Privacy Policy
Who are we?
“We” and “us” means The Pituitary Foundation. We are a charity with registered Charity No.1058968 and a registered company with Company No.3253524. We work with everyone with a pituitary condition, their support networks and healthcare professionals to raise pituitary awareness and reduce time to diagnosis.
Your privacy matters
At The Pituitary Foundation, we are committed to keeping your personal data safe and secure.
This notice sets out in detail the purposes for which we process information about you, who we share it with, what rights you have in relation to that information and everything else we think it’s important for you to know.
If you have any questions about the processing of your personal information, or you would like to exercise any of your rights, please reach out to us with the details mentioned below:
Email us: [email protected]
Call us: 0117 370 1333
Write to us: The Pituitary Foundation, Brunswick Court, Brunswick Square, Bristol, BS2 8PE
How we process your information
To understand how we process your personal information and to understand your rights, please visit the relevant appendix below:
Appendix 1: Service users and members
Appendix 2: Human resources (Job applicants, employees, volunteers)
Appendix 3: Medical Committee and Lived Experience Committee members
Appendix 4: Fundraising and marketing
Appendix 5: General information (complaints procedure, your rights)
Appendix 6: How long do we keep your information?
Changes to this privacy notice
We keep this privacy notice under regular review and aim to keep it up to date. If we make any significant changes to the way in which we process your information, we will let you know by either reaching out to you or posting a banner on the website.
This was last updated in September 2025.
Appendix 1: Service users and members
How and when do we collect information about you?
We collect your personal data directly from you, when you engage with us to use or enquire about our services using our helpline, via email or in person.
The information we collect includes the following: name, contact details, health information and other information you may provide to us when engaging with us.
How is the information used?
We use this information to:
- Effectively provide our services or programs to you
- Facilitate your enquiries
- Address any safeguarding concerns
- Carry out internal evaluation and monitoring
What is our lawful basis for processing this information?
- To process your information when you use our services, we rely on legitimate interest, read with substantial public interest and conditions from the Data Protection Act 2018 (DPA).
- For any safeguarding information that we record, we rely on legitimate or vital interest, read with substantial public interest and conditions from the DPA.
- For any case studies, and photography that we circulate, we rely on legitimate interest, and for surveys, we rely on your explicit consent (if they are not anonymous).
Who do we share your data with?
- We only share your information with universities or pharmaceutical companies with your consent.
- Personal data is not shared with funders. Information shared with funders is shared only anonymously.
- When data is shared anonymously with pharmaceutical companies, universities, or funders, it will be done in a manner that ensures it cannot be traced back to any individual person.
- To comply with our duty of care and safeguarding, we may need to pass some information that raises a safeguarding concern to the authorities. In such circumstances, we apply vital interest and legitimate interest as our lawful basis. Data subjects’ rights and other UK GDPR provisions may be restricted when concerning personal data processed in these circumstances. Exceptions and exemptions are applied on a case-by-case basis.
How we store your information and for how long?
We retain the personal data of all service users for a period in line with our retention periods – these are listed in Appendix 6. If you would like to know more about this, please contact us at the email address above.
Appendix 2: Human resources
(Job applicants and current and former employees, trustees, volunteers)
How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement. In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references.
What types of information is collected about you and who provides it?
We keep several categories of personal data to carry out effective and efficient processes. Specifically, depending on your type of engagement with us, we may process the following types of data:
- Personal details such as name, address, phone numbers, marital status
- Name and contact details of your next of kin
- Footage of the organisation events where you may appear
- Information of any disability or other medical information you have disclosed
- Right to work documentation, National Insurance number, bank account details
- Information gathered via the recruitment process such as that included in a CV, cover letter or application form, references, details on your education and employment history etc
- Information relating to your employment with us (e.g. job title, job description, salary, terms and conditions of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings)
- Your biography and picture for the website (if applicable)
We may also process criminal records information if the role involves a DBS check.
How is the information used?
