Privacy policy

Stop.Breathe.Think rely on the generosity and support of individuals to carry out our vital work with young people. That is why we want to be transparent about why we need the personal details we request when you engage with us and how we will use them. We take your privacy seriously and your information will be used in accordance with the General Data Protection Policy (GDPR).

GDPR serves one purpose: To protect individuals’ rights regarding personal data balanced against the rights of the organisation holding their personal data. Stop.Breathe.Think are committed to protecting the personal data that we collect and process about you. We aim to be clear and transparent and not do anything you wouldn’t reasonably expect. We collect and use personal data to ensure that we can manage our relationships with our stakeholders. This allows us to fundraise more efficiently and effectively to ultimately help us reach our goal of providing more opportunities to turn young people’s lives around.

Please read this policy carefully to understand how we collect, use and store your personal information.   

The privacy policy covers the following: 

  • Who we are 
  • How do we collect information from you? 
  • What information may Stop.Breathe.Think. collect about you 
  • How Stop.Breathe.Think. will use the information we collect 
  • Where Stop.Breathe.Think. will disclose your details  
  • How to access, correct or delete your information 
  • How we keep your data safe 
  • How long we store your data for 
  • Links to other websites 
  • Further information 
  • Iaptus software and services 
  • Review of this Policy 

By providing us with personal information, you consent to the collection and use of this information in accordance with this privacy policy. In accordance The General Data Protection Regulation (GDPR) becomes effective on May the 25th 2018. It will become the UK’s new data protection law. The GDPR modifies and extends the outgoing Data Protection Act 1998 

If you have any questions about this privacy policy please contact hello@stopbreathethink.org.uk 

Who we are?

Stop.Breathe.Think is a national youth charity supporting children and young people aged 8-21 with online counselling, without the wait.   Stop.Breathe.Think is registered as a charity in England & Wales (registered number 1206068). The Head Office address is 306a Portland Road, Hove, BN3 5LP. 

 How do we collect information from you?

Information you give us 

  • Stop.Breathe.Think obtain personal information from you when, you complete a referral for counselling with our service, complete an online or physical form, register with Stop.Breathe.Think for the newsletter, take part in an event or make a donation. 

Information from Third Parties 

  • We also receive information about you from independent third parties, such as fundraising sites like Just Giving or Enthuse, youth organisations and other third parties. We will only receive data from third parties in this way if you have given your consent for your data to be passed on to us. You should check their Privacy Policy when you provide your information to understand how they will process your data. Data obtained in this manner will be covered by this privacy policy. 

Information we get from your use of our website and services? 

  • We may collect information about the services you use and how you use them, like when you watch a video on YouTube, Facebook, Instagram, TikTok, visit our websites or view and interact with our ads and content. 

Information in the public domain 

  • We obtain some information from publicly available sources such as Companies House, newspaper articles or open postings on social media such as Facebook and LinkedIn. 

What type of information is collected from you?

Communications 

  • Users will have to actively opt in to receive communications from Stop.Breathe.Think boxes are not pre-ticked.  
  • Data collected through newsletter sign-ups will be only Full Name and Email address. To subscribe users have to opt-in.  
  • Users can unsubscribe at any time, by clicking unsubscribe or by contacting Stop.Breathe.Think via phone or email. 
  • If engaging in counselling with Stop.Breathe.Think we may contact your after counselling has concluded. Consent to remain on our database for 3 months is requested prior to engagement in counselling. 

The types of personal information that Stop.Breathe.Think collects may include: 

  • Your title, name, gender and date of birth 
  • Your contact details (address, email, phone number) 
  • Family and spouse/partner details, relationships to other supporters 
  • For clients, Primary and secondary presenting issues (reasons for accessing counselling) 
  • For clients, details of GP (name and address) 
  • For clients, any relevant individuals supporting with a referral (statutory organisation, youth professional 
  • Current interests and activities 
  • Gift aid status and records of donations 
  • Contact preferences 
  • Media articles about you (connected to Stop.Breathe.Think.) 
  • Your IP address, location, browser type and information on how you interact on our website 
  • If you make a donation online or purchase a product from us, your card information is not held by us, it is collected by our third party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions, as explained below. 
  • Any other information provided by yourself at the request of Stop.Breathe.Think 

 Where appropriate we may also ask your interests and motivation for supporting Stop.Breathe.Think, we will never make this question mandatory and only want to know the answer if you are comfortable providing us with that information. 

