Data Protection and Privacy Policy (Version 2.0)

Last updated: February 2026

1. About this Policy

Leiomyosarcoma Research UK (“LMSR UK”, “we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy.

This policy explains:

  • What personal data we collect
  • Why we collect it
  • The lawful basis we rely on
  • How we use and protect it
  • How long we keep it
  • Who we share it with
  • Your rights

This policy may be updated from time to time. The latest version will always be available on our website.

2. Who We Are

Leiomyosarcoma Research UK is the Data Controller for the personal data we process.

ICO Registration Number: ZC088623

Contact details:

Leiomyosarcoma Research UK
167–169 Great Portland Street
5th Floor
London
W1W 5PF
Email: admin@lmsruk.org

3. What Personal Data We Collect

We collect personal data when you:

  • Make a donation
  • Fundraise for us
  • Register for an event
  • Apply for funding or a grant
  • Apply for a job or volunteer role
  • Subscribe to our newsletter
  • Contact us by email, phone, or post
  • Complete a survey
  • Engage with our website

The data we collect may include:

  • Name
  • Postal address
  • Email address
  • Telephone number
  • Date of birth
  • Donation history
  • IP address
  • Employment or professional information
  • Health information (where relevant)

Special Category Data (Health Information)

As a charity supporting people affected by leiomyosarcoma, we may collect information about health where:

  • You choose to share it
  • It is necessary for a grant application
  • It is relevant to support or research engagement

We only process health data where we have a lawful basis and a specific condition under UK GDPR (see Section 5).

4. How We Collect Data

We collect data:

  • Directly from you
  • From third-party fundraising platforms
  • From payment processors
  • From family members or organisations contacting us on your behalf
  • Through website analytics and cookies (see Section 11)

5. Lawful Basis for Processing

Under UK GDPR, we rely on the following lawful bases:

Article 6 Lawful Bases

We process personal data under one or more of the following:

  • Consent – for newsletters, marketing communications, or where required
  • Contract – where processing is necessary to fulfil a donation, grant, or event registration
  • Legal obligation – for financial reporting, Gift Aid, and employment law compliance
  • Legitimate interests – to administer the charity effectively, improve services, and communicate with supporters

Article 9 Conditions (Special Category Data)

Where we process health data, we rely on:

  • Explicit consent, or
  • Processing necessary for reasons of substantial public interest, where applicable under UK law

You may withdraw consent at any time.

6. How We Use Your Information

We use your data to:

  • Process donations and Gift Aid
  • Administer fundraising activities
  • Manage grant applications
  • Communicate with you
  • Respond to enquiries
  • Manage volunteers and staff
  • Improve our services
  • Maintain financial records
  • Meet legal and regulatory obligations

We do not sell personal data.

7. Who We Share Data With

We only share personal data where necessary.

This may include:

  • Payment processors
  • Fundraising platforms
  • Email service providers
  • IT and cloud storage providers
  • Professional advisers (legal, financial, auditors)
  • HMRC (for Gift Aid)

All third parties are required to process data securely and only for agreed purposes.

We do not share health information without your consent unless required by law.

8. International Transfers

Some of our service providers may store data outside the UK.

Where this occurs, we ensure appropriate safeguards are in place, such as:

  • UK adequacy regulations
  • International Data Transfer Agreements (IDTAs)
  • Standard Contractual Clauses

9. Data Security

We use appropriate technical and organisational measures to protect personal data, including:

  • Secure cloud storage
  • Password protection and access controls
  • Encrypted payment processing
  • Restricted staff access
  • Regular review of data handling practices

We are PCI-DSS compliant through our payment processors and do not store card details.

While we take security seriously, no method of transmission over the internet is completely secure.

10. Data Retention

We only keep personal data for as long as necessary.

Typical retention periods include:

  • Donation and Gift Aid records: 6 years (for accounting and HMRC compliance)
  • Grant applications: Up to 7 years
  • Employment records: 6 years after employment ends
  • Volunteer records: Up to 6 years after involvement ends
  • Marketing records: Until consent is withdrawn

Where data is no longer required, it is securely deleted or anonymised.

We retain suppression records (where you have asked not to be contacted) indefinitely to ensure we respect your wishes.

11. Website and Cookies

Our website uses cookies and analytics tools to understand how visitors use the site.

This may include:

  • Pages visited
  • Time spent on pages
  • Click-through behaviour
  • IP address

You can manage cookie preferences through your browser settings.

We are not responsible for the privacy practices of external websites linked from our site.

12. Automated Decision-Making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

13. Data Breaches

If a personal data breach occurs that is likely to result in risk to individuals, we will:

  • Notify the ICO where required
  • Inform affected individuals where necessary

We maintain internal procedures for managing data breaches.

14. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request erasure (“right to be forgotten”)
  • Restrict processing
  • Object to processing
  • Request data portability (where applicable)
  • Withdraw consent at any time
  • Lodge a complaint with the ICO

To exercise your rights, contact: admin@lmsruk.org

We may request proof of identity before responding.

We will respond within one month unless the request is complex.

We may charge a reasonable fee for excessive or unfounded requests.

15. Complaints

If you are unhappy with how we handle your data, please contact us first so we can try to resolve the issue.

You also have the right to complain to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF


Helpline: 0303 123 1113
Website: www.ico.org.uk