We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee agreement, without which we would be unable to employ you or engage with you. Holding your personal data enables us to meet various administrative tasks, legal obligations or contractual/agreement obligations. We process information in relation to the DBS for our safe recruitment practices.
What is our lawful basis for processing this information?
We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees. We may also have a legal obligation to process and share your data; for example, we need to share salary information with HMRC or use some of your data to enrol a new employee on a pension scheme.
We may rely on our legitimate interest for processing activity such as keeping supervision and appraisal records; using your image, bio and videos/pictures of the organisation’s events where you may appear on our website or marketing/fundraising materials to promote the charity.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations and for health and social care obligations (such as those in relation to colleagues with disabilities and for health and safety purposes). We may also process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, based on substantial public interest for the purposes of equal opportunities monitoring, but this will be processed anonymously.
When processing criminal records (for example, to perform a DBS check), the organisation relies on the lawful basis of legitimate interest and additional conditions of the UK GDPR and DPA 2018.
Who do we share your data with?
Personal Data in relation to your salary is shared with HMRC as part of our legal obligation. Personal Data may be shared with third parties for the following reasons:
- for the administration of payroll, pension, HR functions (for example the online holiday booking system), administering other employee benefits.
- When sharing information with third parties, we have data sharing agreements, data processing agreements or contracts in place to ensure data is not compromised. These third parties implement appropriate technical and organisational measures to ensure the security of your data.
How long do we keep your data?
We only keep your data for as long as we need it, which will be at least for the duration of your employment/engagement with us, though in some cases we will keep your data for a period of 6 years after your employment/engagement has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 12 months.
Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting us using the details above if you want to know more about retention periods.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Appendix 3: Medical Committee and Lived Experience Committee members
How and when do we collect information about you?
We may collect your information or receive it from you when you respond to our adverts to join the Medical Experts committee. This may include: your name, contact details, professional titles, bank details, CV, biography and picture (if applicable). For Lived Experience Committee Members, we process your name, contact details, health information and photographs.
How is the information used?
We use this information to engage you in our expert committee or support committee that provides support and advice to our service users. We also use your information to provide you resources, invite you to events and engage you in our support groups. We may use your photographs for our website.
What is our lawful basis for processing this information?
We process this information based on legitimate interest. To process health information of our lived experience committee members, we rely on Article 9(d) of UK GDPR (not for profit bodies).
Who do we share your data with?
We may publish your information on our website, but we will only share your details with service users or enquirers if we have your explicit permission.
How we store your information and for how long?
We retain the personal data of all service users for a period in line with our retention periods. If you would like to know more about this, please contact us at the email address above.
Appendix 4: Marketing and fundraising
Events
We host many events in a year, and your personal information is collected when you register for an event with us. We may collect basic personal information, such as your name, email, phone number. We rely on legitimate interest to administer your registration for the event. When we collect other information such as dietary information, we rely on your explicit consent.
If you have attended an event with us previously, we may reach out to you to invite you for our future events. We rely on consent to send you emails.
Campaigns
We host online campaigns via our website. We may collect your personal information such as name, contact details and postal address. We process this information on the lawful basis of consent.
Donations
Your personal information is provided by you via a donation form on our website or via third party donation platforms (e.g. JustGiving, Enthuse, Stripe etc). The information gathered may be name, email address, Gift Aid sign up, donation details, reasons to engage, postal address.
This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data. If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration. If you are donating using a third party, please also refer to the privacy notice published on their websites.
Members and newsletter subscribers
If you sign up for a membership with our organisation or want to receive our newsletter, we will process your name, contact details and postal address. To process this information, we rely on your consent.
Fundraising and marketing
We may reach out to you for fundraising, if you have previously engaged with us in an event, made a donation, or if we believe that you may be interested in engaging with our organisation. We may also send you marketing communications if you have signed up for marketing emails. We use email and post for marketing.
We rely on your consent to send you email communications (except where this is a business email address, whereby we rely on legitimate interest).
