About this policy
Orri is committed to protecting and respecting your privacy, and ensure any personal data is stored and processed fairly and lawfully.
This statement explains why and how we process and store any personal data, how long we keep it for and how we keep it secure.
We will never sell your data, it will always be safely and securely stored, and we respect your rights under the General Data Protection Regulations.
This statement might change or be updated from time to time. We communicate any changes publicly via our website, social media and, where we have permission, email channels.
If you have any questions about the way we store your data or about our privacy practices you can talk to our team. You can email us on: email@example.com
Who we are
Orri is a new intensive day treatment option for eating disorders, focused on early intervention.
We treat a variety of eating disorders including anorexia, bulimia and binge eating as well as their co- occurring conditions including anxiety, trauma, obsessive compulsive disorder and depression. Orri provides multi- faceted day and evening programmes for men and women over the age of 16 who suffer from early stage symptoms through to those living with a severe disorder. We aim to provide patients with the tools and life skills that will help them manage and recover from their disorder challenging the role that it plays in their everyday life.
How we collect information
We collect information about you in the following ways:
- Information you give us: there are many instances where you directly give us your data. Some examples might include: signing up for an event organised by Orri, registering to receive our e-newsletter, applying for a paid role, contacting us to ask for more information about our activities, using our helpline.
- Information we get from your use of our website and services: like any organisation, we are able to track personal information when you use our website through ‘cookies’ and other tracking methods
- Information available publicly: we may record information which can be found publicly in order to fully understand someone’s interests and inclination to contact Orri. You can read more about this in the ‘profiling’ section of this Privacy Statement.
What information we collect/process
We collect, store and use the following kinds of personal information:
- your name(s);
- your contact details (including postal address, telephone numbers, e-mail address and, where applicable, your social media identity);
- your date of birth and/or age;
- your gender;
- your nationality and ethnicity information where appropriate for monitoring purposes;
- your communication preferences;
- details of your interactions or transactions with Orri including when you: contact us; use our helpline; attend an event; apply for a job; interact with our marketing emails;
- information about our services, events, activities, and communications which you have used, expressed an interest in or we believe to be of interest to you;
- information relating to your health (including where you share your personal experiences of eating disorders with us or information on your health, either from yourself or your doctor, is required for health and safety or wellbeing protection purposes);
- Financial information you provide when making a payment such as, your bank details for a Direct Debit or debit/credit card details
- your relationship to other individuals or organisations where relevant such as, your partner where you wish to receive joint communications, or your employer where you are attending a training course or conference.
- information about your activities on our website and about the device you use to access these, for instance your IP address and geographical location;
- if you apply to work for us, information necessary for us to process these applications and assess your suitability (which may include things like employment status, previous experience depending on the context, your understanding and possible personal experience of eating disorders, as well as any information disclosed during a DBS Check where the job or role requires the check to be undertaken);
- any other personal information you provide to us.
Certain types of personal information are classified as ‘special category data’ in data protection law because they are more sensitive. Examples of sensitive personal information include information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information. We collect these types of information about our service users where there is a clear need to do so, for example when supporting you through our helpline with your experience of eating disorders or when you are taking part in an employment activity in order to ensure you can take part safely.
Whenever we collect this type of information we will make it clear why either at the point of collection or at the earliest practical opportunity.
Legal basis for processing
Whenever we hold or collect your personal information we must have a “legal basis” for doing so as defined in data protection law. Further information about each of the legal basis is set out in the General Data Protection Regulation (EU Regulation 2016/679).
At times, we ask for your consent to use your personal information in a certain way and will only do so if you agree. Examples of occasions when we rely on consent include when sending you electronic marketing communications such as text or e-mail or when holding sensitive personal information about you. Whenever we use your information for a purpose based on consent, you have the right to withdraw your consent for us to use your information for this purpose at any time as described in “your personal data rights”.
In certain cases, we collect and use your personal information on the basis of our “legitimate interests” provided our use is reasonable and does not unduly impact on your rights.
We consider our legitimate interests to include all of the day-to-day activities we carry out in our effort to support those who are suffering with eating disorders and their carers.
