Privacy and Cookies Policy  

Here at YMCA St Paul’s Group, we are committed to protecting your personal information and we want you to feel assured that any personal information you give us is held securely and safely, whether we are providing support services to you, you are working for us, or supporting us through campaigning, donations, volunteering or fundraising/events.

This Policy outlines your rights regarding your personal information including what personal information we collect, how we might use it, how long we keep it for, and how we keep it safe.

1  Who we are

YMCA St Paul’s Group is a large but local charity working across London, providing support to communities and vulnerable homeless young people. This includes working with children, youth and families in the community, providing housing, running Health and Wellbeing Centres, and offering a range of other inclusive activities.

YMCA St Paul’s Group is registered as a charity (no: 1041923) and is a registered limited company (no: 02971930), with its registered office at St James House, 9-15 St James Road, Surbiton, KT6 4QH, UK. It is also registered with Ofsted no: RP524773, CQC: 1-101652524, HCA: LH4078 (No 212810).

YMCA St Paul’s Group is affiliated to YMCA England & Wales, its national body, and shares its passion to stand up for young people, to speak out on national issues that affect their lives and help them to find confidence in their own voice.

YMCA St Paul’s Group is a “data controller” for the purposes of the EU General Data Protection Regulation 2016/679, (GDPR) which means it is responsible for, and control the processing of, your personal information. For further information on this Policy or our privacy practices, please contact our Data Protection Officer by:

  • writing to us at YMCA St Paul’s Group, St James House, 9-11 St James Road, Surbiton KT6 4QH UK;
  • calling us on 0208 399 5427; or
  • emailing to

2  What information we might hold about you

The type of personal information data we hold on you can include the following:

  • name, address, telephone number(s), email address, IP address;
  • date of birth, race and sex, where relevant;
  • your hobbies and interests;
  • your history relevant to the support you receive from us;
  • records of your correspondence with us;
  • medical/health details where relevant;
  • banking details;
  • criminal records;
  • your Benefit(s) and other such information;
  • photographs;
  • CCTV images (see our CCTV Policy);
  • your case studies/stories; and
  • donations/gift details.

3  How we collect information from you.

We collect information about you in the following ways:

When you interact with us directly: This could be if you ask about our activities, register for an event, make a donation to us, sign up to our health and wellbeing services, apply for a job or to do volunteering or otherwise provide us with your personal information. This includes when you phone us, visit our website, or get in touch by post or in person.

When you interact indirectly with us through partners or suppliers working on our behalf: This could be where you access a service which is delivered through a trusted organisation working on our behalf, for example if you apply for housing, we may be working with local authorities.

When you interact indirectly with us through third parties: This could be where you have given a donation through a third party, such as Virgin Money Giving, or other third parties that we work with and who have provided your consent for personal information to be shared with us.

When you visit our website: We gather information which might include which pages you visit most often and which services, event or information might be of most interest to you. We may also track which pages you visit. We do this to make improvements to provide the best service and experience for you.  We also use “cookies” to help our site run more effectively. Please refer to section 15 (Cookies policy) below for more information.

From other information that is available to the public: In order to tailor our communications with you we may collect information from you publicly or through third party service providers. Please refer to section 10 (Profiling: making our work unique to you) below for more information.

Social media: When you interact with us on social media platforms such as Facebook, WhatsApp or Twitter we may also obtain information about you, for example when you publicly tag us in an event photo. The information we receive will depend on the privacy preferences you have set in those types of platforms.

3  How and why we use your information.

We collect your personal information to be able to provide the support and services that you have applied for, to process your donations, and to sign you up for fundraising/events. These may include when:

  • you sign up for gym membership or a group exercise class;
  • your child takes part in an activity or event;
  • you register for an activity/event;
  • you apply for accommodation with us;
  • you engage with housing related support services;
  • you engage with training/education services;
  • we take photos or videos and you give your consent for us to use these;
  • you choose to share your story or endorsement;
  • you make a donation or engage with our fundraising activities;
  • you apply for volunteering;
  • you visit our website;
  • you sign up for our newsletter or a free pass; or
  • a family member or friend contacts us on your behalf;

We also use your personal information where we:

  • provide you with volunteering opportunities, ways to donate and ways to fundraise;
  • for internal administration including accounting and gift aid procession;
  • to respond effectively to complaints;
  • keep a record of your relationship with us;
  • need to comply with the Charites (Protection and Social investment) Act 2016 and follow the recommendations of the official register of charities, and the Charity Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risk associated with accepting their donations;
  • need to update you with important messages about your donation or event or service you have requested;
  • contact you about our work and how you can support us;
  • invite you to participate in surveys or research;
  • can develop a better understanding of our supporters; or
  • keep in touch with you on information that you have said that you would like to receive or that is in your interest to receive.

