Privacy Policy



STEPWAY is committed to protecting your personal data. This Policy details what personal data we collect and how we shall use it. We continually review our Policy and update it to reflect changes in data protection law. If we make any significant changes, we will make reasonable efforts to contact you. The Policy is effective from 20 November 2019.

1. Who are we?

full legal and working title:

STEPWAY Registered charity in England and Wales (1186465)

STEPWAY  is a charity registered as: CIO on 20/11/2019.

Any question relating to this Policy should be addressed to the Data Protection Officer by emailing or by writing to us:

Data Protection Officer
The Trinity

 2. What is personal data?

Personal data is information about a living individual who can be identified from that information (directly or indirectly). We collect, store and use (or “process”) personal data including:

  • your name;
  • contact information;
  • date of birth;
  • your gender;
  • age, nationality and ethnicity information (for monitoring purposes);
  • bank details and credit card information (where these are required to make payment);
  • information relating to your health (particularly if you are applying for a welfare grant or to access one of our services);
  • (when we are a beneficiary in an estate) any information about you as an executor, next of kin or beneficiary;
  • whether you are a taxpayer and would like to enable us to claim Gift Aid; and
  • any other personal information we collect in accordance with the Data Protection Act  2018 (GDPR).

We process certain types of personal data which are in a ‘special category’ under data protection laws, as they are considered more sensitive. Examples of this type of sensitive data are information about your health, race, religious beliefs, political views, trade union membership, sex life or sexuality. These types of data will only be collected when we have appropriate measures in place to ensure they are protected, when we have a valid reason for doing so and only if the law allows us to – the law allows us to process such data, for example, to safeguard the economic well-being of certain individuals in need of our support.

 3. How do we collect your personal data?

We collect your personal data directly where: 

  • We obtain information from you to provide health, welfare, mentoring and social care services as specified by our constitution (for example when you register for support or when you otherwise interact with us).
  • We obtain your personal data when you participate in one of our fundraising activities or apply to be a volunteer or caseworker. Your personal details will be added to your record so that future communications with you are tailored to your interests.

Information collected indirectly:

We may obtain your personal data from third parties such as:

  • Mail order companies or Marketing Service Providers you have subscribed to and where a legitimate interest applies. A balance of your interests is carefully considered and scrutinised to ensure that your needs are balanced and beneficial rather than intrusive.
  • Prospect researchers such as Prospecting for Gold who use publicly available information – for example: industry directories, on-line sources, newspapers and journals – for the purpose of wealth screening for major gifts fundraising.
  • Fundraising platforms such as Virgin Money Giving, Charity Checkout and Just Giving
  • The Armed Forces and Ministry of Defence (for example: via referral)
  • Subcontractors, business partners, researchers and search/analytics providers
  • From a military charity or organisation so that we can provide assistance to you – we coordinate support with other military charities so that you receive support from the most appropriate source
  • Social Media platforms such as Facebook, WhatsApp, Twitter or LinkedIn, depending on your privacy settings on those social media platforms (for example when you choose to interact with us by ‘liking’ our page)
A note on social media: Our website includes social media plug-ins to allow you to easily share content from our website and, in doing so, your personal data may be sent to these social media platforms. We have no control over how social media platforms use your personal data and we encourage you to read the privacy notices on the various social media platforms you use. Find out more about how these social media platforms use your personal data: Facebook Twitter

Information from other sources

  • When you visit our website, we automatically collect technical information about your device including the IP address used to connect your device to the internet.
  • Using Google Analytics, we track which pages visitors to our website click on. Please see policy on Cookies

We may combine your personal data from these different sources for the purposes set out in this Policy.

4. Children and young people

We seek consent from parents/guardians for children who wish to participate in any fundraising activity. We always make clear to under 18s the purpose for which we are processing their data and comply with the Fundraising Regulator’s Code of Fundraising Practice. 

