Donate Play the lottery

Privacy Policy

Privacy policy

Sebastian’s Action Trust
Last updated: February 2026

Sebastian’s Action Trust is committed to protecting your personal information and being open and transparent about how we collect and use it.

This Privacy Policy explains how we use personal data about families we support, referrers, supporters, donors, volunteers, staff, suppliers and website visitors.

1. Who we are

Sebastian’s Action Trust (“we”, “us”, “our”) is a registered charity in England and Wales (Charity number 1151146). We support families of life-limited children with family breaks, emotional and practical support.

We are the Data Controller for the personal data we collect.

Contact details

Sebastian’s Action Trust does not require a Data Protection Officer (DPO) under UK GDPR because we do not carry out large-scale processing of special category data. However, we maintain internal responsibility for data-protection compliance.

2. Data protection law

We comply with:

  • the UK General Data Protection Regulation (UK GDPR)
  • the Data Protection Act 2018
  • the Privacy and Electronic Communications Regulations (PECR)
  • other relevant legal and regulatory obligations, including safeguarding duties
3. The personal data we collect

We collect different types of personal information depending on how you interact with us.

A) Families and beneficiaries (including children)

This may include:

  • parent/guardian and child name, contact details and date of birth
  • family members’ names and relationships
  • details needed to provide support, activities, or a family break
  • referral information (including from hospitals, schools or other professionals)

Where we process data about children, consent is always obtained from a parent or legal guardian unless another lawful basis applies.

Because of the nature of our services, this may also include special category data, such as:

  • health information (diagnosis, disability, treatment information)
  • mental health or emotional wellbeing support needs
  • information about ethnicity (only where relevant and appropriate)
  • information needed to make reasonable adjustments
  • safeguarding information (where necessary)

B) Supporters, donors and fundraisers

This may include:

  • name, address, email, phone number
  • donation history and Gift Aid information
  • event attendance and fundraising participation
  • communication preferences and contact history

C) Volunteers, trustees and job applicants

This may include:

  • application details and references
  • training records
  • DBS checks (where required)
  • role and emergency contact details (where appropriate)

D) Suppliers and corporate partners

This may include:

  • contact names and business contact details
  • contract and payment records

E) Website visitors

This may include:

  • IP address and device information
  • cookie identifiers
  • pages visited and how you use our website
4. How we collect personal data

We collect personal data when you:

  • contact us by phone, email, post or via our website
  • apply for, are referred to, or access our services
  • make a donation, sign up to fundraising, or attend an event
  • volunteer, apply for a role, or work with us
  • buy goods (including merchandise or event tickets)
  • sign up for news and updates
  • interact with us on social media
  • visit our website (via cookies and analytics)

We may also receive information from:

  • hospitals, hospices, schools, local authorities, social workers, or other professionals (where appropriate)
  • family members acting on behalf of a child or family
  • publicly available sources (see section 11)

Where we receive personal data from third parties (such as hospitals, referrers, or public sources), we will inform individuals of the source of their data and the categories of data obtained, unless an exemption applies (e.g., safeguarding).

5. How we use personal data (and why)

We only use personal data when we have a lawful basis.

We use personal data to:

  • process referrals and service applications
  • provide support, breaks, activities, counselling and practical help
  • communicate with families about services and bookings
  • safeguard children, young people and adults at risk
  • manage volunteering and recruitment
  • administer donations, fundraising, Gift Aid and events
  • manage relationships with supporters and partners
  • improve our services, communications and website
  • comply with legal obligations (including financial, employment and safeguarding duties)
  • prevent fraud and protect the charity, our supporters and families

Sebastian’s Action Trust does not carry out any automated decision-making or profiling that produces legal or similarly significant effects for individuals. We do not use AI tools that make decisions about families.

6. Our lawful bases for processing

Under UK GDPR, we rely on the following lawful bases:

Consent

We may rely on consent for:

  • email or text marketing
  • use of photos, videos, stories and case studies
  • certain processing of special category data where required

You can withdraw consent at any time.

Contract

We may process data where necessary to:

  • provide services you request
  • administer event bookings
  • manage volunteering arrangements
  • process purchases or transactions
Legal obligation

We may process data to comply with legal requirements such as:

  • Gift Aid rules
  • financial and audit obligations
  • employment law
  • safeguarding and reporting requirements
Vital interests

In rare circumstances, we may process data to protect someone’s life.

Legitimate interests

We may process data where it is necessary for our legitimate interests, and where those interests do not override your rights.

This may include:

  • postal fundraising communications (unless you opt out)
  • supporter care and relationship management
  • improving services and communications
  • preventing fraud and protecting our systems
  • due diligence checks for significant donations or partnerships

Where we rely on legitimate interests, we carry out appropriate balancing assessments.

Some personal data may be required under statutory or contractual obligations (for example Gift Aid rules, employment or volunteering requirements, or safeguarding duties). Where providing personal data is mandatory, we will explain what information is required and the consequences of not providing it.

7. Special category data (including health information)

We do not rely on legitimate interests for processing special category data.

We only do this where we have both:

  • a lawful basis under Article 6 UK GDPR, and
  • an additional condition under Article 9 UK GDPR

This may include:

  • explicit consent
  • provision of social care and support
  • safeguarding children and individuals at risk
  • substantial public interest (where applicable)

We apply additional protections, including restricted access, staff training, and secure storage.

