Young Minds Matter (“We”) are committed to protecting and respecting your privacy.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

The rules on processing of personal data are set out in the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (the “GDPR”).

Data Compliance Officer

Any questions, reports or concerns in relation to data protection or GDPR should be shared with our Data Compliance Officer:

  • Name: Alex Withers
  • E-mail address:

Categories of data: Personal data and special categories of personal data

  • Personal data – The UK GDPR applies to ‘personal data’ meaning any information relating to a person who can be identified in particular by reference to specific data such as name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
  • Special categories of personal data – The special categories of personal data relevant to YMM would include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
  • Processing – means any operation(s) which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Who are we?

Young Minds Matter is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: Young Minds Matter, C/O STT Community Hub, Venture House, Avenue Farm, Birmingham Road, Stratford upon Avon, CV37 OHR. For all data matters contact us using the details above.

The purpose(s) of processing your personal data

We use your personal data for the following purposes:

  • To deliver safe and effective services to young people
  • To deliver services relating to the hosting of events (for example, supplying you with tickets)
  • To facilitate our fundraising activities (for example, Gift Aid declarations)
  • To operate our website

The categories of personal data concerned

With reference to the categories of personal data described in the definitions section, we process the following categories of your data:

  • Personal data (for example, your name, gender, date of birth, school/college (if applicable))
  • Special categories of data (for example, information about your physical or mental health if supplied to us by you or by the person or organisation that requested services for you.)

We have obtained your personal data from a service request form completed by the person or organisation that requested services for you and, once the service has started, from you during the delivery of that service.

All notes completed by our Mentors during their sessions are stored in secure encrypted cloud storage, with access restricted to only those within YMM for whom it is necessary.

What is our legal basis for processing your personal data?

Personal data (article 6 of GDPR)

Our lawful basis for processing your general personal data:

Processing necessary for the purposes of the legitimate interests of the data controller, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject

To deliver safe and effective services to young people

Special categories of personal data (article 9 of GDPR)

Our lawful basis for processing your special categories of data:

Processing necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent

This relates to data supplied to us by the person or organisation that requested services for you prior to us agreeing to provide services for you

Processing relates to personal data manifestly made public by the data subject

This relates to data provided to us by you during the delivery of our services to you

More information on lawful processing can be found on the ICO website.

Sharing your personal data

Your personal data will be treated as strictly confidential and will be shared only with your Young Minds Matter service provider and, if required to facilitate delivery of safe and effective services, our administrative team.

How long do we keep your personal data?

We keep your personal data for no longer than reasonably necessary and we only retain your data either in limited form to record that you received a service from us or in more detailed form in the case of any legal claims/complaints or child protection purposes etc.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of the personal data which we hold about you;
  • The right to request that we correct any personal data if it is inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary to retain it;
  • The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data;
  • The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, where applicable i.e. where processing is based on legitimate interests (for the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics.


Our website address is:

What personal data we collect and why we collect it

  • Comments
    • When visitors leave comments on the site we collect the data shown in the comments form and also the visitor’s IP address and browser user agent string to help spam detection.
    • An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.
  • Media
    • If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
  • Cookies
    • If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
    • If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
  • Embedded content from other websites
    • Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
    • These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
  • Analytics
    • We use Google Analytics to track web traffic to our website.
    • We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our services & support. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

In the event of a data breach

Data security breaches include both confirmed and suspected incidents. A personal data breach is one that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In short, it is any breach of security that affects the confidentiality, reliability or availability of personal data. Data that is even temporarily unavailable can be seen as a breach and may need us to notify the local regulatory authority if it could have a significant negative effect on individuals.

Personal data breaches can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

Reporting an Incident

Any individual who accesses, uses or manages the business information is responsible for reporting data breaches and information security incidents immediately to the Data Compliance Officer. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.

The report should include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process.

Investigation & risk assessment

An investigation will be undertaken by the Data Compliance Officer immediately and wherever possible within 24 hours of the breach being reported. They will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.

The investigation will take into account the following:

  • the type of data involved
  • its sensitivity
  • the protections that are in place (e.g. encryption)
  • what has happened to the data, i.e. whether it has been lost or stolen
  • whether the data could be put to any illegal or inappropriate use
  • who the individuals are, number of individuals involved and the potential effects on those data subject(s)
  • whether there are wider consequences to the breach


The Data Compliance Officer will determine who needs to be notified of the breach

Every incident will be assessed on a case by case basis; however, the following will need to be considered:

  • Whether there are any legal/contractual notification requirements;
  • Whether notification would assist the individual affected – could they act on the information to mitigate risks?
  • Whether notification would help prevent the unauthorised or unlawful use of personal data?

Notification to the individuals whose personal data has been affected by the incident will be given as soon as is possible and will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be made available through our usual communication channels (e.g. our website) and, where appropriate, communicated directly to you.

How to make a complaint

To exercise any relevant rights, or to raise queries or complaints, please in the first instance contact our data representative using the following contact details: Young Minds Matter, C/O STT Community Hub, Venture House, Avenue Farm, Birmingham Road, Stratford upon Avon, CV37 OHR.

If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office on 0303 123 1113 or via email, or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.