5. How and why we use your personal data

We use your personal data for the following purposes: –

  • to promote the interests of the charity and to enable us to provide a voluntary service for the benefit of the public in a geographical area as specified in our constitution;
  • to provide you with our services which you have requested and assess your eligibility to access those services.
  • to communicate with you in general;
  • to provide co-ordinated services across military charities
  • for administration purposes, including volunteering expenses
  • for publicity and profile-raising purposes (for example sharing success stories) and to fundraise to further our charitable purposes;
  • to maintain our own accounts and records (including the processing of gift aid on your donations);
  • to consider your application for a job or volunteer role with us;
  • to inform you of news, events, activities and services of STEPWAY
  • to report on the impact and effectiveness of our work;
  • to administer our website;
  • to satisfy legal and regulatory obligations;
  • for the establishment, defence and/ or enforcement of legal claims;
  • to prevent crime: We may record your image on CCTV which we use to prevent crime and keep our staff, tenants and the public safe. We may also process personal data to prevent fraud or misuse of services;
  • to conduct market research: Including research on the demographics, interests and behaviour of current and prospective supporters in order to help us gain a better understanding of different audiences and enable us to improve our service and seek support for our work. This research may be carried out internally by our employees or we may ask another company to do this work for us. Data will be anonymised where possible;
  • Profiling and analysis: Our profiling and analysis activities can be broken into three categories:
  • Segmentation so that we can offer supporters information relevant to them. This type of activity is not aimed at identifying specific individuals to target, but rather many individuals who may fall within a certain segment of supporters.
  • Data matching: We may combine the personal information you have given us with data obtained from external sources, such as the Office for National Statistics, Google, The Electoral Roll or postcode-based segmentation tools to help us understand social, demographic and financial characteristics, so we can tailor our communications and services to better meet your needs or the needs of others like you based on the insight we gain from the profile we build. We will not use the results of this data matching activity in a way that unduly intrudes on your privacy or your previously expressed privacy preferences, and you can ask us not to undertake this activity.
  • Major donor analysis: Our Financial officer may occasionally use your personal data to create profiles of our supporters or potential supporters. We use information our supporters have given us voluntarily to identify those who may wish to support our work with a major gift. We also use information already in the public domain, for instance industry directories, on-line sources, newspapers and journals and Companies House to identify individuals who may be interested in supporting our work with a major gift or are known to our existing major supporters. We also carry out due diligence checks on all new major supporters and ensure that the information we have on our major supporters is accurate and up to date. You can object to such use of your personal data for profiling at any time by contacting us at the details set out at the end of this Privacy Policy.

6. Our lawful basis for processing your personal data

Data privacy law requires us to rely on one or more lawful bases in order to process your personal data. We consider the bases below to be relevant:

  • Your consent (for example we may ask for your explicit consent to collect special categories of your personal data)
  • Where processing is necessary for the performance of a contract to which you are a party
  • Where processing is necessary for compliance with our legal obligations such as where we are obliged to share your personal data with law enforcement agencies, judicial bodies, government entities, tax authorities or regulating bodies.
  • Where processing is necessary to protect your vital interests or that of another person;

Where processing is necessary for the purpose of a legitimate interest pursued by us or a third party, except where your rights override our legitimate interest. The legitimate interest we rely upon is subject to an assessment based on the specific context and circumstances.

Our legitimate interests In broad terms, our legitimate interests mean, the interests of running STEPWAY as a charitable organisation and pursuing our aims and ideals, including to support Veterans of the British Armed Forces – see About Us. For example, we need to collect your personal data in order to assess your eligibility for support within mental health or the adaption to civilian life and accessing our 7-Step Civilian Skills Program or other support and share it with other military charities for that same purpose. We then need to process your personal data in order to provide that support.

7. Marketing and fundraising communications

We have evaluated the basis upon which we lawfully collect, hold and process personal data for marketing and fundraising. The balance test we carried out concludes that we have a lawful basis to communicate with existing and potential supporters and volunteers. We therefore rely on legitimate interest to communicate you.

We may use your contact details to provide you with information about our work and services, or to seek donations/ legacies.

We will send fundraising and marketing materials to you if we hold your contact details on our database and if you have not opted out of receiving communication by post. When communicating by post, we will offer you the opportunity to ‘opt out’ of receiving communication from us in future. You can also opt out of receiving communications from STEPWAY by registering your name and contact details on the Fundraising Preference Service (FPS) website.

We will send fundraising and marketing materials to non-supporters whose data (names and postal addresses) who have not opted out of receiving communication by post from third parties.

We will send fundraising and marketing materials to you if you have opted in to receive communication via email, telephone (landline and mobile) or/and SMS (text messaging). 

Where you have provided us with your consent previously, you can change your mind at any time and choose to withdraw that consent. If you do not wish for us to contact you with marketing and fundraising communications, please let us know by email at.

8. Sharing your personal data

  • If you request assistance, STEPWAY may share your personal data with other military charities that provide support for a request for assistance and to co-ordinate providing you with support. Further details are available at: How military charities use my personal information.
  • We share your personal data where it is necessary to achieve the purposes set out in this Policy. This includes sharing your personal data with:
  • suppliers and sub-contractors – for example IT service providers such as website hosts or cloud storage providers;
  • insurers;
  • professional service providers such as accountants and lawyers; and/ or
    • regulators, government and local authorities, including Child Services where appropriate.

we use third parties such as WorldPay, PayPal, and GoDonate to process online donations

  • We also may need to disclose your personal data if required to do so by law or as expressly permitted under applicable data protection legislation for example, we may disclose your personal data to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. 
  • We reserve the right to share your personal data with third parties in the event that we sell or buy any business or assets or if our assets (including your personal data) are acquired by a third party, and/ or to protect the rights, property or safety of STEPWAY, its personnel, users, visitors or others.
  • If you are an executor of an estate bequeathed to STEPWAY, we may share your details with co-beneficiaries and third parties such as solicitors, for the purpose of administrating the gift.
  • We do not sell your personal data to other charities or other third parties.