In some limited circumstances, the personal information that Stop.Breathe.Think collects may include information that is considered “sensitive data”. This may include personal information regarding racial or ethnic origins, religious beliefs, health and also information concerning criminal offences.  

16 or Under 

We are concerned to protect the privacy of children aged 16 or under. For any child or young person engaging with Stop.Breathe.Think under the age of 16, parental/guardian’s permission will be required. Once a referral to Stop.Breathe.Think is received, all client data will be stored on our clinical database Iaptus. Anyone 16 and under must provide parental consent on the system. 

How is your information used?

If you engage with the service as a counsellor or client/referrer/parent or support us by making a donation, fundraising or sign up to one of our events, we will mainly use your data to: 

  • Send you communications through our newsletter. 
  • Provide you with the services, products or information that you asked for; as well as information about other services, products or information we think might interest you where you have consented to being contacted. 
  • Administer your donation or support your fundraising, including processing Gift Aid. 
  • Send you surveys for feedback to evaluate our work, track how many Stop.Breathe.Think sessions you have attended, track how many counsellor hours you have achieved and what accreditation you have gained whilst working with the service. 
  • For market research. 
  • Invite you to events. 
  • Keep a record of your relationship with us and record the contact we have with you. 
  • Ensure we know how you prefer to be contacted. 

Tools may be used to improve the effectiveness of Stop.Breathe.Think communications with you, including tracking whether you open the emails we send you and which links you click within a message. 

We may also use personal information to carry out due diligence so that we are fundraising in accordance within the law, and our internal policies and procedures. 

We are legally required to hold some types of information to fulfill our statutory obligations (for example the collection of Gift Aid). We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us. 

Who might we share your information with 

We will not share your information with third parties for marketing purposes. 

We are committed to protecting your data and therefore it will never be disclosed or sold to external organisations other than those acting as agents and data processors carrying out work on our behalf. Where we enter into a relationship with an external party, any such arrangements will be subject to a formal agreement between Stop.Breathe.Think and that organisation to protect the security of your data. They only act under our instructions, and we maintain full responsibility for your data. 

Third Parties Stop.Breathe.Think work with: 

  • Data processors (for example Microsoft 365, Donorfy, Iaptus, MailChimp and other third party platforms) which are compliant with GDPR. 
  • When you are using our secure online donation pages, your donation is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us. 
  • Suppliers, outside caterers (for dietary requirements) venues etc. 
  • Our partnered organisations within the UK to enable us to deliver our service effectively. 

How you can access and update your information

We continuously review records of supporters to ensure your data is as accurate as possible and always appreciate it if you let us know if your contact details change. If you change email address, or any of the other information we hold is inaccurate or out of date, please email hello@stopbreathethink.org.uk, or write to us at: 306a Portland Road, Hove, BN3 5LP. Alternatively, you can telephone 01273 241383. 

You have the right to ask for a copy of the information we hold about you. Please see Data Protection Policy above for full details. 

How will we store your information and keep it safe?

  • Stop.Breathe.Think store personal details for supporters on our Donorfy database system which can only be accessed by Stop.Breathe.Think staff who each have an account which is password protected. 
  • Stop.Breathe.Think store personal details in password protected Excel files on Microsoft 365, accessible by relevant staff only. Password protected Excel files are only saved on the desktop of a password protected device with up to data anti –virus protection for the duration that they are needed (event, programme etc). Data is only printed if absolutely necessary and shredded immediately after use.  
  • Stop.Breathe.Think use Iaptus clinical database to store personal information on beneficiaries which can only be accessed by Stop.Breathe.Think staff who each have their own log in with a password.  
  • Anonymised data is used to create statistics. 
  • The information provided will be securely stored within our database and our third party email communication tool. Your data will only be accessed by authorised personnel and authorised parties who are responsible for the maintenance and security of our digital systems. Within our offices all of our staff receive training on handling data securely. 
  • In the event of staff leaving the company user accounts will be removed and passwords changed.  
  • An up to date anti-virus software is installed on all devices with access to personal information.  
  • Passwords are changed every 6 months automatically through our Microsoft Office 365 system.  
  • In case of breach Stop.Breathe.Think will notify both users and the ICO within 72 hours.   

Despite all of our precautions no data transmission over the internet can be guaranteed to be 100% secure. So, whilst we will always strive to protect your personal information, we cannot guarantee the security of any information which you disclose to us and so wish to draw your attention that you do so at your own risk.

