Privacy policy

Thistle Foundation (Thistle) respects and keeps safe any personal details (which are also referred to as personal data) that you share with us. This policy explains which information we may collect about you when you engage or interact with us. It explains how we store and handle your data, who we share it with and how we keep it safe, and it explains your rights in relation to your information.

About this Policy

We have tried to make this policy as clear as possible although we recognise there is a lot of information. Hopefully, we have included enough information to answer your questions, but if you have any concerns, please get in touch by emailing or writing to the Data Protection Officer, 13 Queen’s Walk, Edinburgh, EH16 4EA, or by telephoning 0131 661 3366.

We may make changes to this privacy policy from time to time in line with best practice or new regulations or legislation. The latest version of our policy will always be available on the Thistle website ( and we will notify you of any significant changes.

You can download a copy of our Privacy Policy for your records: Privacy Policy Document

About Thistle Foundation

We know that people engage with different part of our organisation, so in this document, ‘Thistle’, covers Supported Living, Thistle Services, Health and Wellbeing, our Young People’s work, Thistle Training Consultancy and Thistle Learning. The policy covers all of our activities too whether it’s the support we provide for you, the support you give to us or our corporate outreach such as fundraising and marketing.

Policy Contents

This policy includes:


1. The Legal Basis For Thistle To Collect Personal Data

Under the new regulations, Thistle can collect personal data for the following reasons:

1)   If we have your consent 
For example: if you have filled in a self-referral form or signed-up for a newsletter.

2)   If we need your personal details to fulfil our legal or regulatory obligations
For example: we need your address to provide support to you at home

3)   If we’re required to by law.
For example: to prevent fraud or criminal activity

4)   If we have a legitimate interest – in some situations we may need to collect and use your personal information in a way you could reasonably expect to carry out our work and fulfil our charitable aims which does not impact on your rights, freedom or interests.

For example, we will contact you about any changes to your service, or to keep you informed of our work.

For example, if you are part of our supporter community, we may contact you about fundraising activity and appeals to ask you for financial or non-financial support.

For example, to assess and verify applications for paid or voluntary work.

For example, analysis and profiling of our supporters using personal information we already hold

For example, updating or appending your address using third party sources if you have moved house or changed your telephone number; confirming the email address you provided us is still valid

Making sure your information is up to date:

We may use information from external sources such as the Post Office’s National Change of Address Database, public electoral roll or professional database companies to ensure the details we hold are accurate. We have a legal obligation to ensure our records are up to date but also to ensure we are acting in the most cost effective and considerate way. We do this when we think you have changed address or telephone number so that we can update our records and stay in touch but also to ensure that we are not contacting anyone who may have deceased since our last communications. We may also append an (additional) address or telephone number to be able to contact you, providing you have not objected or opted out of such communications and we are acting in accordance with legitimate interest as noted above.

Where we need to process sensitive information relating to your health, we will only do so if:


2. When and Where Do We Collect Personal Data?

The type and quantity of information we collect and how we use it depends on why you are providing it. You may be a supporter of Thistle (through volunteering or donating), you may be supported by us or you may attend one of our courses or training and development sessions.

Here are some examples of when we collect personal data and where we get the information:

With third party organisations, the information we receive may depend on your device settings or the responses you give when you make initial contact, so check the permissions you have given regularly.

We may sometimes use profiling or screening techniques to ensure communications we send to you are relevant and timely. When building a profile we may analyse geographic, demographic and other information relating to you. In doing this, we may use additional information from publicly available information about you or from organisations where you have given your consent for your details to be shared. This helps us to better understand your interests and preferences so that we can contact you with relevant information.

Our website uses a cookie for Google Analytics. It does not capture or store personal information, but merely logs users’ IP addresses which are automatically recognised by the web server. These are used to record the number of visitors to our site and volumes of usage. For more information about Google Analytics, please visit the Google Analytics website.


3. What Personal Data Do We Collect?

This varies according to the interaction and engagement you have with us and what we need to be able to fulfil our role.

If you are a supporter – that means if you make a donation, volunteer, register to fundraise or sign-up for an event, then we may collect the following information:

If you receive support from us – if you participate in our Health & Wellbeing programme (attend courses, have gym membership, come to classes) or use our supported living services or take part in our young peoples' work – we may request/collect the following information:

If you access one of our supported living services, you will have an individual contract that sets out exactly what information we hold and how we use it.

