NeXT STePS TOGeTHeR

Privacy Policy

Privacy Policy: How we use your data

Last updated: 19 May 2025

Next Steps Together (NeST) is committed to protecting your privacy and handling your information in a transparent, secure, and lawful manner. This Privacy Policy explains how we collect, use, store, and share your personal data when you engage with our organisation — whether in person, online, or by telephone.

We adhere to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance from the Information Commissioner’s Office (ICO). NeST is a registered Community Interest Company (CIC) based in Devon. Our main site is Tumbly Hill Health & Wellbeing Hub in Kingsbridge, Devon, TQ7 1HN.

If you have any questions about this policy, please contact us at:

Data Protection Lead
Email: hello@nextstepstogether.org
Telephone: 01548 853033

  1. What Information We Collect

We may collect and process the following categories of personal data:

  • Contact information – Name, address, telephone number, email
  • Demographic information – Age, gender, ethnicity, access needs
  • Health and wellbeing information – Where relevant for safety and service delivery (e.g. mobility needs, cognitive or sensory impairments, allergies)
  • Safeguarding information – Records of concerns or disclosures (where applicable)
  • Referral information – Provided by professionals or family members with appropriate consent
  • Volunteer or staff information – Including DBS status, training, supervision records
  • Communication data – Your preferences for contact, feedback you provide, records of correspondence
  • Website usage information – IP address, browser type, cookie preferences

  2. How We Use Your Information

We use your personal data to:

  • Deliver our services safely and appropriately
  • Assess and meet your needs, including adapting sessions or providing support
  • Contact you about session changes or wellbeing updates
  • Monitor and evaluate the effectiveness and impact of our services
  • Record attendance and maintain safeguarding responsibilities
  • Process referrals, applications, feedback, and expressions of interest
  • Comply with our legal obligations (e.g. safeguarding, grant reporting, insurance, DBS)
  • Promote the work of NeST, if you have given consent for your story, photo, or quote to be used

We will not use your data for automated decision-making or profiling.

  3. Lawful Bases for Processing

Under the UK GDPR, we must identify a lawful basis for each type of processing. These include:

  • Consent – Where you’ve given clear permission (e.g. for marketing or sharing stories)
  • Contract – To provide a service you’ve requested (e.g. counselling or meeting centre sessions)
  • Legal obligation – For example, safeguarding, DBS checks, health and safety
  • Vital interests – To protect someone’s life in an emergency
  • Legitimate interests – Where the use of data is necessary for our work and your rights do not override this

We always strive to collect the minimum data needed to deliver our work effectively.

  4. How We Store Your Data

We store your data securely using a combination of cloud-based systems and encrypted documents. These include:

  • Charitylog – Our client management system, used to record referrals, session attendance, outcomes and support provided
  • Microsoft OneDrive / SharePoint – For secure storage of HR, finance and safeguarding records
  • Xero – For financial processing, invoicing, and reporting
  • Hallmaster – For booking community spaces and activity rooms
  • NVivo – For evaluating anonymised qualitative feedback data

Data is only accessible to relevant authorised staff or volunteers. We review our security protocols regularly and restrict access by role.

  5. How Long We Keep Your Data

We keep records only for as long as necessary. Examples include:

  • General contact data: 2 years after last contact
  • Client support records: 7 years (in line with safeguarding and insurance guidance)
  • Volunteer and HR records: 6 years after departure
  • Financial records: 6 years (HMRC requirement)
  • Safeguarding records: in accordance with statutory requirements

Where possible, data is anonymised for evaluation purposes once no longer in active use.

  6. Sharing Your Data

We never sell or rent your personal data. We may share your information with:

  • Health or care professionals where this is necessary for your wellbeing or safeguarding
  • Funders, but only in anonymised or aggregated format (unless you have given specific consent)
  • Regulatory bodies, e.g. the Care Quality Commission or the Information Commissioner’s Office, if required by law
  • Emergency services or safeguarding authorities where vital interests are at risk

We will always explain who we are sharing your data with unless there is a lawful reason not to (e.g. safeguarding protocols).

  7. Cookies and Website Use

Our website uses limited cookies to support functionality and gather basic usage data. You can control your cookie settings through your browser. We do not use cookies to track individual behaviour or serve personalised adverts.

Our website may contain links to external sites. We are not responsible for the content or privacy policies of those sites.

  8. Your Rights

You have the following rights under UK GDPR:

  • Right to access – Ask for a copy of the information we hold about you
  • Right to rectification – Ask us to correct inaccurate or incomplete information
  • Right to erasure – Ask us to delete your data in some circumstances
  • Right to restrict processing – Ask us to limit the use of your data
  • Right to object – To processing where we rely on legitimate interests
  • Right to data portability – Request to transfer your data to another provider (where applicable)

To exercise any of these rights, please contact us using the details provided above. We aim to respond to all requests within one calendar month.

  9. Changes to This Policy

We may update this policy from time to time in response to legal, operational, or service changes. The latest version will always be available on our website.

  10. How to Complain

If you have any concerns about how we handle your data, please contact us first. If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk
Telephone: 0303 123 1113