We may also collect and use “sensitive personal information” about you.  This is information that can include information about your health, race, ethnic origin, and sexual orientation, religious and political beliefs. Where we hold your sensitive personal information we will treat that information with extra care and confidentiality and always in accordance with this Policy.

We will only use this sensitive personal information for dealing with your enquiry, training, services and quality monitoring or evaluating the service we provide. We will not pass on this sensitive personal information without your express permission except in exceptional circumstances, which might include anyone reporting serious harm to yourself or others, or harm to children such as physical abuse or exploitation, or if the law requires us to do so.  Where you have given us your express consent to use your sensitive personal information, for example, by submitting your story, we may also publish it on our blog or on our other social media.

4  Sharing your information with third parties

The personal information we collect about you will be mainly used by our staff (and volunteers) at YMCA St Paul’s Group so that they can support you. We will never sell your or share your personal information with organisations so that they can contact you for marketing activities. We also never sell any information about your browsing activities.

We will never share your personal information except where:

  • you have given us your permission to do so;
  • have genuine concerns for the safety and welfare of you or others;
  • we are required by law, for example to law enforcement agencies, judicial bodies, government entities, tax authorities or other regulatory bodies;
  • it is necessary to protect YMCA St Paul’s Group, for example, in cases of suspected fraud; or
  • we have engaged third party suppliers who help deliver our services, including fundraising agencies. In these cases, we have set up a written contractual agreement that will ensure that those organisations can only use the data provided for the specific purposes we direct them to do, and that they have in place strict security requirements in order to protect your personal data in compliance with the law.

5  Keeping your information safe

We take looking after your information very seriously. We have implemented appropriate physical, electronic and managerial measures to protect the personal information we have under our control, both on and off-line, from improper use, access, alteration, destruction and loss.

Unfortunately the transmission of information over the internet is not always completely secure, and while we have done our best to protect your personal information sent to us in this way, we cannot guarantee the security of data transmitted on our website. However, we have procedures in place to deal with any suspected data security breach and will notify you of a suspected data security breach where we are legally required to do so.

Any debit or credit card details which we receive on our website are passed securely to “Sage Pay” our payment processing partner, or such other partners, according the Payment Card Industry Security Standards.

6  Transfer of your information outside of Europe

To deliver services or manage our relationship with you, it is sometimes necessary for us to share your personal data outside the European Economic Area (EEA), e.g. – when your or our service providers are located outside the EEA; or if you are based outside the EEA.

We will, however, take reasonable steps to ensure any such supplier has in place appropriate measures to protect your information in the same way as under GDPR and any contract includes appropriate clauses about the use of data.

7  Links to other websites

Our website may contain links to other websites run by other organisations. While we try to link only to sites that share our high standards and respect for privacy we cannot guarantee that this is the case. Therefore we cannot take any responsibility for the content or the privacy practices employed by other sites. Please be aware that advertisers or web sites that have links on our website may collect personally identifiable information you. This Policy only applies to our website and does not cover the practices of those other websites or advertisers. We therefore encourage you to read the privacy statements on the other websites you visit.

8  How long we hold your information for

YMCA St Paul’s Group will not retain information for longer than is necessary and reasonable for the relevant activity for what it was collected. The length and time we retain your personal information for is also determined by operational and legal considerations, for example, we are required to hold some types of information to fulfil our statutory and regulatory obligations. These include for health/safety, tax/accounting purposes, where a supporter has kindly pledged a legacy to us in their Will, for gift aid purposes, or where personal information might be relevant to a future safeguarding enquiry to comply with our insurance and safeguarding guidance.

9  Marketing communications

We will only contact you about our work and how you can support us (marketing) by phone, email or text message, if you have agreed for us to contact you in this manner. However, if you have provided us with your postal address we may send you information about our work and how you can support us by mail, unless you have told us that you would prefer not to hear from us in that way. You can update your choices or ask us to stop us sending you these communications anytime by contacting us using the contact details in section 1 above (Who we are), or using the unsubscribe link at the bottom of relevant communication.

10  Profiling: making our work more unique for you

We may analyse your personal information to create a profile of your interests and preferences so that we can tailor and target our communications to you in a timely and relevant way. We may use other additional public information on you when it is available to help to do this effectively. This allows us to be more focussed, efficient and cost effective with our resources and also reduces the risk of someone receiving information that they might find inappropriate and irrelevant. You can opt out anytime of this by contacting us using the contact details in section 1 (Who we are) above.

