Privacy Policy

Future Dreams — Privacy Notice for Visitors

Version: October 2025 (updated to reflect the Data (Use and Access) Act 2025)

The survey is being hosted by an external provider to ensure your responses remain confidential. The data will only be used for the purposes of evaluating and improving Future Dreams services. Some questions may relate to your health and experiences of breast cancer. All data will be handled in accordance with GDPR and our privacy policy.

• We aim to keep responses anonymous and do not collect names or contact details.Please avoid including information that could identify you in free-text answers.
• Lawful basis: Legitimate Interests (service evaluation). Where your answers include health information, we rely on your explicit consent.
• Responses are processed by Omnisis Ltd acting as our data processor.
• We keep raw responses for up to 12 months, then delete them. Aggregated, non-identifiable results may be kept longer.
• Taking part is voluntary and won’t affect your access to our support.
• If you have any questions, please contact dpo@futuredreams.org.uk.

Legal Framework

This privacy notice complies with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Data (Use and Access) Act 2025
• Privacy and Electronic Communications Regulations (PECR) 2003
• Recognised Legitimate Interests (introduced by the Data (Use and Access) Act 2025) for specified purposes such as safeguarding, emergency response, security and crime prevention, where a separate balancing test is not required.

Future Dreams is committed to maintaining the accuracy, confidentiality and security of your personal information.

1) Who we are (Controller)

Future Dreams (“FD”, “we”, “us”) is the data controller for personal information we process about our service users (“Visitors”).

Registered office (for legal notices): 73 Cornhill, London, EC3V 3QQ

Operational address: Future Dreams House, 61 Birkenhead Street, London WC1H 8BB

Registered Charity number: 1123526

Contact for privacy matters (Data Protection Officer): dpo@futuredreams.org.uk

Please use this inbox as the single, authoritative route for privacy requests to avoid delay. You may also write to us at either postal address above (mark the envelope “FAO: Data Protection Officer”).

2) Scope

This notice explains how we collect, use, share, and keep personal information relating to your use of Future Dreams House (FDH) and our services (in‑person and online). Separate notices may apply for donors, website visitors, staff and volunteers.

3) What we collect

We collect the minimum information needed to provide our services and ensure safety and quality. Depending on the service, this may include:

• Identification and contact details (name, date of birth, address, email, phone)
• Emergency/next of kin details
• Health information relevant to your care (diagnosis)
• Therapy and support session records and clinical notes
• Accessibility
• Risk assessments and incident records (where relevant)
• Equality, diversity and inclusion information (e.g., ethnicity, religion) — always optional
• Booking, attendance and outcome data
• Payment information where paid services apply (processed through our payment providers; we do not store full card details)
• CCTV footage captured at Future Dreams House (see Section 10)

We collect information directly from you, or other providers involved in your care, with your permission where required. In the case of safeguarding concerns, we may need to share information with your GP, emergency services, or wider agencies (such as local authority safeguarding teams or specialist services) to protect you or others from harm. We may also create information we generate as part of providing services (e.g., session notes).

We avoid collecting more personal information than we need, and wherever possible we analyse feedback and outcomes in anonymised or aggregated form.

4) Why we use your information (purposes and lawful bases)

We must have a lawful basis under UK GDPR for each purpose and, where health information is involved, an additional condition for special category data. The table below summarises the main purposes and bases we rely on. We will only use the minimum data necessary for each purpose.

In some cases, defined by the Data (Use and Access) Act 2025, we may rely on Recognised Legitimate Interests as a lawful basis (for example, safeguarding vulnerable individuals, emergency response, security and crime prevention). Where this basis applies, a separate Legitimate Interests Assessment (LIA) is not required. For all other uses of legitimate interests, we complete an LIA to ensure our interests do not override your rights and freedoms. Where required, we also complete Data Protection Impact Assessments (DPIAs) and maintain records of decisions and safeguards.

Note on safeguarding: Where we have a legal obligation to share information for safeguarding purposes, this overrides the usual requirement for your consent. We will always aim to discuss this with you where it is safe and appropriate to do so, but our primary duty is to protect you or others from serious harm.

* Where we process data for safeguarding, crime prevention or emergency response, we may rely on “recognised legitimate interests” under the Data (Use and Access) Act 2025, which provides a specific lawful basis for these vital functions.

We will tell you if a data element is required and what happens if you choose not to provide it.

5) Who we share information with

We share personal information only when necessary and with appropriate safeguards:

• Professionals involved in your care (e.g., your GP/clinical team) with your knowledge or where otherwise permitted by law.
• Our contracted providers (secure booking, CRM, email and IT support, cloud hosting, payments), under written data‑processing agreements.
• Regulators and authorities (e.g., Care Quality Commission, NHS bodies) where required.
• Police or emergency services where necessary to protect life or prevent crime.
• Our legal/accountancy advisers where necessary.

We do not sell personal data.

6) International transfers

Some suppliers may process data outside the UK/EEA (e.g., in the US). Where this occurs, we ensure appropriate safeguards are in place. Following the Data (Use and Access) Act 2025, we will only transfer data to countries where protections are not materially lower than UK standards. We use lawful transfer mechanisms such as:

• Adequacy regulations (including the UK-US Data Bridge for certified US organisations).
• UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with the UK Addendum.
• Binding Corporate Rules (BCRs) approved for the UK (controller or processor).
• Additional technical and organisational safeguards where appropriate (e.g., encryption, pseudonymisation, access controls, split processing).
• Limited Article 49 derogations where strictly applicable (e.g., explicit consent, important reasons of public interest).

7) Your choices for marketing and surveys

• We will only send you electronic marketing if you have opted in or if the ‘soft opt‑in’ applies (you used our services and did not opt out at the time). You can opt out at any time by contacting us.
• Invitations to surveys are optional; you can opt out at any time. We prefer to analyse results in aggregate or anonymised form.
• We will review and update our approach if/when the ICO finalises guidance on any charitable-purpose soft opt-in and will reflect those changes here.

8) Automated decision‑making

We do not currently make decisions about you based solely on automated processing that have legal or similarly significant effects. If we introduce any such automated decision-making in the future, we will:

• Inform you about the decision and how it was made
• Give you the right to make representations and challenge the decision
• Provide meaningful human intervention in the decision-making process
• Comply with the safeguards required under the Data (Use and Access) Act 2025

We will comply with DUAA safeguards by providing meaningful information about any such automated logic, enabling human review, and allowing you to challenge the decision.

9) How long we keep information (retention)

We keep personal information only for as long as necessary for the purposes above and to comply with legal, regulatory and insurance requirements. Typical retention periods are:

• Therapy/support records: 7 years from last contact as a minimum (or longer if required by law, insurance, or professional body guidance). Where the record relates to safeguarding or serious incidents, or where there are ongoing legal proceedings or potential claims, we may retain for longer in line with legal obligations and limitation periods.
• Booking and financial records: 7 years from the end of the financial year they relate to.
• CCTV footage: normally retained for 30 days and then overwritten unless required longer for an incident, investigation or legal proceedings.
• Surveys and service-evaluation data: raw responses normally retained for 12 months; aggregated, non-identifiable statistics may be kept longer.
• Marketing preferences: until you opt out or your email bounces permanently.

If we anonymise data so it can no longer identify you, we may keep it for research and statistics.

10) CCTV at Future Dreams House

CCTV operates in certain areas of the building for security, safety and crime prevention. Signage is in place. Footage is reviewed only by authorised staff/contractors and disclosed to law‑enforcement or insurers where necessary. See retention in Section 9.

11) Security

We use appropriate technical and organisational measures to keep information secure (access controls, encryption in transit and at rest where supported, staff training, role‑based access, secure disposal). We limit access to those who need it and require our suppliers to do the same under contract.

12) Your rights

You have rights over your personal information, including to:

• Access a copy of your data – we will make reasonable and proportionate searches to locate your information
• Ask us to correct inaccurate or incomplete data
• Ask us to delete data in certain circumstances
• Ask us to restrict processing in certain circumstances
• Object to processing based on our legitimate interests and an absolute right to object to direct marketing
• Ask for portability of data you provided to us where the processing is based on consent or contract and carried out by automated means
• Withdraw consent at any time where we rely on consent (this won’t affect processing done before withdrawal);
• Complain to the UK Information Commissioner (see Section 14).

We normally respond within one month and do not charge a fee unless a request is unfounded, excessive or repetitive. If we need additional information from you to locate your data or verify your identity, we may pause the response deadline until we receive this information (the “stop the clock” rule). If requests are complex, we may extend by up to two further months and will tell you why.

How to submit a request: Email our DPO at dpo@futuredreams.org.uk (preferred), or write to either postal address in Section 1 marked “FAO: Data Protection Officer.”

13) How to exercise your rights or update your details

Please contact our DPO at dpo@futuredreams.org.uk — this is our single authoritative inbox for privacy matters. You can also write to us at either address in Section 1 and mark your envelope “FAO: Data Protection Officer.” We may ask for information to verify your identity. For clinical records, your therapist may be consulted to ensure disclosures protect your privacy and third parties.

14) Complaints and concerns

If you have concerns about how we handle your personal information, you can raise them with us at any time.

Internal complaints process:

To make a formal data protection complaint, please complete our Data Protection Complaints Form available online at [INSERT LINK], or contact our DPO:

• Email: dpo@futuredreams.org.uk (preferred)
• Post: Data Protection Officer, Future Dreams, Future Dreams House, 61 Birkenhead Street, London WC1H 8BB
  or Data Protection Officer, Future Dreams, 73 Cornhill, London EC3V 3QQ

We will:

• Acknowledge your complaint within 30 calendar days from the date we receive it
• Investigate your concern thoroughly
• Inform you of the outcome and any actions taken
• Maintain records of all complaints and how they were resolved

External complaints:

You have the right to complain directly to the UK Information Commissioner’s Office (ICO) at any time. You do not need to wait for our response or exhaust our internal process first:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We welcome the opportunity to resolve concerns directly, but the choice is yours.

15) Changes to this notice

We may update this notice to reflect changes in our services or the law. We will post updates on our website and, where appropriate, notify you directly. The latest version will always be available online.

Appendix — Data we collect by channel (examples)

• In‑person at FDH: registration form, consent forms
• Telephone/video: booking notes, advice given, follow‑up actions
• Online forms/CRM: bookings, preferences, feedback, surveys
• Email/newsletters: subscription preferences, delivery and engagement (open/click) metrics
• CCTV: footage captured in designated areas of Future Dreams House for security and safety purposes