Some examples where we rely on legitimate interests are:
- Measuring how our audiences respond to a variety of marketing activity so we can ensure our activity is well targeted, relevant and effective;
- Monitoring individuals’ use of our website or apps for technical purposes;
- Keeping and administering internal records of the people we work with
When we rely on legitimate interests to process your personal information, we also consider and balance any potential impact this may have on you (both positive and negative) and your rights under data protection law. If we find that our interests are overridden by the impact on you and your rights then we will not process your information in that way. For example, where collection or use of your information would be excessively intrusive unless we are required or permitted to do so by law.
When we use sensitive personal information we require an additional legal basis to do so under data protection law, so we will either do so on the basis of your explicit consent or another basis available to us (for example if you have made the information manifestly public, we need to process it for employment, your vital interests, or, in some cases, if it is in the public interest for us to do so).
We will use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with regulators such as the Care Quality Commission, HMRC or Information Commissioner, or to use information we collect about you for due diligence.
Performance of a contract / preparation for entry into a contract
This legal basis applies when it is necessary for us to process your personal information in order to meet our contractual obligations to you to deliver a product, service or action. This includes when you apply for a job with us, purchase a ticket for an event, enquire or confirm your attendance on one of our training courses.
If we believe there is significant risk to an individual’s life, or the lives of members of the public, we will process the individual(s) personal information on the basis of “vital interests”. For example, if we believe that an individual who has contacted our helpline services is at serious risk of harm we may share their information with the emergency services as detailed in our Safeguarding Policy.
What we do with the information
Orri offers a confidential Helpline support service which can be contacted by phone, email or one-to-one webchat, as well as peer support services.
All contacts to our support services remain confidential unless we believe someone is at risk of significant harm, as explained in our Safeguarding Policy. Whenever you contact support services, we will record the details of your communication with us and the support we provide in return (unless you choose to remain anonymous). This helps us to provide you with a higher level of service as you do not need to repeat information each time and are able to receive more personalised, productive support.
All contact with our support services may be recorded for training and monitoring purposes and a record of the information from calls, emails, webchats, online groups and message board posts, including sensitive information, will be kept. Information from the use of our support services may also be used in an aggregated, anonymised form to provide business insight into the delivery of Orri’s services and in order to inform our research and training.
Orri uses personal data we have collected about you to make sure the marketing we send you reflects your personal preferences. We may also use your personal data to develop our website and services and measure the effectiveness of our marketing.
We send information via email about eating disorder news, our activities and services to individuals who have freely given explicit consent for us to do so, typically this consent is given when you sign up to receive our e-newsletter or fill in a form on our website registering for an event or expressing an interest in our activities. We may also send you information about the services or events you have recently signed up to.
On every marketing email we send to you, you have the opportunity to unsubscribe or update your marketing preferences by using links at the base of the email. If you decide to withdraw your consent to Orri’s marketing we will no longer use your personal data for this purpose.
We may use profiling techniques and segmentation to send you communications which we believe are the most interesting and relevant to you. For example, we may send you targeted communications about events and activities relevant to your geographical area, profession or your age group, invite you to support our work through tailored communications based on your interests or previous involvement or tell you about opportunities to join events or activities which we think you may be interested in.
Conference and training attendees
When you sign up to attend one of our events, conferences or training courses we use the information you have provided to send you relevant information ahead of time, deliver the event to your needs on the day (including any dietary or access requirements you may have) and to send you post-event communications. Where you have given us permission, we will also contact you about future conferences and events.
How we keep your information safe
We are committed to ensuring our processes and procedures are in line with current data protection regulations. We train staff to understand the importance of good data practice and recognise the risks of working with personal and sensitive data, and we make sure there are appropriate technical controls in place to protect your personal details.
Non-sensitive data such as your email address and contact details, in some cases, are transmitted to us over the internet, for example when you fill in the ‘contact us’ form on our website. When data is transferred in this way it can never be guaranteed to be 100% secure. As a result, while we make every effort to protect your personal information we cannot guarantee any information you transmit to us, and you do so at your own risk. Once we have received the your information, we store it in line with current data protection regulations.
Sharing your data with other organisations
We have never and will never sell or rent your information to third parties for marketing purposes. However, we may share your information with third parties for other purposes as described in this statement. Examples of the partners, suppliers and sub-contractors who may process information on our behalf are:
- providers of software and systems we use to operate Orri
- data cleaning service providers
We will have data processing agreements in place with all third parties as described above to make sure that your information is kept secure, and that they are not able to use it for their own marketing purposes. When working with third parties, we will only share the details necessary for the service they are delivering for Orri.