9. How we protect your personal data

  • We use appropriate technical and organisational safeguards to ensure we keep your personal data secure. We have security measures in place to help protect against the loss, misuse, and alteration of the data under our control. For example, where appropriate, data is encrypted when in transit and storage, access is limited and subject to confidentiality commitments.
  • We only use personal data for the purposes for which it was supplied (and not for any non-business purposes). We limit access to personal data on a need-to-know basis and take appropriate measures to ensure that our people are aware that such information is only used in accordance with this Privacy Policy.

10. Keeping your personal data up to date

  • We take reasonable steps to ensure your personal data is accurate and up to date.
  • Where appropriate and lawful we may use publicly available sources (such as the Royal Mail) to identify deceased records or whether you have changed address.
  • We really appreciate it if you let us know when your contact details change.

11. Our use of cookies

STEPWAY uses cookies and other tracking technologies to assist with navigation of our website and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. To find out more about the types of cookies we use, please visit our Cookie Policy page.

12. Vulnerable circumstances

We are committed to protecting vulnerable supporters, and clients, and appreciate that additional care may be needed when we use their personal data. We recognise that occasionally we may contact individuals who are not able to make decisions on their own such as donating to our charity. We observe the Fundraising Regulator’s Code of Fundraising Practice when dealing with people who are in vulnerable circumstances.  

In addition, to ensure we aren’t writing to individuals who do not wish to hear from us, i.e., receive direct mail from STEPWAY when there’s been no prior relationship, the prospective donor acquisition data list(s) will be screened against the Mailing Preferential Service (MPS), Fundraising Preference Service (FPS), and STEPWAY’s own suppression file prior to sending any postal communication.

13. International data transfers

STEPWAY only stores your personal data on computers located in the UK, as part of its work to support the Veteran’s in our community.  

14. How long will we keep your personal data?

We ensure that personal data is retained only for as long as necessary for the above purposes and to comply with applicable laws. We may be required to retain your personal data for several years (generally six years after our interaction with you ceases) in order to satisfy legal or contractual obligations, or in order to establish, exercise or defend legal claims. When your personal data is no longer necessary for these purposes, where we are no longer lawfully entitled to process it, or where you validly exercise your right to erasure, the personal data will be deleted. 

If you ask us to stop contacting you, we will keep some basic information about you on a ‘suppression list’ in order to comply with your request and ensure we do not send you unwanted communications in the future.

15. Your rights to your personal data

You have rights under data protection law over your personal data. You are entitled, to request:

  • access to (i.e. ask for a copy of) your personal data
  • correction of your personal data if it is incorrect
  • erasure of your personal data
  • that we stop using your personal data if you believe that the information, we hold is wrong, or that we don’t have a valid reason for using it
  • that we stop using your personal data where you object to us using it
  • that we transfer the information you gave us from one organisation to another or give it to you.

These rights are subject to eligibility and to legal exemptions, and we may need to verify your identity before we are able to respond to your request.

 a) Your right to withdraw consent

Where you have given us your consent, please note you have the right to withdraw that consent at any time.

If you wish to exercise any of your individual rights including your right to withdraw consent, by contacting our DPO: or writing to:

Data Protection Officer
The Trinity
Worcester. WR1 2PN

We will generally respond within one month, on receipt of your written request.

Please note that we might refuse to comply with subject access requests which would reveal sensitive information about third parties, such as those who access our services, even if they are a family member or are otherwise known to you.

 b) Your right to lodge a complaint or raise a concern

You also have the right to lodge a complaint with the UK’s Supervising Authority: The Information Commissioner’s Office. Prior to lodging a complaint, STEPWAY would like the opportunity to address any complaint you may have by completing our complaints form.

If you require further information and advice about data protection law or you wish to make a complaint, you can contact the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffee House
Water Lane

Telephone: 0303 123 1113

Contact form:

Please note: STEPWAY is not a ‘public authority’ as defined under the Freedom of Information Act and we will not therefore respond to requests for information made under this Act.

16. Contact us

If you have any questions about this Policy or the way we use your personal data, you should contact the Data Protection Officer James Stanley as follows:

Data Protection Officer
The Trinity,

Policy date: 20th Nov 2021

To be revised: 20th Nov 2022