Introduction

Hello, we are Joshyboylegacy, we focus on persons with disabilities and families with disabled children, venerable persons and those who are less able to provide for themselves. We advocate for more adapted properties in the private housing sector. We raise awareness among landlords and developers, stressing the importance of building homes that cater to individuals with disabilities.

We believe that providing accessible housing shouldn’t be left to the social housing and charities alone, every landlord has a duty of care under the equality act to make reasonable adjustment to their property when the need arises.

At Joshyboylegacy, it’s really important to us that we show you that we care about looking after your personal information. This is our Privacy and Cookie Notice, where we tell you honestly how we use and look after your personal information. This privacy notice tells you what to expect us to do with your personal information if you apply for our services, support our work with a donation or by fundraising for us, apply for a voluntary or paid position with Joshyboylegacy or use our website. We will tell you what information we collect about you, how we use this data, with whom we share it, and how we store it and keep it safe.

Because privacy and cookie notices are often quite long, full of helpful information, ours is broken up into smaller sections. To read a section, click the heading that interests you. To help you find the information you need, we have created a section for everybody to read, followed by sections which are written especially for the type of interaction you have with Joshyboylegacy. All words and phrases in bold can be found in a glossary in

Appendix I.

If we make any important changes to the way in which we use, share, or store your information, we’ll update our Privacy and Cookie Notice and will let you know so that you can tell us if you have any concerns.

When making smaller changes, we’ll update this notice and post a summary of the changes on our website. We last updated our privacy notice in October 2024. 17th October 2024

We are Joshyboylegacy, We want to see a society in which every disabled person and family with disable children housed in a suitable accommodation that meets their needs. We believe home is everything. We are a registered community Interest company in England and Wales (15902020). Our main office is based in Newton Abbot, but we run our services from borough of Southwark in London. Joshyboylegacy is the Data Controller for the personal information we process.

There are many ways to contact Joshyboylegacy, including by post, phone, email, and social media.

Our registered address is:

Joshyboylegacy

20 Bonding Yard Walk

Surrey Quays 

London

Se16 7uw

Telephone Number: 07936086467

Email (general enquiries): info@joshyboylegacy.co.uk

Website: www.joshyboylegacy.co.uk

To get in contact please use this page of our website.

LinkedIn: joshyboylegacy

Instagram: @joshyboylegacy

Joshyboylegacy Data Protection Officer is contactable at data.protection@joshyboylegacy.co.uk  or write to ‘Data Protection Officer’ at our postal address.

As a Data Subject, under UK GDPR (data protection law) you have rights. You can choose to use any of these rights by contacting us at data.protection@joshyboylegacy.co.uk  or writing to us at this address with your request. Your rights are:

Access – You have the right to ask for copies of all information we have about you.

Rectification – You have the right to ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete.

Erasure – You have the right to ask us to delete your personal information in certain circumstances.

Restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Objection to processing - You have the right to object to the processing of your personal information in certain circumstances.

Data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Withdraw consent – if Joshyboylegacy have asked your consent to use your data for a specified reason, you have the right to take back that consent so that Joshyboylegacy cannot use your data like that in the future. Withdrawing your consent does not affect anything that Joshyboylegacyhave used your data for in the past with your consent.

You do not have to pay to use any of these rights. If you make a request, Joshyboylegacy has one month to respond to you.

If you would like to make a request, email: data.protection@joshyboylegacy.co.uk  

If you are unhappy or concerned about how Joshyboylegacy collects, uses or stores your personal information, you can let us know by emailing: data.protection@joshyboylegacy.co.uk  

 or writing to:

Data Protection Officer
20 Bonding Yard Walk

Surrey Quays 

London

Se16 7uw

You can also complain to the ICO (the UK supervisory authority for data protection) if you are unhappy with how we have used your data.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk 

For Children, young people and families who use our services

Joshyboylegacy collects personal information such as name, contact information, assigned sex at birth, preferred pronouns, NHS number, parent or carer’s contact information, education information, household income, communication preferences, appointment history, activity attendances and where written permission is given photos and videos. We also collect your responses to surveys about your experience of Joshyboylegacy.

We also collect the following sensitive category information: health and medical data, ethnicity, and sexual orientation.

At Joshyboylegacy we do our very best to stick to the GDPR principles of data minimisation and purpose limitation, and only collect information that we need when we need it. We only use information for the intended purpose. For example, we only ask for information on ethnicity and sexual orientation for monitoring and evaluation purposes and so that we can improve our services; we only ask for information on household income to monitor if we are reaching lower income households. 

Most of the personal information Joshyboylegacy collects is given by you when you apply for our services or attend an activity group. Some information is collected in a secure online form, other information is collected during a telephone assessment with one of our staff or at a face-to-face appointment.

