The new General Data Protection Regulation (GDPR) gives you more control over how your personal information is used. And it makes it quicker and easier for you to check and update the information we and other organisations we work with, hold about you.

This statement outlines:

  • What data we collect
  • How we may use it
  • How we keep your data safe

Who we are

YMCA St Paul’s Group is a large but local charity working across South West, South, East, West London, providing support to vulnerable and homeless young people. We also work with children, youth and families in the community, run five Health and Wellbeing Centres, and offer a range of inclusive activities.

We are a charity no:2971930 and a registered company no:1041923, Ofsted no: RP524773, CQC: 1-101652524, HCA: LH4078 (No 212810) and our registered office is St James House, 9-15 St James Road, Surbiton, KT6 4QH

We’re affiliated to YMCA England & Wales, our national body, and share its passion to stand up for young people, to speak out on national issues that affect their lives and help them to find confidence in their own voice.

YMCA St Paul’s Group is a data controller in respect of personal information that we process in connection with our activities.

We are committed to protecting both your data and your privacy and we want you to feel assured that any information you give us is held securely and safely, whether you are working for us, supporting us through campaigning, donations, volunteering, fundraising or events.

We aim to be clear with why we collect your information and promise not to use it in any way you wouldn’t reasonably expect.

If you have any questions about the following policy please contact our GDPR Project Team at YMCA St Paul’s Group, St James House, 9-11 St James Road, Surbiton KT6 4QH or email

What personal data might we hold on you

  • Name
  • Address
  • Telephone number(s)
  • Email address
  •  Date of Birth
  •  Interests
  • IP addresses
  • Donation/gift details
  • Records of your correspondence with us
  • Medical/health details
  •  Banking details
  •  Criminal records
  •  Benefit information
  •  Photographs
  •  CCTV images
  • Case studies/stories

When might collect data

  • When you sign up for gym membership or a group exercise class
  • When your child takes part in an activity or event
  • When you register for an activity/event
  • When you apply for accommodation with us
  • Through our support services and when you engage with training/education services
  • When we take photos or videos and you give your consent for us to use these
  • When you choose to share your story or endorsement
  • When you make a donation or engage with our fundraising activities
  • When you visit our website via cookies or if you sign up for our newsletter or a free pass
  • If a family member or friend contacts us on your behalf

We collect personal information to help us develop an understanding of our supporters and to keep in touch with information that you have said that you would like to receive or that is in your interest to receive. This helps us to give more people access our services, fundraise more effectively and provide you with appropriate opportunities to support us.

Where your personal information is held

Your personal information is held on secure servers operated by YMCA St Paul’s Group and within our offices at YMCA St Paul’s Group, Corporate office address is St James House, 9-15 St James Road, Surbiton, KT6 4QH. Any paper records with your personal information are kept in locked cupboards and only accessible by authorised YMCA St Paul’s Group staff and volunteers.  Your information is accessible by trained staff and volunteers at YMCA St Paul’s Group on a need to know basis only.

Data sharing with third parties

We will not share your information with anyone outside YMCA St Paul’s Group except:

  • Where we have your permission
  • Where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies as required.
  • To protect YMCA St Paul’s Group, for example in cases of suspected fraud or defamation
  • Where we have legitimate situations with third parties, including fundraising agencies, whom we have contracted to fulfil specific services for us such as direct communication.

In all of these situations we set up a written contractual agreement that will ensure that those organisations can only use the data provided for the specific purposes we direct them to do, and that they have in place strict security requirements in order to protect your personal information and comply with GDPR.

To deliver services or manage our relationship with you, it is sometimes necessary for us to share your Personal Data outside the European Economic Area (EEA), e.g. – when your or our service providers are located outside the EEA; or if you are based outside the EEA.

Many non-EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, take reasonable steps to ensure any such supplier has in place appropriate measures to protect your information and any contract includes appropriate clauses about the use of data e.g. if the company is based in the USA, we will confirm whether it is accredited under the EU-US Privacy Shield.

Keeping your personal information safe

We take appropriate physical, electronic and managerial measures to ensure that we keep your information secure, accurate and up to date.

We also have procedures in place to deal with any suspected Data Security Breach. We will notify you and any Professional Regulators or other applicable regulator of a suspected Data Security Breach where we are legally required to do so.

How long will your information be retained?

YMCA St Paul’s Group will not retain information for longer than is necessary and reasonable. This differs depending on the reason for collecting your data and the department holding your data.

We remove personal data from our systems in line with our data retention policy. The length of time each category of data will be retained will vary on how long we need to process it, the reason it is collected, and in line with any statutory requirements.

