top of page

Privacy Policy

The Thelma Matilda Alves Foundation is committed to protecting your personal information and being transparent about what we do with it, no matter how you interact with us.

That is whether you work with us, want information, donate or access our services. 


We are committed to using your personal information in accordance with our purpose. We won’t do anything with your information you wouldn’t reasonably expect. We are required to provide you with the information in this Privacy Notice under applicable law which includes (but is not limited to):

The General Data Protection Regulation (EU) 2016/679 (the "GDPR"), and the Data Protection Act 2018

This privacy notice applies to the personal information of those individuals who interact with the Thelma Matilda Alves Foundation. Processing of your personal information is carried out by or on behalf of Thelma Matilda Alves Foundation. 

Under GDPR, one has the right to be erased. Therefore, should you wish to request for any data we may hold with regards to you, please contact Please note that data access requests may take up to 28 days.


In the event that your request may be linked to another individual or be excessive, we have the right to refuse or charge an extra cost of £10.

This notice tells you about how we collect, use and protect your personal information.

How we collect and use your personal information

We may collect, store and use information about you when you interact with us. For example, this could be when you:

  • Get in touch with us via the website or email

  • Support us with a donation 

  • Register your interest in our sessions or other events 

  • Give us feedback

  • Submit an enquiry 

  • Apply for a job or volunteer placement 

When you indirectly give us information

When you interact with us on social media platforms such as Facebook, Twitter or LinkedIn we may also obtain some personal information about you. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to their privacy notices. You should be aware that Thelma Matilda Alves Foundation has no ownership over these websites who may process your data for their own purposes if you choose to use them.

We may obtain information about your visit to our site, for example the pages you visit and how you navigate the site, by using cookies. Please visit our Cookies Policy for information on this.


When you give permission to other parties to share it with us
Your information might be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support Thelma Matilda Alves Foundation, and only with your consent.
You should check their Privacy Policy when you provide your information to understand fully how they will process your information. We may also obtain information about you from a family member or a friend who contacts us on your behalf or if a fundraiser passes on your details to us.

What information we might collect

When you interact with us by mail, in person or online, we may collect information about you (referred to in this Privacy Notice as 'personal information'). This may include:

  • Name 

  • Age 

  • Email address

  • Address

  • Telephone number 

  • Date of birth 

  • Region

  • Job title 

  • Why you are interested in the foundation 

  • Any other information relating to you personally which you may choose to provide to us such as diversity information

Please note that the above list of categories of personal information we may collect is not exhaustive. Any personal information collected will be processed in accordance with the approach outlined in this Privacy Policy.

Data protection law recognises that certain types of personal information are more sensitive. This is known as 'sensitive' or 'special category' personal information and covers information revealing racial or ethnic origin, religion, philosophical beliefs and political opinions, trade union membership, genetics, biometrics (where it is used for ID purposes), information concerning health or data concerning a person's sexual orientation, or sex life.

Sensitive information will only be collected where necessary, for example, we may need to collect health information from you when you register for a challenge event. Clear notices will be provided at the time we collect this information, stating what information is needed, and why.

In addition, we may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief. We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment.

With your explicit consent, we may also collect sensitive personal information if you choose to tell us about your experiences relating to our services for use in a case study.

Lawful Basis of Us Processing your Data 

The GDPR sets out six reasons why we may lawfully process your personal information. When we process your personal information, we will ensure that we comply with one of these six lawful basis. We have set these out below.

Where processing your data is within our legitimate interests
We are allowed to use your personal information where it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you.

We don't think that any of the following activities prejudice individuals in any way. However, you do have the right to object to us at any time about processing your personal information on this basis. We have set out details regarding how you can go about doing this in the section on your rights to your data. Further, when we contact you by e-mail, we will include an option for you to unsubscribe or alter the method with which we interact with you, at the end of the e-mail.

We process on the basis of our legitimate interests for:

  • Profiling and analysis: This will help us communicate with you in a more focused, efficient and cost effective way, helping us reduce the chances of you receiving inappropriate or irrelevant communications

  • Sessions and events: we have a legitimate interest in processing your information and keep data on your interest and attendance of events and sessions held by the charity.