If any third party works outside of the European Economic Area (EEA) they may not be subject to the same data protection laws as the UK. In these instances we will make sure appropriate safeguards are in place and that they provide an adequate level of protection to comply with the UK law.
We may disclose your details to the police, regulatory bodies or legal advisors where we are under a legal or regulatory duty to do so.
How long we store your personal information
We keep your personal information only for as long as we need to for operational or legal reasons. We regularly review how long we keep information and why to ensure we do not retain information longer than necessary. The criteria we use is based on various legal requirements, the purpose of the data, whether there is a legitimate reason for continuing to store it and guidance from relevant regulatory authorities, such as the Information Commissioner’s Office (ICO).
Personal information we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. If we do store any historical or statistical data, this will be in a manner which complies with data protection regulations.
We do not store payment card data after the transaction has been completed.
Your personal data rights
Under data protection law, you have various rights in respect of the personal information we hold about you. We’ve explained more about these rights below.
If you wish to exercise any of these rights, you can do so by contacting our team on firstname.lastname@example.org or call us on 0203 918 6340. We will respond to all requests within one calendar month.
Right of access: You have the right to request access to a copy of the personal data we hold about you, along with information on what personal information we use, why we use it, how we collected it, who we share it with, how long we keep it for and if it been used for any automated decision making. This is commonly referred to as a ‘subject access request’. You can make a request to access your data free of charge. Requests can be made verbally and in writing, we will ask you to provide evidence of your identity. We can provide the data electronically or verbally, if requested. In some circumstances we may not be able to disclose all of the information we hold about you. An example of this would be if the information we have about you contains data about other people as it may be not appropriate to disclose this to you without their explicit consent. Another example would be if you are exercising this right on behalf of a child, in this instance we would follow the Information Commissioner’s Office on requests for information about children.
Right to be informed: You have the right to be informed about the way we collect and use your data. Our Privacy Statement contains clear and transparent information explaining the purpose for processing personal data, how long we will keep your data and who it will be shared with.
Right to rectification: If you believe the personal data we hold is inaccurate or incomplete you can ask us to rectify or complete the data. You can also ask us to check the personal information if you are unsure whether it is up-to-date or not.
Right to erasure: You have the right for your personal data to be erased from our records so long as there is no overriding legitimate reason to process it (i.e. to comply with a legal obligation).
Right to restrict processing: You have the right to limit the way we use your data if you believe your data is inaccurate, or if there is disagreement about whether our use is legitimate or not.
Right to data portability: You can ask us to provide you or a third party with the information you have provided to us in a format so that it can be safely and securely transferred across IT environments.
Right to object: You can object to us processing your personal data if it is for direct marketing purposes, a task carried out in the public interest or in our legitimate interests.
Rights related to automated decision making, including profiling: Automated decision making takes place when a decision is made without any human involvement (i.e. by a computer). We currently do not carry out any automated decision making.
Keeping your data up to date
If you subscribe to our e-newsletter, on every email you receive from us there is a link to update your preferences or unsubscribe from these marketing communications.
To update your contact information or opt out of communications from Orri email email@example.com.
We really appreciate you letting us know if your contact details change.
Feedback and complaints
We appreciate any opportunity to learn and improve. Please use the contact us form on our website to inform us of any feedback you have about the way we process personal data.
If you are unhappy with how we are using your personal information and would like to make a complaint, please email firstname.lastname@example.org. Upon receiving your, our team will send out a copy of the complaints policy and the complaints form to the complainant as soon as possible, and always within 5 working days.
You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office (ICO), the UK data protection regulator.
Changes to this statement
This statement may change from time to time. We will communicate any changes to this statement via email and via our social media channels, and the latest review date will be displayed at the top of this page. Please continue to check this section of the website periodically in order to keep up to date with any changes in our statement.
We welcome any questions, comments or suggestions about how we process data. Please let us know by contacting us at email@example.com or by phone on 0203 918 6430,
Non-sensitive details (your email address etc.) are transmitted normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.