1. Introduction

Raedan Institute (“we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (www.raedan-institute.co.uk) or engage with our services. 

We are registered as a charity in England and Wales (Charity Numbers: 1113547 and 1209333) and our registered office is at 2 Overton Road, Leicester, LE5 0JA. 

This Privacy Policy should be read alongside our Terms and Conditions and Cookie Policy. 

1.1 Data Controller 

Raedan Institute is the data controller for the personal data we process. This means we are responsible for deciding how we hold and use personal information about you. 

Contact Details: 
Raedan Institute 
2 Overton Road 
Leicester, LE5 0JA 
Email: [email protected] 
Phone: 07725974831 

Data Protection Officer: 
Email: [email protected] 

1.2 Your Rights 

You have important rights under data protection law. This Privacy Policy explains these rights and how to exercise them. Key rights include accessing your data, correcting inaccuracies, requesting deletion, and objecting to certain processing. 

1.3 Changes to This Policy 

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or for other operational reasons. We will notify you of significant changes by: 

• Posting the updated policy on our website with a new “Last Updated” date 

• Sending email notification to registered service users 

• Displaying notices at our premises 

Please review this policy periodically to stay informed about how we protect your information. 

 

2. What Personal Data We Collect

We collect different types of personal data depending on your interaction with us. We only collect data that is necessary for the purposes described in this policy. 

2.1 Information You Provide Directly 

Contact and Identification Information: 

• Full name 

• Date of birth / age 

• Gender 

• Home address and postcode 

• Email address 

• Telephone number(s) 

• Emergency contact details 

• Relationship to service user (for parents/guardians) 

• Proof of identity documents (where legally required) 

Service Registration and Enrolment: 

• Registration forms and enrolment applications 

• Educational history and qualifications 

• Previous schools attended 

• Reasons for seeking our services 

• Specific support needs or requirements 

• Referral information (who referred you, professional recommendations) 

Educational and Academic Information: 

• Current educational setting (school, home educated, alternative provision) 

• Key Stage and year group 

• Subjects studied 

• Examination entries and results 

• Academic assessments and progress reports 

• Homework and coursework submissions 

• Attendance records 

• Behavioural records (where relevant) 

• Individual Education Plans (IEPs) or support plans 

• Special Educational Needs (SEN) information 

Health and Medical Information: 

• Disclosed medical conditions (e.g., asthma, epilepsy, diabetes) 

• Allergies and dietary requirements 

• Medications and treatment plans 

• Disabilities or impairments 

• Mental health information (for counselling services) 

• GP contact details 

• Medical consent forms 

Safeguarding Information: 

• Child protection concerns or records 

• Information about family circumstances affecting welfare 

• Court orders affecting contact or residence 

• Social services involvement 

• Relevant criminal records disclosures (for volunteers/staff only) 

Financial Information: 

• Payment details (bank account for refunds, payment history) 

• Eligibility for fee concessions or benefits 

• Gift Aid declarations (for donations) 

• Grant applications and financial assessments 

Communication and Preferences: 

• Communication preferences (email, phone, post) 

• Language preferences 

• Marketing consent preferences 

• Dietary and cultural preferences 

• Religious requirements 

• Accessibility needs 

User-Generated Content: 

• Photographs and videos (with consent) 

• Testimonials and feedback 

• Survey responses 

• Complaint submissions 

• Social media interactions 

2.2 Information We Collect Automatically 

Website Usage Data: 

• IP address 

• Browser type and version 

• Operating system 

• Device information 

• Pages visited and time spent 

• Referring website 

• Links clicked 

• Cookies and similar technologies (see Cookie Policy) 

CCTV and Security: 

• CCTV footage from our premises (for security and safeguarding) 

• Access control records (entry/exit times) 

Service Usage Data: 

• Attendance records 

• Session participation and engagement 

• Progress and outcome data 

• Feedback and evaluation responses 

2.3 Information From Third Parties 

We may receive personal data about you from: 

Referral Sources: 

• Schools and educational institutions 

• Family law solicitors 

• Cafcass officers 

• Family mediators 

• Social workers 

• GPs and healthcare professionals 

• Court orders 

Partner Organisations: 

• Local authorities 

• NHS services 

• Examination boards 

• NACCC (National Association of Child Contact Centres) 

• Funding bodies and grant-making trusts 

• DBS (Disclosure and Barring Service) – for staff/volunteers only 

Family Members: 

• Information provided by parents/guardians about children 

• Information from other family members (e.g., in Contact Centre context) 

2.4 Special Category Data 

Some personal data we collect falls into special categories requiring additional protection under UK GDPR: 

• Racial or ethnic origin (for equality monitoring) 

• Religious or philosophical beliefs (for service provision, e.g., Madrasah) 

• Health data (medical conditions, disabilities, mental health) 

• Biometric data (photographs, potentially) 

• Data concerning a child (anyone under 18) 

We only process special category data where we have: 

• Your explicit consent, or 

• A legal obligation, or 

• Vital interests (protecting life), or 

• Legitimate activities of a not-for-profit body, or 

• Data manifestly made public by you, or 

• Legal claims or safeguarding purposes 

 

3. How We Use Your Personal Data

We process personal data for specific, explicit, and legitimate purposes. We will not use your data in ways you would not reasonably expect unless we have a legal obligation or legitimate reason to do so. 