Sometimes, information may be shared with us by your education provideror care provider so that we can provide you with the best possible service.

We collect this information so that we can assess your eligibility for our services, apply for or match your requirements with funding, and provide you with the best possible care. Joshyboylegacy collects this information so that we can fulfil your request for equipment or a service (contractual performance).

We also collect data in optional surveys (both online and on paper) and interviews (telephone, face to face, virtual meeting) which help us to decide on the most important things to campaign on and influence. Joshyboylegacy collects data in this way for public interest.

We collect sensitive category information, such as ethnicity and sexual orientation so that we can conduct monitoring and evaluation and ensure that Joshyboylegacy is providing services to everyone who needs our support. We also use this anonymised data to help us decide what to focus on as an organisation. Joshyboylegacy is collecting information for our legitimate interest, to understand more about our service users so that we can make sure that we are providing the best possible service.

Joshyboylegacy also collects information with your consent to share your story and experience on our social media channels or in communications (both internally with colleagues and externally with the public). We will never share photos, videos or your story identifying you with anyone unless you give your permission. In some cases, we may share your story anonymously with a funder as they would like to know how we have spent their money. We ensure that you cannot be identified by the information we share with funders unless you give your consent. 

Joshyboylegacy also uses your contact information to share surveys about your experience. These surveys help us to find out the good and bad things we do and improve our services. These surveys are optional to complete. You do not have to share your experiences if you don’t want to.

We use your contact information with your consent to send communications about other exciting things going on at Joshyboylegacy, such as volunteering opportunities, work experience placements, fun activities or fundraising appeals. You can opt out of receiving these communications at any time: to opt out please contact: data.protection@joshyboylegacy.co.uk or follow the instructions in each communication to unsubscribe.

Joshyboylegacy also works with companies to look at the personal information we store in our database and match it against publicly available records to add value to our database and improve the quality of the data. This also helps us to avoid sending communications to people who are recently deceased. We also add dates of birth and record home moves and changes of address where the data is publicly available. This helps us to save money by only contacting those people who would be most interested in our communications. Joshyboylegacy uses our legitimate interest to work with these companies. Joshyboylegacy is the data controller and the companies are the data processor.

Joshyboylegacy stores personal information on secure server on Microsoft’s cloud document and storage system, SharePoint, as well as in other Microsoft applications. To read more about Microsoft’s data storage and security please visit Microsoft’s Trust Centre: Microsoft Privacy & Data Storage | Where Your Data Is Stored.

Joshyboylegacy have a retention schedule which we use to decide how long to store personal information. Sometimes, this is for as long as we are actively using the data. In other cases, there is a legal requirement for us to store data (such as safeguarding reports, or health and care records) for a fixed minimum period of time. For all our health and care records, Joshyboylegacy follows the guidelines as set out by ‘The Records Management Code of Practice for Health and Social Care 2016’ (published by the Information Governance Alliance for the Department of Health). We keep children’s health records until their 25th birthday if aged under 16 at the conclusion of a our intervension, or until their 26th birthday if aged 17 or above after being discharged or last seen by Joshyboylegacy services. For more detailed information, contact us at data.protection@joshyboylegacy.co.uk

We never sell personal information. We do share it with organisations who we work with to deliver the best possible care and experience to you, such as, your education provider, healthcare agencies, mobility equipment suppliers and content providers for our clubs and activities. We may also need to share some data (usually with your name removed) with funders who are paying for events. Unless otherwise stated, Joshyboylegacy is the data controller and other organisations are the data processor. However, sometimes we will be joint controllers or at other times independent data controllers. We make sure that all suppliers of services to us take as much care with your data as we do. Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. 

With your permission, we may also work with you to share your story (including photos and videos) on our social media channels and in our digital and postal communications to potential donors of Joshyboylegacy. We will never share photos, videos or your story identifying you with anyone unless you give your permission. In some cases, we may share your story anonymously with a funder as they would like to know how we have spent their money. We ensure that you cannot be identified by the information we share with funders unless you give your consent. 

Occasionally, we will share your data when we are legally required to do so, for example to comply with the law, or a court order or where there is a clear safety risk to you or to someone else.

Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. 

For Donors and fundraisers

Joshyboylegacy collects personal information like name(s), contact information (for example email address, postal address, mobile telephone number), donation history, card payment details*, bank details (for Direct Debits)*, accessibility requirements, dietary requirements, medical information, emergency contact information, incident and accident reports (for events management) relationships, job title and employer, whether a donor pays tax (for Gift Aid), date of birth, communication preferences, reason for support, and communication history. At Joshyboylegacy we do our very best to stick to the GDPR principles of data minimisation and purpose limitation, and only collect information that we need when we need it. We only use information for the intended purpose. For example, we only ask for accessibility and dietary requirements if a fundraiser is attending an in-person event, or we only ask if an individual is a UK tax payer to work out if we can claim Gift Aid on their donation.