8. Safeguarding and child protection

Safeguarding is central to our work.

We may process and share personal data where necessary to:

  • protect a child, young person or adult at risk
  • investigate and manage safeguarding concerns
  • comply with safeguarding guidance and legal duties
  • work with relevant authorities (e.g. local authority, police, NHS)

Where safeguarding requires it, we may share information without consent. We will only do so when lawful, necessary and proportionate.

9. Photos, videos, stories and case studies

We may use stories, quotes, photographs and video to help raise awareness and funds.

We will obtain appropriate consent before using identifiable images or stories of:

  • children and young people
  • family members
  • volunteers or supporters

You can withdraw consent at any time. If materials have already been printed or shared, we may not be able to remove all copies, but we will stop future use wherever possible.

10. Marketing and keeping in touch

We may contact you about our work, events, fundraising and ways to support Sebastian’s Action Trust.

Email and text

We will only send marketing emails or texts where you have opted in (or where permitted by law).

Post and telephone

We only make calls if the person hasn’t opted out and is not listed on the Telephone Preference Service (TPS).

Updating your preferences

You can change your preferences at any time by:

11. Fundraising research, wealth screening and due diligence

To help raise funds responsibly and in line with best practice, we may carry out fundraising research.

This may involve using publicly available information such as:

  • Companies House
  • the Electoral Register (where lawfully accessible)
  • company websites and published biographies
  • professional networking sites such as LinkedIn
  • news archives and publicly available registers

We may also use trusted third-party agencies to support research and screening.

We use this information to:

  • understand supporter interests and capacity
  • ensure communications are appropriate
  • comply with our Gift Acceptance Policy
  • meet legal and regulatory expectations (including anti-fraud and money laundering checks)

You can opt out of this processing at any time by contacting: [email protected]

12. Who we share your data with

We never sell your personal data.

We may share personal data with trusted third parties where necessary, including:

  • IT and database providers
  • email and marketing platforms
  • payment processors and donation platforms
  • event booking providers
  • printing and mailing suppliers
  • professional advisers (e.g. auditors, insurers, legal advisers)
  • regulatory bodies where required
  • safeguarding authorities (e.g. local authority, police, NHS)

All third‑party suppliers are assessed for appropriate technical and organisational security measures before we share any personal data with them, and we review these safeguards regularly.

13. International transfers

Some suppliers may process data outside the UK.

Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as:

  • UK adequacy regulations
  • UK International Data Transfer Agreements (IDTAs)
  • contractual protections and security requirements
14. How we keep your data safe

We use appropriate technical and organisational measures, including:

  • secure systems and encryption
  • role-based access controls
  • staff confidentiality requirements and training
  • safeguarding procedures
  • secure disposal of data
  • monitoring and updates to systems

If a personal data breach occurs that risks your rights and freedoms, we will take appropriate action and report it to the ICO where required.

15. How long we keep your data

We keep personal data only for as long as necessary.

We delete or anonymise personal data when it is no longer required.

Retention depends on the type of information and legal requirements, including:

  • service delivery and safeguarding needs
  • financial and Gift Aid requirements
  • employment and volunteering records
  • regulatory and audit obligations

We apply defined retention periods for each category of personal data, based on legal, safeguarding and operational requirements. These periods are set out in our internal retention schedule, available on request.

16. Payment information

If you donate, purchase tickets, or pay online, your payment is processed securely by third-party payment providers.

We do not store full card details on our systems.

If we receive card details by email, we will delete the email and ask you to use a secure payment method.

17. Cookies and website analytics
Cookies

Cookies are small files stored on your device. We use cookies to:

  • ensure the website functions correctly
  • understand how the site is used
  • improve your experience

We use a consent‑management tool to record users’ cookie preferences, including timestamps, consent version and proof of opt‑in. You can update or withdraw cookie consent at any time via our on‑site cookie settings banner. View our Cookies Policy

Analytics

We may use analytics tools (such as Google Analytics) to understand how visitors use our website. This information is used in a way designed not to directly identify you.

18. Links to other websites

Our website may contain links to third-party websites and social media platforms.

We are not responsible for the privacy practices of other websites. Please check their privacy policies.

19. Your rights

You have rights under UK GDPR, including the right to:

  • request access to your personal data
  • request correction of inaccurate data
  • request deletion (in certain circumstances)
  • request restriction of processing
  • object to processing based on legitimate interests
  • withdraw consent at any time
  • request data portability (where applicable)
  • make a complaint to the Information Commissioner’s Office (ICO)

To exercise your rights, please contact us at [email protected]
Please write ‘Data protection request’ in the subject line so we can respond promptly.

We may need to verify your identity. We will respond within one month unless the request is complex.

20. Requests to delete beneficiary data

Families supported by Sebastian’s Action Trust may request deletion of their personal data.

Safeguarding records are retained in accordance with statutory guidance and cannot be deleted.

However, we may need to retain certain information where:

  • safeguarding requires it
  • we have a legal obligation
  • it is necessary to protect the charity or individuals

Safeguarding records are retained in accordance with statutory guidance and cannot be deleted.

21. How to complain

If you have concerns, please contact us first so we can try to resolve them.

Contact details:

You can also complain to the regulator:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

22. Changes to this policy

When we make significant changes, we will notify individuals via our website or direct communication. Previous versions of this policy are available on request.