Privacy Policy

Last updated: 14/04/2024

At The Happy Mums Foundation, we believe that privacy is a foundation of trust. When you share your story, your contact details, or your time with us, we promise to look after that information with the same care we provide in our support groups.

This policy explains what information we collect, why we need it, and, most importantly, how we keep it safe.

1. Information We Collect

Depending on how you interact with us, we may collect:

• Contact Details: Your name, email, and phone number so we can stay in touch.

• Support Data: Information about your wellbeing (such as the Warwick Edinburgh Wellbeing scale) to help us provide the right support and measure our impact.

• Safeguarding Information: If we are concerned about your safety or the safety of a child, we record these details as part of our duty of care.

• Volunteer & Training Data: Your training progress, quiz results, and group attendance.

• Financial Data: Our payment processor (Stripe) handles your card details for donations or training. We never see or store your card number.

• Digital Data: Information about how you use our website (via the google analytics, tag manager and Facebook Pixel).

2. How We Communicate With You

We use various tools to make sure we are accessible while keeping everyone’s data secure:

• Facebook Messenger: We only communicate via the official Happy Mums Foundation business account. Our staff and volunteers never use their personal Facebook accounts to contact you about Foundation work.

• WhatsApp: We use a Business WhatsApp Channel. This allows us to send updates and information to members safely without sharing your personal phone number with other members of the group.

• Professional Telephony: When we call you, we use an app called FlowUC. This means our team calls from our office number, even if they are working flexibly, ensuring their personal numbers and your contact logs stay private.

• Newsletters: We use Mailchimp for bulk updates. You can “unsubscribe” at any time with one click.

3. Our “System Family” (Where Your Data Lives)

We use a carefully chosen “family” of secure systems. We use Two-Factor Authentication (2FA) on all these systems—which is like having a second, secret lock on the door that only we have the key to.

• Beacon CRM: Our main “digital filing cabinet” for contact details and support history.

• Volunteero: Used to coordinate our volunteers. To protect you, safeguarding notes here use initials only, keeping your identity separate from the sensitive details of the report.

• Microsoft 365: Our internal emails and documents, secured by our IT partners, Castle Computers.

• Stripe & QuickBooks: These handle our payments and accounting with world-class security.

• Our Website: Stores training progress and utilizes the Facebook Pixel. This “pixel” helps us understand how people use our site and ensures our Facebook adverts reach the people who might need our support most.

.

4. Privacy by Design: Our “Silo” Approach

We take an extra step to protect your most sensitive information. By keeping your name in Beacon and any safeguarding notes in Volunteero (using only your initials), we ensure that even if one system were ever compromised, your full identity and your private wellbeing notes stay disconnected.

5. DBS Data & Recruitment

We handle criminal record checks with the highest confidentiality. We physically inspect certificates, log the check, and return the certificate to you. We only keep a record of that inspection for one year after you stop working or volunteering with us.

6. Sharing Your Data

We will never sell your data. We only share it when:

• You give us explicit permission.

• We are legally required to (for example, in a safeguarding emergency).

• We share “anonymised” impact data (like average mood scores) with funders. This never includes your name or identifying details.

7. Your Rights

You are in charge of your data. You have the right to:

• Ask for a copy of the information we hold about you.

• Ask us to correct anything that is wrong.

• Ask us to delete your information (unless we have a legal duty to keep it).

8. Contact Us

If you have any questions or would like to exercise your rights, please contact our Data Protection Officer, Katie Bruce, at info@happymums.org.uk.

We review this policy every year to make sure we are always using the best and safest ways to look after you.

The Happy Mums Foundation Record of Processing Activities

Volunteers

What do we collect:
Name, address, phone numbers, personal email address, volunteer role title, DBS Certificate number, bank details, date of birth, driving licence number, passport number, medical conditions, declarations of interests, training records and certificates. Next of Kin name and phone number (for emergecy use only)

How do we collect it:
Application form, Volunteer Details Form, DBS supporting evidence , Medical Info form, letters
ALL ELECTRONIC unless specified otherwise

Storage:
Manual: If initially collected on paper, this is transferred to electronic format within a maximum of 2 weeks and paper version securely destroyed.
Electronic: Microsoft 365 – Password protected system. DBS information restricted to need-to-know users.

Why do we need this data:
To provide volunteer role
To pay expenses
To ensure safety of service users

Source of Data:
Volunteer, Line Manager

Permission / Legal Basis for storing and using data:
Contract – Volunteer Agreement

Who is this data shared with:
In response to requests for references
To/ from DBS check provider
To/ from HMRC as required by law
To healthcare providers in health emergency (with consent where possible)
To/ from accountant

Is any of this data shared oversees:
No

Security Arrangements:
Password protected systems with 2-step -verifcation where possible

Any Further Processing: 
Anonymised statistical analysis for reporting to funders; CIC Regulator and HMRC

Retention and Disposal:
Application and recruitment data for unsuccessful candidates held for 6 months from interview date
Volunteer details and training records up to 6 years after volunteering ends
Bank details & DBS info no longer than necessary
Expenses payments 6 years from financial year end

Third Parties: Next of Kin, Emergency Contacts and Children of Service Users

What do we collect:
Name, address, phone number, email address, job title, organisation

How do we collect it:
Application forms, Registration Forms, Group Register, Group Debrief Form, Emails, Telephone calls. 
ALL ELECTRONIC unless specified otherwise

Storage:
Manual: If initially collected on paper, this is transfered to electronic format within a maximum of 2 weeks and paper version securely destroyed.
Electronic: Microsoft 365 – Password protected system.

Why do we need this data:
To comply with Recruitment Policy
To keep employees, volunteers and beneficiaries safe
To report safeguarding concerns

Source of Data:
Service User, Volunteer, Employee

Permission / Legal Basis for storing and using data:
Legitimate Interest

Who is this data shared with:
Police / Safeguarding Hub (with consent where possible)
To healthcare providers in health emergency (with consent where possible)

Is any of this data shared oversees:
No

Security Arrangements:
Password protected systems with 2-step -verifcation where possible

Any Further Processing: 
Anonymised statistical analysis for reporting to funders; CIC Regulator and HMRC

Retention and Disposal:
All data held for 6 years from last contact EXCEPT:
If safeguarding procedures retain for 10 years from last contact
Suspicious death in relation to services provided of a service user kept for 75 years
Aggregated statistical returns including non-identifiable personal data kept indefinitely
Enquries which do not lead to services being received kept for 2 years (aggregated statitstical returns including non-identificable personal data kept indefinitely)
Records of accidents/incidents and If safeguarding procedures used until child reaches 24 years
Suspicious death in relation to services provided of a child kept for 75 years
Shredded on disposal

Suppliers

What do we collect:
Name, business address, business phone number, email address, company name, job title, bank details (if BACs payment required)

How do we collect it:
Phonecalls, emails, websites, invoices.

Storage:
Manual: If initially collected on paper, this is transferred to electronic format within a maximum of 2 weeks and paper version securely destroyed.
Electronic: Microsoft 365 – Password protected system. DBS information restricted to need-to-know users.

Why do we need this data:
To request products/services,
To pay invoices

Source of Data:
Supplier

Permission / Legal Basis for storing and using data:
Contract 
Legitimate Interests

Who is this data shared with:
To / from accountant
To / from payment provider

Is any of this data shared oversees:
No

Security Arrangements:
Password protected systems with 2-step -verifcation where possible

Any Further Processing: 
None

Retention and Disposal:
All data held for 6 years from last contact.

Associated Privacy Policies