At Been There we are committed to protecting and respecting your privacy. This policy explains how we use any personal data that we collect from you, or that you provide to us.
Introduction
Been There is a charity offering mentoring support to people over the age of 18 in the UK who are experiencing body image issues.
When we process your personal data, we are considered to be the data controller for your personal data. This means that we determine why and how we use it, and are responsible for protecting it. When we process your personal data, we must comply with the rules set out in the Data Protection Legislation (the Data Protection Act 2018, the UK General Data Protection Regulation – UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 – PECR).
We understand how important your personal data is and we will only process it when we have a lawful reason to do so, when it is necessary and in accordance with the Data Protection Legislation. This Privacy Policy, together with our Terms of Use, explains how and why we use the information we collect about you; how your personal information will be processed, stored and used; and information about your information rights and how to access them.
What is personal data?
Let’s get started with the basics. Personal data means any identified or identifiable information that relates to or is about you. This could be your name, contact details, a username, or an IP address. This can be information that can directly identify you or information that can indirectly identify you, such as when it is combined with other information.
Some personal data is considered to be sensitive; this is called ‘special categories of personal data’ and includes things relating to your health or sexual orientation. We must comply with additional requirements when processing this type of data and ensure that we process it securely.
What personal data do we collect?
The personal data that we collect and process about you will vary depending on the reason why we are in contact with you or the services that we are offering. The table in annex 1 outlines what personal data we process about you.
How do we obtain your personal data?
In most cases, we will collect your personal data directly from you. For example, if you use our app, visit our website or fill out a form.
We may partner with other organisations such as universities, employers or other organisations to provide you with services. These organisations may provide us with your personal data so that we can provide you with these services.
Which lawful grounds do we have to process your personal data?
When we process personal data, we must have a lawful basis (lawful grounds) to do so. There are six lawful grounds that we can process personal data under and they will depend on the reasons why we need to process it and your relationship with us.
The lawful grounds that we use for processing your personal data are outlined in annex 1 to this Privacy Policy.
Why do we process your personal data?
The reasons why we process your personal data will vary depending on the reasons why we are interacting with you or the services that we are offering. The purposes for processing your personal data are outlined in annex 1 to this Privacy Policy.
There may be some circumstances where we need to process your personal data for reasons not set out in this Privacy Policy. For example, when we are required to by law (such as a court order) or need to share information for the purposes of the prevention or detection of crime. When this is the case, we will only do so when it is necessary and when it is lawful under the Data Protection Legislation.
Special Category Data
We will process special categories of personal data about you when you download our app and share information about your health. When we process special categories of personal data, we need to have a condition under the UK GDPR for processing it.
The conditions that we rely on for processing special categories of personal data about you include:
- It is based on your explicit consent
- It is necessary to protect your vital interests
- It is necessary for reasons of substantial public interest (such as counselling and safeguarding children and other individuals at risk or equality of opportunity or treatment).
Criminal offence data
We may process criminal offence data when it is necessary such as when you volunteer or are employed by us; for the prevention and detection of crime; or when it is necessary for safeguarding purposes.
We will generally rely on your consent to process this information. However, there may be circumstances where it is not possible to process this information with your consent. In these circumstances, we will only process this information when it is necessary, lawful to do so and in accordance with the data protection legislation.
How long do we keep your personal data?
We will only keep your personal data for as long as is necessary for the purposes that we have outlined, or for as long as is necessary by law. After this time, we will either anonymise it so that it can no longer identify you or securely destroy or delete it.
Please contact us if you would like to know more about how long we process your personal data for.
Consent
Where we are processing your personal data with your consent, or explicit consent for special categories of personal data, you have the right to withdraw that consent at any time. When you withdraw your consent, it will not affect the lawfulness of the processing before you withdrew the consent.
We will take measures to stop processing your personal data as soon as we can. However, there may be a short delay while we put these in place. For example, you may still receive communications from us until we have amended our records. We will aim to stop processing your personal data within one month of you withdrawing your consent.
You can withdraw your consent at any time by contacting us with the contact information in this policy.
Am I required to provide you with information?
You are not required under law or contract to provide us with or share any personal data with us. However, if we were unable to process your personal data we would be unable to provide you with a service or facilitate you volunteering with us.
Do you share my personal data with anyone else?
We will never sell your personal data to any other organisation or use it in ways that are beyond your reasonable expectations, or in ways we haven’t told you about.
Sometimes, we may partner with employers, societies, universities or other organisations to provide you with services, information or mentoring. We may share information about your participation with these organisations.
When you volunteer for us, we may conduct background checks with previous employers, referees or the Disclosure and Barring Service, Access NI or Disclosure Scotland. It is necessary to share your personal information with them, but we will only do so when we have your consent.
We may use data processors who provide services to us such as IT infrastructure, data storage or for processing payments. When we use a data processor, we will have a contract in place with them, or their terms and conditions will outline that they can only process your personal data in accordance with our instructions and that they provide sufficient guarantees that they secure your personal data to a high standard and they comply with the requirements set out in the data protection legislation.
There may be other circumstances where we need to share your personal data with other organisations such as law enforcement or other organisations when we have a legal obligation to do so, such as a court order.
If we believe that there is an immediate risk to your life or safety, we may share information with relevant authorities for safeguarding purposes or to protect your vital interests. We will always consider whether we can obtain your consent to do this, though we may need to rely on other lawful grounds such as vital interests for sharing this information if we cannot obtain that consent or you are incapable of providing consent.
If we need to do this, we will only do so when it is necessary, lawful and in accordance with the data protection legislation.
Automated decision making
Neither we nor our data processors will use your information for automated decision making, including profiling, which has legal effects or which similarly significantly affects you.