3.1 Providing Services 

Purpose: To deliver the educational, therapeutic, and support services you have registered for. 

Activities: 

• Enrolling you in programmes and courses 

• Delivering tuition, counselling, sports, and other activities 

• Assessing learning needs and progress 

• Providing appropriate differentiation and support 

• Facilitating Contact Centre sessions 

• Providing food bank assistance 

• Organizing events and activities 

• Communicating about sessions, timetables, and updates 

Legal Basis: 

• Contract performance (delivering services you’ve enrolled in) 

• Legitimate interests (providing quality services) 

• Consent (where services are optional or additional) 

3.2 Safeguarding Children and Vulnerable Adults 

Purpose: To protect the welfare and safety of children and vulnerable adults. 

Activities: 

• Recording and investigating safeguarding concerns 

• Sharing information with local authority safeguarding teams 

• Conducting risk assessments 

• Implementing safety measures and supervision 

• DBS checking staff and volunteers 

• Following safer recruitment procedures 

• Reporting to relevant authorities (police, social services, LADO) 

Legal Basis: 

• Legal obligation (statutory safeguarding duties) 

• Vital interests (protecting life and wellbeing) 

• Public task (exercising official authority for safeguarding) 

• Legitimate interests (ensuring safety of all service users) 

3.3 Communication 

Purpose: To communicate effectively with service users and families. 

Activities: 

• Responding to inquiries and requests 

• Sending service updates and information 

• Discussing progress and concerns 

• Coordinating with parents/guardians 

• Emergency communications 

• Providing receipts and confirmations 

Legal Basis: 

• Contract performance 

• Legitimate interests (effective communication) 

• Consent (for non-essential communications) 

3.4 Administration and Management 

Purpose: To administer services efficiently and manage our organization. 

Activities: 

• Maintaining accurate records 

• Scheduling sessions and managing attendance 

• Processing payments and refunds 

• Managing waiting lists 

• Staff and volunteer management 

• Quality assurance and monitoring 

Legal Basis: 

• Contract performance 

• Legitimate interests (efficient administration) 

• Legal obligation (record-keeping requirements) 

3.5 Compliance and Legal Obligations 

Purpose: To comply with legal and regulatory requirements. 

Activities: 

• Charity Commission reporting 

• HMRC reporting (Gift Aid, employment taxes) 

• Health and safety compliance 

• Examination board requirements 

• NACCC accreditation and reporting 

• Regulatory inspections and audits 

• Responding to legal requests and court orders 

• Maintaining statutory records 

Legal Basis: 

• Legal obligation 

• Public task 

• Legitimate interests (regulatory compliance) 

3.6 Improvement and Development 

Purpose: To improve our services and develop new offerings. 

Activities: 

• Analysing service usage and outcomes 

• Conducting evaluations and research 

• Gathering feedback through surveys 

• Identifying areas for improvement 

• Developing new programmes 

• Training and development of staff 

Legal Basis: 

• Legitimate interests (service improvement) 

• Consent (for optional surveys and feedback) 

3.7 Fundraising and Marketing 

Purpose: To sustain and grow our charitable work through fundraising and awareness-raising. 

Activities: 

• Grant applications to trusts and foundations 

• Donor communications and stewardship 

• Fundraising campaigns and appeals 

• Case studies and impact stories (with consent) 

• Marketing our services to potential users 

• Social media and website content 

• Newsletters and updates 

• Annual reports and promotional materials 

Legal Basis: 

• Legitimate interests (charitable fundraising and service promotion) 

• Consent (for direct marketing communications) 

• Soft opt-in (for existing service users, with easy opt-out) 

Your Rights: 

• You can opt out of marketing communications at any time 

• We will always respect “do not contact” requests 

• We never sell or rent your data to third parties for their marketing 

3.8 Examinations 

Purpose: To enter candidates for examinations and manage examination processes. 

Activities: 

• Registering candidates with examination boards 

• Submitting coursework and assessments 

• Administering examinations 

• Reporting results 

• Processing appeals and special considerations 

Legal Basis: 

• Contract performance 

• Legitimate interests (facilitating educational qualifications) 

• Legal obligation (JCQ and examination board requirements) 

 

4. Legal Bases for Processing

Under UK GDPR, we must have a legal basis for processing personal data. We rely on the following legal bases: 

4.1 Consent 

You have given clear, informed, and freely given permission for us to process your data for specific purposes. 

Examples: 

• Marketing communications 

• Photographs and videos for promotional use 

• Optional surveys and research 

• Sharing case studies with funders 

Your Rights: 

• You can withdraw consent at any time 

• Withdrawal does not affect lawfulness of processing before withdrawal 

• We will make withdrawal as easy as giving consent 

4.2 Contract 

Processing is necessary for a contract we have with you, or to take steps at your request before entering a contract. 

Examples: 

• Delivering educational services, you’ve enrolled in 

• Processing payments 

• Providing counselling sessions 

• Facilitating Contact Centre sessions 

4.3 Legal Obligation 

Processing is necessary to comply with legal obligations. 

