Privacy policy

Stomach Cancer UK's privacy policy explains how we collect, use, store, and share your personal data when you engage with us, whether through our website, email, phone, post, or in person.

At Stomach Cancer UK (SCUK), we take your privacy seriously. We are committed to protecting your personal information, being transparent about how we use it, and complying with UK data protection law.

 

Who we are

Gastric Cancer UK is a registered charity in England and Wales (1213056) that operates as Stomach Cancer UK (SCUK).

Registered office: Stomach Cancer UK, 45 Montpelier Rise, Wembley, Middlesex HA9 8RQ

We are the data controller of the personal information you provide to us.

 

Contact us about your data

We are not required to appoint a Data Protection Officer, but you can contact our privacy lead at [email protected] or Privacy, Stomach Cancer UK, 45 Montpelier Rise, Wembley, HA9 8RQ.

 

Information we collect

Personal data means information that identifies you or could identify you (for example, your name, contact details, donation history, or IP address).

Special category data is sensitive information, such as details about your health, ethnicity, or beliefs.

We only collect this information if you choose to share it with us, or where the law allows it, for example, if you tell us about your diagnosis when seeking support. Because this data is sensitive, we apply additional safeguards to protect it. Health-related information is stored on secure, access-restricted systems and only viewed by trained staff.

Please do not send detailed medical or confidential information through unsecured channels such as social media or standard email.

We may collect the following types of personal data

  • Basic contact details (name, email address, postal address, phone number)
  • Donation details (amount, Gift Aid declaration, payment method — we do not store full card details)
  • Health-related information (only if you choose to share this for support or feedback)
  • Event registration and attendance information
  • Newsletter subscriptions and communication preferences
  • Volunteer, trustee, or applicant information (including DBS data where relevant)
  • Technical data (e.g. IP address, browser type, and website usage via cookies/analytics)

We do not knowingly collect information from children under 18. If we become aware that we have collected such information without parental consent, we will delete it promptly unless consent is provided.

 

How we collect your data

We collect information when you:

  • Contact us by email, phone, or post
  • Sign up for our newsletter (via Mailchimp)
  • Register for an event (via Eventbrite)
  • Donate through our website (via Stripe, PayPal, or Enthuse)
  • Volunteer or apply for a role with us
  • Visit our website (via cookies and Google Analytics)

Information we receive from other sources

We may also receive data from trusted third parties when you have asked them to share it with us (for example, JustGiving, Enthuse, or Eventbrite), or from public sources such as the Charity Commission or Companies House, to keep our records accurate and up to date. When we receive personal information from other organisations or public sources, we tell you what categories of data we obtained and the source of that information.

 

How we use your information

We use your personal data to:

  • Provide information, support, or services you request
  • Process donations and claim Gift Aid
  • Keep a record of your relationship with us
  • Administer events and communications
  • Manage volunteers, trustees, and applicants
  • Invite you to take part in optional surveys or feedback
  • Send newsletters and updates where you have consented
  • Contact you by post or phone based on legitimate interests (unless you opt out)
  • Analyse website usage to improve our services
  • Comply with our legal and regulatory obligations

We do not, and never will, sell or trade your data.

 

Service vs marketing communications

We may send service emails (e.g. donation receipts, event confirmations) even if you opt out of marketing.

Marketing preferences

We will only send email or SMS marketing with your consent. You have an absolute right to object to direct marketing at any time, and we will stop sending it immediately.
We may send postal or phone communications under legitimate interests, unless you object.
We screen all contacts against the Telephone Preference Service (TPS) and Mailing Preference Service (MPS).
You can change your preferences or opt out at any time by contacting [email protected]

Profiling and audience matching

We may use limited profiling to tailor our communications (for example, understanding supporter interests). We may also use secure “audience matching” tools with platforms such as Meta or Google. You can opt out of this at any time by contacting us. We do not make decisions about you solely based on automated processing that has legal or similarly significant effects.

 

Special category (health) and criminal offence data (DBS)

If you share health information with us, we will only process it with your explicit consent or where another legal condition applies.
Under Article 9 UK GDPR, we may rely on:

  • Your explicit consent (Art. 9(2)(a))
  • Processing by a not-for-profit body with safeguards (Art. 9(2)(d))
  • Provision of support or health-related services (Art. 9(2)(h))

Where a role requires a Disclosure and Barring Service (DBS) check, we process criminal-offence data only where necessary and with safeguards in place. Such information is kept securely and deleted once no longer needed.

 

Legal bases for processing

We process your personal data on one or more of the following bases:

  • Consent – for newsletters or support based on health data
  • Contract – to register you for an event or volunteer role
  • Legal obligation – to process Gift Aid or comply with charity law
  • Legitimate interests – to communicate with supporters and improve services

In some cases, providing your information is a legal or contractual requirement, for example, the details needed to process Gift Aid, and we may be unable to provide certain services if you choose not to provide it.

 

Third-party services we use

We sometimes use trusted third-party providers to help us deliver our work. These include services for email newsletters (Mailchimp), event registration (Eventbrite), donation processing (Stripe, PayPal and Enthuse), website analytics (Google Analytics), hosting and IT support, cloud-based email and storage providers, customer relationship management (CRM) tools, survey platforms and mailing partners.

All providers act under our instruction, must keep your data secure, and cannot use it for their own purposes.

Some providers are based outside the UK/EEA (for example, Mailchimp). Where data is transferred internationally, we use appropriate safeguards such as the UK International Data Transfer Addendum, Standard Contractual Clauses, or adequacy decisions. You can ask us for a copy of the safeguards we rely on.

 

How long we keep your information

We keep data only as long as necessary for the purposes set out in this policy and to meet legal obligations.

We keep personal data only for as long as it is needed for the purpose for which it was collected and to meet legal, accounting, or regulatory requirements. Donation and Gift Aid records are generally retained for six years after the end of the relevant tax year. Event registration details are kept for up to three years after the event. Volunteer and trustee records are kept for six years after the role ends, while unsuccessful job applications are deleted within about six months. Data is securely deleted or anonymised when no longer required.

 

Your rights

Under UK data protection law, you have the right to:

  • Access a copy of your personal data
  • Request correction of inaccurate information
  • Request deletion (“right to be forgotten”)
  • Restrict or object to specific processing
  • Withdraw consent at any time
  • Request data portability

The right to data portability applies only to data processed by automated means where our lawful basis is consent or contract. To exercise any of these rights, contact us using the details above.
We may ask for proof of identity and will respond within one month.

 

Cookies and external links

We use cookies and similar technologies to operate our website and understand usage patterns.
For more details or to manage your settings, please see our cookie policy.

Our website may link to external sites. We are not responsible for their content or privacy practices and encourage you to read their policies.

 

Security

We use a combination of technical and organisational measures to keep your data safe, including:

  • Encryption and secure transfer protocols
  • Access controls and password protection
  • Staff training in data protection and confidentiality
  • Secure contracts with all third-party processors

Health-related and other sensitive data are stored only on secure, access-restricted systems.
PCI DSS-compliant providers handle payment details; we never store full card details ourselves.

 

Complaints

If you have a concern or complaint about how we handle your personal data, please refer to our complaints policy for how to raise this with us. You also have the right to contact the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, 0303 123 1113, or, for fundraising concerns, the Fundraising Regulator.

 

Updates to this policy

We may update this policy from time to time and review it annually.
We will post the latest version on our website and, where appropriate, notify you of significant changes. We encourage you to check this page periodically for the most up-to-date version.

 

This policy was last updated: 30th November 2025. Next review: 30th November 2026