How long we store your data for

You have a choice about whether or not you wish to receive information from us. We will hold your personal information on our systems for 7 years. If you do not want to receive direct marketing communications from us about the vital work we do and our exciting products and services, then you can opt out by emailing us hello@stopbreathethink.org.uk telephone on 01273 241383 or by ticking the relevant boxes to opt out box situated on the form on which we collect your information. 

If a user requests to opt out of communications their account will be made ‘dormant’ and they data will still be visible for reference, but they will no longer be contacted. If a user requests for their data to be deleted the implications will be explained (if they have bought a ticket for a Stop.Breathe.Think. event that has not yet taken place) and their data will be deleted from all systems. 

If you request that we stop sending you marketing materials we will keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us, we won’t keep any information that we don’t need.

Links to other websites

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access those using links from our website. 

In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.

Further information

The laws governing how your personal data can be used are: 

  • The General Data Protection Law (GDPR) 25th May 2018 
  • The Privacy and Electronic Communications Regulations 2003

We also follow the best practice code set out by the Fundraising Regulator: Code of Fundraising Practice. 

Iaptus software and services system managed by Mayden House Limited for the Stop.Breathe.Think programme and how this contract operates

Mayden House is a software company providing patient management solutions to the NHS and other providers of patient care including Stop.Breathe.Think with the Stop.Breathe.Think programme. The processing of data will be for the provision of a patient management solution for providers of patient care to manage workflows, track patients on care pathways and where appropriate report national datasets. Master Software and Services agreement in place between Mayden and Stop.Breathe.Think.  

Please see APPENDIX B for full breakdown on Maden House’s Data Processing Obligations. 

Types of personal data 

Personal Data to include but not limited to the following:  

  • Name 
  • Gender  
  • Date Of Birth/Age 
  • Address 
  • Post Code 
  • Next of Kin 
  • Online identifier (e.g. email address, user name, ) 
  • GP  
  • Consultant 
  • NHS Number 
  • NI Insurance  

Special Category Data to include the following:  

  • Clinical Data 
  • Financial Data (relating to any individual) 
  • Occupation 
  • Sexual Orientation 
  • Religion/Beliefs  
  • Ethnic Origin 
  • Political Membership or opinions 
  • Commission or alleged commission of an offence 
  • Proceedings for any offence committed or alleged  

Review of the Policy 

This policy document is to be kept up to date. The policy will be reviewed annually by  the Development Director & Head of Service, who will review the contents and operation of the Data Protection policy. 

Last review date: 16th May 2025 

APPENDIX A – Personal Data Handling Guidelines 

Respectful 

  • Treat everyone’s personal data with the same respect you would wish your own data to be treated. 
  • Prior to the deadline of the GDPR policy on 25th May 2018, a data review was carried out. All existing data was reviewed and updated or deleted as appropriate. Existing users were contacted and given the option to opt in to future communications. 
  • If a user requests to opt out, their account will be made ‘dormant’ and their data will still be visible for reference but they will no longer be contacted. 

Secure 

  • All staff receive training on handling data securely. 
  • Up-to-date anti-virus software is installed on all devices with access to personal information. 
  • The Donorfy database system can only be accessed by Stop.Breathe.Think staff with password-protected accounts. 
  • Passwords are changed every 6 months. 
  • All staff mobile phones are password protected. 
  • For children aged 17 or under, we must get parent/guardian permission before collecting personal information – consent forms include opt-in/opt-out options. 
  • Store personal details in password-protected Excel files on Microsoft 365, accessible only by relevant staff. 
  • Internally, always send Office 365 links to password-protected files. 
  • Send encryption passwords for attachments via separate communications—not in the same email. 
  • If personal data needs to be shared, users must be informed in advance about who it will be shared with. 
  • Use shredders to destroy paper records. 
  • When staff leave the company, user accounts are removed and passwords changed. 

Discreet 

  • Use anonymous references (e.g., “participant”) unless consent has been given to be featured in a case study or blog. 
  • Personal information will be kept in our systems for 15 years. 

Diligent 

  • Keep Donorfy contacts up to date and encourage contacts to update subscription preferences. 
  • Send emails containing personal data separately from general content. 
  • Double-check recipient details before sending emails, especially if not using Donorfy. 
  • Verify email addresses in the “To,” “CC,” and “BCC” fields. 
  • Do not BCC more than 15 people in one email to prevent data breaches. 
  • Use Donorfy to send all mass communications to avoid contacting opted-out individuals. 
  • Every contact on Donorfy must have a unique email address. Group staff under companies using relationship links rather than shared contact records. 