Examples: 

• Statutory safeguarding duties 

• Health and safety requirements 

• Financial record-keeping 

• Regulatory reporting 

• Court orders 

4.4 Vital Interests 

Processing is necessary to protect someone’s life or critical wellbeing. 

Examples: 

• Medical emergencies 

• Serious safeguarding concerns 

• Immediate risks to safety 

4.5 Public Task 

Processing is necessary for performing tasks in the public interest or exercising official authority. 

Examples: 

• Safeguarding functions 

• Providing educational services meeting statutory requirements 

• Working with local authorities on community initiatives 

4.6 Legitimate Interests 

Processing is necessary for our legitimate interests or those of a third party unless these are overridden by your rights and interests. 

We rely on legitimate interests for many processing activities. Before doing so, we conduct a Legitimate Interests Assessment (LIA) to ensure: 

• There is a genuine and legitimate reason 

• It is necessary for that purpose 

• It does not override your rights and freedoms 

Examples: 

• Fraud prevention and security 

• Network and information security 

• Internal administration and record-keeping 

• Service improvement and quality assurance 

• Fundraising for charitable purposes (with opt-out) 

• Asserting or defending legal claims 

 

5. Who We Share Your Personal Data With

We do not sell, rent, or trade personal data. We share data only when necessary for the purposes described in this policy, and we ensure appropriate safeguards are in place. 

5.1 Safeguarding and Statutory Agencies 

Who: Local authority children’s and adult social care services, police, LADO (Local Authority Designated Officer), courts, Cafcass 

What: Safeguarding concerns, child protection information, relevant family circumstances, risk assessments 

Why: Statutory safeguarding duties, child protection, preventing harm, legal obligations 

Legal Basis: Legal obligation, vital interests, public task 

5.2 Educational Institutions and Authorities 

Who: Schools, colleges, local authority education departments, Department for Education 

What: Educational history, progress reports, attendance, SEN information, examination results 

Why: Coordinating education, supporting transitions, statutory reporting 

Legal Basis: Consent, contract, legal obligation, public task 

5.3 Examination Boards 

Who: AQA, Edexcel, OCR, WJEC, and other awarding bodies, JCQ (Joint Council for Qualifications) 

What: Candidate names, dates of birth, examination entries, coursework, results, access arrangements 

Why: Examination administration and certification 

Legal Basis: Contract, legal obligation 

5.4 Healthcare Providers 

Who: GPs, NHS services, mental health services, occupational therapists, speech, and language therapists 

What: Relevant health information, counselling records (with consent), referrals 

Why: Coordinated care, medical emergencies, therapeutic support 

Legal Basis: Consent, vital interests, legitimate interests 

5.5 NACCC (National Association of Child Contact Centres) 

Who: NACCC for accreditation and quality assurance 

What: Anonymized statistical data, policies and procedures, safeguarding records (if required) 

Why: Maintaining accreditation, quality standards, sector learning 

Legal Basis: Legitimate interests, public task 

5.6 Funders and Grant-Making Bodies 

Who: Charitable trusts, foundations, lottery distributors, government grant programmes (e.g., FIFA Foundation, DEFRA, Arts Council England) 

What: Anonymized outcome data, case studies (with consent), project reports, financial information 

Why: Grant applications, monitoring and evaluation, demonstrating impact, accountability 

Legal Basis: Legitimate interests, consent (for identifiable case studies) 

5.7 Professional Advisors and Regulators 

Who: Solicitors, accountants, auditors, insurance providers, Charity Commission, ICO, professional bodies (BACP, etc.) 

What: Information necessary for professional advice, regulatory compliance, investigations 

Why: Legal advice, financial management, regulatory compliance, professional standards 

Legal Basis: Legal obligation, legitimate interests 

5.8 Service Providers and Processors 

Who: IT service providers, website hosting, cloud storage, payment processors, email services, CCTV monitoring, volunteer background checking services 

What: Data necessary for them to provide services on our behalf 

Why: IT infrastructure, communications, payment processing, security 

Legal Basis: Legitimate interests 

Safeguards: We have data processing agreements with all processors, requiring them to: 

• Process data only on our instructions 

• Implement appropriate security measures 

• Delete or return data when no longer needed 

• Not use data for their own purposes 

5.9 Legal and Emergency Situations 

We may share data without consent in emergency situations or when legally required: 

• Medical emergencies: Sharing health information with emergency services 

• Court orders: Complying with legal orders and subpoenas 

• Legal claims: Defending or asserting legal rights 

• Police investigations: Cooperating with criminal investigations 

• Safeguarding emergencies: Preventing serious harm 

5.10 Third Parties With Your Consent 

We may share data with other parties when you specifically request or consent: 

• References for employment or education 

• Transferring records to new educational providers 

• Sharing reports with parents, solicitors, or other nominated individuals 

 

6. International Transfers

We primarily store and process data within the United Kingdom. However, some data may be transferred internationally in limited circumstances: 

6.1 Cloud Services and IT Infrastructure 

Some of our service providers (e.g., cloud storage, email services) may process data on servers located outside the UK/EEA. 

