Privacy Policy

Revitalise is committed to respecting your privacy. This privacy notice explains how Revitalise may use personal information we collect about you. This policy explains how Revitalise complies with the law on data protection and what your rights are. For the purposes of data protection, Revitalise will be the data controller of any of your personal information.

This notice applies to all visitors of Revitalise’s premises and website (and sub-sites) including grant applicants, supporters, and anybody who has signed up to hear from us. This notice does not form part of any contract.

Note for donors: If you are making a donation to Revitalise, please see our separate Donor Privacy Notice which provides information specific to donation processing.

References to “we,” “our” or “us” in this privacy notice are to Revitalise.

Who we are

Revitalise is a charity that provides hardship grants to individuals experiencing financial difficulty, including those with disabilities and their carers. Our Head Office address is: 240 City Road, London, EC1V 2PR. You can contact us via 0303 303 0145, or if you have any concerns or questions regarding the processing of your data you can email us on: dpo@revitalise.org.uk.

We are what is known as the ‘data controller’ of personal information we collect and use. This means that we are responsible for determining the purpose and the means of processing your personal data. We are registered with the Information Commissioner’s Office under number Z8338122.

All personal data collected by Revitalise is processed in compliance with the requirements of the UK General Data Protection Regulation, the UK Data Protection Act 2018 and any other relevant legislation. Our Data Protection Officer (DPO) ensures that we apply the best standards to protecting your personal information and comply with our responsibilities for data protection.

Information we collect from you

The information we collect from you is for the use of Revitalise only, unless stated otherwise, and may include:

General website and supporter information

  • Any personal details you knowingly provide us with when using or registering with the site such as email address, name, address, telephone number (telephone number is optional).
  • Your preferences and use of email updates, recorded by emails we send you (if you receive email updates).
  • Your Internet Protocol (IP) Address and website usage data to monitor general usage and improve the site.
  • Data recorded by the website through cookies that allows us to recognise you and your preferred settings. See our Cookie Policy for full details.
  • Payment information and personal details provided when you make a donation or payment to us.

Grant application form

When you apply for a hardship grant from Revitalise, we collect additional information necessary to assess your application and provide appropriate support:

  • Personal details: Full name, contact details (email and optionally phone), address.
  • Age confirmation: Confirmation that you are 18 years of age or older. We do not collect your exact age or date of birth.
  • Financial information: Benefits received (types not amounts), approximate income level, significant expenses such as care costs or medical costs, savings or assets situation. We collect enough to assess financial hardship but do not require detailed bank statements or extensive financial records with your initial application.
  • Disability information: Brief confirmation of how your disability meets the Equality Act definition. We do not need detailed medical diagnoses, extensive symptom descriptions, treatment history, or specific medication details. We only collect what is necessary to verify eligibility.
  • Care support information: Whether you require care support and the general type of support needed. We do not need intimate personal care details such as toileting or washing assistance.
  • Grant request details: Description of the break or activity you are applying for, costs involved, when you plan to take it, and provider details.
  • Referee information: Name and professional role of someone who can verify your application such as a doctor, district nurse, social worker, charity worker, or faith leader. We contact them only to verify the information you have provided.
  • Previous grant history: Whether you have received a grant from Revitalise before and when.
  • Third-party helper information: If someone helps you complete your application, we collect their name and relationship to you. This is solely to verify the application is legitimate and protect vulnerable applicants from coercion or financial abuse.
  • Special circumstances information: If you are requesting funding above our standard amounts due to exceptional circumstances such as palliative care, carer breakdown, or extreme hardship, we ask you to briefly confirm which applies. We do not need extensive detail or traumatic narratives.
  • Monitoring and evaluation data: During your application and if your grant is successful, we will ask you to provide monitoring and evaluation information. This will include wellbeing measures collected before and after your break, feedback on your experience, and impact on your quality of life. This helps us improve our services and demonstrate impact to funders.

What we do not collect as mandatory information

We do not collect the following as mandatory information on grant applications:

  • Your exact age or date of birth – we only need confirmation you are 18 or over.
  • Gender or sex – this is not required for grant assessment.
  • Ethnicity – this is not required for grant assessment.

Optional equality monitoring

When you complete your grant application, you may choose to provide gender and ethnicity information for equality monitoring purposes. This is completely voluntary and will not affect your grant decision. We use this data to ensure we are serving diverse communities fairly and to report to funders on the people we support.

For grant decisions: Demographics are removed before trustees review applications. Trustees do NOT see your name, gender, ethnicity, or contact details.

For monitoring and evaluation: Demographic data is linked to your application using a unique ID (pseudonymisation) to enable us to track outcomes and measure impact across different groups.

This data is collected under Article 6(1)(a) UK GDPR (consent) and Schedule 1 Part 1 Paragraph 2 Data Protection Act 2018 for equality monitoring.