Where you give us your consent to process your personal information

We are allowed to use your data where you have specifically consented. In order for your consent to be valid:

  • You have to give us your consent freely, without us putting you under any type of pressure;

  • You have to know what you are consenting to – so we'll make sure we give you enough information to make an informed consent;

  • You should only be asked to consent to one processing activity at a time – we therefore avoid "bundling" consents together so that you know exactly what you're agreeing to; and

  • You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.

Where we have sought your consent, we will only process for the purposes we specified at the time you provided your data. However, in the future we may wish to process your data for a different purpose as long as the new purpose is one you might reasonably expect and we will notify you of it beforehand, seeking fresh consent if required.

You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found below in the section on your rights to your data.

We seek your consent for:

  • Necessary processing for the fulfilment of your financial interactions with the Thelma Matilda Alves Foundation (when you donate). Your decision to engage with these financial interactions is taken as affirmative action that you consent to our processing your personal information for this purpose, including the sharing of your payment details with our payment suppliers.

  • Direct marketing by email or telephone, we seek your specific consent before contacting you by electronic means for marketing purposes.

We do not think that any of the above activities prejudice you in any way. However, you do have the right to object to us processing your personal information in certain circumstances. If you would like to know more about these circumstances and how to object to our processing activities, please see the "Right to object" section below.

Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under our contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.

An example of a legal obligation that we need to comply with is our obligation to cooperate with tax authorities.

Who do we share your information with?

We will only use your information for the purposes for which it was obtained. We will not, under any circumstances, sell or share your personal information with any third party for their own purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your details to us.

We will only share your data for the following purposes:

  • Third party suppliers: We may need to share your information with data hosting providers or service providers who help us to deliver our services, projects, or fundraising activities and appeals. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses.

  • Where legally required: We will comply with requests where disclosure is required by law, for example, we may disclose your personal information to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. We may also share your information with the emergency services if we reasonably think there is a risk of serious harm or abuse to you or someone else.

  • We always aim to ensure that personal information is only used by those third parties for lawful purposes in accordance with this Privacy Notice.

  • All, or substantially all the assets of an entity within the Thelma Matilda Alves Foundation are merged with or acquired by a third party, or we expand or re-organise our business, in which case your personal information may form part of the transferred or merged assets or we may need to transfer your information to new entities or third parties through which our business will be carried out.

  • Your family and personal representatives;

  • Third parties who hold information related to your financial record such as financial organisations, credit reference agencies and debt collection and tracing agencies;

  • Third party service providers who perform functions on our behalf (including benefits administration, external consultants, business associates and professional advisers such as lawyers, auditors, accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems);

  • Third party outsourced IT providers where we have an appropriate processing agreement (or similar protections) in place; an 

Payment Processors: To process your payments (including donations) to Thelma Matilda Alves Foundation, we need to pass some of your personal information to one or more of the following suppliers. Please follow the links for information on these company’s privacy policies:

How we protect your information

For the purpose of internal data protection, all files containing personal data must be password protected to ensure safety within the organisation. This will especially be the case for sensitive data.


In the unlikely event that any data is accessed by a person with unauthorised permission, all affected individuals will be contacted within 72 hours.


Staff must store all data on a google drive folder. The use of USB sticks or external drives are prohibited.


Staff must ensure to check their surroundings when working with a phone or laptop, to ensure members of the public do not have a clear view.

If you use your credit or debit card to donate to us or make a booking online, we pass your card details securely to our payment processing partners.

We do this in accordance with industry standards and do not store the details on our website.

However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of data (including personal information) disclosed or transmitted over public networks.

If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. 

How long will we keep your information

We will keep your personal information in respect of financial transactions for as long as the law requires us to for tax or accounting purposes (which may be up to seven years after a particular transaction).

In respect of other personal information, we will retain it for no longer than necessary for the purposes for which it was collected, taking into account guidance issued by the Information Commissioner’s Office.

Your rights to your personal information

Data protection legislation gives you the right to request access to personal information about you which is processed by the Thelma Matilda Alves Foundation and to have any inaccuracies corrected.

