Privacy policy

What this privacy policy covers

Your data is in safe hands with Crohn’s & Colitis UK. As a Data Controller we are committed to looking after your personal data (this means any information that could identify you) and safeguarding your privacy.

The purpose of this policy is to give you clear and easy to understand information about how we collect and process your personal data and how we comply with legal requirements. We have provided a number of examples of how this policy applies, but please note that this is not a complete list. 

Who we are

We are Crohn’s & Colitis UK, the UK’s leading charity for Crohn’s Disease and Ulcerative Colitis.

Crohn’s & Colitis UK

1 Bishops Square (Helios Court)

Hatfield Business Park

Hatfield

Hertfordshire

AL10 9NE

If you have any queries about this policy or would like to give us feedback, then please email supporters@crohnsandcolitis.org.uk

How we collect information about you

• Information you give us: For example, when you call the helpline, register for an event or sign up as a member through our website
• Information we get when you use our website: For example, cookies (please see the section ‘What website information do we use?’ for more information)
• Information from our trusted third parties: For example, JustGiving (a site that you can use to create a fundraising page to raise money for us), Engaging Networks (a campaigning platform we use to support you in sending e-actions to politicians) and Meta (a social media platform where people can express interest in our campaigns or events). These platforms will have their own privacy policies, so please do check with them before providing your personal data to them
• Information we receive indirectly: For example, the emergency contact of an employee when they start working with us, information about an executor when we administrate legacies
• Information available publicly: For example, information available from Companies House or sites such as LinkedIn  

LAWFUL BASES WE USE TO PROCESS DATA

We want to keep you updated with what we are doing, and how you can get 
involved. The main bases we use are:

• Consent (Article 6.1a GDPR) in relation to marketing and information about IBD and our services, You can tailor the consent you give from All Marketing to only marketing about, for example, volunteering, events, legacies etc. You can change your consent at any time by notifying supporters@crohnsandcolitis.org.uk
• Contract (Article 6.1b GDPR) in relation to communications to staff, suppliers, research grants, trusts, corporate donors and membership payments etc.
• Legitimate interest (Article 6.1e GDPR) in relation to communications about our existing relationship e.g. about your membership. We may, based on your previous activities, contact you about similar activities for example: about events next year if you are a fundraiser doing a running event. Our internal team assesses whether such approaches are balanced with your rights. Other examples are surveys, campaigning, opportunities to donate again etc.
• Legal obligation (Article 6.1c GDPR) is primarily used to comply with HMRC regulations on salaries and Gift Aid but includes notifying members of General Meetings etc.

If you ask us to stop sending you marketing materials, we will keep a record of your contact details and appropriate information to enable us to comply with your request as quickly as possible, normally within a week.

PERSONAL DATA THAT WE PROCESS

We only process the information that we need to. We sometimes process data that is also known as special category, for example: Health related data such as whether you or someone you are related to or care for, has a diagnosis of Crohn’s Disease, Ulcerative Colitis or any other form of IBD; and information relating to equality and diversity.

We only ask for this information for the following purposes (Article 9.2d GDPR):

• To provide the information most relevant to your situation
• To help us understand how well we currently engage and support diverse groups of people affected by Crohn’s and Colitis, to take action to ensure different groups are well represented, and to enable wider participation.
• To enable us to monitor and evaluate progress with our work to improve equality, diversion and inclusion across all areas of the charity.

We keep your data for as long as is necessary for us to provide you with the 
support, service or information you need.

* Part of Contact records refers to the combined personal data held about you. This record is kept for 6 years after your last engagement with us in any way. In addition, if you have not opened an update email from us for 3 years we will stop sending them proactively. If you wish to continue getting communications from us please let us know at supporters@crohnsandcolitis.org.uk

** We may carry out  prospect research to support our fundraising activities. This involves analysing information that is publicly available, together with information you have already provided to us, in order to develop an understanding of philanthropic interests. To carry out this activity, we may share relevant personal data with third party suppliers who undertake analysis on our behalf. We will ensure that such suppliers act only on our instructions and are bound by appropriate contractual safeguards in line with data protection requirements.

What website information do we process?

Google Analytics is a web analytics service that tracks and reports on website traffic. We use analytics services to help us understand what information people find useful on our website(s). This helps us improve our information and services. Google's tracking is anonymous, so we do not know who has visited our website. 

Our websites run on Content Management Systems (CMS) which use cookies to function. Cookies are small parcels of information routinely used by websites, such as an option you’ve selected or a page you’ve visited. Most cookies expire as soon as your session expires, unless a user has self-selected options and book-marked pages within our website. Cookies do not collect any personal identifying information.

Most modern browsers allow you to manage cookies saved on your computer. Find out more about managing cookies on your browser.

HOW WE USE ARTIFICIAL INTELLIGENCE (AI)

We may use Artificial Intelligence (AI) tools to help improve our services, such as analysing anonymised data, summarising previous communications or automating routine tasks. We do not use AI to make decisions about individuals that affects their rights or access to our services without human involvement. All personal data processed by AI is handled securely and in line with data protection law.

For more information about how we use AI, please read our full AI Policy.

Your rights

When we process your data you have the right to:

• Be informed what information is being collected and how it is used. This privacy notice provides this and a link is always available at the time of data collection.
• Access the information we hold about you. Correct the information we hold about you.
• Restrict the processing of your data to certain purposes

When we process your data based on legitimate interest or consent you have the additional right to:

• Object to the ways(s) your data is processed.
• Remove the information we hold about you. We will erase from across our systems and files your personal information except where we have a legitimate reason to retain it for a set period.