Safeguards: 

• We only use reputable providers with robust security 

• We ensure transfers are protected by:  

• UK GDPR-compliant Standard Contractual Clauses (SCCs) 

• Adequacy decisions (for approved countries) 

• Other appropriate safeguards 

6.2 International Educational Services 

Through our partnership with Academica Mentoring, we may share data with international educational institutions or participants in teacher training programmes. 

Safeguards: 

• Explicit consent obtained 

• Appropriate data protection agreements in place 

• Limited to necessary information only 

6.3 Your Rights 

You can request information about international transfers affecting your data and obtain copies of the safeguards in place. 

 

7. How Long We Keep Your Personal Data

We retain personal data only as long as necessary for the purposes for which it was collected, and to comply with legal obligations. 

7.1 Retention Periods 

Educational Records: 

• Current students: For duration of service provision 

• Former students (under 18): Until the individual reaches age 25, or 6 years after leaving (whichever is longer) 

• Former students (over 18): 6 years after completion of service 

• Home education files: 6 years after last contact 

• Examination records: In line with examination board requirements (typically 6 years) 

Safeguarding Records: 

• Until the individual reaches age 25 (minimum), or longer if serious concerns exist 

• Serious case reviews: Indefinitely 

• In accordance with “Safeguarding Children and Safer Recruitment in Education” guidance 

Counselling and Therapy Records: 

• 7 years after last session (adults) 

• Until age 25 for minors, or 7 years after last session (whichever is longer) 

• In line with BACP/professional body guidance 

Contact Centre Records: 

• Duration of contact arrangements plus 7 years 

• Safeguarding records: Until child reaches 25 or longer if concerns exist 

• NACCC reporting data: Anonymized indefinitely for sector learning 

Financial Records: 

• 7 years from end of financial year (HMRC requirement) 

• Gift Aid declarations: 7 years 

• Grant applications and reports: 7 years after grant completion 

Employment and Volunteer Records: 

• 6 years after employment/volunteering ends 

• DBS checks: Not retained (outcome recorded only) 

• Safeguarding allegations: Until individual reaches 65 or 10 years from allegation (whichever is longer) 

Food Bank Records: 

• 2 years from last contact 

CCTV Footage: 

• 30 days, unless required for investigations or legal proceedings 

Website and Marketing: 

• Active contacts: Until consent is withdrawn or person becomes inactive 

• Inactive contacts: Removed after 3 years of no engagement 

• Website cookies: As specified in Cookie Policy 

General Correspondence: 

• 2 years from last correspondence 

7.2 Exceptions 

We may retain data longer than specified periods where: 

• Legal proceedings are ongoing or anticipated 

• Regulatory investigations require retention 

• Serious safeguarding concerns exist 

• Historical or archival purposes (with appropriate safeguards and public interest) 

• We have obtained your consent for longer retention 

7.3 Secure Disposal 

When retention periods expire, we securely destroy or delete data: 

• Paper records: Confidential shredding 

• Electronic data: Secure deletion or destruction of storage media 

• CCTV: Automatic overwriting 

 

8. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. 

8.1 Technical Measures 

IT Security: 

• Firewalls and anti-virus software 

• Encrypted data transmission (SSL/TLS) 

• Encrypted data storage for sensitive information 

• Secure passwords and multi-factor authentication 

• Regular security updates and patches 

• Secure cloud storage with reputable providers 

• Regular data backups 

• Access controls and user permissions 

Physical Security: 

• Locked filing cabinets for paper records 

• Restricted access to offices and record storage 

• CCTV monitoring of premises 

• Visitor sign-in procedures 

• Secure destruction of confidential waste 

8.2 Organisational Measures 

Policies and Procedures: 

• Data Protection Policy 

• Information Security Policy 

• Acceptable Use Policy (IT) 

• Clear Desk Policy 

• Data Breach Response Plan 

• Access control protocols 

Staff and Volunteer Training: 

• Mandatory data protection training for all staff and volunteers 

• Regular refresher training 

• Specific training for roles handling sensitive data 

• Confidentiality agreements signed by all personnel 

Access Controls: 

• Need-to-know basis for data access 

• Different permission levels based on roles 

• Regular review of access rights 

• Prompt removal of access when staff/volunteers leave 

Third-Party Management: 

• Due diligence on processors and partners 

• Data Processing Agreements with clear obligations 

• Regular review of third-party security practices 

8.3 Data Breach Response 

Despite our best efforts, breaches can occur. We have procedures to: 

Detect and Respond: 

• Promptly identify and contain breaches 

• Assess risks to individuals 

• Take remedial action to prevent recurrence 

Report: 

• Report serious breaches to the ICO within 72 hours (where legally required) 

• Notify affected individuals when risks are high 

• Document all breaches for learning and accountability 

Learn and Improve: 

• Investigate root causes 

• Implement improvements to prevent recurrence 

• Update training and procedures 

If you suspect a data breach, contact us immediately at [email protected]. 

 

9. Your Data Protection Rights

Under UK GDPR, you have important rights regarding your personal data. We will respond to requests within one month (extendable by two further months for complex requests). 

9.1 Right of Access (Subject Access Request) 

What it means: You can request a copy of the personal data we hold about you. 

How to exercise: Submit a written request to [email protected] or our postal address. 

