Addenbrooke's Charitable Trust Logo
Close
Menu

 Privacy Statement

Your privacy matters to us, and we are committed to protecting your personal information, and only using it legally and responsibly.

This privacy policy covers details of what information we collect from you (whether online, at the hospital, at an event, by phone, by email or through interaction with a third party); what we do with it, and whom it might be shared with.

If you have any questions about our privacy policy and the way we process personal data, or if you would like to change the way we communicate with you, then please contact us at hello@act4addenbrookes.org.uk, by phone on 01223 217757, or by writing to us Addenbrooke’s Charitable Trust, Box 126, Addenbrooke’s Hospital, Hills Road, Cambridge, CB2 0QQ

You may also like to see our accompanying fundraising promise.

Privacy Summary:

  • Your privacy is important to us. We collect and use your personal information responsibly and legally.
  • We do not sell your data and only share it when necessary, with safeguards.
  • You have rights over your data, including access, correction, and deletion.
  • This statement explains what we collect, why, how we use it, your rights, and how to contact us.
  • This statement does not apply to third-party websites you may access through our website.  You should check the privacy statements on any external websites that you visit.

Privacy Menu

  1. Who We Are
  2. What Information We Collect
  3. How We Use Your Information & Lawful Bases
  4. Automated Decision-Making & Profiling
  5. How We Keep Your Information Secure
  6. Keeping Your Information Up to Date
  7. How Long We Keep Your Information
  8. Who We Share Your Information With
  9. International Data Transfers
  10. Your Rights
  11. How to Exercise Your Rights
  12. Cookies & Analytics
  13. Data Breaches & Incident Reporting
  14. Staff Training & Data Minimisation
  15. Changes to This Policy
  16. Contact Us
  17. Special Information for Different Groups

1. Who We Are

Addenbroke’s Charitable Trust (ACT) is the registered charity supporting innovation in patient care at Addenbrooke’s and the Rosie hospitals (Cambridge University Hospitals NHS Foundation Trust).

  • Registered Charity Number: 1170103
  • Company Number: 10469089
  • ICO Registration: ZA232762
  • Contact:
    • Phone: 01223 217757
    • Post: Data Protection Lead, Box 126, Addenbrooke’s Hospital, Hills Road, Cambridge, CB2 0QQ

[go to top of page]

2. What Information We Collect

Depending on your relationship with us, we may collect, store and use the following kinds of personal information:

  • Your name, title, gender, date of birth
  • Your contact details (including email address, telephone number, postal address and/or your social media identity)
  • Your bank account or credit card details (for donations or reimbursements)
  • Your donation history and information about whether you are a taxpayer to enable us to claim Gift Aid
  • Event registrations and records of attendance
  • Images from events (with notice)
  • Information about your interests and preferences
  • Your correspondence with us (e.g. queries, compliments or complaints)
  • Emergency contact details (for our volunteers)
  • Information about your activity when using our website and about the device you use, for instance your IP address and geographical location (see our Cookie Notice)
  • Publicly available information (e.g. from Companies House, 192.com, news articles)
  • Special category data with your consent (e.g. information about your health or access needs if you are attending or taking part in an event), or where the information is manifestly public (e.g. you have published your political opinions or affiliations)
  • Any other personal information you provide to us

[go to top of page]

3. How We Use Your Information & Lawful Bases

Under UK data protection laws, we must have a clear legal reason for every way we use your personal information.  We process your personal information on one of the following bases:

  • Consent

Consent is where we ask you if we can use your information in a certain way and you specifically agree to this (e.g. when we keep you up to date on our fundraising activities) – you have the right to withdraw consent for any future useof your information for this purpose at any time.

  • Legal Obligation

We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations (e.g. we may need to share your information with our various regulators such as the Charity Commission or Fundraising Regulator).

  • Performance of a contract or preparation for entry into a contract

We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract.

  • Legitimate interests

Legitimate interests provide a basis for us to use your personal information when we have a genuine, reasonable and legitimate reason to do so, provided this does not harm your rights, interests, or freedoms. This basis allows us to use personal information to support the essential day-to-day operations of our charity and help us fulfill our objectives.Some typical examples of when we do this might include:

  • fundraising activities
    • improvements and enhancements to our services
    • monitoring usage of our website
    • maintaining the security of our systems
    • analysis and profiling of our supporters or potential supporters

In every case, the use of personal information is carefully considered to ensure it aligns with our legitimate interests while respecting your rights and freedoms.

