Privacy notice PROTECTING YOUR DATA

The Institute processes personal data in accordance with the following data protection principles:

• The Charity collects personal data only for specified, explicit and legitimate purposes.
• The Charity processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
• The Charity processes personal data lawfully, fairly and in a transparent manner.
• The Charity keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
• The Charity keeps personal data only for the period necessary for processing.
• The Charity adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
• The Charity tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons. Where the Charity relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
• The Charity will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.

The Charity keeps a record of its processing activities in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018.

We collect data in the following ways:

• When you sign up to our newsletters and updates
• Through the submission of various forms through our website or from signing up at our events
• When you engage with us directly in relation to certain campaigns, we may process data that you provide us related to the campaign, such as your reasons for participating in the campaign and any other sensitive data that you provide, for example about your own mental health
• When you send us information for recruitment purposes in relation to any vacancies that we advertise
• (Research Community members only) via surveys, focus groups, interviews, media engagement events, and published reports. For more details, please see our separate Research Community privacy policy here.

Our servers also use cookies and collect logs when you visit our site to improve the user experience of our website and provide a better service. For more information, please read our separate cookie policy here. 

Depending on what you provide to us, we may hold the following personal data:

• Full name
• Email address
• Full/ postal address
• Phone number
• Country
• Company name
• Job title
• IP Address
• Professional sector
• Areas of interest
• Information about activities you have taken part in (for example, campaigns you have supported or emails you have opened.)
• Education and qualifications
• Employment history
• References
• Sensitive personal data, including racial, ethnic, sexual, religious and/or disability information
• Any other details in your CV, cover letter or other application materials
• (Research Community members only) your personal experiences or the experiences of friends/ relatives you have shared with us. For more information, please see our separate Research Community privacy policy here
• Cookies from our website (for more details on the types of cookies we use, see our separate cookie policy here)

We use your information for the following purposes:

• To improve the user experience of our website and provide a better service
• To stay in touch with you 
• To inform you of our events, research, and wider work in order to fulfil our charitable objectives 
• To provide you with information including updates or our newsletter or to contact you in relation to services we feel to be useful to you, either by email or by phone
• To invite you to take part in research, attend events or otherwise contribute to our work 
• To inform our charitable research and policy development activities (for example if you share your personal experience or the experience of a friend or relative)
• For media engagement, events and other external engagement (e.g. speaking to funders) in order to fulfil our charitable objectives
• To deal with your enquiries
• For recruitment purposes 
• To share your data with with trusted third parties (further details below) 
• To fulfil our legal obligations 
• (Research Community members only) where you have given express consent to share your or a friend or relative’s story, for publishing purposes, for example in the media or through a blog

In order to process your data, we are required to have a legal reason to do so. We process all of your data on the basis of your consent, our legitimate interest, and/or for the performance of a contract, depending on the type of data and the type of processing involved (see below). If the basis you have provided is consent, you have a right to withdraw your consent at any time. Please see the ‘Your Individual Rights’ section for further details on your rights.

Communications

We will process data for getting in touch with you on the basis of your consent in signing up to our newsletters and updates and/or our legitimate interest in informing you of our events, research, and wider work in order to fulfil our charitable objectives. You are able to opt out from emails at any time via the “Unsubscribe” link present at the bottom of every email communication we send or by emailing [email protected]. 

Campaigns and Charitable Objectives

When you engage with us directly in relation to certain campaigns, and we process related data which you provide to us, we will process such data on the basis of your consent. 

If you share your personal experience or the experience of a friend or relative with us, we will process this sensitive personal data on the basis of your consent. We will not pass on these details to anyone else without your express permission, except in exceptional circumstances, which may include anyone reporting serious self-harm, posing a threat to others, or sharing serious issues such as abuse or exploitation. This would be under the lawful basis of vital interests and/or our legitimate interest. 

We will only share or publish your story where you have given express consent for us to share it, for example in the media or through a blog. 

Recruitment

We process recruitment related data under our legitimate interest in delivering an effective recruitment process, identifying the right candidates, and offering them new positions. We also process data in order to provide reasonable adjustments to candidates where necessary, under the basis of our legal obligation. 

We may process additional data later on in the recruitment process, which will be processed on the basis of performing a contract (i.e. an employment contract), or where we have a legal obligation (such as for immigration or diversity monitoring purposes). This will be further detailed during the onboarding process should you be successful. 

Without collecting and processing this data, we would be unable to offer employment.

We only keep your data for as long as is reasonable and necessary to fulfil the purposes we collected it for, which may include fulfilling statutory obligations. 

