Kennedy St CiO privacy statement 

About this policy

Kennedy St CiO(KSCiO) are committed to protecting and respecting your privacy, and ensure any personal data is stored and processed fairly and lawfully.

This statement explains why and how we process and store any personal data, how long we keep it for and how we keep it secure.

We will never sell your data, it will always be safely and securely stored, and we respect your rights under the General Data Protection Regulations.

This statement might change or be updated from time to time. We communicate any changes publicly via our website, social media and, where we have permission, email channels.

If you have any questions about the way we store your data or about our privacy practices you can talk to our Data Protection Team. You can email us on: hello@kennedystreetcio

Or write to us at:  Bank House, Southwick Square, Southwick, Brighton.BN424FN

Phone number: 01273 758561

Policy was created on: 8.12.20

Who we are

Kennedy Street foundation (known as Kennedy St CiO) is a charity registered in England and Wales:


Kennedy St CiO became our working name in April 2020.

Our legally registered charity name is: Kennedy Street foundation. 

We have transitioned from Kennedy St CiC, limited by guarantee registered in England and Wales under number:  08908945

How we collect information

We collect information about you in the following ways:

Information you give us: there are many instances where you directly give us your data. Some examples might include: signing up for an event organised by KSCiO, registering to receive our e-newsletter, applying for a paid or volunteer role, contacting us to ask for more information about our activities, using our support services.

Information we get from your use of our website and services: like any organisation, we are able to track personal information when you use our website through ‘cookies’ and other tracking methods. You can read more information about this in our Cookie Policy.

Information from known third parties: in some circumstances your information is passed to us by known third parties for example, JustGiving, Virgin Money Giving, text donation site DONR or other fundraising sites, or other agencies we are working with to run events. You should always check the Privacy Policy of this third party to find out how and when they will share your personal data.

Information available publicly: 

we may record information which can be found publicly in order to fully understand someone’s interests and inclination to support KSCiO. You can read more about this in the ‘profiling’ section of this Privacy Statement.

All information we collect is collected ‘organically’ – we do not buy lists of personal data.

What information we collect/process:

We collect, store and use the following kinds of personal information:

  • your name(s);
  • your contact details (including postal address, telephone numbers, e-mail address and, where applicable, your social media identity);
  • your date of birth and/or age;
  • your gender;
  • your nationality and ethnicity information where appropriate for monitoring purposes;
  • your communication preferences;
  • details of your interactions or transactions with KSCiO including when you: contact us; make a donation; use our Support Services; fundraise for us; attend an event; sign a petition or take another campaigning action; volunteer for us; apply for a job; interact with our marketing emails; purchase merchandise; make a Gift Aid declaration or any other interaction you have with KSCiO.
  • information about our services, events, activities, funding opportunities, and communications which you have used, expressed an interest in or we believe to be of interest to you;
  • information relating to your health (including where you share your personal experiences of addiction recovery with us or where you are taking part in a KSCiO activity and information on your health, either from yourself or your doctor, is required for safeguarding, health and safety or wellbeing protection purposes);
  • Financial information you provide when making a payment such as, your bank details for a Direct Debit or debit/credit card details
  • your relationship to other individuals or organisations where relevant such as, your partner where you wish to receive joint communications, your friends where you are fundraising together, or your employer where you are attending a training course, workshop, event or conference.
  • information about your activities on our website and about the device you use to access these, for instance your IP address and geographical location;
  • if you apply to volunteer, fundraise or work for us, information necessary for us to process these applications and assess your suitability (which may include things like employment status, previous experience depending on the context, your understanding and possible personal experience of addiction recovery, as well as any information disclosed during an enhanced DBS Check where the job or role requires the check to be undertaken);
  • information about your philanthropic interests and your capacity and inclination to support KSCiO where you share this with us or it is publicly available in places such as publications, articles and newspapers, on LinkedIn, property websites or Companies House.
  • where you have made a gift to KSCiO in your Will, any information regarding your next of kin or executors with whom you wish us to liaise;
  • any other personal information you provide to us. 
  • Certain types of personal information are classified as ‘special category data’ in data protection law because they are more sensitive. Examples of sensitive personal information include information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality or genetic/biometric information. We collect these types of information about our supporters and service users where there is a clear need to do so, for example when supporting you via our helpline, online support services or your referral recovery pathfinder, with your experience of addiction recovery or when you are taking part in a fundraising, employment or volunteer activity in order to ensure you can take part safely.