What we’ll provide: 

• Confirmation we’re processing your data 

• Copy of your personal data 

• Supplementary information (purposes, categories, recipients, retention periods, your rights) 

Timeframe: Within one month (may extend to three months for complex requests) 

Cost: Usually free. We may charge a reasonable fee for unfounded, excessive, or repeat requests. 

Identity verification: We may request proof of identity to prevent unauthorized disclosure. 

9.2 Right to Rectification 

What it means: You can request correction of inaccurate or incomplete personal data. 

How to exercise: Contact us with details of the inaccuracy and the correction required. 

Our response: We will correct inaccurate data promptly and notify any third parties we’ve shared the data with (unless impossible or disproportionate effort). 

Note: For some data (e.g., examination results), we cannot make changes as it’s controlled by examination boards. 

9.3 Right to Erasure (‘Right to be Forgotten’) 

What it means: In certain circumstances, you can request deletion of your personal data. 

When it applies: 

• Data is no longer necessary for the purpose collected 

• You withdraw consent (where processing was based on consent) 

• You object and there are no overriding legitimate grounds 

• Data was processed unlawfully 

• Legal obligation requires erasure 

Limitations: We cannot erase data when: 

• Required by law (e.g., safeguarding records, financial records) 

• Necessary for legal claims or obligations 

• In the public interest (e.g., safeguarding) 

• For archiving, research, or statistical purposes (with appropriate safeguards) 

How to exercise: Submit written request explaining why erasure should apply. 

9.4 Right to Restrict Processing 

What it means: You can request we limit how we use your data while issues are resolved. 

When it applies: 

• You contest accuracy (while we verify) 

• Processing is unlawful but you prefer restriction to erasure 

• We no longer need the data, but you need it for legal claims 

• You’ve objected to processing (pending verification of our legitimate grounds) 

What restriction means: We store the data but don’t use it (except with your consent, for legal claims, to protect others, or for public interest). 

How to exercise: Submit written request specifying the grounds for restriction. 

9.5 Right to Data Portability 

What it means: You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller. 

When it applies: 

• Processing is based on consent or contract 

• Processing is carried out by automated means 

What we’ll provide: Your data in CSV, JSON, or similar format. 

Limitations: Doesn’t apply to paper records or manual processing. 

How to exercise: Submit written request specifying the data and format desired. 

9.6 Right to Object 

What it means: You can object to processing based on legitimate interests or for direct marketing. 

Direct Marketing: You have an absolute right to object to direct marketing at any time. We will stop immediately upon objection. 

Legitimate Interests: You can object to processing based on our legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds overriding your interests, or for legal claims. 

How to exercise: 

• For marketing: Click unsubscribe links, reply “STOP” to texts, or contact us 

• For other processing: Submit written request explaining your objection 

9.7 Rights Related to Automated Decision-Making 

What it means: You have rights not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. 

Our practices: We do not currently use automated decision-making or profiling with legal/significant effects. 

Your rights: If we introduce such processing, you have rights to: 

• Be informed about the logic involved 

• Request human intervention 

• Express your point of view 

• Contest the decision 

9.8 Right to Withdraw Consent 

What it means: Where processing is based on consent, you can withdraw it at any time. 

Effect: Withdrawal doesn’t affect lawfulness of processing before withdrawal. If consent is our only legal basis, we must stop processing (except where we have another legal basis). 

How to exercise: Contact us by any method; we’ll make withdrawal as easy as giving consent. 

9.9 Rights for Children 

Children (under 18) have the same rights as adults. Parents/guardians can exercise rights on behalf of children, though we may consider the child’s level of maturity when responding. 

For children under 13: We generally require parental consent for processing (except for safeguarding or legal obligations). 

For children 13-17: We may accept their consent directly for some services, depending on maturity and understanding. Parents can exercise rights unless this would conflict with safeguarding interests. 

 

10. How to Exercise Your Rights

10.1 Making a Request 

Contact us by: 

Email: [email protected] 
Post: Data Protection Officer, Raedan Institute, 2 Overton Road, Leicester, LE5 0JA 
Phone: 07725974831 

Include in your request: 

• Your full name and contact details 

• Proof of identity (if first request or identity unclear) 

• Specific right you wish to exercise 

• Details of the data or processing concerned 

• Any relevant reference numbers or dates 

10.2 Identity Verification 

To protect your privacy, we verify identity before disclosing personal data or making changes. We may request: 

• Copy of passport or driving license 

• Recent utility bill (for address verification) 

• Additional information only you would know 

If requesting on behalf of a child or someone lacking capacity, we may request evidence of your authority (e.g., parental responsibility, power of attorney). 

10.3 Our Response 

We will: 

• Acknowledge requests promptly 

• Respond substantively within one month 

• Extend to three months for complex requests (with explanation) 

• Explain reasons if we decline requests 

• Provide responses free of charge (with limited exceptions) 

10.4 If You’re Not Satisfied 

If you’re unhappy with our response: 

1. Internal review: Request escalation to our Board of Trustees 

1. ICO complaint: Contact the Information Commissioner’s Office (details in section 11) 

1. Legal action: You may seek judicial remedy through courts 

 

11. Complaints

11.1 Complaining to Us 

If you have concerns about how we handle your personal data, please contact us first: 

Data Protection Officer 
Raedan Institute 
2 Overton Road 
Leicester, LE5 0JA 
Email: [email protected] 
Phone: 07725974831 

We will investigate and respond within 28 days. 