Whether you are an individual or a business, if you would like to change your marketing preferences, please reach out to us on the email address provided in the first section of this privacy notice, or you can simply unsubscribe with the option on the bottom of the emails.
We may also use post as a mode of sending you marketing communications, relying on legitimate interest. If you would like us to not send such communications, please do reach out to us.
Appendix 5: General information (complaints procedure, your rights)
Your rights as a Data Subject
You have the following rights:
- ‘Right to be informed’, which means we will be completely clear and transparent about how we plan to use your personal information.
- ‘Right of access’, which means you can request details of the personal information we hold about you and how we use it. We will provide this within one month.
- ‘Right to rectification’, which means you can ask us to update or amend the personal information we hold about you, if it is incorrect.
- ‘Right to restrict processing’, which means you can ask us to change, restrict or stop the way we are using your personal information.
- ‘Right to erasure’ (or ‘right to be forgotten’), which means you can ask us to remove your personal information from our records.
- ‘Right to object’, which means you can object to us using your personal information for marketing purposes.
- ‘Right to data portability’, which means you can obtain the personal information we hold about you and reuse it for your own purposes.
- ‘Right not to be subject to automated decision making’, which means if we use systems to make a decision about you, you have the right to ask for a person to intervene, which may change the outcome.
- Right to lodge a complaint with a supervisory authority, such as the Fundraising Regulator or the Information Commissioner’s Office (ICO), if you are not satisfied with our response to a request you make to us, or you feel we are not using your information correctly.
International data transfers
Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
Complaints procedure
If you are unhappy with the way we process your data, please get in touch with the Data Protection Lead using the contact details mentioned above.
You can also make a complaint to the Information Commissioner’s Office (ICO), which regulates the use of information in the UK. They can be contacted at 0303 123 1113, or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Appendix 6: How long do we keep your information?
We retain your information only for as long as necessary to fulfil the purposes outlined in this privacy notice. Below is a list detailing retention periods for your personal data.
| Category of record | Retention period | Notes / legal basis |
| --- | --- | --- |
| Safeguarding of adults | 6 years after the case is closed | Based on the Limitation Act 1980 (time frame for legal claims). Longer if ongoing risk |
| Safeguarding of children | Until a child reaches the age of 25 (7 years after reaching 18) | ICO guidance & NSPCC best practice. If the child was in care, keep until age 75 |
| HR - employees | 6 years after employment ends | For contractual / legal claims (Limitation Act) |
| HR - recruitment (unsuccessful applicants) | 12 months after recruitment | To defend against discrimination claims |
| Trustees and volunteers | 6 years after service ends | Aligns with charity governance and safeguarding best practice |
| DBS checks | A record of the check is kept for as long as the role is held + 6 years. The actual certificate copy is destroyed after a decision is made | ICO / DBS guidance |
| Payroll and pension | 6 years after employment ends. In the case of pensions, records are kept for 75 years from the date of birth | HMRC and pension law requirements |
| Health and safety / accident records | 3 years from the incident (adults); or until a child reaches 21 (children) | Required under RIDDOR and H&S law |
| Donor and Gift Aid records | 6 years from the end of the financial year | HMRC requirement |
| Financial records (accounts, invoices) | 6 years from the end of a financial year | Companies Act and HMRC |
| Service user case notes (non-safeguarding) | 6 years after the closure of a case | ICO guidance and Limitation Act |
| Marketing consents | Until consent is withdrawn (plus 6 months audit trail) | PECR and UK GDPR |
| Website and event photography and case studies | Until the individual no longer wishes their information to be shared | ICO guidance |
| Unsolicited test results and medical records | We ask service users not to send in medical records or test results. When we do receive such information, these records will be returned to the individual and deleted from our systems within 1 month or as soon as practicable | ICO guidance |
| Health information for service request | Service users may provide us with health information so that we can respond to a service request e.g., send someone a booklet appropriate to their condition. We will delete this information within 1 month of the request being fulfilled or as soon as practicable. | ICO guidance |
| Helpline emails | 6 months after the last correspondence | ICO guidelines |