Privacy Policy

Last Updated: 8th January 2024

At Fresh Futures we are committed to protecting the privacy and security of our service users and site visitors. The team here at the Fresh Futures fully understand the importance of keeping your data secure and private.

This privacy notice therefore aims to be completely transparent about how we handle and use your personal data. We’ve tried to keep this policy as jargon free as possible, but if you are unsure of any terminology or have any questions or suggestions, please contact our Data Protection Officer using the contact details below.

Who We Are And How You Can Contact Us

Our Data Protection Officer

Where We Collect Your Personal Data

Data We Collect About You

How We Use Your Personal Data

Who We Share Your Personal Data With

Transferring Your Personal Information Outside The EEA

How Long We Keep Your Personal Data

Your Rights

Not Happy

“Fresh Futures” (referred to in this policy as “we”, “us” or “our) is a trading name of:
Fresh Futures (NCC)
Brian Jackson House
New North Parade


Registered Charity Number: 288125
Company number: 1763241
ICO Registration Number: Z5459259

We have appointed a Data Protection Officer, who can be contacted in the following ways should you have any questions, complaints or feedback about your privacy:


Data Protection Officer

FAO Shaista Ahmed and Bruce & Butler Limited
Fresh Futures
Brian Jackson House
New North Parade

Email: [email protected]

Tel: 01484 519988

We collect your personal data in the following ways:


Data you give to us:

  • Self-referral form; and
  • Participation entry form; and
  • Newsletter subscription


Data we collect when you use our services:

  • Service assessment information;
  • Service user progress information;
  • Service user exit forms;
  • Surveys;
  • CCTV;
  • Attendance sheets;
  • Photographs;
  • Schedules of work;
  • Invoices (room bookings);
  • Card payments; and
  • Accident/Incident records.



Data we are provided with:

Referrals from a variety of organisations for current and potential service users such as, but not limited to:

  • Police;
  • Individuals;
  • NHS; and
  • Local Authorities.

We will collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:


  • Identity data – Title, name, date of birth, gender, national insurance number, reference number, criminal conviction data, image data, registration number.
  • Contact data – Current address, email address, telephone number(s).
  • Emergency contact data  – Title, name, relationship to service user, current address, telephone number(s).
  • Transaction data – Details of the services you are paying for, including date and time of paying in relation to that transaction. We also process your card number, expiry date and CVV number.
  • Technical Data – Visual footage collected via CCTV.


We collect special categories of personal data about you, and these will be processed under our
requirement for the management of health or social care systems. This includes details about race
or ethnicity, religious or philosophical beliefs, sex life, sexual orientation and information about
your health.

We also collect information relating to criminal convictions that are currently being served or are
outstanding and we have official authority to do this.

We are only allowed to use personal data about you if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the
personal data.

To maximise the protection of your identity, for certain processing activities, Fresh Futures will
pseudonymise your personal information. Pseudonymisation is a technique to remove information that directly identifies an individual and replaces it with a reference point i.e., replacing a service
user’s name with an identification number.

In some circumstances we can use your personal data if it is in our legitimate interest to do so,
provided that we have told you what that legitimate interest is. A legitimate interest is when we
have a business or commercial reason to use your information which, when balanced against
your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the
table below. We will not use your personal data for activities where our interests are overridden by
the impact on you (unless we have your consent or are otherwise required or permitted to by law).

What We Use Your Personal Information ForWhat Personal Information We CollectOur Legal Grounds For ProcessingOur Legitimate Interests (If Applicable)
Newsletter subscriptionsIdentity data & Contact dataConsentN/A
Administering cookies onto the website user’s deviceTechnical DataConsentN/A
To sign you up to use our serviceIdentity data, Contact data & Professional dataPerformance of a contract with you & Legal obligationN/A
Service assessmentsIdentity data, Contact data, Professional
data, Emergency contact data, Special category & personal data
Performance of a contract with youN/A
Recording your progressionIdentity dataPerformance of a contract with youN/A
Termination of our servicesIdentity dataPerformance of a contract with youN/A
SurveysIdentity data & Contact dataLegitimate interestsTo help improve our service.
CCTVIdentity DataLegitimate interestsTo ensure the safety and security of assets, employees and service users
Attendance sheetIdentity data & Contact dataLegal obligationN/A
PhotographsIdentity DataLegitimate interestTo show the work of our services in our marketing pieces for the website, magazines and articles.
Publication of case studies through social media, online, leaflets and the pressIdentity data & Special category dataLegitimate interestsTo offer a first-hand insight into the benefits of services that Fresh Futures has to offer
Mobile application (pseudonymised)Identity dataLegitimate interestTo improve the current service and help ensure we meet our safeguarding requirements
Video callingIdentity data & Contact dataPerformance of a contract with youN/A
Schedules of workIdentity data, Contact data & Professional dataPerformance of a contract with youN/A
Invoices (room bookings)Identity data, Contact dataPerformance of a contract with you & Legal obligationN/A
Card paymentsIdentity data & Transaction dataPerformance of a contract with youN/A
Accident/Incident recordsIdentity data & Contact dataLegal obligationN/A
Referrals from various organisations for current and potential service usersIdentity data & Contact dataLegal obligationN/A

In order to provide you with our services and meet our legal obligations, we only share your data
with third parties, in the following circumstances:


  • To fulfil a service;
  • To authorise debit/credit card payments;
  • To improve our services;
  • To meet legal obligations, for example, for the purposes of national security, taxation and
    criminal investigations; and
  • If the Fresh Futures are acquired by a third party, personal data held by it,
    about its service users, will be one of the transferred assets.