To establish the correct retention period for personal data, we evaluate factors such as the volume, nature, and sensitivity of the data, the potential risks of harm from unauthorized access or disclosure, the purposes for which we process the data and whether those purposes can be achieved through alternative methods, and any relevant legal obligations.

For details on how long our cookies last, please see our cookie policy here.

In addition to our systems, the information that you provide to us may be stored in secure servers which are operated by trusted providers. We share your information with these trusted providers, who work on our behalf to deliver our services, but they only process this information under our instructions. 

These include MailChimp, Google, QuestionPro, DocuSign and Be Applied Ltd. 

Mailchimp and Google use servers based in the United States of America. Mailchimp and Google have been certified under the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. Mailchimp also commits to processing customer data in compliance with Standard Contractual Clauses if these Frameworks are invalidated as an extra measure of protection. 

For EU customers, DocuSign stores eDocuments in the EU. 

Be Applied Ltd uses some service providers based outside the UK, and in these cases has specific contracts with these companies which “give personal data the same level of protection it has in the UK”.

The above measures allow us to legally transfer your personal data to these companies. 

You can view Mailchimp’s Data Protection Addendum here and its Privacy Policy here. You can view Google’s Data Transfer Framework here and Privacy Policy here. You can view DocuSign’s Data Management and Privacy Practices here and Privacy Policy here. You can view Be Applied Ltd’s Privacy Policy here.

Money and Mental Health uses reasonable administrative, technical, personnel and physical measures to safeguard personal information in its possession against loss, theft and unauthorised use or modification. These measures include, but are not limited to, security software such as firewalls and antivirus software, ongoing security reviews and testing, access-controlled systems limiting access only to those who need it, and back-up and restore facilities. While we strive to protect your personal information, you will understand that we cannot guarantee the security of any information transmitted to us over the internet. Therefore, please do not submit personal information to us online unless you accept the security risks of doing so.

You have several individual rights in relation to your personal data that we collect, which we are committed to respecting. In particular, you have the right to:

• make a subject access request about the data that the Institute holds about you (see below), how it is used and how long it will be kept;
• ask us to provide you or a third party with some of the personal information we hold about you in a portable electronic format;
• rectify inaccurate data;
• stop processing or erase data that is no longer necessary for the purposes of processing;
• stop processing or erase data if the individual’s interests override the Charity’s legitimate grounds for processing data (where the Charity relies on its legitimate interests as a reason for processing data);
• stop processing or erase data if processing is unlawful; and
• stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the Charity’s legitimate grounds for processing data.
• not be subject to automated decision-making that may have legal effects or have a similar significant impact on you, without consent, if it is necessary for a contract, or otherwise permitted by law. 

Additionally, where we collect your personal details for sending you newsletters, campaigns or updates related to our work, you have the right at any time to notify us that you no longer want to receive this information.

If you wish to exercise any of these rights, or make a complaint, you can do so by contacting us, by email at [email protected] or by post at Money and Mental Health, The Green House, 244-254 Cambridge Heath Road, Cambridge Heath, London E2 9DA.

You can also make a complaint to the data protection supervisory authority, the Information Commissioner’s Office, https://ico.org.uk.

Individuals have the right to make a subject access request. If an individual makes a subject access request, the Charity will tell them:

• whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data
• to whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
• for how long their personal data is stored (or how that period is decided);
• their rights to rectification or erasure of data, or to restrict or object to processing;
• their right to complain to the Information Commissioner if they think the Charity has failed to comply with their data protection rights; and
• whether or not the Charity carries out automated decision-making and the logic involved in any such decision-making.

The Charity will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.

If the individual wants additional copies, the Charity will charge a fee, which will be based on the administrative cost to the Charity of providing the additional copies.

If you wish to activate any of these rights, or to raise a complaint on how we have handled your personal data, you can contact our office at [email protected]. In some cases, the Charity may need to ask for proof of identification before the request can be processed. The Charity will inform the individual if it needs to verify their identity and the documents it requires. The Charity will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the Charity processes large amounts of the individual’s data, it may respond within three months of the date the request is received. The Charity will write to the individual within one month of receiving the original request to tell them if this is the case.

If a subject access request is manifestly unfounded or excessive, the Charity is not obliged to comply with it. Alternatively, the Charity can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Charity has already responded. If an individual submits a request that is unfounded or excessive, the Charity will notify him/her that this is the case and whether or not it will respond to it.

This Privacy Notice was last updated in March 2025.

Any changes made to this Privacy Notice will be updated on our website and you will be notified by email if necessary and appropriate.