Skip to main content


Privacy Policy 

Who we are and what we do

Who we are

We are Affinity Trust (“Affinity Trust”, “us”, “we”, “our”). Affinity Trust is a registered charity (registered in England No. 216250. Registered in Scotland No. SC043881) and a company limited by guarantee (06893564) and we have our registered office at 1 St Andrew’s Court, Wellington Street, Thame, Oxfordshire, OX9 3WT We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number Z1845610.

    This website is owned and operated by Affinity Trust, which is also registered as a Data Controller with the Information Commissioner under reference Z1845610. 

    Affinity Trust is a registered charity (registered in England No. 216250. Registered in Scotland No. SC043881) and a company limited by guarantee (06893564). 

    Our registered office is 

    1 St Andrew’s Court 
    Wellington Street 
    Thame 
    Oxfordshire OX9 3WT 

    What we do 

    We support people with assessed needs to live great lives, have their own home and play an active part in their community. By offering different types of support, we can ensure more people can live their life, their way. We are committed to protecting the privacy and security of the Personal Data we process about you. 

    Controller

    Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

    Purpose of this privacy notice

    The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.

    Who this privacy notice applies to

    This privacy notice applies to you if:

    1. You visit our website
    2. You receive support from us
    3. You enquire about our services
    4. You sign up to receive newsletters and/or other communications from us

    What personal data is

    ‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

    ‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation. 

    Personal data we collect

    The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.

    National Data Opt-Out

    The national data opt-out provides everyone the choice to stop health and social care organisations sharing their “confidential patient information” with other organisations where it is used for reasons beyond individual treatment and care, such as for research and planning purposes.

    Confidential patient information:

    • identifies or could be used to identify a person;
    • is obtained or generated in circumstances leading to an obligation of confidence and
    • says something about their health, care, or treatment.

    Confidential patient information includes to information about someone’s health or social care that can identify them. Social Care providers, in line with your wishes and the national data opt-out, are required to apply national data opt-outs to use or disclose confidential patient information for purposes other than your direct care.

    Affinity Trust does not share your information with any pharmaceutical, medical or other researchers for reasons beyond individual treatment and care and does not use sensitive information for purposes beyond your care and treatment for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

    We only share personal information on a “need to know” basis, observing strict protocols when doing so. Most of the data sharing is with other professionals and agencies involved with care and treatment. We will always inform you if we fundamentally change the way we use your personal data,

    How we collect your Personal Data

    We collect most of the Personal Data directly from you in the following ways:

    • enquire about our activities or services
    • visit our website
    • sign up to receive updates from us
    • create or update a profile
    • post content to our website or via our social media channels
    • communicate with us (either online, by email, phone or post)
    • others to whom you have provided consent
    • publicly available sources such as social media platforms

    Purposes, lawful bases, and retention periods

    We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:

    Categories of individuals

    Categories of Personal Data

    Purpose of Processing

    Lawful Basis

    Retention Period

    Contact data.

    This contact data may include your name, address, telephone number, email address, and date of birth and may be provided to us in person, over the phone, or through our website.

    We may use this contact data during the course of providing our care services, in conjunction with our partners and suppliers to you.

    The legal basis for this processing is to perform our contract with you or to take steps at your request prior to entering into a contract.

    6 years following the date of the transaction

    Care Data

    This care data may include your name, home address and postcode, telephone number, email address, date of birth, gender, a photograph of you, CCTV imagery and information contained within images or texts that you send us which may contain locational data, and may be provided to us in person, through one of our contact forms or through our website or the online portals that we provide.

    We may use this care data during the course of providing our care services, in conjunction with our partners and suppliers to you.

    The legal basis for this processing is to perform our contract with you or to take steps at your request prior to entering into a contract.

    2 years following the last meaningful contact

    Care Data – NHS

    This care data – NHS - NHS Number, notes and reports about your health, assessments made by a health professional, details of diagnosis and treatment given, information about any allergies and health conditions, results of scans, x-rays and laboratory tests, physical and mental wellbeing, details of contact we have had with you, relevant information from professional care givers and relatives, and any other important current and historical medical information for the purposes of providing our care services.

    This data is a special category of personal data and we will only process it to provide you with appropriate health and social care services.

    The legal basis for the processing of this data is for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems.

    2 years following last meaningful contact

    Transaction and financial data

    The transaction data may include your contact details, your bank account details, and the transaction details.

    We may process information relating to any payments made to us by you, or on your behalf (“transaction data”).

    The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely our interest in the proper administration of our website and business.

    6 years following the date of the transaction

    Shared data.