11  Legal basis for using your information

Data protection requires us to rely on one or more legal grounds to process your personal information. We consider the following grounds to be relevant:

  • Consent: where you have given us consent to do so;
  • Performance of a contract: where we are entering into a contract with you, for example, if you take out a gym membership;
  • Legal obligation: where we need to comply with a legal or regulatory obligation, for example, where we might be ordered by a court to do so;
  • Vital interests; where it is necessary to protect the life or health (for example, in the case of medical emergency suffered at one of our events) or a safeguarding issue which requires us to share your information with emergency services;
  • Legitimate interests: where it is reasonably necessary to achieve our aims so that helps us to achieve our vision of ensuring that everyone in need of our support gets such support. Where we do so we make sure that we take into account your rights and interests and will not do so if we feel that there is an imbalance to your rights. Some examples where we us it might be for conducting research to better understand who our supporters are, for improving our services, for legal purposes dealing with complaints or claims or for complying with guidance from the Charity Commission.

12 Your rights

You have various rights of the personal information we hold about you which are set out below.

  • Access to personal information: you have the right to request access to a copy of the personal information we hold about you, along with how we sure it, why, who we share it with, how long we keep it and if it is used for automated decision making. It is free of charge. Requests must be in writing and evidence of identity must be provided.
  • Right to object: you can object to our processing of your personal information where we are relying on legitimate interests and there is something on this reason you wish to raise an objection. You can also object to any marketing use. You can do so by contacting us using the contact details in section 1 (Who we are) above.
  • Consent: where you have given consent you can withdraw it at any time;
  • Rectification: you can ask us to change or update any inaccurate or incomplete personal information held on you;
  • Erasure: you can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn your consent, or where we have no lawful reason to deep it.
  • Portability: you can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so that it can be easily transferred;
  • Restriction: you can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it;
  • No automated-decision making: this means where an electronic system uses personal information to make a decision without human intervention. You have the right to object if it has a significant impact on you unless you have consented, it is necessary for a contract between us or is permitted by law. We do not currently carry out any automated decision making.

Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.

If you wish to exercise any of these rights or make a complaint you can contact us using the contact details set out in section 1 (Who we are) above. You can also make a complaint to the data protection supervisory authority, the Information Commissioner’s Office at

13  Aged 16 or under

We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under, please obtain your parent/guardian’s permission beforehand wherever you provide us with your personal information.

14  Monitoring

Your communications with our teams (including by telephone or email) may be monitored or recorded for training, quality control and compliance purposes to ensure that we continuously improve our customer service standards.

15 Cookies Policy

Cookies are small text files which store your information on websites and in your browser history. They are used to help websites run efficiently and to give the owner of a website information about the visitors to their site. A cookie can be used to recognise your computer or device when a user of your computer or device has visited it previously. Cookies cannot identify your personal identity.

How does YMCA St Paul’s Group use cookies: We use cookies to better understand the groups of people who visit our website and to monitor how effectively our website performs. Cookies can tell us the areas of the website you visit, how much time you spend on the website, your device and browser and whether you are a new or regular visitor to the site.

  •  Your rights concerning cookies: When visiting the YMCA St Paul’s Group website you have the right to choose whether to accept cookies but as cookies help the website run more efficiently, if you choose to deny cookies you may not be able to make use of the full functionality of the website.
  • Changing cookie preferences: You can change your individual cookie preferences by accessing the “help” menu in most web browsers. More information about cookies is available at
  • Cookie terminology

There are two type of cookies, “first party cookies” and “third party cookies”.

First party cookies are served directly by the website operator to your computer, and are often used to recognise your computer when it revisits that site and to remember your preferences as you browse the site.

Third party cookies are served by a service provider on behalf of the website operator, and can be used by the service provider to recognise your computer when you visit other web sites. Third party cookies are most commonly used for web site analytics or advertising purposes.

  • Cookies used on our website: We use Google Analytics cookies to collect anonymous traffic data, such as page visit information, where the visitors to the site had come from and the browser and operating systems used. This information is stored by Google and subject to their privacy policy.

We also use Google DoubleClick cookies to measure how our online advertising performs. This helps us to ensure that our digital marketing activities provide a good return for our investment. The information stored by Google DoubleClick is subject to their own privacy policy.

Facebook and Twitter cookies, used on our website, help us to understand the effectiveness of our online advertising on those social platforms. Please read their privacy policies for further information of their use of cookies.

Our website also makes use of session cookies. Those cookies are necessary for site functionality and contain no personally identifiable information. They are deleted when the browser is closed.

Additionally, some of the pages on our website have embedded content and / or share buttons that enable users to easily share our content with their friends via a number of social networks. Those websites might set their own cookies when you log into their services. We do not control those cookies and suggest you check their websites on information on how they manage them.

17  Changes to this Policy

This Policy may change so please remember to check back from time to time, this is version 1.0 and was last updated in July 2018. Where we have made changes to this Policy, we will make this clear on our website or if possible contact you about any changes.

This website is owned and operated by YMCA St Paul’s Group, St James House, 9-15 St James Road, Surbiton, Surrey, KT6 4QH.