If you use Thistle Training and Consultancy – attended or made an enquiry about a course or training/development support – we may collect the following information:

Other available information

We may supplement information on our supporters with information from publicly available sources. This may include your address, telephone number, demographic profiling including wealth screening, household status or additional information on your interests, charity websites and annual reviews, corporate websites, public social media accounts, the electoral register, the Royal Mail National Change of Address Database, and Companies House. This helps us create a fuller understanding of someone’s interests which in turn means we can share information that is most relevant to you. You can opt out of this at any time, by calling, writing or emailing us on the contact information below.



4. How and Why Do We Use Your Personal Data?

We want to give you the best possible support and the best possible experience of Thistle whether you are someone who uses our services or whether you are a donor, a volunteer or fundraiser. Depending on why you’re engaging with Thistle, typically we’ll use your personal details to:

We may also need to use your personal information for the following reasons:

We do not sell or share personal details to third parties for the purposes of marketing. But, if you attend an event run in partnership with another named organisation, your details may need to be shared. In this situation, we will explain clearly what will happen to your data when you register.

Marketing Communication for Fundraising

We make it as easy as possible for you to tell us how you want us to communicate with you. Our forms have clear marketing preference questions and we include information on how to request no contact (Opt-Out) from us. If you don’t want to hear from us, that’s absolutely fine. Just let us know when you provide your data or any time that we contact you. Or you can contact us on 0131 661 3366 or

Remember, if you choose not to share your personal data with us, we may not be able to keep you up to date or provide you with information that may be useful to you.

Updating your details

We really appreciate it if you let us know when your contact details change. And we may also use publicly available sources to keep your details up to date (for example, the Post Office’s National Change of Address database). It is important that we have correct contact details so that we do not send mail to the wrong address.


5. Who Has Access To Your Personal Details?

This will depend on your interaction and engagement with us. As a general principle, within Thistle we limit access to all personal data ensuring a minimum number of staff are able to view your information.

 In general terms, we may also share your data with:

When we share your information, we provide as few details as possible for them to do their job and they are only allowed to use your data for a specified activity and must comply with GDPR and delete or anonymise your data on completion of the specified activity.


6. How Do We Keep Your Details Safe?

We ensure that there are appropriate technical controls in place to protect your personal details; for example our online forms are always encrypted and our network is protected and routinely monitored. Data is in password-protected systems and confidential paper records are locked away.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by a limited number of appropriately trained staff, volunteers and contractors. 

We sometimes use external companies to collect or process personal data on our behalf (for example we use a mailing house to post out our newsletters). We do comprehensive checks on these companies before we work with them and ensure that they are compliant with the relevant regulations.

As a rule, we will only ever share your data with third parties if we have your permission and informed consent. However, in highly exceptional circumstances, we may be required by law or regulatory requirements, to disclose your details to others such as regulatory bodies or legal advisors without your consent.

A note about websites and email

Our website has links to other sites that are not under our control. If you follow a link then please check the privacy notice on the new site. 

We make every effort to keep your data secure but cannot guarantee total security when transferring data by email. 


7. How Long Will We Keep Your Personal Data?

We retain personal data for as short a time as possible and this depends on the reason for which it was collected initially and in accordance with any instructions from you or regulatory/legal or reporting requirement. 

At the end of the period, your data is either deleted completely or anonymised (so that we can aggregate it with other data for analysis to improve our service).


8. Right of Access to Your Data

We fully respect your rights:

You have a right to ask us to stop processing your personal data. We will do this provided it's not necessary for the purpose you provided it to us (e.g. registering for an event) and if we are not required to process it for regulatory or legal reasons.

Contact us on 0131 661 3366 or if you have any concerns.

You also have a right to ask for a copy of the information we hold about you and accessing this information is usually free of charge. We will send you the information within 30 days and once you have received the information, if you spot any mistakes, please let us know and we will correct your record accordingly.

If you wish to access your information, simply send your request along with a description of the information you want to see and proof of your identity by post to the Data Protection Officer, 13 Queen’s Walk, Edinburgh, EH16 4EA. We’re sorry but we cannot accept these requests by email.

Sign up to the newsletter