Conscientious 

  • Encourage third parties to use reference numbers instead of names for cases, claims, file names, etc. 
  • Keep your desk clear and your computer screen locked when away. 
  • Collect printed documents immediately if working in a shared office. 

Aware 

  • Ask your Manager for guidance if you receive personal data from an unfamiliar source. 
  • Contact the Director or Operations Director for guidance in the following scenarios: 
  • Enquiries received about data protection or personal data 
  • Receipt of personal data or data requests from an unknown source 
  • You sent or may have sent data to the wrong person 
  • Lost papers or devices containing or accessing personal data 
  • Any doubts or suspicions about data protection 
  • In case of a breach, Stop.Breathe.Think will notify users and the ICO within 72 hours 

APPENDIX B 

Iaptus Software and Services System Managed by Mayden House Limited 

Data Protection Obligations 

In this clause, the terms controller, data subject, processor, processing (and any similar terms) shall have the meanings given to them under Data Protection Laws. The term Regulator shall mean any regulatory body to which the Client is subject from time to time in relation to the Processing of Personal Data (including the Information Commissioner’s Office (ICO) in the UK or any authority whose consent, approval, or oversight is required, including the Care Quality Commission, NHS England, NHS Improvement, and the Department of Health). 

Roles and Responsibilities 

  • The parties agree that Mayden is a processor, and the Client is a controller of Personal Data. 
  • The Client must ensure all instructions given to Mayden (including those in this agreement) comply with: 
  • Data Protection Laws, including lawful basis and fair processing; 
  • Caldicott Principles; 
  • Nothing in this agreement relieves the Client of their responsibilities under Data Protection Laws. 

Ownership of Client Data 

  • The Client shall retain all rights, title, and interest in and to all Client Data.

Mayden’s Obligations as Processor 

Mayden shall: 

  • Process Personal Data only on the Client’s documented instructions (unless required by law, in which case Mayden shall inform the Client where permitted). 
  • Promptly notify the Client if any instruction infringes Data Protection Laws. 
  • Ensure all staff processing data understand its confidential nature and are under written confidentiality obligations. 
  • Implement appropriate technical and organisational security measures. 
  • Transfer Personal Data outside the UK only with the Client’s prior written consent and valid legal mechanisms. 
  • Promptly notify the Client of: 
  • Any communication from a supervisory authority; 
  • Any request from an individual to exercise their rights; 
  • Any complaint relating to this agreement. 
  • Assist the Client in complying with its obligations under Data Protection Laws. 
  • Delete or return Personal Data upon termination or expiry of the agreement (unless legally required to retain). 
  • Assist with data protection impact assessments and regulator consultations. 
  • Provide all information necessary to demonstrate compliance and allow audits or inspections by the Client or a Regulator. 

Sub-processing 

Mayden may engage third-party sub-processors, provided that: 

  • A written agreement is in place with terms equal to or stricter than this agreement. 
  • Mayden remains fully liable for all sub-processor actions. 
  • For any new or replacement sub-processor: 
  • 30 days’ written notice is given to the Client, detailing identity and scope. 
  • The Client may object within 15 days and parties must attempt to resolve the objection in good faith. 

Personal Data Breach 

Each party must: 

  • Notify the other within 24 hours of becoming aware of a Personal Data Breach. 
  • Provide reasonable assistance in investigating and mitigating the breach. 
  • Share costs equally for any third-party breach analysis (if jointly agreed). 
  • The Client is responsible for: 
  • Deciding whether to notify regulators or data subjects; 
  • Managing related communications, unless the breach affects other Mayden clients.

Use of Client Data for Research and Service Improvement 

  • Mayden may aggregate and anonymise Personal Data (including combining it with other clients’ data) so it no longer qualifies as Personal Data. 
  • This will be done following: 
  • ICO Anonymisation Code of Practice; 
  • UK Anonymisation Network (UKAN) Decision-Making Framework; 
  • NHS Anonymisation Standard (ISB1523), as amended. 

Indemnity for Breach 

Each party agrees to indemnify the other for any costs or losses incurred due to the indemnifying party’s breach of Data Protection Laws. This indemnity is capped at the fees paid by the Client in the prior 12 months. 

Keep up to date

Sign up to get the latest news and updates sent to your inbox.

Subscribe now