Privacy Policy
Quick Summary
We know privacy policies can feel dense, so here is a simple overview:
- We only collect personal data that we need to deliver our services, support families, and run our organisation
- We keep your information safe and do not sell or trade it
- We only contact you for marketing if you have agreed, or where we are allowed to under soft opt-in rules
- You can opt out of marketing at any time, and this will not affect service-related communication
- You have rights over your data, including access, correction and deletion
If you would like more detail, the full policy is set out below.
Last updated: April 2026
1. Introduction
BeyondAutism (“we”, “us”, “our”) is committed to protecting and respecting your personal data.
This policy explains what personal data we collect, why we use it, how we keep it safe, and the rights you have.
We process personal data in line with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and current UK guidance.
Personal data means any information that can identify you, either directly or indirectly.
We aim to be clear and transparent about how we use your information, so you can feel confident in how it is handled.
2. Lawful Bases for Processing
We use personal data in a way that is lawful, fair and transparent. Depending on the activity, we rely on one or more of the following legal bases:
- Contract – where we need to use your data to deliver services you have requested
- Legal obligation – where we must comply with laws or regulatory requirements
- Legitimate interests – where we have a clear operational reason to use data, and this does not override your rights
- Consent – where you have actively agreed, particularly for marketing communications
- Vital interests / safeguarding – where processing is necessary to protect someone’s wellbeing or safety
Where we rely on legitimate interests, we carry out appropriate assessments to ensure your rights are protected.
How we use lawful bases in practice
| Activity | Lawful Basis |
| --- | --- |
| Service delivery (education, care, admissions) | Contract; Legal obligation |
| Safeguarding and child protection | Legal obligation; Vital interests; Substantial public interest |
| Training and outreach services | Contract; Legitimate interests |
| Fundraising communications | Consent; Soft opt-in (legitimate interests under PECR) |
| Marketing (general updates, newsletters) | Consent; Soft opt-in |
| Donor management and Gift Aid | Legal obligation; Legitimate interests |
| HR and staff management | Contract; Legal obligation |
| Website analytics and improvement | Consent; Legitimate interests (for essential functionality) |
3. Security
We take the security of your personal data seriously.
We have appropriate technical and organisational measures in place, including:
- Staff training on data protection and confidentiality
- Controlled access to systems and information
- Regular review and updating of our security practices
While we take all reasonable steps to protect your data, information sent over the internet is not completely secure. Once we receive your data, we use strict procedures to reduce the risk of unauthorised access.
4. Data We Collect and How We Use It
We only collect and use personal data where it is necessary for our work.
In most cases, BeyondAutism acts as a data controller, meaning we decide how and why your data is used.
In some situations, such as when we deliver services on behalf of local authorities or partners, we act as a data processor, following their instructions. In these cases, appropriate agreements are in place to protect your data.
We will make our role clear where this affects how your data is used.
4.1 Services
We collect and process personal data to deliver education, care and support services.
Why we process this data
- Admissions and assessment
- Delivery of services and support
- Safeguarding and wellbeing
- Administration and record keeping
- Compliance with legal and regulatory requirements
We may also contact you about relevant services where permitted.
What data we may collect
- Names, contact details, addresses
- Date of birth
- Education and support needs information
- Health and safeguarding information (special category data)
- Family and emergency contact details
- Equality and diversity data (where appropriate)
Special category data
Where we process sensitive data, such as health information, we do so under appropriate legal bases and safeguards.
Retention
We retain data only as long as necessary and in line with our Data Retention Policy.
4.2 Training and Outreach
We process data relating to training participants and professionals.
Purposes
- Deliver training services
- Manage bookings and attendance
- Improve our services
- Send relevant follow-up information
Data collected
- Names, contact details
- Professional information
- Photos/videos (with consent)
Retention
Data is retained only as long as necessary for delivery, compliance and audit purposes.
4.3 Fundraising and Marketing
We process personal data to communicate with supporters, donors and stakeholders.
Lawful basis and communications
We send marketing communications by email, SMS or similar channels where:
- You have given consent, or
- Soft opt-in applies (in line with PECR)
Soft opt-in
Soft opt-in applies only to individual subscribers (not corporate subscribers) and allows us to contact you where:
- You previously engaged with us (for example donation, event, training, enquiry)
- You were given a clear opportunity to opt out at the time your data was collected
- You are given an easy way to opt out in every communication
For the purposes of soft opt-in, “similar services” means communications relating to:
- Our education, training and outreach services
- Fundraising activities and appeals
- Events and initiatives connected to our charitable objectives
We do not use soft opt-in for:
- Third-party marketing
- Unrelated services
- Corporate subscribers
What we use your data for
- Fundraising appeals
- Event invitations
- News and updates
- Impact reporting
Data collected
- Names and contact details
- Donation history
- Communication preferences
- Media (photos/videos with consent)
Your choices
You can opt out at any time by:
- Clicking “unsubscribe” in emails
- Contacting us directly
Opting out of marketing communications will not affect our ability to contact you regarding services you are receiving, or other essential administrative or safeguarding communications.
4.4 Staff and Volunteers
We process personal data to manage employment and volunteering.
Purposes
- Recruitment and onboarding
- Payroll and pensions
- Safeguarding and compliance (including DBS)
- Performance and development
Data collected
- Contact and identity information
- Employment and education history
- Financial and payroll data
- Safeguarding and criminal records checks
Retention
We retain staff data in accordance with employment law and regulatory requirements.
4.5 Website Use
We collect personal data when you:
- Complete forms
- Contact us
- Subscribe to communications
Cookies
We use cookies in line with UK guidance:
- Strictly necessary cookies – always active
- Optional cookies – used only with your consent (for example analytics and marketing)
You can manage cookie preferences via our cookie banner.
5. Sharing Personal Data
We do not sell, rent or trade personal data to third parties.
We only share personal data where it is necessary and lawful. This may include sharing with:
- Local authorities and regulators
- Social workers and safeguarding bodies
- Partners delivering services on our behalf
- IT providers and systems that support our operations
We ensure appropriate safeguards and contracts are in place whenever data is shared.
We may also share data where required by law, or where necessary to protect individuals.
6. International Transfers
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:
- UK adequacy regulations
- The UK International Data Transfer Agreement (IDTA)
- The UK Addendum to the EU Standard Contractual Clauses (SCCs)
We assess transfers on a case-by-case basis and implement additional safeguards where necessary to ensure that personal data receives an equivalent level of protection.
7. Your Rights
You have rights over your personal data. These include the right to:
- Access the data we hold about you
- Correct inaccurate information
- Request deletion of your data in certain circumstances
- Object to or restrict how your data is used
- Request transfer of your data to another organisation
- Withdraw consent at any time (where consent is used)
We aim to respond to all requests within one month. If a request is complex, we may take longer, but we will keep you informed.
In some cases, we may not be able to fulfil a request, for example where we must retain data for legal or safeguarding reasons. If this applies, we will explain why.
To exercise your rights, contact: info@beyondautism.org.uk
8. Complaints
If you have concerns, contact us first at info@beyondautism.org.uk.
You also have the right to complain to the Information Commissioner’s Office (ICO):
https://ico.org.uk/concerns
9. Data Controller
BeyondAutism
Gatehouse by Spacemade
1 Armoury Way
London
SW18 1TH
Email: info@beyondautism.org.uk
10. Changes to this Policy
We keep this policy under regular review to reflect legal and regulatory updates.
Significant changes will be clearly communicated on our website.