Privacy Notice

Read about what types of information we keep about you - How we use it, when we use it, why we use (or keep) it and where it might go. This is commonly called a 'Privacy Notice'.

1. Who this Privacy Notice is about and what it covers 

Vulnerable Paths is committed to protecting your privacy.


If you have any requests concerning information about you that we hold (including any requests to exercise your rights under applicable data protection law) or any queries with regard to how we handle, store or protect your personal information, please contact:


Matt Radford



This Privacy Notice sets out how we collect, handle, store and protect information about you when you visit and use our Website or interact with us over the phone, in person, on paper or through another medium, for example by email.


It should be read alongside our Cookies Notice.


It also contains information about when we share your personal information with other parties (for example with third parties we work with, such as event organisers).

In this Privacy Notice, we may also sometimes collectively refer to handling, collecting, protecting and storing your personal information as “processing” those types of information.


Our website may contain links to other websites that are not managed/operated by us, or that we don't control.  These websites are not covered by this Privacy Notice and if you access them using the links provided, the operators of these websites may collect information about you.


We encourage you to read and check the 'privacy notice' on each of these websites (which may be different from ours) before disclosing any personal information.

2. What information we collect

We collect information about you when you give it to us.


For example:


In some cases, we also collect information about you because other people legitimately provide that information to us.

For example; sometimes when you train with us, your information will be collected by an organisation working for us

In some cases, we also receive information about you from independent event organisers where they have legal permission to share your information with us (for example, you have consented to this).


We typically collect personal information from you because we observe or infer that information about you from the way you interact with us.

For example, we may use cookies and web beacons on our Website to automatically collect information about your visit. This information will help to improve your experience when you use this Website and help us check it is functioning correctly.

Please see our Cookies Notice for more details.


The information about you which we collect or obtain typically includes the following details about you: 



This information can be collected through face-to-face communications, offline registration forms, online forms or through third party providers working on our behalf.


If you visit our Website, we can also gather information about you based on the way in which you access and use our Website

We use this information to personalise the way our Website is used to improve the service we provide to you. Wherever possible we use aggregated or anonymous information which does not identify individuals.


Where you receive electronic communications from us (such as emails or social media platform messages), we can also gather information about your use of that communication.

This includes information on when you open the communication and what links you click on within it.

If you unsubscribe to a communication from us, we will also update your preferences and retain a record of this so that we don't contact you inappropriately.


Please note that in some cases we also collect sensitive personal information, such as details relating to your health, dietary requirements, ethnicity and/or race. 

This is possible when attending some of our courses, and would be kept to support safeguarding or for health and safety or because you voluntary provide sensitive information to us for specific purposes.


None of the information that we request from you is mandatory; however, if you choose not to provide some or all of the information that we request from you, we may be hindered or unable to provide you with the services or support that you seek from Vulnerable Paths.

3. How we use your information

We typically use your personal information:


As part of the uses above, we use your personal information in the course of any correspondence relating to products or services you requested from us or information you provided to us. This correspondence may be with you, our service providers or competent authorities. 

If you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, we may also contact you to see if we can help with any problems you may be experiencing with the form or our Website.


In some cases, we also use your personal information for the purposes of, or in connection with:


We also combine your information with information available from external data sources including Royal Mail’s post office address file (PAF) and change of address file, Mortascreen and Experian.

This is known as data- or tele-appending and enables us to ensure that the information (including contact details) that we hold about you are accurate and up-to-date.

The external sources we use for this purpose include: 

(a) third party service providers that are permitted to share information about you with us; 

(b) information available publicly in places such as Companies House, Charity Commission and other charity registers, Who’s Who and Debrett’s guides, Electoral Roll, and information published in articles/newspapers; and 

(c) depending on your settings and applicable legal terms, social media platforms like Facebook, Twitter, Instagram, LinkedIn and other professional networking sites.


We will do this data appending for the above reasons unless you let us know that you don't want us to – you can do this at any time via the process indicated below.


We may use your personal data for online advertising to match to your account on Facebook or other social media sites to be able to show you Vulnerable Path’s content while you are using these sites.

If you have opted out from our Marketing Communication, you may still be able to see Vulnerable Path’s content based on your social media account’s settings. 

We may also use personal data to link to Facebook or other social media sites to be able to identify other users of these sites whom the social media platform believe would be interested in Vulnerable Path’s (‘Look-alike’/ ‘Similar audiences’). 

When doing this we send a list of hashed email addresses to the online platform, which will match the audience accordingly. Hashing is a security measure whereby the information is transformed into a code. The hashed data is deleted after a short period of time and not used for any other purpose. For more information, please refer to the social media platform’s privacy policy. 

We may also use ‘Saved audiences’ to remember which supporters on Facebook are most likely to engage with our adverts.

We will only send you marketing materials according to the preferences you submitted to us – either via our Website or another medium.


Where you have indicated to us that you do not want to receive any marketing materials from us, or you do not wish us to build profiles of you, we will respect your preference.


If you would like to update your preferences at any point, please contact us at:

Matt Radford


4. What laws we use

We are required by law to set out in this Privacy Notice the legal grounds on which we rely in order to process your personal information.