11.2 Complaining to the ICO 

You have the right to complain to the supervisory authority: 

Information Commissioner’s Office (ICO) 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire SK9 5AF 

Helpline: 0303 123 1113 
Website: www.ico.org.uk 
Report online: www.ico.org.uk/make-a-complaint 

The ICO can investigate complaints and take enforcement action if necessary. 

11.3 Legal Remedies 

You have the right to seek judicial remedy through courts if you believe your data protection rights have been infringed. 

 

12. Children’s Privacy

We take children’s privacy very seriously and implement enhanced protections for data about individuals under 18. 

12.1 Parental Consent 

For children under 13, we obtain verifiable parental consent before processing personal data (except for safeguarding, legal obligations, or counselling where child sought support independently). 

For children aged 13-17, we assess whether they have sufficient maturity to provide their own consent, depending on the service and processing. 

12.2 Transparency for Children 

We strive to explain data processing to children in age-appropriate language. For services primarily used by children, we provide simplified privacy information suitable for young people. 

12.3 Parental Rights 

Parents/guardians can: 

• Access their child’s personal data 

• Request rectification, erasure, or restriction 

• Object to processing 

• Withdraw consent (where applicable) 

However, we balance parental rights with: 

• The child’s own rights and maturity 

• Safeguarding considerations (we may withhold data from parents if disclosure would risk harm to the child) 

• Professional confidentiality (e.g., counselling sought independently by child) 

12.4 Special Protections 

For children, we: 

• Use enhanced security measures 

• Implement strict access controls 

• Provide additional safeguarding training to staff 

• Never use children’s data for marketing 

• Carefully consider legitimate interests (giving greater weight to children’s rights) 

• Minimise data collection and retention 

 

13. Marketing and Communications

13.1 Types of Communications 

Service Communications (non-marketing): 

• Essential service information (schedules, cancellations) 

• Account and payment information 

• Safety or safeguarding alerts 

• Legal notices 

These are necessary for service provision and are not marketing. 

Marketing Communications: 

• Newsletters about our activities 

• Fundraising appeals 

• Promotional materials about new services 

• Event invitations 

• Success stories and impact reports 

13.2 How We’ll Contact You 

We may send marketing communications by: 

• Email 

• Post 

• Text/SMS (occasionally) 

• Phone (rarely) 

• Social media (if you follow/engage with us) 

13.3 Your Consent and Preferences 

Opt-in: For most marketing, we require opt-in consent. You choose to receive communications by ticking boxes or confirming preferences. 

Soft opt-in: For existing service users, we may send marketing about similar services unless you opt out (in line with PECR regulations). 

Your control: 

• Update preferences any time 

• Choose which communications to receive 

• Opt out of some or all marketing 

13.4 How to Opt Out 

Email: Click “unsubscribe” links in emails or reply requesting removal. 

Text: Reply “STOP” to any marketing text. 

Post: Write to us requesting removal from mailing list. 

Phone: Tell us you don’t wish to receive calls. 

General: Email [email protected] stating your preference. 

We’ll action opt-outs within 5 working days. 

13.5 Third-Party Marketing 

We never sell, rent, or share your data with third parties for their marketing purposes. 

 

14. Cookies and Website Technologies

Our website uses cookies and similar technologies. Please see our separate Cookie Policy for detailed information about: 

• What cookies we use 

• Why we use them 

• How to control cookies 

• Third-party cookies 

 

15. Links to Other Websites

Our website may contain links to third-party websites, social media platforms, or services. This Privacy Policy applies only to Raedan Institute. 

We are not responsible for: 

• Privacy practices of third-party sites 

• Content or accuracy of external sites 

• How third parties collect or use your data 

We recommend: 

• Reviewing privacy policies of any sites you visit 

• Being cautious about information you provide to third parties 

• Understanding that clicking links may share some data (e.g., IP address, referrer) 

 

16. Updates to This Privacy Policy

We may update this Privacy Policy to reflect: 

• Changes in law or regulation 

• Changes in our practices or services 

• Improvements in clarity or transparency 

• Feedback from regulators or stakeholders 

16.1 How We’ll Notify You 

For significant changes: 

• Post updated policy on website with new “Last Updated” date 

• Email notification to registered service users 

• Display prominent notice on website and premises 

• Highlight key changes in summary 

For minor changes (clarifications, formatting): 

• Update website with new date 

• No active notification 

16.2 Your Options 

After changes: 

• Review the updated policy 

• Contact us with questions or concerns 

• Withdraw consent if changes affect consent-based processing 

• Exercise your data protection rights 

16.3 Version Control 

Previous versions available on request for transparency and record-keeping. 

 

17. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices: 

Raedan Institute 
2 Overton Road 
Leicester 
LE5 0JA 
United Kingdom 

General Inquiries: [email protected] 
Phone: 07725974831 
Data Protection Officer: [email protected] 

Office Hours: 
Monday – Wednesday: 8:30 AM – 3:30 PM 
Other times by appointment 

We aim to respond to all inquiries within 3 working days. 