Where do you process my personal data?
We process your personal data in the United Kingdom (UK) or European Economic Area (EEA). The United Kingdom has an adequacy regulation with the EU Commission, which means that the EU GDPR is considered to provide for equivalent rights and protections for your personal data.
How do you protect my personal data?
When we process your personal data, we must comply with the data protection principles under the UK GDPR. This includes the responsibility to implement appropriate organisational and technical measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data.
We do this by implementing security measures such as our data protection policy and processes; training for mentors; information security and cyber security measures such as firewalls; controlling access to our systems such as password protection and encryption; and only sharing your personal data by secure means.
We also have policies and procedures in place to deal with personal data breaches to ensure that we can effectively deal with any risks posed and can comply with our notification obligations under the UK GDPR.
What are my information rights?
The Data Protection Legislation gives you rights over your personal data and we will always help you to exercise these; the information rights are:
Right of access
This gives you the right to a copy of the personal data that we are processing about you.
Right to rectification
This gives you the right to have inaccurate personal data about you corrected or incomplete personal data completed.
Right to erasure (right to be forgotten)
This gives you the right to have the personal data about you deleted or erased in some circumstances.
Right to restriction of processing
This gives you the right to ask us to stop processing your personal data in certain ways in some circumstances.
Right to data portability
This gives you the right to have your personal data transferred to another data controller in an easily accessible format.
Right to object to processing
This gives you the right to object to, or tell us to stop processing your personal data when we are using legitimate interest to process it, in some circumstances. If we are processing your personal data under legitimate interest for direct marketing purposes, this right is absolute.
Not all of these rights are absolute; they do not apply in every circumstance and they may be restricted under certain conditions, for example if we have a legal obligation to continue processing your personal data or when an exemption applies under the Data Protection Act 2018. If we need to restrict these rights, we will always consider this on a case-by-case basis, only when it is necessary, lawful to do so and in accordance with the Data Protection Legislation.
How do I exercise my information rights?
You can exercise your information rights at any time by letting us know or by contacting us at [email protected].
When you exercise your information rights, we usually have one month to comply with the request unless it is considered to be complex. If we consider your rights request to be ‘complex’, we may extend this timeframe to a total of three months. We will let you know if this is the case within one month of receiving your request.
We may ask you for proof of identity when considering an information rights request to ensure that we protect it from unlawful disclosure or from unauthorised alteration or processing.
Ordinarily, we will not charge you a fee for exercising your information rights unless we consider it to be manifestly (or clearly) unfounded or excessive. This includes situations where repeat requests are made within a short timeframe; or where the request is clearly intended to cause disruption. In this case, you may be charged an administrative fee. Alternatively, we may refuse to comply with your request. We will always inform you if this is the case.
Data Protection Officer
We have appointed a Data Protection Officer to assist us with complying with our data protection responsibilities. You can contact our Data Protection Officer at [email protected]
Information Commissioner’s Office
The Information Commissioner’s Office (ICO) regulates and enforces data protection compliance in the UK. Their website has useful guidance on data protection matters; you can find it here: www.ico.org.uk
You have the right to lodge a complaint to the ICO at any time if you are unhappy with how we have processed your personal data or if you think we have not followed the rules. You can contact the ICO here – https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/
Changes to this privacy policy
We will regularly review this privacy policy and publish any new versions on our website. You should regularly check our privacy information to ensure that you have the most up-to-date version.
This version
Version: October 2024
Review: October 2025
| Activity | Types of Personal Data | Lawful Basis |
| --- | --- | --- |
| When you visit our website | Cookies and similar technologies | Consent; Legitimate Interest |
| When you apply for a volunteering, trustee or mentor role | Name; Contact details (email, address, telephone); Date of Birth; Gender identity; Ethnicity; Education, Experience and Work history; References; Disclosure and Barring Service information (relevant criminal history, previous names, address and identity documents) | Consent |
| To facilitate your volunteering with us such as onboarding, maintaining volunteer records, training and supplying IT infrastructure or access such as email | Name; Address; Email Address; Phone Number; Training, disciplinary and accident records; Contract, mentor, volunteer or non-disclosure agreements; Usernames | Legitimate Interest |
| When you receive a service from us or use our app | Name; Contact details (phone and email); Profile picture; Information given in your biography; Health information (including challenges, motivation, eating disorder status, previous help sought etc); Employment details; Emergency and next of kin contact details (name and number); Racial and ethnic origin; Gender identity; GP information (name and location) | Consent |
| To process donations | Name; Email Address; Personal message; Debit/Credit Card or Bank Details | Legitimate Interest |
| When you choose to apply gift aid for your donation (claiming gift aid and maintaining records) | Name; Address; Gift Aid declaration | Legal Obligation |
| When you sign up for our newsletter or when we use it for direct marketing | Name; Email Address | Consent |
| To communicate with you when you send us a message, interact with us on social media, make a comment or complaint | Name; Email Address; Social Media Username; Any other information in your message | Legitimate Interest |
| When you make a purchase from our store | Name; Email Address; Telephone number; Address; Delivery notes; Payment Details | Contract |
| When you share your real-life story and give us permission to publish it on our website or social media | Name; Photo; Any other information | Consent |
| Research, product development, statistics and service improvement | We will use anonymous information where possible and statistics and reports will be anonymous so that no individual can be identified | Legitimate Interest |
| To maintain financial, business or other important records as a charity | Name; Contact details; Payment information (where relevant); Correspondence; Contracts | Legitimate Interest; Legal obligation |
| Sharing information when there’s an immediate risk to your safety, wellbeing or life | Name; Contact details (address, phone number, email); Health; Next of kin details; Any other relevant information | Vital Interests |