Privacy Policy

Last updated: 25 November 2025

Shining Steps UK (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal information in a safe, respectful, and transparent way.

This Privacy Policy explains what information we collect, how we use it, and the rights you have under UK GDPR and the Data Protection Act 2018.

1. Who We Are

Shining Steps UK

We are the Data Controller for the information we process.

2. What Personal Information We Collect

The information we collect depends on how you interact with us.

We may collect:

A. Information from people accessing support

  • Name, address, and contact details
  • Information about your support needs
  • Health-related or household information (where relevant)
  • Referrer details (health, social care, education, VCSE)
  • Follow-up information
  • Information supplied through email, forms, or the website

B. Information from donors or supporters

If you donate or support our work, we may collect:

  • Name and contact details
  • Donation amount, method, and date
  • Payment reference and transaction ID
  • Optional communication preferences
  • Any messages or notes you choose to include
  • Information required for financial auditing and fraud prevention

We do NOT store full card or bank details.

Payments are processed through secure third-party providers (e.g., PayPal, Stripe, Giving platforms).

C. Special Category Information (only where relevant)

  • Health information
  • Information relating to vulnerabilities
  • Household or caring responsibilities
  • Information relating to safeguarding

Special category data is only collected when necessary and with clear justification.

D. Website information

  • IP address
  • Cookies and analytics data (see Cookie Policy)
  • Browser type and device information

3. How We Use Your Information

A. For people accessing support

We use information to:

  • Provide the correct notional item or service
  • Process and respond to referrals
  • Keep you and your household safe
  • Contact you or your referrer
  • Provide follow-up support
  • Signpost or refer you to other organisations
  • Manage compliments, complaints, or concerns
  • Improve our service
  • Meet legal and safeguarding duties

B. For donors and supporters

We use donor information to:

  • Process your donation securely
  • Send acknowledgement or thanks (where appropriate)
  • Maintain accurate financial records for audit and legal requirements
  • Prevent fraud or misuse
  • Contact you about your donation if needed
  • Manage donor communication preferences

We do NOT add donors to marketing lists unless you have explicitly opted in.

4. Our Legal Bases for Processing

We rely on different legal bases depending on the situation:

Consent (Article 6(1)(a))

  • When you choose to provide information or opt into communication

Legitimate Interests (Article 6(1)(f))

  • Delivering our support service
  • Communicating with donors about their donation
  • Preventing fraud
  • Managing and improving our organisation
  • Keeping people safe

Legal Obligation (Article 6(1)(c))

  • Financial auditing and Gift Aid requirements
  • Safeguarding duties
  • Keeping records required by charity or financial law

Contract (Article 6(1)(b))

  • Processing donations where needed to complete the transaction

Vital Interests (Article 6(1)(d))

  • Very rare cases where information must be shared to protect life

Special Category Data (Article 9)

For sensitive data, we use:

  • Explicit consent (Article 9(2)(a))
  • Substantial public interest, e.g., safeguarding (Article 9(2)(g))
  • Support-related processing (Article 9(2)(h))

5. Who We Share Information With

We only share information when necessary and appropriate.

We may share information with:

  • The professional who referred you
  • Agencies providing linked support (with consent)
  • Payment processors for donations
  • Safeguarding services if required
  • IT and cloud service providers (secure contracts)
  • Auditors, accountants, or regulators (when required by law)

We never sell or share information for marketing.

6. How Long We Keep Your Information

People accessing support

  • Referral and support records: 12–24 months
  • Safeguarding records: kept in line with legal requirements

Donor information

  • Donation records: 6 years (legal accounting requirement)
  • Communication preferences: kept until you update or withdraw consent
  • Transaction data via payment processors: stored according to their policies

Website analytics

  • Typically up to 26 months

You can ask us to delete information earlier unless we are legally required to keep it.

7. How We Store and Protect Your Information

We use strong technical and organisational measures, including:

  • Encrypted cloud storage
  • Password-protected systems
  • Limited access rights
  • Secure financial platforms
  • Regular data protection reviews
  • Secure disposal of any physical documents

8. Your Rights Under UK GDPR

You have the right to:

  • Access your information
  • Correct inaccurate data
  • Request deletion (where lawful)
  • Restrict or object to processing
  • Withdraw consent at any time
  • Receive a copy of your data in a portable format
  • Refuse marketing communications
  • Complain to the ICO if you’re unhappy

To exercise your rights, email: info@shiningsteps.co.uk

ICO contact: www.ico.org.uk | 0303 123 1113

9. Donations From Children or Vulnerable Adults

We do not knowingly collect donations from anyone under 18 without appropriate parental consent.

For vulnerable adults, we follow safeguarding principles and aim to ensure any donations are freely given and understood.

10. International Transfers

We do not transfer data outside the UK unless appropriate safeguards are in place (e.g., UK GDPR-compliant cloud providers).

11. Changes to This Policy

We may update this policy as our service develops or legal requirements change.

The most recent version will always be on this page.

©Copyright. All rights reserved.