If you use our Befriending Service, we may share your information with Age UK and Royal
Voluntary Service (RVS). This is to ensure that we can fulfil the demand for the service within the befriending partnership. If your data is shared with Age UK or RVS and you would like to know more about how they process your personal information, please visit their website to access their privacy notice.

We’ll never make your personal data available to anyone outside the Fresh Futures group for them to use for their own marketing purposes without your prior consent.

The EEA is the European Economic Area, which consists of the EU Members States, Iceland,
Liechtenstein and Norway. If we transfer your personal data outside the EEA, we have to tell you.


Limited personal information that we collect from you may be transferred to and processed in a destination outside of the EEA. In these circumstances, your personal information will only be transferred on one of the following bases:

  • The country that we send the data is approved by the Information Commissioners Office as providing an adequate level of protection for personal data; or
  • The recipient has agreed with us standard contractual clauses approved by the European Commission, obliging the recipient to safeguard the personal data; or
  • The recipient has agreed Binding Corporate Rules (BCR’s) approved by the European Commission, obliging the recipient to safeguard personal data; or
Purpose of Processing3rd PartyLocationSafeguard
To process card paymentsStripeUSAStandard Contractual Clauses

To find out more about how your personal information is protected when it is transferred outside
the EEA, please contact our Data Protection Officer using the details above. Before sharing any
information with a third party, we will ensure that there is a data processing agreement in place
requiring that the third party protects personal data according to the UK General Data Protection
Regulation (UK GDPR).

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take
into consideration:


  • Any statutory or legal obligations;
  • The requirements of the business;
  • The purposes for which we originally collected the personal data;
  • The lawful grounds on which we based our processing;
  • The types of personal data we have collected;
  • The amount and categories of your personal data; and
  • Whether the purpose of the processing could reasonably be fulfilled by other means.


After such time, we will securely delete or destroy your personal data. In most instances the personal data processed by us this will be securely destroyed 6 years from when you cease to be a service user.

For email newsletters, we will retain email addresses for 2 years. After that, we will seek to reobtain consent from individuals that have been inactive. If they do not re-consent, they will be securely deleted from the marketing database.

Right to be Informed

We will always be transparent in the way we use your personal data. You will be fully informed about the processing through relevant privacy notices.


Right to Access

You have a right to request access to the personal data that we hold about you and this should be provided to you, under the UK GDPR and the Data Protection Act 2018, within 1 month. If you would like to request a copy of your personal data, please contact us using the details at the top of this policy.


Right to rectification

We want to make sure that the personal data we hold about you is accurate and up to date. If any of your details are incorrect, please let us know and we will amend them.


Right to erasure

You have the right to have your data ‘erased’ in the following situations:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
  • When you withdraw consent.
  • When you object to the processing and there is no overriding legitimate interest for continuing the processing.
  • When the personal data was unlawfully processed.
  • When the personal data has to be erased in order to comply with a legal obligation.

If you would like to request erasure of your personal data, please contact us using the details at the top of this policy. Please note that each request will be reviewed on a case-by-case basis and where we have a lawful reason to retain the data, it may not be erased.


Right to restrict processing

You have the right to restrict processing in certain situations such as:

  • Where you contest the accuracy of your personal data, we will restrict the processing until you have verified the accuracy of your personal data.
  • Where you contest the accuracy of your personal data, we will restrict the processing until you have verified the accuracy of your personal data.
  • When processing is unlawful, and you oppose erasure and request restriction instead.
  • Where we no longer need the personal data, but you require the data to establish, exercise or defend a legal claim.


Right to data portability

You have the right to data portability in certain situations. You have the right to obtain and reuse your personal data for your own purposes via a machine-readable format, such as a .CSV file. If you would like to request portability of your personal data, please contact us. This only applies:

  • To personal data that you have provided to us;
  • Where the processing is based on your consent or for the performance of a contract; and
  • When processing is carried out by automated means.


Right to object

You have the right to object to the Fresh Futures processing your data in these circumstances:

  • Where the processing is for direct marketing. Remember you can opt out of email communication at any time via the unsubscribe feature on our emails;
  • Where the processing is based on legitimate interests; or
  • Where the processing is for purposes of scientific/historical research and statistics

Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found at the top of this policy).

You also have a right to complain to the Information Commissioner’s Office. You can find their contact details at We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.