Most of the information we process for our donors and fundraisers is given directly by you when we request it online. This may be when you make a donation through (Go fund me), complete a survey (JotForm), or click through an advert on social media (Facebook, Instagram). We partner with suppliers (in brackets) to host these forms to provide the best experience to you and anyone who fills out these forms. Joshyboy is the data controller, and these suppliers are data processors. Whenever we use an online form to collect information we will always make you aware that we are using a supplier and provide you with both our and their privacy notice so that you know how we and they will look after your information. Often when Joshyboylegacy collects this information using online forms we are doing this so that we can carry out an agreement with you (contractual performance) such as processing a donation, claiming Gift Aid or registering you to run in Marathon and other fund raising activities. Sometimes, Joshyboylegacy is collecting information for our legitimate interest, to understand more about our donors and fundraisers so that we raise money sustainably to continue the great work we do families with disabled children. 

Joshyboylegacy also works with companies to look at the personal information we store in our database Raisers Edge and match it against publicly available records to add value to our database and improve the quality of the data. This helps us to avoid sending communications to people who are recently deceased. We add dates of birth and record home moves and changes of address where the data is publicly available. This helps us to save money by only contacting those people who would be most interested in our communications. Joshyboylegacy uses our legitimate interest to work with these companies. Joshyboylegacy is the data controller and the companies are the data processor.

We also work with companies to research the potential of donors and fundraisers to be a significant donor and collect additional details relating to their employment and any philanthropic activity. We may estimate gift capacity, based on visible assets, history of charitable giving and their connection to Joshyboylegacy. This helps us to understand our donors and fundraisers more and means that we can be more cost-effective. Joshyboylegacy uses our legitimate interest to work with these companies.  Joshyboylegacy is the data controller and the companies are the data processor.

We never sell personal information. We do share it with organisations who are completing a service on our behalf: where this is the case we will let you know at the point that we request your personal information. Examples include our mailing team, who send our letters and fundraising materials to our donors and fundraisers on our behalf, or couriers or venues who are helping us to put on an event. We make sure that all suppliers of services to us take as much care with your data as we do. Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area. 

We store the data of our donors and fundraisers in our database. Joshyboylegacy is a customer of Microsoft business services and stores data in Microsoft’s cloud document and storage system, SharePoint, as well as in other Microsoft applications. To read more about Microsoft’s data storage and security please visit Microsoft’s Trust Centre: Microsoft Privacy & Data Storage | Where Your Data Is Stored.

Joshyboylegacy has a retention schedule which we use to decide how long to store personal information. We keep personal information for as long as this document states. Sometimes this will be for as long as we are actively using the data. In other cases, there is a legal requirement for us to store data (such as financial data, or Gift Aid declaration information) for a fixed minimum period of time. For more information, please contact Data.protection@joshyboylegacy.co.uk

Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area.

We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with global data protection laws. Some countries are considered to provide an adequate level of protection because of the data protection laws in place in those countries (including New Zealand and Japan). If this is not the case, the protection may be set out under our contract with the organisationwho receives the information.

For volunteers, Job applicants and directors/trustees

Joshyboylegacy collects personal information such as name, contact information, preferred pronouns, emergency contact information, marital status, communication preferences, references, proof of ID (e.g. passports, driving license), results of a criminal record (DBS) check, education information, employment history, relevant skills and experience, reason for applying, pre-interview assessment results, interview notes, and photos and videos (with consent).

We also collect the following sensitive category information: health and medical data, religion, ethnicity and sexual orientation.

At Joshyboylegacy we do our very best to stick to the GDPR principles of data minimisation and purpose limitation, and only collect information that we need when we need it. We only use information for the intended purpose. For example, we only ask for information on religion, ethnicity and sexual orientation for monitoring and evaluation purposes.

We collect personal information when you apply for a paid position via Applied, or a voluntary or director/trustee position via our website. We use information you provide to assess your suitability for a position, andcontact information to let you know if you have been successful (contractual performance).

We collect sensitive category information, such as ethnicity and sexual orientation so that we can ensure that our recruitment processes are fair and unbiased. We also use this anonymised data to help us decide on the best ways of recruiting talent. Joshyboylegacy is collecting information for our legitimate interest, to understand more about our role applicants so that we can make sure that we are providing opportunities to all.   

Joshyboylegacy will also sometimes ask for personal information from therecruitment agencies to increase the number of candidates for a position. At first, any information shared by a recruitment agency (the data controller) will be anonymous until we have decided to offer the potential candidate an interview. Only at this point are details such as name and contact details shared at which point Joshyboylegacy will become a data controller of the candidates’ data.