Whenever we collect this type of information we will make it clear why we are collecting it,  either at the point of collection or at the earliest practical opportunity.  

Legal Basis for processing:

Whenever we hold or collect your personal information we must have a “legal basis” for doing so as defined in data protection law. Further information about each of the legal basis is set out in the General Data Protection Regulation (EU Regulation 2016/679).

Specific consent:

At times, we ask for your consent to use your personal information in a certain way and will only do so if you agree. Examples of occasions when we rely on consent include when sending you electronic marketing communications such as text or e-mail or when holding sensitive personal information about you. Whenever we use your information for a purpose based on consent, you have the right to withdraw your consent for us to use your information for this purpose at any time (as described in “your personal data rights”.)

Legitimate interests:

In certain cases, we collect and use your personal information on the basis of our “legitimate interests” provided our use is reasonable and does not unduly impact on your rights.

We consider our legitimate interests to include all of the day-to-day activities we carry out in our effort to end the pain and suffering caused by addiction.

Some examples where we rely on legitimate interests are:

  • Sending direct marketing materials to supporters by post for fundraising purposes;
  • Conducting research, analysis and profiling of our supports to better understand who our supporters are and better target our fundraising activity;
  • Measuring how our audiences respond to a variety of marketing activity so we can ensure our activity is well targeted, relevant and effective;
  • Updating your address using third party sources if you have moved house;
  • Monitoring individuals’ use of our website or apps for technical purposes;
  • Keeping and administering internal records of the people we work with, including supporters, volunteers and researchers;
  • Where you wish to take part in a fundraising activity or event organised by a third party (for example a sponsored run not organised by KSCiO), sharing your personal information with the third party organiser as necessary so they can administer the event.
  • When we rely on legitimate interests to process your personal information, we also consider and balance any potential impact this may have on you (both positive and negative) and your rights under data protection law. If we find that our interests are overridden by the impact on you and your rights then we will not process your information in that way. For example, where collection or use of your information would be excessively intrusive unless we are required or permitted to do so by law. 

When we use sensitive personal information we require an additional legal basis to do so under data protection law, so we will either do so on the basis of your explicit consent or another basis available to us (for example if you have made the information manifestly public, we need to process it for employment, your vital interests, or, in some cases, if it is in the public interest for us to do so).

Legal obligation:

We will use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with regulators such as the Charity Commission, Fundraising Regulator, Funders, HMRC or Information Commissioner, or to use information we collect about you for due diligence.

Performance of a contract / preparation for entry into a contract:

This legal basis applies when it is necessary for us to process your personal information in order to meet our contractual obligations to you to deliver a product, service or action. This includes when you apply for a job or volunteer role with us, purchase a ticket for an event, apply for or pay for a place on a fundraising event, submit a Gift Aid declaration, enquire or confirm your attendance on one of our training courses.

Vital interests:

If we believe there is significant risk to an individual’s life, or the lives of members of the public, we will process the individual(s) personal information on the basis of “vital interests”. For example, if we believe that an individual who has contacted our helpline services is at serious risk of harm we may share their information with the emergency services as detailed in our Safeguarding Policy. 

What we do with the information


KSCiO offers a national helpline 24/7 manned by trained and empathetic staff, a text chat service and a variety of peer-led support services, including coaching, workshops and training.

All contacts to our support services remain confidential unless we believe someone is at risk of significant harm, as explained in our Safeguarding Policy. Whenever you contact support services, we will record the details of your communication with us and the support we provide in return (unless you choose to remain anonymous). This helps us to provide you with a higher level of service as you do not need to repeat information each time and are able to receive more personalised, productive support and signposting.     

All contact with our support services may be recorded for training and monitoring purposes and a record of the information from calls, emails, text chat, online groups and message board posts, including sensitive information, will be kept. Information from the use of our support services may also be used in an aggregated, anonymised form to provide business insight into the delivery of KSCiO’s services and in order to inform our fundraising, campaigning and research priorities.


KSCiO uses personal data we have collected about you to make sure the marketing we send you reflects your personal preferences. We may also use your personal data to develop our website and services and measure the effectiveness of our marketing.

We send information via email about addiction recovery news, our activities, campaigns, services and fundraising to individuals who have freely given explicit consent for us to do so, typically this consent is given when you sign up to receive our e-newsletter or fill in a form on our website registering for an event or expressing an interest in our activities. We may also send you information about the services or events you have recently signed up to.