 

18. Definitions

Personal Data: Information relating to an identified or identifiable living individual. 

Special Category Data: Sensitive personal data including racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. 

Processing: Any operation performed on personal data, including collection, storage, use, sharing, or deletion. 

Data Controller: The organization determining purposes and means of processing personal data (Raedan Institute). 

Data Processor: An organization processing data on behalf of the controller. 

Data Subject: The individual whose personal data is being processed (you). 

Consent: Freely given, specific, informed, and unambiguous agreement to processing. 

UK GDPR: UK General Data Protection Regulation (retained EU law in UK). 

DPA 2018: Data Protection Act 2018. 

ICO: Information Commissioner’s Office (UK supervisory authority). 

 

Document Control: 

• Version: 1.0 

• Last Updated: January 2, 2025 

• Next Review Date: January 2, 2026 

• Approved by: Board of Trustees, Raedan Institute 

• Owner: Data Protection Officer, Raedan Institute 

 

COOKIE POLICY 

Last Updated: January 2, 2025 

1. Introduction

This Cookie Policy explains how Raedan Institute (“we,” “us,” or “our”) uses cookies and similar technologies on our website (www.raedan-institute.co.uk). 

This policy should be read alongside our Privacy Policy and Terms and Conditions. 

1.1 What Are Cookies? 

Cookies are small text files placed on your device (computer, smartphone, tablet) when you visit a website. They help websites: 

• Remember information about your visit 

• Make your next visit easier 

• Ensure the site is useful and relevant to you 

Cookies contain information that is transferred to your device’s hard drive. They’re commonly used to improve user experience and website functionality. 

1.2 Cookie Regulations 

We comply with: 

• UK GDPR and Data Protection Act 2018 

• Privacy and Electronic Communications Regulations (PECR) 2003 (as amended) 

• Guidance from the Information Commissioner’s Office (ICO) 

 

2. Types of Cookies We Use

2.1 Strictly Necessary Cookies 

What they do: These cookies are essential for the website to function. They enable core functionality like security, network management, and accessibility. The website cannot function properly without them. 

Examples: 

• Session cookies keeping you logged in 

• Security cookies preventing fraudulent activity 

• Load balancing cookies distributing traffic 

• Cookie consent cookies remembering your preferences 

Your control: These cookies cannot be disabled as they’re required for the site to work. They don’t require consent under PECR. 

Lifespan: Usually session cookies (deleted when you close browser) or up to 12 months. 

2.2 Performance/Analytics Cookies 

What they do: These cookies collect information about how visitors use our website, such as which pages are visited most often, where visitors come from, and how they navigate the site. All information is aggregated and anonymous. 

Purpose: To understand how visitors use our site and improve website performance, user experience, and content. 

Examples: 

• Google Analytics cookies tracking page views, time on site, bounce rate 

• Heatmap tools showing where users click 

• Error tracking identifying technical issues 

Your control: You can opt out through our cookie consent tool or browser settings. We won’t use these cookies without consent (unless anonymized and no IP addresses stored). 

Lifespan: Typically, 12-24 months. 

Information collected: 

• Pages visited and time spent 

• Links clicked 

• Browser and device type 

• Approximate location (country/city) 

• Referral source (how you found our site) 

Third parties: Google Analytics (subject to Google’s privacy policy). 

2.3 Functionality Cookies 

What they do: These cookies remember choices you make (such as language, region, or accessibility settings) to provide enhanced, personalized features. 

Purpose: To improve user experience by remembering your preferences. 

Examples: 

• Language selection 

• Text size preferences 

• Video player settings 

• Form data you’ve entered 

Your control: You can opt out through cookie settings. Disabling may affect site functionality and personalization. 

Lifespan: Typically, 12 months or until you clear cookies. 

2.4 Targeting/Advertising Cookies 

What they do: These cookies track your browsing across different websites to show relevant advertisements and limit how many times you see an ad. 

Our use: We do NOT currently use targeting or advertising cookies. We are a charity and don’t engage in behavioural advertising. 

If this changes: We will update this policy, seek your consent, and provide clear opt-out options. 

 

3. How We Use Cookies

3.1 Essential Website Functions 

• Maintaining security and preventing fraud 

• Remembering items in forms (before you submit) 

• Enabling navigation and core features 

• Load balancing for performance 

• Remembering cookie preferences 

3.2 Improving User Experience 

• Remembering your settings and preferences 

• Reducing repetitive data entry 

• Providing personalized content 

• Enabling interactive features 

3.3 Analytics and Performance 

• Understanding which content is most useful 

• Identifying technical issues or errors 

• Testing new features and designs 

• Measuring campaign effectiveness 

• Understanding visitor demographics and interests 

3.4 What We DON’T Do 

• We don’t sell cookie data to third parties 

• We don’t use cookies to identify you personally (except where you’re logged in) 

• We don’t use cookies for behavioural advertising 

• We don’t track you across unrelated websites 

 

4. Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages. We don’t control these cookies or the data they collect. 

4.1 Google Analytics 

Provider: Google LLC 

Purpose: Website analytics to understand visitor behaviour 

Data collected: IP address (anonymized), pages visited, device type, approximate location, referral source 

Privacy policy: https://policies.google.com/privacy 

Opt-out: https://tools.google.com/dlpage/gaoptout or via our cookie consent tool 

4.2 Embedded Content 

When we embed content from third parties (e.g., YouTube videos, social media posts), these services may set their own cookies. 