After this point the data will either be deleted or rendered anonymous. In certain specific situations, for example where a supporter has kindly pledged a legacy to us in their Will, we will maintain their details up to the time when we need to carry out the legacy administration and communicate effectively with their family.

Where we believe data might be relevant to a future safeguarding enquiry we reserve the right to retain data securely for up to 50 years to comply with our insurance and safeguarding guidance.

To find out more about our our data retention policy, please contact us using the details above.

How we use your information

The information your provide us with is used in the following ways:

  • To provide you with information about our services, including changes to delivery times and policies
  • To provide you with volunteering opportunities
  • To provide you with ways to donate and ways to fundraise (You can opt out of these communications at any time by emailing calling 020 8399 5427 or writing to our GDPR Project Team at the postal address below. To help us get a clearer understanding of your situation and areas in which you may like to support
  • For internal administration including accounting and gift aid procession
  • To respond effectively to complaints
  • For other purposes in which we would specifically notify you and obtain consent

You have the right to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected. You also have the right to ask us to delete any personal information we hold about you. In some cases, we may be unable to delete data, such as if it is required for tax or Gift Aid purposes. In these cases, we will ensure that you are removed from future communications and processing. You can access your personal data held by us or request to receive your information in part or its entirety in machine readable format.

For all questions or concerns regarding the processing of your personal information, please do get in touch. You can email, telephone: 020 8399 5427 or write to our GDPR Project Team at the postal address above. To amend any of the personal information we hold about you, such as a change of address or phone number please contact us.

Direct Marketing

At each of our data collection points (i.e. online form or paper flyer) we will provide you with the opportunity to “opt in” to communications which have a particular fundraising purpose (this is called Direct Marketing).
If you provide us with your consent by “opting in” to receive such communications we will occasionally contact you to let you know about upcoming ways to fundraise (such as events) and the areas where we need specific financial support (such as campaigns).
We want to communicate in a way that suits you so we will only ask you to fill in the contact details of your preferred means of communication. We will make it easy for you to opt out of Direct Marketing communications at any time and you can contact us to change your preferences.

Changes to this policy

We will continue review and update this policy from time to time and any revisions will be published on our website.

Cookies Policy

Cookies are small text files which store your information on websites and in your browser history. They are used to help websites run efficiently and to give the owner of a website information about the visitors to their site. A cookie can be used to recognise your computer or device when a user of your computer or device has visited it previously. Cookies cannot identify your personal identity.

How does YMCA St Paul’s Group use cookies?

We use cookies to better understand the groups of people who visit our website and to monitor how effectively our website performs. Cookies can tell us the areas of the website you visit, how much time you spend on the website, your device and browser and whether you are a new or regular visitor to the site.

Your rights

When visiting the YMCA St Paul’s Group website you have the right to choose whether to accept cookies but as cookies help the website run more efficiently, if you choose to deny cookies you may not be able to make use of the full functionality of the website.

Changing cookie preferences

You can change your individual cookie preferences by accessing the “help” menu in most web browsers. More information about cookies is available at

Cookie terminology

There are two type of cookies, “first party cookies” and “third party cookies”.

  • First party cookies are served directly by the website operator to your computer, and are often used to recognise your computer when it revisits that site and to remember your preferences as you browse the site.
  • Third party cookies are served by a service provider on behalf of the website operator, and can be used by the service provider to recognise your computer when you visit other web sites. Third party cookies are most commonly used for web site analytics or advertising purposes.

Cookies used on our website

We use Google Analytics cookies to collect anonymous traffic data, such as page visit information, where the visitors to the site had come from and the browser and operating systems used. This information is stored by Google and subject to their privacy policy.

We also use Google DoubleClick cookies to measure how our online advertising performs. This helps us to ensure that our digital marketing activities provide a good return for our investment. The information stored by Google DoubleClick is subject to their privacy policy.

Facebook and Twitter cookies, used on our website, help us to understand the effectiveness of our online advertising on those social platforms. Links to their privacy policies provided below:

The site also makes use of session cookies. Those cookies are necessary for site functionality and contain no personally identifiable information. They are deleted when the browser is closed.

Additionally, some of the pages on our website have embedded content and / or share buttons that enable users to easily share our content with their friends via a number of social networks. Those websites might set their own cookies when you log into their services. We do not control those cookies and suggest you check their websites on information on how manage them.

Our website also has links to other organisations who will have their own data protection privacy statements.

Social Media

Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those services, for example when you publicly tag us in an event photo.

Changes to this privacy policy

We are continually reviewing and updating our policy, so check back again soon.

Contacting us

This website is owned and operated by YMCA St Paul’s Group, St James House, 9-15 St James Road, Surbiton, Surrey, KT6 4QH. If you have any questions about this privacy policy, please contact us.