On every marketing email we send to you, you have the opportunity to unsubscribe or update your marketing preferences by using links at the base of the email. If you decide to withdraw your consent to KSCiO’s marketing we will no longer use your personal data for this purpose.

We use profiling techniques and segmentation to send you communications which we believe are the most interesting and relevant to you. For example, we may send you targeted communications about events and campaigns relevant to your geographical area, profession or your age group, invite you to support our work through tailored communications based on your interests or previous support or tell you about opportunities to join fundraising events or activities which we think you may be interested in.  


We are committed to fundraising as efficiently and sensitively as possible, always respecting the wishes of our donors, volunteers and fundraisers (see our Supporter Promise for more about our values and commitments to supporters).

To produce effective, engaging fundraising appeals we use data analysis, segmentation and profiling techniques to target and tailor communications to different supporters. This helps us to use our resources as cost-effectively as possible to enable KSCiO to raise funds to help more people affected by addiction. If you do not wish to receive solicitation mailings or appeals, you can opt-out of these at any time by emailing:

When you have expressed an interest in fundraising for KSCiO or signed up to take part in a fundraising event we will contact you by email, telephone or post to make sure you have all the support you need to fundraise safely, legally and effectively – whilst enjoying your experience as much as possible.

If you’ve signed up to a fundraising event with a third-party provider (such as the London or Edinburgh Marathon) and told the organiser that you wish to fundraise for us, we may contact you to make sure you have all the support you need to make your event a success.

We may combine information you have given us about you with publicly available information in order to build a more accurate profile of you. This helps us to tailor communications and send information about our major donor scheme, KSCiO Benefactors, to the most appropriate people. This sort of profiling can include combining information such as your age, previous donations, likely affinity with our cause, property prices where you live, your job, your philanthropic interests, and your estimated wealth, to assess how likely it is that you would be interested in donating to us and the level of donation that you may be able to give. Where it is more efficient to do so, we may ask a trusted third-party provider to conduct this analysis for us. If you do not wish us to use these techniques, you can exercise your right to object to this processing by contacting us on:

If you are preparing to make a significant financial contribution to KSCiO we will follow the advice of the Fundraising Regulator and conduct due diligence checks to ensure your financial background and reputation are consistent with KSCiO’s values as described in our Ethical Fundraising Policy (available on request).

Conference and training attendees:

When you sign up to attend one of our events, conferences, workshops or training courses we use the information you have provided to send you relevant information ahead of time, deliver the event to your needs on the day (including any dietary or access requirements you may have) and to send you post-event communications. Where you have given us permission, we will also contact you about future conferences and events.

How we keep your information safe:

We are committed to ensuring our processes and procedures are in line with current data protection regulations. We train staff and volunteers to understand the importance of good data practice and recognise the risks of working with personal and sensitive data, and we make sure there are appropriate technical controls in place to protect your personal details.

Non-sensitive data such as your email address and contact details, in some cases, are transmitted to us over the internet, for example when you fill in the ‘contact us’ form on our website. When data is transferred in this way it can never be guaranteed to be 100% secure. As a result, while we make every effort to protect your personal information we cannot guarantee any information you transmit to us, and you do so at your own risk. Once we have received your information, we store it in line with current data protection regulations.

Sharing your data with other organisations:

We have never and will never sell or rent your information to third parties for marketing purposes. However, we may share your information with third parties for other purposes as described in this statement. Examples of the partners, suppliers and subcontractors who may process information on our behalf are:

  • providers of software and systems we use to operate Beat such as Engaging Networks and Oracle
  • data cleaning service providers such as UK Changes who can inform us when the address we have for you is no longer accurate
  • Skyline the company who facilitate our fundraising skydives
  • In Any Event who supports us with the delivery of our annual conferences.

We will have data processing agreements in place with all third parties as described above to make sure that your information is kept secure, and that they are not able to use it for their own marketing purposes. When working with third parties, we will only share the details necessary for the service they are delivering for KSCiO

If any third party works outside of the European Economic Area (EEA) they may not be subject to the same data protection laws as the UK. In these instances we will make sure appropriate safeguards are in place and that they provide an adequate level of protection to comply with the UK law.

We may disclose your details to the police, regulatory bodies or legal advisors where we are under a legal or regulatory duty to do so.