  • Vital Interests

We have a basis to use your personal information where it is necessary for us to protect life or health (e.g. if there were to be an emergency impacting individuals at one of our fundraising events)

We use your information only when we have a legal reason to do so. Below, we explain how we use your data and which lawful basis applies:

ActivityLawful Basis
Processing donations and Gift Aid declarationsLegal obligation Contract
Keeping you updated about our work, events, and fundraisingConsent Legitimate interests
Managing your preferences and communication choicesConsent Legitimate interests
Administering events, volunteering opportunities and grant applicationsContract Legitimate interests
Meeting legal and regulatory requirementsLegal obligation
Improving our services and fundraising through analysis and researchLegitimate interests

If you would like more details about the lawful basis for a specific activity, please contact us. When we use special category personal data, we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another lawful route for using this type of information (e.g. if you have made the information manifestly public, we need to process it for employment purposes, or to protect your vital interests).

[go to top of page]

4. Automated Decision-Making & Profiling

We are dedicated to making Addenbrooke’s and The Rosie even better – this is only possible thanks to the generosity of our supporters, so it is vital that our fundraising efforts are as effective as possible. By developing a better understanding of our supporters, we can tailor and target our fundraising communications and events to the people most likely to be interested in them.  This allows us to be more efficient and cost effective and also reduces the risk of an individual receiving information that they might find irrelevant, intrusive or upsetting.

We do not use automated decision-making that could have legal or similarly important consequences. We may use basic profiling (e.g. segmenting supporters for tailored communications), information from publicly available sources, and occasionally third parties (e.g. Experian and Factary), to identify individuals on our database who might have the capacity and propensity to make significant contributions – you can object to this at any time.

[go to top of page]

5. How We Keep Your Information Secure

  • We use strict security procedures to prevent unauthorised access, misuse, loss, or damage
  • Transfers outside the UK are only made where permitted by UK Adequacy Regulations, with appropriate safeguards (e.g. standard contractual clauses), or with your explicit consent
  • All staff and data processors are legally obliged to respect confidentiality
  • We also adhere to data minimisation; not recording or processing any data that isn’t strictly necessary

[go to top of page]

6. Keeping Your Information Up to Date

We may use trusted external sources (e.g. Post Office change of address database) to update your contact details. We do this so we can continue to contact you (where you have given consent), make you aware of any changes to our terms, save money by not sending post to incorrect addresses, or assist you if you are having problems with donations. It also helps to prevent us having duplicate records and out-of-date preferences, so we don’t get in touch if you’ve asked us not to.

You can opt out of this activity at any time, or update your details, by contacting us.

[go to top of page]

7. How Long We Keep Your Information

We keep your information only as long as necessary for the purposes described in this statement, to meet legal requirements, and for record-keeping. We take into account various criteria when determining the appropriate retention period for personal data including:

  • the purposes for which we process your personal data and how long we need to keep the data to achieve these purposes
  • how long personal data is likely to remain accurate and up to date
  • for how long the personal data might be relevant to possible future legal claims
  • any applicable legal, accounting, reporting or regulatory requirements which specify how long certain records must be kept

 For more details, please see our full retention schedule (available on request).

[go to top of page]

8. Who We Share Our Information With

We do not sell your information. We may share your information with:

  • Service providers (e.g. email, payment, mailing services or our grant management system provider) under strict contracts
  • Cambridge University Hospitals (if your support relates to your care, and only with your consent)
  • Fundraising and campaign partners (e.g. University of Cambridge, or Head-to-Toe Charity for specific projects, with clear agreements and only necessary details)

Regulatory bodies (if required by law)

[go to top of page]

9. International Data Transfers

If we transfer your personal data outside the UK, we will ensure it is protected by:

  • Sending it only to countries with adequate data protection laws
  • Using contracts approved by the UK or EU
  • Obtaining your explicit consent where required
  • Transferring data only by secure means

A list of relevant countries/providers is available on request.

[go to top of page]

10. Your Rights

You have the right to:

  • Know if we hold your personal information
  • Access your information
  • Correct inaccurate or incomplete information
  • Ask us to delete your information (in certain circumstances – if we are unable to delete your information, we will explain why this is the case)
  • Restrict or object to how we use your information, including profiling
  • Withdraw your consent at any time (where applicable)
  • Opt out of marketing communications
  • Complain to the Information Commissioner’s Office (ICO)

Some rights may not apply in all situations – we will explain if this is the case. For more details, see the ICO guidance.

[go to top of page]

11. How to Exercise Your Rights

You have the right to ask us if we hold any personal information about you, and you can also request a copy of that data – this is known as making a Subject Access Request.