Third party information

Revitalise will also process data about you and in some circumstances other persons involved in your care where relevant to your grant application. This information may be collected directly from you or via referring agencies such as social services, healthcare providers, or other charitable organisations. This includes:

  • Details of third parties, including your emergency contact details.
  • Information from carers, family members, or support workers (with appropriate consent or legal basis).
  • Professional assessments from social workers, occupational therapists, or medical professionals.
  • Details of your support network and care arrangements where relevant to grant assessment.

Special categories of personal information

Revitalise collects, stores, and uses “special categories” of personal information which is more sensitive in nature. For grant applications, this is essential to assess eligibility and need. We will only collect this information where you provide it to us directly, where it is provided via a referral such as from social services, NHS, or other agencies, or where we have another lawful basis to do so.

Special category data we process includes:

  • Health information, medical conditions, disabilities, and care needs.
  • Financial hardship and vulnerability information.
  • Information about family circumstances that may indicate vulnerability.
  • Information about dependants, including children or vulnerable adults where relevant to your application.

We will only process this information where we have a lawful basis to do so under data protection law, specifically Article 9(2)(b) UK GDPR for social protection purposes and where applicable Article 9(2)(h) for health and social care assessment.

Where we collect your data

We may collect personal data about you when you interact with us, including:

  • When you visit our website or contact us for information.
  • When you apply for a hardship grant (online, by phone, or in writing).
  • When you are referred to us by another agency or professional.
  • When you make a donation or attend a fundraising event.
  • When you make an enquiry about our services.
  • When you sign up to receive communications from us.
  • Through follow-up contact after grant decisions or payments.

If you are providing us with details of others such as family members, emergency contacts, or dependants, they have a right to know what personal information we hold about them, how we collect it, use it, and share it. Please share this policy with them. They also have the same rights as set out in the “Your rights in relation to personal information” section below.

USES MADE OF YOUR PERSONAL DATA

Any personal information we process about you will be used in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and other applicable laws. We use your details for the following purposes:

Grant-related processing

  • To assess your eligibility for hardship grants.
  • To verify the information provided in your application by contacting your nominated referee.
  • To make decisions about grant awards and payment amounts.
  • Applications are anonymised before review by our Trustee panel. The panel sees your disability information and grant request details but NOT your name, contact details, age, gender, or ethnicity. This ensures fair assessment based on need rather than personal characteristics.
  • To process grant payments and maintain payment records.
  • To contact you regarding your application, decision, and payment arrangements.
  • To pay accommodation or activity providers directly on your behalf if your application is successful. We share only your name, booking reference, and the grant amount with providers. We do NOT share your disability, health, or financial information with providers. It is your responsibility to share care needs or accessibility requirements directly with the provider when you book.
  • To monitor the use and impact of grants provided.
  • To conduct follow-up assessments where appropriate.
  • To comply with charity law and regulatory requirements including the Charities Act 2011.
  • To maintain statistical records for reporting to funders and regulators. All statistics are anonymised and individual applicants cannot be identified.
  • To prevent fraud and ensure appropriate use of charitable funds.

General communications and support

  • To process your request for information such as grant application forms or guidance documents.
  • To send you email updates where requested.
  • To contact you regarding your grant application or ongoing support.
  • To provide information about other services or grants that may help you.
  • To process donations and thank you for your donation (including Gift Aid claims).
  • For planning fundraising events you may be attending, including processing data to ensure dietary requirements or accessibility needs are met.

Supporter and marketing activities

  • To share information about our work, services and activities (with your consent).
  • To invite you to attend events.
  • To ask for your support or to thank you for your support.
  • For other marketing purposes, such as legacy giving programmes.
  • To send you holiday brochures and information about offers and updates (with your consent).
  • To contact you occasionally for feedback about our services.

The information provided by you will be stored on Revitalise’s secure databases and may be used to provide our services to you, fulfil legal obligations, or for the purposes described above.

lawful basis for processing your personal data

The UK General Data Protection Regulation (UK GDPR) requires that we must have a lawful basis for all processing activities. Our lawful bases are:

  • UK GDPR Article 6(1)(a) – The processing activity is carried out with your consent, for example when you opt in to receive marketing communications or participate in optional equality monitoring.
  • UK GDPR Article 6(1)(b) – The processing activity is necessary for the performance of a contract (grant agreement).
  • UK GDPR Article 6(1)(c) – The processing activity is necessary to comply with a legal obligation such as charity law requirements, HMRC Gift Aid reporting, or safeguarding obligations.
  • UK GDPR Article 6(1)(f) – The processing activity is in our legitimate interests, including:
    • To assess and process grant applications fairly and effectively.
    • To prevent fraud and ensure proper use of charitable funds.
    • To share information about our work, services and activities.
    • To invite you to attend events.
    • To ask for your support, process donations, or thank you for your support.
    • To maintain statistical records for charity reporting requirements.
    • To comply with charity law and regulatory obligations.