When you have provided consent for your data to be processed you may restrict but not object to our processing but you have the additional right to:

• Portability allowing you to obtain and reuse your personal data for your own purposes across different services.

You will not normally be charged for any of the above and we will respond to your request within one calendar month.  

We may wish to confirm your identity before changing or providing your data.

In exceptional circumstances, normally legal, we may not be able to comply with your request but will keep you informed of this and take advice from the Information Commissioner’s Office if we disagree.

To make a request, please email supporters@crohnsandcolitis.org.uk, call us on 01727 617457 or write to the Supporter Care team at Crohn’s & Colitis UK, 1 Bishops Square (Helios Court), Hatfield Business Park, Hatfield, Hertfordshire AL10 9NE. 

Children, young people and adults at risk data

Children and adults at risk have the same rights as any adult over their personal data. At Crohn’s & Colitis UK, we define a child as anyone who has not yet reached their 18th birthday. We define an adult at risk as a person over the age of 18 years and at risk of abuse or neglect because of their needs for care and support. We do not share information about children or adults at risk with anyone without consent unless the law and our policies allow us to do so, which overrides the need for consent to be sought. Our Confidentiality Statement outlines when we will need to do so, with examples from our Helplines.

For our parent and child memberships, all communication will be with the parent/guardian and we keep the following information about the child: Name, Date of Birth, Crohn’s or Colitis diagnosis, address. This information can be removed by request at any time. We will not contact your child directly.

We use the words and images of young people and children to demonstrate and promote our work. We request written consent from the guardian/parent for their data to be used in this way. As above, this can be revoked at any time.

For our young fundraisers, we request written consent from the guardian/parent if they are under 18 years old. We ensure the guardians/parents receive a copy of all communications between us and the young person. This applies also to publicity consent for example for nominees for the Alex Demain Young Fundraisers of the Year Award. 

KEEPING YOUR PERSONAL INFORMATION SAFE AND UP TO DATE

We store your data securely and in line with our Confidentiality and Data Protection policies.

We have security measures in place to protect your personal information. This includes encryption on our website, a closed network and a secure contacts database. We carry out regular security reviews and respond quickly to any breaches that could compromise your data.

Payment details (such as credit or debit cards) that we receive to make donations or pay for membership etc are passed to our secure payment processing providers who meet the Payment Card Industry (PCI) Security Standards. We do not store your card details.

If your personal information changes, please let us know. We try to keep our information about you up to date, for example by periodically checking our data using trusted data cleansing services such as Post Office’s National Change of Address database.

Who we share your data with

The following are examples of the types of trusted suppliers we work with. We work hard to ensure that their policies and values align with our own. We securely transfer data to them, mainly encrypted over Secure FTP.

• Mailing houses
• Fulfilment houses
• Telemarketing Companies
• Event organisers
• Analysis companies, usually anonymised

We only pass the information on that is vital for the intended purpose. For example, we will not share your phone number with a mailing house when they send you our printed Connect magazine.

We also process data on behalf of IBD UK. We manage communications for them if you have expressed an interest in their work. 

Volunteers

Our volunteers agree to our Data Protection policies and those who view personal data on our internal database sign a confidentiality agreement.

Social Media 

Our supporters are important to us and by reaching more people we can increase our impact. We sometimes search for ‘lookalike’ audiences on social media platforms who match interests, behaviour and demographics of Crohn’s & Colitis UK supporters to find others who may benefit from our information, support and engaging with the charity. We may also participate in social media platforms’ audience preference services which remember supporters who have responded in the past to Crohn’s & Colitis UK fundraising and marketing requests. Using platforms in this way is an important way in which we can reach more people who are likely to be interested in our work.

If a young person or adult at risk has shared their story via their own personal social media page e.g. Instagram, we may reshare using judgement, ensuring personal details such as name, school badges etc are not included.

At any time, you can turn off reposting by updating the settings directly from within your social media platforms:

• Google: https://adssettings.google.com/authenticated
• Facebook: https://www.facebook.com/help/568137493302217
• Instagram: https://help.instagram.com/
• X: https://x.com/settings
• LinkedIn: https://www.linkedin.com/help/linkedin/answer/62931
• YouTube: https://www.youtube.com/account
• Snapchat: Settings – Snapchat Support
• TikTok: Account privacy settings 

Complaints

Our Data Protection Compliance Lead is the Chief Operating Officer (currently vacant this function is being covered by Ciara Bosworth, Programme Director).

We always strive to offer the best service in all areas of our work however occasionally we don’t get it right. If you are unhappy with our data handling please let us know. Details of how to do this and a link to our Complaints Policy can be found on our website: Complaints and feedback

We aim to resolve issues raised as soon as possible and the Data (Use and Access) Act 2025 requires us to respond to data protection complaints within 30 days. If you do not feel that we have resolved your complaint then you have the right to approach the Information Commissioners Office (ICO) for an independent assessment. 

Our other policies

Confidentiality Statement

Equality, Diversity and Inclusion Policy

Cookies Policy

Employee Recruitment

Safeguarding

Social Media Policy not available on the website

Data Retention Policy not available on the website

Artificial Intelligence Policy not available on the website

Use of AI and Personal Data Statement not available on the website

Complaints Policy