Privacy Notice 

Your privacy is important to us and we will process your personal data in accordance with data protection laws. This Privacy Notice sets out how we process personal data about you and other individuals about whom you might disclose information.

Identity of Data Controller

FLAG DV CIO (referred to in this Privacy Notice as “we“, “us“, “our“) is the data controller in respect of any personal data, including special category data, which you provide to us or which we hold about you and any personal data which is processed in connection with the services we provide to our clients. 

Data Protection Lead

FLAG DV CIO
Email: hello@flagdv.org.uk
Phone: 01635 015854
Address: 4-8 The Broadway, Newbury RG14 1BA

What information we collect

• Client information – name, contact details, demographic information (such as age, gender, ethnicity, disability status), information about your situation, and notes from our support services.
• Special category data – such as information about health, domestic abuse, safeguarding concerns, or protected characteristics. We only process this where necessary for providing support and where the law allows us to.
• Referrer information – details from agencies or professionals who refer clients to us.
• Volunteer and staff information – recruitment details, training records, references, and safeguarding checks.
• Website visitor information – technical data (e.g. IP address, browser type, pages visited) collected through cookies and analytics.
• Donor and supporter information – contact details, donation history, Gift Aid information, and communication preferences.

How we collect your data

• We may collect information when:
• You access our services directly,
• You are referred to us by another organisation,
• You visit our website,
• You donate or sign up for fundraising activities,
• You apply to volunteer or work with us,
• You communicate with us by email, phone, or post

How we process personal data

We use your information to:

• Provide and manage our services to survivors of domestic abuse,
• Record and monitor referrals, legal advice clinics, and court support,
• Meet safeguarding and legal obligations,
• Monitor and improve our services,
• Recruit, train, and manage volunteers and staff,#
• Administer fundraising and donations,#
• Communicate with you in line with your preferences,
• Maintain financial and governance records required by law.

How we keep your data secure

Your personal data is securely stored on our electronic database and can only be seen by those who have access to the system.  Those with access to your personal data have been vetted and have received record management training.

We constantly work to make sure that your personal data is properly protected through encryption, firewalls and monitoring.

In addition, our servers containing personal data are situated in the cloud. This data is backed up frequently and tested regularly in line with our standard backup procedures.

Lawful bases for processing

We rely on one or more of the following lawful bases under UK GDPR to process your information:

• Consent – where you have given us clear permission,
• Contract – where processing is necessary for a service you have requested,
• Legal obligation – where the law requires us to,
• Vital interests – where processing is necessary to protect life,
• Legitimate interests – where processing is necessary for our charitable purposes and does not override your rights,
• Public task – where we carry out work in the public interest.
• For special category (sensitive) data, we may also rely on conditions such as the provision of support services, safeguarding of individuals at risk, or where you have given explicit consent.

How we share your information

We will only share your information where it is necessary and lawful to do so. This may include:

• With solicitors or barristers providing you with pro bono legal advice,
• With statutory agencies such as local authorities, social services, or the police for safeguarding purposes,
• With partner agencies involved in your support (with your consent where required),
• With regulators, auditors, or funders where reporting is required,
• With trusted third parties that provide services to us (such as IT providers, mailing services, or payment processors), who are only permitted to use your data in line with our instructions and the law.

We will never sell your personal data.

How long we keep your information

We will keep your personal information for as long as it is needed for the purposes set out in this policy, and to meet our legal, safeguarding, and regulatory obligations.

The length of time we hold information depends on factors such as:

• the nature of the support or service provided,
• our safeguarding responsibilities,
• legal or regulatory requirements, and
• our need to maintain records for accountability and governance.

We do not keep personal data indefinitely without purpose. Where information is no longer required, we will ensure it is securely deleted, anonymised, or archived.

How we keep your data secure

Your personal data is securely stored on our electronic database and can only be seen by those who have access to the system. Those with access to your personal data have been vetted and have received record management training.

We constantly work to make sure that your personal data is properly protected through encryption, firewalls and monitoring.

In addition, our servers containing personal data are situated in the cloud. This data is backed up frequently and tested regularly in line with our standard backup procedures.

Your rights

You have the following rights under UK data protection law:

• Right of access – you can ask for copies of the personal information we hold about you (this is called making a Subject Access Request or SAR).
• Right to rectification – you can ask us to correct or update inaccurate or incomplete information.
• Right to erasure – in some circumstances, you can ask us to delete your personal data.
• Right to restrict processing – in some circumstances, you can ask us to stop using your data other than for storage.
• Right to data portability – you can ask us to transfer the information you gave us to another organisation or to you.
• Right to object – you can object to the use of your data in certain situations.
• Right to withdraw consent – if we are processing your data on the basis of consent, you can withdraw that consent at any time.

Subject Access Requests (SARs)

If you would like to access the personal data we hold about you, you can make a Subject Access Request (SAR). To do this, please contact us using the details at the end of this policy or ask us for a copy of our SAR form.

When you make a SAR, we may need to ask for proof of identity or additional information to confirm your request is genuine. This helps us make sure your data is only shared safely with you.

We will normally respond to a SAR within one calendar month from the date we have received your completed request and verified your identity. If your request is complex or involves large amounts of information, we may extend this by up to two further months, but we will tell you if this happens.

While we aim to be as transparent as possible, there may be times when we need to withhold or redact some information, including:

• details that identify third parties (where their consent has not been given),
• information covered by legal professional privilege, or
• information where disclosure could cause serious harm to you or another person.

We will send your information using the method you tell us is safe (for example, secure email, encrypted file, or post to a verified address).

Cookies and Website Analytics

Our website uses cookies to improve your experience and to help us understand how people use the site. Cookies are small text files stored on your device. You can disable cookies in your browser settings if you prefer.

We may also use website analytics tools (such as Google Analytics) to monitor site usage. These tools collect anonymous information about how visitors use our site.

Online Forms and Donations

If you use our online forms (for example, to request support, sign up to our mailing list, or make a donation), we will collect the personal information you provide in order to process your request. Where we use third-party providers (such as payment processors or mailing services), they are only permitted to use your data in line with our instructions and data protection law.

External links

Our website may contain links to other websites. Please be aware that FLAG DV is not responsible for the privacy practices of other sites. We encourage you to read the privacy statements of any website you visit.

How to contact us

For further information on how your personal data is used and your rights in relation to your personal data please contact us by:

• Writing to us at FLAG DV, Broadway House, 4-8 The Broadway, Northbrook Street, Newbury, RG14 1BA; or
• Emailing us at hello@flagdv.org.uk

Complaints

If you’re not happy with the way we’re handling your personal data, you have a right to make a complaint with your local data protection supervisory authority at any time. In the UK this is the Information Commissioner’s Office (ICO). You can contact the ICO on 0303 123 1113. However, we ask that you please attempt to resolve any issues with us before contacting the ICO.

Updates to this Privacy Notice

We may need to make changes to this Privacy Notice periodically, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. Our website will show the most recent version of this Privacy Notice, and you will be directed to this in our communications with you.

This Privacy Policy was last updated on: 18/19/2025