How long we store your personal information:

We keep your personal information only for as long as we need to for operational or legal reasons. We regularly review how long we keep information and why to ensure we do not retain information longer than necessary. The criteria we use is based on various legal requirements, the purpose of the data, whether there is a legitimate reason for continuing to store it and guidance from relevant regulatory authorities, such as the Information Commissioner’s Office (ICO).

Personal information we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. If we do store any historical or statistical data, this will be in a manner which complies with data protection regulations.

We do not store payment card data after the transaction has been completed.

Your personal data rights:

Under data protection law, you have various rights in respect of the personal information we hold about you. We’ve explained more about these rights below.

If you wish to exercise any of these rights, you can do so by contacting our Data Protection team on, in writing at KSCiO(see above for the office address). We will respond to all requests within one calendar month.

Right of access: You have the right to request access to a copy of the personal data we hold about you, along with information on what personal information we use, why we use it, how we collected it, who we share it with, how long we keep it for and if it been used for any automated decision making. This is commonly referred to as a ‘subject access request’. You can make a request to access your data free of charge. Requests can be made verbally and in writing, we will ask you to provide evidence of your identity. We can provide the data electronically or verbally, if requested. In some circumstances we may not be able to disclose all of the information we hold about you. An example of this would be if the information we have about you contains data about other people as it may be not appropriate to disclose this to you without their explicit consent. Another example would be if you are exercising this right on behalf of a child, in this instance we would follow the Information Commissioner’s Office on requests for information about children.

Right to be informed: You have the right to be informed about the way we collect and use your data. Our Privacy Statement contains clear and transparent information explaining the purpose for processing personal data, how long we will keep your data and who it will be shared with.

Right to rectification: 

If you believe the personal data we hold is inaccurate or incomplete you can ask us to rectify or complete the data. You can also ask us to check the personal information if you are unsure whether it is up-to-date or not.

Right to erasure:

You have the right for your personal data to be erased from our records so long as there is no overriding legitimate reason to process it (i.e. to comply with a legal obligation).

Right to restrict processing: 

You have the right to limit the way we use your data if you believe your data is inaccurate, or if there is disagreement about whether our use is legitimate or not.

Right to data portability:

You can ask us to provide you or a third party with the information you have provided to us in a format so that it can be safely and securely transferred across IT environments.

Right to object:

You can object to us processing your personal data if it is for direct marketing purposes, a task carried out in the public interest or in our legitimate interests.

Rights related to automated decision making, including profiling: 

Automated decision making takes place when a decision is made without any human involvement (i.e. by a computer). We currently do not carry out any automated decision making.

Keeping your data up-to-date:

We may use information from external sources such as the post office national change of address database and/or the public electoral roll to identify when we think you have changed address so that we can update our records and stay in touch. We only use sources where we are certain that you have been informed of how your information may be shared and used.

This helps us make sure we do not have duplicate records and out of date preferences and means that we can continue to contact you, make you aware of changes to our terms or assist you with information about your donation.

If you subscribe to our e-newsletter, on every email you receive from us there is a link to update your preferences or unsubscribe from these marketing communications.

To update your contact information or opt out of communications from KSCiO email: hello@kennedystreetcio

We really appreciate you letting us know if your contact details change.

Feedback and complaints:

We appreciate any opportunity to learn and improve. Please use the contact us form on our website to inform us of any feedback you have about the way we process personal data.

If you are unhappy with how we are using your personal information and would like to make a complaint, please email: hello@kennedystreetcio

Upon receiving your email or letter, our Complaints Manager will send out a copy of the complaints policy and the complaints form to the complainant as soon as possible, and always within 5 working days.

You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office (ICO), the UK data protection regulator.

Changes to this statement

This statement may change from time to time. For example, it has been recently updated to reflect new legal requirements of the EU General Data Protection Regulation (GDPR). We will communicate any changes to this statement via email and via our social media channels, and the latest review date will be displayed at the top of this page. Please continue to check this section of the website periodically in order to keep up to date with any changes in our statement.

Contact us:

We welcome any questions, comments or suggestions about how we process data. Please let us know by contacting us at: hello@kennedystreetcio

Any sensitive information (such as credit or debit card details) is encrypted and protected with the following software: 128 Bit encryption on SSL. When you are on a secure page, a lock icon will appear on the bottom of web browsers such as Microsoft Internet Explorer.

Non-sensitive details (your email address etc.) are transmitted normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Charity no: 1189265  Reg office: Bank House, Southwick Square, Southwick, Brighton, BN4 24FN Recovery helpline: 01273 758561 Email: Website: