the UK/EEA.

To comply with data protection laws, we will only transfer your data to a country outside the UK/EEA where:

  • They are deemed adequate by the UK/EU government’s ‘adequacy decisions’. This means the UK and/or EU government has decided a particular country ensures an adequate level of personal data. A list of countries the UK currently has adequacy regulations in relation to is available here. A list of countries the European Commission has currently made adequacy decisions in relation to is available here.
  • There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you.
  • Consent is a valid exception under relevant data protection laws and we have your explicit consent to transfer your personal information out of the UK/EEA.
  • A specific exception applies under relevant data protection law.

Transfers of data in the UK/EEA from outside

Where we transfer your personal information into the UK/EEA from a country outside of the UK/EEA and that country has applicable data protection law which governs such transfer, we will transfer your personal information in accordance with the requirements of that applicable data protection law. For example, we may need to obtain and rely on your consent to transfer the data to the UK/EEA, or a country may have similar adequacy decisions to that of the UK/EEA.

Any changes to the destinations to which we send personal information, or in the transfer mechanisms we use to transfer personal information internationally will be notified to you in accordance with the section on ‘Changes to this Privacy Policy’ below.

For further information about such transfers and the safeguards we employ, please contact our Data Protection Officer (see ‘How to contact us’ below).

9. Website cookies and tracking

Like many other websites, our website uses cookies. Cookies are small text files that are placed onto your device (e.g. computer, smartphone or other electronic device) when you visit our website. They do not affect your device, but are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Some of the cookies we use are essential for the site to work. We also use some non-essential cookies to collect information about how visitors use our website so that we can make informed decisions about improvements to the site and get a good understanding of the kind of content our visitors like to read.

Cookies can be used to remember information about you, such as your language preference or login information. They may contain a unique identification code that makes it possible to track the user’s navigation of the site for statistical, advertising, and technical purposes.

For further information on cookies, our use of them, when we will request your consent before placing them and how to disable them, please see our Cookie Policy.

10 Links and third-parties

As part of our services, including our counselling services and our website, we may provide links to other websites and organisations. This policy does not cover how these third-parties may process your personal information if you follow the links we provide. Please be aware that those third-parties may have different terms of use and privacy policies.

We are not responsible for the privacy practices of any third-party, unless we have engaged them on our behalf to process your personal information for a specific purpose identified within this Privacy Policy. We are also not responsible for the terms of use you may be required to agree to in order to use third-party websites and services.

11. How to complain about how we use your data

We hope you never have cause to make a complaint against us. You can read our Complaints Policy here.

Rareminds is registered with the Information Commissioner’s Office (ICO) as a Charity organisation. All our clinicians are also independently registered.

If you have any queries or concerns about our storage or use of your personal information, please or write to us as indicated below.

You also have the right to make a complaint to:

  • The Information Commissioner in the UK. The UK’s Information Commissioner may be contacted at: https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.
  • The relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA. For a list of EEA data protection supervisory authorities and their contact details see: https://edpb.europa.eu/about-edpb/about-edpb/members_en

12. Changes to this policy

We may update this policy from time to time by updating the link on our website. When significant changes are made, we will notify users via email and/or a website announcement. All changes are effective immediately upon posting an update, and they apply to all access to and use of the website and our products and Services from that point onward.

13. How to contact us

You can contact our Data Protection Officer by post, email or telephone if you have any questions about this Privacy Policy or the information we hold about you, to exercise a right under data protection law, or to make a complaint.

Please do not include any health information or other sensitive information if you contact us in connection to this Privacy Policy.

For data protection queries in the first instance contactus@rareminds.org marking your query FAO the Data Protection Officer, or,  write to us at Rareminds, 86-90 Paul Street, London, EC2A 4NE. Please mark your correspondence FAO attention: Data Protection Officer.

Do you need extra help?

If you would like this Privacy Policy in another format (for example audio or large print, braille) please contact us as above.

KW/RM Feb 2025