Privacy and Cookies

Who we are

We are Stepping Stone Projects, a company limited by guarantee incorporated in England and Wales (registered number: 2647645) and registered with the Charity Commission for England and Wales (charity registration number: 1004375). We are a homelessness charity providing services and accommodation to individuals in housing need.

We are a data controller for the purposes of the General Data Protection Regulation (GDPR). This means that we are responsible for deciding how we retain and use the personal information we hold about individuals.

Personal data

Personal data is any information relating directly or indirectly to an identifiable living person. We hold personal information about our customers, colleagus, trustees and other volunteers to allow us to provide our services effectively.

We are registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration number is: Z5859520

Data we hold

We will only collect information from you that is relevant to our work. In particular, we may collect the following information from you, which is defined as “personal data”:

  • Identity Data includes forenames, maiden name, last name, national insurance number, marital status, title, date of birth and gender.
  • Contact Data includes current and possibly previous address, e-mail address, emergency contact details and telephone numbers.
  • Financial Data includes bank account and payment card details, gift aid declarations.
  • Marketing and Communications Data includes your preferences for receiving marketing from us and your communication preferences.

Special categories of personal data

We may also collect special category personal data, such as:

  • Physical and mental health details;
  • Information relating to your racial or ethnic origin;
  • Information relating to your religion;
  • Information in respect of criminal records in order to undertake criminal record checks.

We will only collect this information either:

  • With your explicit consent, or where relevant;
  • When assessing our employees’ working capacity in compliance with our obligations under employment law.

Bases for processing

We have set out in the table below a description of all the ways in which we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out – as in the table below.

Purpose / Activity Type of Data Lawful basis for processing including basis of legitimate interest
To assist in delivering our services through the keeping of information on customers a) Identity
b) Contact
Necessary for our legitimate interests in ensuring that we can operate our services in a safe and effective manner
To process donations, including the administration of gift aid declarations; retaining that information as required a) Identity
b) Contact
c) Financial
a) Necessary for our legitimate interests in ensuring that the organisation is adequately funded and accountable for the funds raised
b) Necessary in order to comply with a legal obligation
To promote our activities and services through e-mail communications a) Identity
b) Contact
c) Marketing and communications
Consent – which may be withdrawn at any time via this email address or tel 01706 353000
To promote our activities and services through postal communications a) Identity
b) Contact
c) Marketing and communications
Necessary for our legitimate interests to develop and raise the profile of Stepping Stone Projects
To support and manage our colleagues, trustees and volunteers, including where necessary sharing information with payroll providers and public authorities (e.g. HMRC) a) Identity
b) Contact
c) Financial
a) Necessary in order to comply with a legal obligation
b) Performance of a contract with you
c) Necessary for our legitimate interests in ensuring colleagues are paid and managed effectively
To maintain a record of donors and supporters of the organisation a) Identity
b) Contact
c) Financial
d) Marketing and communications
Necessary for our legitimate interests in establishing marketing strategy and keeping in contact with our supporters.

Who we may share your information with

We will only share your personal data in limited circumstances. This may include:

  • To HMRC, law enforcement agencies and other state organisations as and when we are required to do so by law;
  • Local Authority funders in order to satisfy our contractual obligations;
  • Payroll providers when paying salaries to our colleagues;
  • Medical experts and healthcare professionals in order to ensure the safety and wellbeing of all colleagues, trustees, volunteers and customers;
  • Other agencies or landlords that we are working in partnership with;
  • Reference agencies in order to undertake criminal record and other checks.

How long we keep information for

We will keep your data in line with our retention policy, a copy of which is available on request. Some examples of how long we retain your personal data for are as follows:

  • We will usually keep the information of customers throughout the time they are using our services and for seven years afterwards in the event of any claim being brought;
  • We will also keep basic details about your time at Stepping Stone Projects (name, date of birth, dates attended our service) until you reach age 35;
  • We will retain contact details obtained for marketing purposes for as long as you consent for us to keep them. We will delete any information we hold on this basis upon being notified that you have withdrawn your consent.

Security arrangements in place to safeguard your data

We take the security of your personal data very seriously. We will ensure that all of the information provided to us is kept secure using appropriate technical and organisational measures and we have procedures in place to minimise the effects of any data breach. In the event of a data breach we will liaise with you and the ICO as necessary.


This website will deploy a single Session Cookie named Wire. This cookie is created by the CMS (Content Management System) and has the sole purpose of carrying out the transmission of a communication over an electronic communications network. This cookie does not need consent from the subscriber or from the user.

Session cookies do not collect information from the user's computer; they typically store information in the form of a session identification that does not personally identify the user. A transient cookie is not stored on your hard drive but is only stored in temporary memory that is erased when the browser is closed.

Our website does not use website tracking tools, i.e. we do not use 3rd party tools such as Google Analytics.

Other websites

Our website contains links to other websites. This privacy notice does not apply to those websites and you should familiarise yourself with the other organisation’s privacy notice in the first instance.

Your rights under the GDPR

You have several rights under the GDPR, which can be exercised in certain circumstances, including:

  • The right to be informed about the collection and use of your data;
  • The right of access to your personal data and confirmation that it is being processed;
  • The right to request rectification of inaccurate personal data;
  • The right to request erasure of your personal data in certain circumstances;
  • The right to request processing of your personal data is restricted or suppressed in certain circumstances;
  • The right to data portability;
  • The right to object to data processing carried out on the basis of our or a third party’s legitimate interests;
  • Rights in relation to automated decision making and profiling;
  • Right to withdraw any consent given.

If you have any queries in respect of any rights, please do not hesitate to contact us. Further information is also available at the Information Commissioner's Office.

Changes to the Privacy Notice

We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law. When such changes occur we will update this privacy notice accordingly; the last review was in May 2023.

Contact Details

If you have any queries or concerns about this privacy notice or how we handle the personal information referred to in it, please contact us on 01706 353000 or by e-mail If you have any complaints about the processing of personal data referred to in this privacy notice, you have the right to make a formal complaint to the Information Commissioner’s Office (ICO) (further information can be found at