We have carefully balanced our legitimate interests against your rights and freedoms. We only process data where our interests do not override your rights, and we implement safeguards such as anonymisation, data minimisation, and security measures to protect you.

For special category data such as disability and health information, we rely on:

  • UK GDPR Article 9(2)(b) – Processing is necessary for social protection purposes as set out in Schedule 1 Part 1 Paragraph 2 of the Data Protection Act 2018.
  • UK GDPR Article 9(2)(h) – Processing is necessary for health or social care assessment where applicable.
  • Schedule 1 Part 1 Paragraph 2 Data Protection Act 2018 – For equality of opportunity monitoring (optional and with consent).

Who we share your information with

We only share your information when necessary and appropriate:

Grant decision-making

Our Trustee Application Panel reviews anonymised applications. They see your disability information and grant request details but NOT your name, contact details, age, gender, or ethnicity. After the panel makes a decision, administrative staff reconnect the decision to your identity to process payment and communicate with you.

Verification

We contact the referee you nominated to verify the information in your application.

Payment processing

If your application is successful and you are requesting funding for accommodation or activities, we pay the provider directly on your behalf. We share only your name, booking reference, and the grant amount with the provider. We do NOT share your disability, health, or financial information. You are responsible for sharing care needs or accessibility requirements directly with the provider when you book.

Legal and regulatory requirements

If required by law, court order, or requested by government or law enforcement authority.

  • To comply with charity law and regulatory requirements including reporting anonymised statistics to the Charity Commission.
  • To share donor information with HMRC for Gift Aid claims (name and address only).
  • To protect vulnerable individuals from harm where we have safeguarding obligations.

Service providers and support

  • Third parties who carry out activities on our behalf, such as:
    • Processing and sorting data.
    • Monitoring website usage through analytics platforms.
    • Issuing emails and communications.
    • Processing donations and payments.
    • Grant payment systems.
    • IT and database support.
    • Independent evaluation providers (for monitoring and evaluation of grant impact, data is pseudonymised or anonymised before sharing).
    • Website hosting.
    • Email marketing systems (only for people who have opted in).
  • When we share your information, it may be with the following types of organisations:
  • Database and CRM providers .
  • Email marketing systems (only for opted-in contacts).
  • Payment processing systems (such as Stripe, PayPal, JustGiving or similar – your payment data goes directly to them and is NOT stored by Revitalise).
  • IT and security support providers.
  • Website hosting providers.
  • Other charitable organisations for coordination of support where appropriate.
  • Regulatory bodies including Charity Commission and HMRC.

All third parties process data only on our instructions under Data Processing Agreements. Third parties will not be allowed to use your personal information for their own purposes, and we do not sell information to others. All third parties are required to maintain appropriate security and confidentiality measures in accordance with UK GDPR Article 28.

International transfer

We do not currently transfer personal data outside the UK.

Should Revitalise undertake data transfers to a country not in the UK to a location where data subjects’ rights may not be adequately protected or enforceable, we will arrange for suitable safeguards to be in place to facilitate such transfers. Revitalise has a process in place that ensures that suitable arrangements are in place such as Adequacy Regulations set by the UK Secretary of State, Standard Contractual Clauses, or other permitted mechanisms under Chapter V UK GDPR.

If you would like more information about international transfers or the safeguards we implement, please contact us at: dpo@revitalise.org.uk

Cookies and tracking technologies

Our website uses cookies and similar technologies. Some cookies are essential for the website to function. Other cookies help us understand how visitors use our website and require your consent.

When you first visit our website, you will see a cookie banner asking for your preferences. You can accept all cookies, reject optional cookies, or manage your preferences in detail. You can change your cookie preferences at any time using the Cookie Settings link in our website footer.

Strictly necessary cookies

These cookies are essential for our website to function. They enable secure navigation, form submission, and basic features. We do not need your permission for these cookies as they are necessary for the website to work.

Analytics cookies (requires your consent)

With your permission, we use analytics to understand how visitors use our website. This helps us improve our services. We retain analytics data for 14 months which allows year-on-year comparison while being privacy-friendly. After 14 months, individual session data is deleted, and only anonymised aggregate statistics are retained. For full details about what cookies, we use, their purposes, how long they last, and how to manage them, please see our Cookie Policy.