Examples: 

• YouTube (video hosting) – Google privacy policy applies 

• Vimeo (video hosting) – Vimeo privacy policy applies 

• Social media plugins (Facebook, Twitter, etc.) – their privacy policies apply 

Your control: These cookies are only set when you interact with the embedded content (not just by visiting the page). You can control them through your browser settings or the third party’s privacy tools. 

4.3 Payment Processors 

If you make payments through our website, payment processors (e.g., PayPal, Stripe) may use cookies for security and fraud prevention. These are governed by their privacy policies. 

 

5. Managing Your Cookie Preferences

5.1 Cookie Consent Tool 

When you first visit our website, you’ll see a cookie banner allowing you to: 

• Accept all cookies 

• Accept only necessary cookies 

• Customise preferences (choose which types to allow) 

You can change your preferences anytime by: 

• Clicking the “Cookie Settings” link in our website footer 

• Revisiting the cookie banner (clearing cookies will show it again) 

5.2 Browser Controls 

All modern browsers allow you to control cookies through settings. You can: 

• Block all cookies 

• Accept only first-party cookies (not third-party) 

• Delete cookies after each session 

• Set exceptions for trusted sites 

How to access cookie settings: 

Google Chrome: Settings > Privacy and Security > Cookies and other site data 

Firefox: Settings > Privacy & Security > Cookies and Site Data 

Safari: Preferences > Privacy > Cookies and website data 

Microsoft Edge: Settings > Privacy, search, and services > Cookies and site data 

Limitations: Disabling cookies may affect website functionality. Some features may not work properly without cookies. 

5.3 Google Analytics Opt-Out 

Install Google’s opt-out browser add-on: 
https://tools.google.com/dlpage/gaoptout 

This prevents Google Analytics from collecting data across all websites you visit. 

5.4 Do Not Track 

Some browsers have “Do Not Track” (DNT) signals. Currently, there’s no industry standard for responding to DNT. We don’t respond to DNT signals but provide robust cookie controls through our consent tool. 

 

6. Cookie Lifespan

Session Cookies: 

• Temporary cookies deleted when you close your browser 

• Used for essential functions like security and navigation 

Persistent Cookies: 

• Remain on your device for a set period or until manually deleted 

• Used for preferences, analytics, and functionality 

• Our persistent cookies typically last 12-24 months 

• You can delete them anytime through browser settings 

 

7. Cookies and Personal Data

7.1 When Cookies Are Personal Data 

Cookies may constitute personal data if they can identify you (e.g., when you’re logged in or if combined with other data). 

When cookies contain personal data: 

• Our Privacy Policy applies 

• All UK GDPR rights apply (access, erasure, etc.) 

• We process the data lawfully (consent, legitimate interests, or contract) 

7.2 Anonymized Analytics 

We anonymize Google Analytics data by: 

• Activating IP anonymization (removing last octet of IP addresses) 

• Not collecting personally identifiable information 

• Not combining with other data to identify individuals 

Anonymized analytics don’t constitute personal data and require no consent under GDPR (though we still seek consent under PECR). 

 

8. Cookies and Children

We don’t knowingly collect data from children under 13 through cookies without parental consent. 

If our website has sections for children, we: 

• Use minimal cookies in those sections 

• Avoid tracking or targeting cookies 

• Provide child-appropriate privacy information 

• Seek parental consent where required 

Parents can manage their child’s cookie preferences through browser settings. 

 

9. Updates to Cookie Usage

We may update our cookie usage to: 

• Improve website functionality 

• Add new features or services 

• Comply with legal requirements 

• Respond to user feedback 

9.1 Notification of Changes 

For significant changes (e.g., adding new cookie types): 

• Update this Cookie Policy with new “Last Updated” date 

• Display cookie banner again to seek fresh consent 

• Email registered users if substantial changes occur 

For minor changes: 

• Update policy with new date 

• No active re-consent required 

9.2 Your Control 

After updates: 

• Review the updated policy 

• Adjust your cookie preferences 

• Withdraw consent if you disagree with changes 

 

10. Contact Us

For questions about cookies or this policy: 

Raedan Institute 
2 Overton Road 
Leicester, LE5 0JA 

Email: [email protected] 
Phone: 07725974831 

For data protection matters: 
Data Protection Officer: [email protected] 

 

11. Complaints

If you’re unhappy about our use of cookies: 

Contact us first: [email protected] 

Complain to the regulator: 
Information Commissioner’s Office (ICO) 
Website: www.ico.org.uk 
Helpline: 0303 123 1113 

 

12. Useful Resources

More about cookies: 

• All About Cookies: www.allaboutcookies.org 

• ICO Cookie Guidance: www.ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies 

Browser help: 

• Chrome: https://support.google.com/chrome/answer/95647 

• Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer 

• Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac 

• Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09 

 

Document Control: 

• Version: 1.0 

• Last Updated: September 1st, 2025 

• Next Review Date: September 1st, 2026 

• Approved by: Board of Trustees, Raedan Institute