We store the data of role applicants, trustees/directors and volunteers on secure servers in the UK. Joshyboylegacy is also a customer of Microsoft business services and stores data in Microsoft’s cloud document and storage system, SharePoint, as well as in other Microsoft applications. To read more about Microsoft’s data storage and security please visit Microsoft’s Trust Centre: Microsoft Privacy & Data Storage | Where Your Data Is Stored.

Joshyboylegacy has a retention schedule which we use to decide how long to store personal information.  We keep personal information for as long as this document states. Sometimes this will be for as long as we are actively using the data. In other cases, there is a legal requirement for us to store data (such as financial data for payroll) for a fixed minimum period of time. For more information, please contact data.protection@Joshyboylegacy.co.uk

Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area.

We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with global data protection laws. Some countries are considered to provide an adequate level of protection because of the data protection laws in place in those countries (for example, the UK, New Zealand, and Japan). If this is not the case, (for example, the US) the protection may be based on a contract with the organisation who receives the information.

For website users

Our website collects information about how you use it and what your preferences are for browsing our website. To do this, we place cookies on your device. A cookie is a small file placed on your device’s hard drive. Cookies can be used to provide core functionality for a website (e.g., logins), for website traffic reporting or for marketing purposes.

A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. We use our legitimate interest to:

Necessary cookies are cookies essential to ensure our website works for you.

Preference based cookies help a website to ‘remember’ information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

Statistical cookies count website visitors. With the use of these cookies, we are able to count visits and traffic sources to improve the performance of our website.

Unclassified cookies are cookies that we are working to define soon as necessary, marketing, preference based, statistical, first party or third party.

Marketing cookies are used to deliver adverts relevant to you. They are also used to limit the number of times you see an advert and help measure how effective an advert is. They can also be used to choose the adverts that are displayed to you on other websites.

First party cookies are set by the website you're visiting and only Joshyboylegacy can read them.

Third party cookies are not set by us and can be read by the owner of those cookies. They may be used by companies that provide tools that we have on our websites, such as when we include a form, map, or video. Usually, we can't control what information they collect but we can tell you the cookies we use.

If you don’t want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it, or you can refuse cookies altogether. You can also delete cookies that have already been set.

If you wish to restrict or block web browser cookies that are set on your device, you can do this through your browser settings – the Help function within your browser should tell you how. Alternatively, you may wish to visit Know Cookies, which contains information on how to do this on a variety of web browsers.

We place Instagram and Google Ads cookies on certain pages to help us understand what users do when they click on our online ads. For example, we want to see if users sign up to an event or donate after clicking on one of our ads. This helps us measure the success of any online advertising campaigns and ensures we only direct our Google and Instagramadvertising towards those most likely to be responsive to us.

We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including Facebook, Instagram, Linkedin, will set cookies through our site.

Policy Review

The policy will be reviewed by the committee.

Date of current review October 2024

Date of next review October 2025

Glossary of Definitions

Cookies – a small file of information – like a username or password – that are stored on your device and identify the user. Cookies are used to work out what to show you, improving your web experience. 

Consent – permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under GDPR law.

Contractual Performance – the data processing is needed to carry out an agreement with an individual. One of the ways that processing data can be justified under GDPR law.

Data Controller – an organisation (or a person) who makes decisions about how and why data is processed.

Data Minimisation – collecting the smallest amount of personal data that you need.

Data Processor(s) – an organisation (or a person) who carries out the instructions of the Data Controller and processed data on behalf of the Data Controller.

Data Protection Officer – someone who is an independent expert in data protection and looks after the interests of the Data Subject.

Data Subject – the individual whose personal data is being processed.

Joint Controllers – two or more Data Controllers who together decide how and why data is processed.

Legitimate Interest – a strong reason (or reasons) for a Data Controller to process data for no other reason than it is beneficial to the Data Controller if it doesn’t have a bad effect on the Data Subject. One of the ways that processing data can be justified under GDPR law although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment.

PCI DSS Compliant – a standard which sets out to regulate the card payments industry to help to prevent fraud.

Privacy and Cookie Notice – a publicly displayed explanation of how organisations process data.

Purpose Limitation – one of the principles of GDPR: personal data should only be used for the reasons it was collected.

Public Interest – beneficial for the public. One of the ways that processing data can be justified under GDPR law.

Retention Schedule – a table of how long organisations should store data.

Special Category Information – personal data that needs more protection because it is sensitive, and it could cause harm to the Data Subject if is found out by someone who has no right to access the information.

Standard Contractual Clauses (SCCs) – model (i.e., a good example to follow) data protection clauses, approved by the UK, which allow for the international transfer of personal data outside of the UK and the European Economic Area (EEA).