How long we keep your personal data

The duration for which we retain your personal data will differ depending on the type of data and the reason why we collected it from you:

  • Successful grant applications: 6 years from final grant payment (Charities Act 2011 requirement for financial records).
  • Unsuccessful grant applications: 12 months from decision (allows time for appeals or queries while respecting your privacy).
  • Withdrawn or incomplete applications: 6 months from last contact.
  • Supporter and donor data: 6 years from donation date for financial records. Email addresses are deleted after this period unless you have opted in to ongoing communications.
  • Marketing contacts: Until you unsubscribe or 2 years of inactivity. Every 2 years we ask if you still want to hear from us. If we do not hear back within 30 days, we remove you from our mailing list.
  • Website enquiry data: 2 years from last contact unless you opt in to ongoing communications.
  • Website analytics: 14 months.
    Safeguarding records: As required by safeguarding policies and legal obligations.
  • Financial records: 6 years (legal requirement under Charities Act 2011).
  • Monitoring and evaluation data: Same as grant records, 6 years for successful applications, 12 months for unsuccessful, 6 months for withdrawn. M&E data is linked to grant records using unique IDs.

We may process data for longer where necessary to comply with a legal obligation or for safeguarding purposes. After these periods, we securely delete personal data. We retain anonymised statistics indefinitely for reporting purposes.

It is important to ensure that the personal information we hold about you is accurate and up-to-date. Please let us know if anything changes, such as your contact details or circumstances relevant to your grant application.

Data security

We implement appropriate technical and organisational measures to protect your personal data in accordance with Article 32 UK GDPR:

Technical security measures

  • All data transmitted to and from our website is encrypted using SSL/HTTPS.
  • Our databases are encrypted at rest.
  • We use access controls and multi-factor authentication for staff accounts.
  • Regular backups are encrypted and stored securely.
  • We conduct regular security testing and vulnerability scans.

Organisational security measures

  • All staff receive data protection training before accessing personal data.
  • All staff and trustees sign confidentiality agreements.
  • We use role-based access controls so staff only access data necessary for their role.
  • We have clear desk and clear screen policies.
  • We conduct regular access reviews to ensure only authorized personnel have access.

Your rights in relation to personal data

You have the following rights concerning your data:

Right of access

You have the right to obtain confirmation from Revitalise as to whether personal data concerning you are being processed and, where that is the case, access to that data. We will respond to access requests within one month. For complex requests we may extend this by two months and will explain why.

Right of rectification

You have the right to require Revitalise to rectify inaccurate personal data concerning you. You also have the right to have incomplete personal data completed by providing a supplementary statement.

Right of erasure

You have the right under certain circumstances but not all to require Revitalise to erase personal data concerning you. Note that this may not apply where we need to retain data for charity law compliance (6 years for successful grant records), HMRC Gift Aid records (6 years), or safeguarding purposes. We will explain what we can and cannot delete when you make a request.

Right of restriction of processing

You have the right under certain circumstances but not all to require Revitalise to restrict processing of your personal data, for example if you are contesting the accuracy of personal data held about you.

Right to data portability

You have the right under certain circumstances but not all to require Revitalise to provide you with personal data about you in a structured, commonly-used and machine-readable format, and to transmit those data to another controller.

Right to withdraw consent

If the lawful basis for processing is consent, you have the right to withdraw that consent at any time. This will not affect processing that occurred before you withdrew consent.

Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the absolute right to object at any time to processing of your personal data for marketing purposes. You can unsubscribe from marketing emails using the link in any email or by contacting dpo@revitalise.org.uk.

Rights to object to processing based on legitimate interests

Where we process your data based on legitimate interests, you have the right to object. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is for establishment, exercise or defence of legal claims.

Rights in relation to automated decision-making and profiling

Revitalise does not perform any automated decision-making based on personal data that produces legal effects or similarly affects you. All grant decisions are made by human assessors reviewing applications fairly.

Please note: Some of these rights have specific requirements and exemptions. For example, we may not be able to delete data that we are required to retain for charity law compliance or safeguarding purposes. However, your rights to withdraw consent or object to direct marketing are absolute rights.

How to exercise your rights

To exercise any of these rights, contact our Data Protection Officer at dpo@revitalise.org.uk or write to us at 240 City Road, London, EC1V 2PR. We will respond within one month.

Your Right to lodge a complaint

If you wish to exercise any of your rights concerning your personal data, you should contact Revitalise’s Privacy Officer at dpo@revitalise.org.uk. If you are not satisfied with the response you receive, you have the right to lodge a complaint with the supervisory authority.

In the United Kingdom this is:

Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Tel: 0303 123 1113 Email: icocasework@ico.org.uk

More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/

Changes to this policy

Revitalise may update this privacy policy from time to time. When we change this policy in a material way, we will update the version date at the bottom of this page. For significant changes to this policy, we will try to give you reasonable notice unless we are prevented from doing so. Where required by law, we will seek your consent to changes in the way we use your personal information.

Contacting us

In the event of any query or complaint in connection with the information we hold about you, please email dpo@revitalise.org.uk, or write to us at:
Revitalise 240 City Road London EC1V 2PR
Our Data Protection Officer, Rebecca Young, can be contacted at dpo@revitalise.org.uk