Steps2Recovery Privacy Policy February 2021

At Steps2Recovery we are committed to protecting and respecting your privacy.

This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

Who are we?

Steps2Recovery was set up as a charity in 2010 with the aim of providing help for ex-offenders caught in the merry go round of short prison sentences, homelessness; using and chaotic lifestyles who wanted to turn their lives around and become abstinent from drugs and alcohol. Since July 2014 we have run a rolling 12 week abstinence-based day programme in Stoke Newington, in partnership with St Mungo’s Broadway. We take male and female clients.

This policy explains how we collect and use your information.

When you provide us with your personal information you are agreeing to this policy and consenting to our collection and use of that information as set out in this policy. We may be required to update this policy at any time without notice to you, so please check it regularly.

If you have any queries about this policy please contact us at

How do we collect information? 

We may obtain personal information from you when you ask about our activities, register with us, train with us, send or receive an email, make a donation or otherwise provide us with personal information. All information collected is processed in accordance with our legal requirements and the General Data Protection Regulation (GDPR).

What information do we collect? 

The information we collect depends upon your interaction with Steps2Recovery, whether it’s via the website, getting in touch, taking part in an event or training. This information could include (but is not exclusive to) your full name, date of birth, email address, medical condition (if applicable), postal address and telephone number. At this date (February 2021) the majority of our donations are processed by third party sites- Virgin Money Giving, Steps2Recovery do not hold any banking details; but we will hold information on donation dates, values and if they were for a specific purpose. Client details are held securely and are not used for any other purpose than for your treatment while at Steps2Recovery.

We may also collect details of your visits to our website, including but not limited to traffic data, location data, weblogs and other communication data. All the forms and transactions on this site comply with data protection requirements (GDPR, Data Protection Act 1998 (DPA).

You may give us your personal information indirectly, through a donation on a fundraising site such as Virgin Money Giving.  These third parties will ask you whether you are happy to be contacted by us and we will not use your information to contact you without explicit permission given by you via these sites.

When we ask for your personal information, we give you the option to opt out of communications via post, telephone (which includes text message) and email.

If you would like to opt out of communications directly, please contact us by email at   we do not sell your personal information to any other organisations. We may share relevant information with organisations that are employed directly to assist in the running of Steps2Recovery, move on housing, raising funds, or companies that manage fundraising events for Steps2Recovery.

Why do we collect your information? 

We collect the information you provide to:

  • Respond to your requests – such as donations, Gift Aid, events and challenges, training, and any information regarding Steps2Recovery that you have made enquiries about
  • Record any contact we have with you and hold any information received on clients when they register with Steps2Recovery.
  • Keep you up-to-date on Steps2Recovery news such as fundraising campaigns, challenges, achievements etc, but only if we believe this falls under the category of legitimate interest to you, according to the new GDPR guidelines 2018
  • Keep you up to date with new support or learning materials available – for clients and professionals
  • Prevent or detect fraud or abuses of our website and to enable third parties to carry out technical, logistical or other legitimate functions on our behalf

Steps2Recovery will never swap or sell your details. When dealing with your personal information we will always comply with the General Data Protection Regulation and any other applicable legislation.

We will only use your personal information for direct marketing purposes (i.e. such as an appeal letter to you) if we believe you would reasonable expect to receive this or we have notified you that you will receive it. You can change your marketing preferences at any time by emailing

How do we protect personal information? 

We take the security of your information very seriously and have put appropriate measures in place to minimise the risk to your information from loss, theft or misuse. These include:

  • Restricted access control, including use of complex passwords, to your information stored on our systems
  • Taking measures to ensure the information provided is accurate, up-to-date and kept only for as long as is necessary for the purposes to which you have given consent
  • We have contractual agreements between working partners (e.g. third party donation collectors for payment transactions) that require compliance with the Fundraising Regulator and the Information Commissioners Office, GDPR, Data Protection Act 1998 and all applicable legislation.
  • When we employ external service providers to undertake fundraising operations on our behalf, we do so only through encrypted data transfers.
  • Your information is only accessed by staff and volunteers who have received data protection and compliance training. We undertake regular reviews of who has access to our database.

Links to third party websites 

If you access other websites via a link on our website please ensure you read their privacy policy as they are independent from Steps2Recovery and we have no control over how they manage your personal information that is collected from their website.

Social media sites

(Facebook, Twitter, Instagram, YouTube, LinkedIn etc) this policy covers how we will use your information from social media pages that you visit but you will also need to read how the providers of the social media websites will use your information. Please ensure you read their Privacy policy before sharing data and make use of their privacy settings and reporting mechanisms to control how your data is used.

Do we share your information?

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes

There are some circumstances where we may need to share data. For instance:

  • If we are legally required to do so, e.g. court order, law enforcement agency pursuing an investigation
  • If we believe it necessary to protect or defend our rights, property or the personal safety of our personnel or visitors to our premises or website
  • When we work with carefully selected partners for research, analysis or providing services. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.
  • Information has to be sent to HMRC as part of the declaration process for Gift Aid so that we can reclaim the Gift Aid on your donation(s)

Right of access 

You have the right to ask for a copy of the information we hold about you, why we hold your data, how it is processed and to have any inaccuracies in your information corrected.

To request this information please email Please note Steps2Recovery have up to 30 days to respond to your request

Right to be forgotten

You have the right to have your data permanently erased. This will also apply to third parties and does not require a formal withdrawal of consent.

Contact details 

If your personal details change, please help us to keep your information up-to-date by notifying us.

If at any time you’d like us to change the way we contact you, or if you would like to opt out of our communications altogether please contact a member of our team by email,

We will only email or text you if we have your consent to do so, but if you receive anything you would rather not, please let us know. We include an unsubscribe option within every email or text message we send so you are always in control of what you receive.

There are also details of how to opt out of mailings in our annual mailing. If you receive a mailing you do not want, please let us know so we can update your communication preferences. This will help us to ensure we only ever send you materials that you would like to receive.

Your consent 

By providing us with your personal information you consent to the collection and use of the information you have provided in accordance with the above purposes and this Privacy policy.


All photography on this site is reproduced with kind permission of the photographers concerned and the people in the photographs.


All information published on this site is provided to the best of our knowledge. However, while Steps2Recovery are happy to provide information and advice to professionals, supporters and members of the public; it must be appreciated that such guidance is based only on information supplied to Steps2Recovery and Steps2Recovery will not be liable for injury, loss or damage arising from such guidance supplied. You may print any newsletter or factsheet on this site for your own information, but you may not sell it, reproduce it on the internet, alter it, or reprint it in any publication without permission from Steps2Recovery –

Legitimate Interest 

It was agreed that Steps2Recovery adopt option 2 of the GDPR – legitimate interest. Adopting the legitimate interest option means Steps2Recovery must decide on the length of time to keep personal details and then work to CHDS agreed time frame. The paper outlines best practice, which is professional -5 years; service users – 5 years; and supporters – 2 years.

Each time we communicate with our database if we hear back from them the clock resets itself for a further 5/ 2 years, however if there is no activity within 5/2 years the data will be considered lapsed and be removed. In all communications there will clearly be the option to opt out.


If you have a complaint about Steps2Recovery or any of our policies or procedures please visit the Contact Us page or email

This policy was last updated February 2021