    We run services on behalf of other organisations such as Local Authorities, NHS. These services are often run under a contract agreement. Data may be shared with these organisations at a summary level but not at a personably identifiable level. For our health-related services, with your consent, we may share identifiable information with your GP and NHS services. At the end of a contract, if the service is to be run by another operator, we will forward on your details to the new operator so they can continue to provide the service to you without interruption. You may object to our sending this data by contacting us at communications@affinitytrust.org.

    These organisations will be a Data Controller in their own rights, and where they do process your data will inform you directly or through their services such as a website about the data they hold and what processing they undertake.

    To run services on behalf of other organisation to provide extra support.

    The legal basis for this processing is consent.

    2 years following last meaningful contact

    Individuals that sign up to receive our newsletter

    Name, job title, work email address, work phone number, company you work for.

    To send you newsletters and other promotional material.

    The legal basis for this processing is legitimate interest to keep you updated on the services we provide to your organisation or that you may be interested in.

    Until you unsubscribe from our newsletter/receiving emails from us

    Website visitors

    Technical data including Internet Protocol (IP) address details including your public browser type and version.

    Help us understand more about visitors to our website, the products and services you are interested in, so we can serve you better.

    The legal basis for this processing is consent.

    Cookie specific (please see our Cookies Policy here).

    Complaint data

    This contact data may include your name, address, telephone number, email address, date of birth, and information  provided to us in person, over the phone or through our website about the complaint.

    To process the complaint and to check on the level of care and service we provide or how contracts are performed.

    The legal basis for this processing is our legitimate interests in dealing with the complaint appropriately and transparently.

    Other processing activities. In addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

    Please do not supply any other person’s personal data to us, unless we prompt you to do so or have entered into a written data processing agreement with you.

    Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

    Sharing your Personal Data

    We will only use your information for the purposes for which it was obtained. Rest assured that we never sell or share your personal information with other organisations for their own marketing purposes. But there are some situations where we do need to share your information.

    Social Media

    Depending on your settings and the relevant policies and terms of service, when using social media and messaging services like Facebook and X (Twitter), you might give us permission to access information about you from those accounts or services. Occasionally, if you have given us permission to use your email address, we will try and match it to your Facebook account. This is so we can share relevant information with you in your newsfeed (known as Custom Audiences) or to identify people who Facebook think share your interests, behavior and demographics (known as Lookalike Audiences). We do this by securely uploading a cypher of your email address to Facebook. If you have an account, Facebook will note your connection with Affinity Trust on your profile and then show you adverts for us that you might like to see, as well as delivering adverts to people with similar interests. Regardless of whether there is a match, the cyphered email address will be deleted from Facebook’s servers within 48 hours, leaving only an updated Facebook profile. You can of course request that we do not use your email address in this way or for this purpose, whilst continuing to receive our emails. Please consult the “your rights” section of this policy or adjust your settings by visiting Facebook’s Data Policy.

    Your rights and how to complain

    You have certain rights in relation to the processing of your Personal Data, including to:

    • Right to be informed

    You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.

    • Right of access (commonly known as a “Subject Access Request”)

    You havethe right to receive a copy of the Personal Data we hold about you.

    • Right to rectification

    You have the right to have any incomplete or inaccurate information we hold about you corrected.

    • Right to erasure (commonly known as the right to be forgotten)

    You have the right to ask us to delete your Personal Data.

    • Right to object to processing

    You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.

    • Right to restrict processing

    You have the right to restrict our use of your Personal Data.

    • Right to portability

    You have the right to ask us to transfer your Personal Data to another party.

    • Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making. 
    • Right to withdraw consent

    If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

    • Right to lodge a complaint

    You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:

    Contact us | ICO

    Or by telephone on 0303 123 1113

    For supervisory authorities in other countries within the EU see the link below:

    https://edpb.europa.eu/about-edpb/about-edpb/members_en

    How to exercise your rights

    You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

    If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.  

    How to contact us and our Data Protection Officer

    Finance Director

    Affinity Trust
    1 St Andrew’s Court
    Wellington Street
    Thame
    Oxfordshire OX9 3WT

    or by email communications@affinitytrust.org

    We have also appointed a Data protection Officer (“DPO”). Our DPO Evalian Limited can be contacted as follows:

    or by email dpo@evalian.co.uk

    Leylands business park, West Lodge, Colden Common, Winchester SO21 1TH

    Please mark your communications FAO the ‘Data Protection Officer’.

    Changes to this privacy notice

    We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.

    Last modified June 2022.

    You can request previous versions of this notice.