We generally use your personal information for the purposes outlined above because:

(a) it is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms (see below); 

(b) it is necessary for legal and/or regulatory obligations that we are subject to, such as keeping records for tax purposes or providing information to a public body or law enforcement agency; 

(c) it is necessary for the performance of a task carried out in the public interest; or 

(d) in some cases, we have obtained your prior consent


Examples of the ‘legitimate interests’ referenced above are:

(i) The effective operation of our services, including analysing and gaining insights into the performance and effectiveness of our products and programme activities;

(ii) To benefit from cost-effective services (for example, it being cheaper to use an external printer to print our letters instead of print them ourselves);

(iii) To assess and verify any application that you submit through the Website to work with us;

(iv) To prevent fraud or criminal activity, misuses of our products and services, as well as the security of our IT systems, architecture and networks;

(v) To exercise our rights under Article17 of the Charter of Fundamental Rights, including our right to property; and

(vi) To conduct market research to better understand our users, along with their expectations and perceptions of Vulnerable Path’s and it’s services.


To the extent that we process any sensitive personal information relating to you for any of the purposes outlined above, we will do so because either:

(a) you have given us your explicit consent to process such information; 

(b) the processing is necessary for reasons of substantial public interest on the basis of applicable law (for example, where we are required to process personal information to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations); 

(c) the processing is necessary for the purposes of health or social care or treatment on the basis of applicable law; 

(d) the processing is necessary to carry out our obligations under employment, social security or social protection law; or 

(e) the processing is necessary for the establishment, exercise or defence of legal claims. The legal grounds for processing sensitive personal information outlined above at (a) to (e) appear at Articles 9(2)(a), 9(2)(g), 9(2)(h) 9(2)(b) and 9(2)(f) of the EU’s General Data Protection Regulation respectively.

5. How we keep your data safe

We ensure that there are appropriate technical controls in place designed to protect your personal information. 

For example:


Sometimes we use the services of partners or other reputable companies to collect or process personal information on our behalf. 

Before we permit company or partner to collect or process personal information on our behalf we seek to put a written agreement in place with appropriate controls to secure your personal information.


We use appropriate security measures once we have received your personal information, but the transmission of data over the internet (including by email) is never completely secure

We try to protect personal information but we cannot guarantee the security of data transmitted to us or by us.

6. What locations your information may be shared

Section 8 below describes the third parties that we generally provide with information about you.  

Some of them may be based outside the European Union (EU), including United States, Philippines, India, China and Japan. Although they may not be subject to the same data protection laws as companies based in the UK, we take steps to make sure that they provide an adequate level of protection to your personal information in accordance with our obligations under UK data protection law.  


These steps might include Vulnerable Paths entering into a data transfer agreement with the relevant third party based on standard contractual clauses approved by the ICO.


Further details of the transfers of your personal information outside of the UK and the adequate safeguards used by Vulnerable Paths in respect of such transfers (including copies of relevant agreements) are also available from us by contacting:

Matt Radford

0749 600 1701

7. How we keep your information up to date

We may use publicly available sources to keep your records up to date; for example, the Post Office’s National Change of Address database and information provided to us by other organisations (as described in Section 3 above).


We also use external data lists to check the accuracy of the telephone numbers we hold for our users.


We really appreciate it if you let us know if your contact details change.

8. Who we share your information with

In connection with one or more of the purposes outlined in the Section 3 above, we may share your information with:

9. Your data rights

You have various rights in relation to your personal information. 

In particular, you have a right to:


If you want to exercise any of your rights, or if you have any other questions about our use of your personal information, please contact us at:

Matt Radford


In certain circumstances we may need to seek further information about your identity before complying with your request.

Further information and guidance on subject access requests is also available from the Information Commissioner's Office here:


If we have been unable to deal satisfactorily with any concerns you may have over how we have processed your personal information, you have the right to make a complaint to the UK’s Information Commissioner’s Office or to any other data protection regulator in the place where you live or work, or in the place where you think an issue in relation to your data has arisen.


A list of the national data protection authorities can be found here:

10. About our Direct Marketing (e.g. advertising)

Where your marketing preferences allow us to do so, we will contact you to let you know about the work we are doing or send you updates about Vulnerability.

Where we are permitted to do so, we may include information from organisations we work with in these marketing communications.


Please note if you decide to turn off or disable cookies this may affect the level of service we can provide you as described in the .

We aim to make it easy for you to tell us how you want us to communicate in a way that suits you.


Our forms have clear marketing preference questions and we include information on how to opt out when we send you marketing communications.


If you don’t want to hear from us, please do let us know. 

You can do this when you provide your data or by contacting us:

Matt Radford

0749 600 1701

11. How long we keep your information

We will hold your personal information on our systems for as long as is necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.

Although there may be some limited exceptions, your personal data is kept for up to 10 years after you:

(i) Stop receiving communications from Vulnerable Paths

(ii) Stop receiving services from us

(iii) Stop attending our events

(iv) Last visited our website


We believe it is reasonable to keep information and contact individual supporters up to 10 years after the above for the purposes defined in section 3 (How we use your personal information). 

For example, this is because:

Limited exceptions where we may keep information for longer than the above, may include:

12. Changes and updates

We may change this Privacy Notice from time to time.  

Any future changes or additions to the processing of your personal data as described in this Privacy Notice affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.

Alternatively, please visit this page from time to time in order to keep up to date with the changes in our Policy.

Last updated - 16 December 2022

(Version 1.0)