  • To make a request, please contact us with proof of identity (e.g. passport, driving licence, or birth certificate) and specify the information you are seeking
  • We will aim to acknowledge receipt of your request within 3 working days.  We will fulfil your request within one calendar month but if we require longer than this, we will inform you as soon as possible
  • If you are not satisfied with our response, you can contact the ICO

[go to top of page]

12. Cookies & Analytics

We use cookies and analytics to improve our website and communications. For details, see our Cookie Notice.

You can manage your cookie preferences through your browser.

[go to top of page]

13. Data Breaches & Incident Reporting

We have procedures in place to detect, report, and investigate personal data breaches. If a breach occurs that affects your data, we will notify you and the ICO as required by law.

[go to top of page]

14. Staff Training & Data Minimisation

All staff and volunteers receive regular data protection training. We only collect data that is necessary for our purposes and review our processes regularly.

[go to top of page]

15. Changes to This Statement

We may update this policy from time to time. If we make any significant changes in the way we treat your personal information we make this clear on our website or by contacting you directly. The latest version of our privacy statement will always be available online.

[go to top of page]

16. Contact Us

If you have any questions or concerns about this privacy statement or how we use your information, please contact:

  • Email: hello@act4addenbrookes.org.uk (add ‘Data Protection Enquiry’ to the subject line)
  • Phone: 01223 217757
  • Post: Data Protection Lead, Addenbrooke’s Charitable Trust, Box 126, Addenbrooke’s Hospital, Hills Road, Cambridge, CB2 0QQ

[go to top of page]

17. Special Information for Different Groups

How we handle your personal information may vary based on your relationship with us. For more details, refer to the appropriate section below; however, our general privacy statement still applies to you, and your rights will not change.

a. Donors, Fundraisers, Friends, 1766 Club Members, Lottery Players

  • What we collect: Name, contact details, donation history, payment info, interests, event participation, correspondence, images, and sometimes special category data (with consent or if manifestly made public)
  • Why: Fundraising, processing donations, communications, legal compliance, due diligence, analysis, event management
  • Sharing: Service providers (e.g. MailChimp, GoCardless), Cambridge University Hospitals (if linked to your care), fundraising partners (with agreements), independent research agencies (e.g. Factary) to carry out due diligence on individuals who intend to make substantial donations, in line with our Fundraising policy

b. Supporters of Capital Campaigns (Children’s Hospital, Cancer Research Hospital)

(by ‘supporters’ we mean supporters, potential supporters, Ambassadors and campaign board members)

  • What we collect: Personal details, donation/payment records, event participation, images, special category data (with consent or if manifestly made public)
  • Why: Fundraising, event management, legal compliance, due diligence, supporter engagement
  • Sharing: Service providers, campaign partners (e.g. Cambridge University Hospitals, University of Cambridge), independent research agencies (e.g. Factary) to carry out due diligence on individuals who intend to make substantial donations, in line with our Fundraising policy

c. E-news Subscribers

  • What we collect: Name, email, country of residence, email and website usage, third-party info (e.g. social media)
  • Why: Email updates, tailoring communications, improving experience
  • Sharing: Service providers (e.g. MailChimp)

d. Website Visitors

  • What we collect: Website visit data (IP, browser, pages viewed), cookies, analytics
  • Why: Improve website, understand usage
  • Sharing: Analytics providers (e.g. Google Analytics) – there is no personal identification

e. ACT Volunteers

  • What we collect: Personal details, emergency contact, bank details, volunteering interests, images, ID/references, limited sensitive special category data
  • Why: Role matching, safeguarding, communication, legal compliance
  • Sharing: Cambridge University Hospitals (safeguarding), ACT staff, sensitive data is shared only when necessary

f. Children and Young People

  • What we collect: We do not actively collect personal information from children or young people under 18. Data is collected only if they fundraise or donate, with parental consent required for those under 13. Photo consent is needed – by a parent/guardian if under 13, by the young person if 13 or older
  • Why: Fundraising activities, legal compliance
  • Sharing: Only with proper consent, no marketing to under 18s

g. Grant Applicants (CUH Staff, University of Cambridge staff, other external organisations)

  • What we collect: Personal details, correspondence, images, grant application info, website usage
  • Why: Process/evaluate/administer/monitor applications, communicate outcomes, comply with legal/audit requirements
  • Sharing: Reporting/audits (as required by law), internally (for monitoring), service providers (e.g. SmartSimple)

[go to top of page]

Updated on 12 February 2026