Email us at: 

You also have the right to ask us to erase your personal information, ask us to restrict our processing of your personal information or to object to our processing of your personal information.

If you wish to exercise these rights, please refer to the above contact details to find out more.

How to access, amend or take back your personal information

One of the GDPR's main objectives is to protect the rights of individuals with regards to data privacy. Where we hold your personal information, you have various rights in relation to it, which are set out below.


To get in touch about these rights please contact us.

We aim to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which may be raised.

The GDPR gives you the following rights in relation to your personal information:


Right to object: this right enables you to object to us processing personal information you give us where we do so for one of the following reasons:

  • because it is in our legitimate interests to do so;

  • to enable us to perform a task in the public interest or exercise official authority;

  • to send you direct marketing materials; or

  • for scientific, historical, research, or statistical purposes.


The "legitimate interests" category above is the one most likely to apply, and if your objection relates to us processing your personal information because we deem it necessary for our legitimate interests, we must act on your objection by ceasing the activity in question unless:


We can show that we have compelling legitimate grounds for processing which overrides your interests; or we are processing your data for the establishment, exercise or defence of a legal claim.

Right to withdraw consent: Where we have obtained your consent to process your personal information for certain activities, you may withdraw all or part of your consent at any time and we will cease to carry out that particular activity unless we consider that there is an alternative lawful basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.


Data Subject Access Requests (DSAR): You may ask us to confirm what personal information of yours we hold about you at any time, and request us to modify, update or delete such information. We may ask you for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is "manifestly unfounded or excessive". If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.


Right to erasure: You have the right to request that we "erase" your personal information in certain circumstances. Normally, the information must meet one of the following criteria:

  • The data are no longer necessary for the purpose for which we originally collected and/or processed them;

  • Where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;

  • The data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);

  • It is necessary for the data to be erased in order for us to comply with our obligations as a data controller under EU or Member State law; or

  • If we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.


We would only be entitled to refuse to comply with your request for one of the following reasons:

  • To exercise the right of freedom of expression and information;

  • To comply with legal obligations or for the performance of a public interest task or exercise of official authority;

  • For public health reasons in the public interest;

  • For archival, research or statistical purposes; or

  • To exercise or defend a legal claim.


When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.


Right to restrict processing: You have the right to request that we restrict our processing of your personal information in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.


The circumstances in which you are entitled to request that we restrict the processing of your personal information are:

  • Where you dispute the accuracy of the personal information that we are processing about you. In this case, our processing of your personal information will be restricted for the period during which the accuracy of the data is verified;

  • Where you object to our processing of your personal information for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal information;

  • Where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and

  • Where we have no further need to process your personal information but you require the data to establish, exercise, or defend legal claims.


If we have shared your personal information with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal information.

Right to rectification: You also have the right to request that we rectify any inaccurate or incomplete personal information that we hold about you, including by means of providing a supplementary statement. If we have shared this personal information with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal information to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Right of data portability: If you wish, you have the right to transfer your personal information between data controllers. In effect, this means that you are able to transfer the details we hold on you to a third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data to a third party. Alternatively, we may directly transfer the data for you. This right of data portability applies to: (i) personal information that we process automatically (i.e. without any human intervention); (ii) personal information provided by you; and (iii) personal information that we process based on your consent or in order to fulfil a contract.

Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with your local supervisory authority which is the Information Commissioner's Office in the UK. You can contact them in the following ways:

  • Phone: 0303 123 1113

  • Email: via Live chat

  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
    If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal information (where consent is our legal basis for processing your personal information), please contact us using our details. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

How to make a complaint or raise a concern

If you would like more information, or have any questions about this privacy notice, to make a formal complaint about our approach to data protection or raise privacy concerns please email us:

If you are not happy with the response you receive after making a complaint, then you can raise your concern with the relevant statutory body:
Information Commissioner’s Office:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Alternatively you can visit their website.

Changes to our privacy notice 

Our Privacy Notice may change from time to time, so please check this page occasionally to see if we have included any updates or changes, and that you are happy with them.

Last amendment made on 21st October 2020

bottom of page