Privacy Policy

Privacy Policy

Personality Disorder CIC
Effective Date: 2025
Review Cycle: Annually

1. Introduction

Personality Disorder CIC (“we”, “our”, or “us”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, share, and store your personal information when you use our website, access our services, or otherwise interact with us.

We are a Community Interest Company registered in England and Wales (Company No. 16363152), with our registered office at:

24 Pope Crescent
Enderby
Leicester
LE19 4QT
United Kingdom

This Privacy Policy applies to:

  • Visitors to our website (including www.bpduk.org and any associated subdomains)
  • Users of our digital services, including BPD UK and BPD Coach
  • Individuals who sign up for our webinars, newsletters, surveys, or events
  • Individuals who contact us directly (e.g. by email or through our forms)
  • Donors, supporters, and partners who engage with our activities

Please read this policy carefully. By accessing our website or submitting your personal information to us, you confirm that you have read and understood the practices described in this Privacy Policy.

2. Who We Are and How to Contact Us

Personality Disorder CIC is the data controller responsible for your personal information under this Privacy Policy. This means we determine how and why your personal data is used, stored, and protected.

We are registered in England and Wales as:

Personality Disorder CIC
Company number: 16363152
Registered office:
24 Pope Crescent
Enderby
Leicester
LE19 4QT
United Kingdom

You can contact us regarding this Privacy Policy or any data protection concerns using the following methods:

  • Email: kapoutsis.i@gmail.com
  • Postal address: As above

If you have a complaint about how we have handled your personal data, we encourage you to contact us directly. You also have the right to lodge a complaint with the UK’s data protection authority:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113

3. What Personal Data We Collect

We may collect and process the following categories of personal data when you engage with us through our website, services, or communications:

A. Information You Provide to Us Directly

This includes information you voluntarily give us when you:

  • Contact us via email or website forms
  • Register for events, courses, or webinars
  • Sign up for newsletters or updates
  • Submit feedback, testimonials, or surveys
  • Make a donation
  • Create a user account (if applicable)

This data may include:

  • Full name
  • Email address
  • Postal address
  • Telephone number
  • Job role or affiliation (if given)
  • Payment or donation information (processed via secure third-party platforms)
  • Any personal messages or comments you submit

B. Special Category Data

We do not request or require you to share sensitive health-related data. However, you may voluntarily disclose information relating to:

  • Your mental health or that of someone you care for
  • Lived experience with personality disorders
  • Experiences of trauma, care, or support needs

We treat all such data with enhanced confidentiality and only use it with your explicit consent or where necessary to provide support, respond to queries, or improve our services.

C. Data We Collect Automatically

When you visit our website, we may collect certain information automatically via cookies or analytics tools. This may include:

  • IP address
  • Browser type and version
  • Device type
  • Pages visited and time spent on site
  • Date and time of access
  • Referral source (e.g. search engine or external link)

We use this information to improve website performance, understand user interests, and ensure security.

For more detail, please see our Cookies Policy.

4. How and Why We Use Your Personal Data

We only use your personal data when we have a legal basis to do so. The purposes for which we process your data, and the corresponding legal grounds, are as follows:

A. To Provide Our Services and Respond to Enquiries

Legal basis: Performance of a contract or legitimate interest

We use your data to:

  • Deliver resources, webinars, and tools you have requested
  • Respond to your queries or feedback
  • Send confirmation emails for events or subscriptions
  • Provide access to digital services like BPD Coach or BPD UK

B. To Communicate With You

Legal basis: Consent or legitimate interest

If you have opted in, we may use your contact details to:

  • Send email newsletters or campaign updates
  • Share information about upcoming events, courses, or services
  • Request feedback or invite you to participate in research or consultations

You can opt out of communications at any time by clicking “unsubscribe” in our emails or contacting us directly.

C. To Improve Our Services

Legal basis: Legitimate interest

We use usage data and analytics to:

  • Understand user behaviour and engagement
  • Identify areas for improvement or expansion
  • Monitor digital platform performance
  • Test new features or formats

We only use aggregated or anonymised insights for reporting unless individual-level data is required and consented to.

D. To Ensure Legal Compliance and Safeguarding

Legal basis: Legal obligation or vital interest

In rare cases, we may process or share your data if:

  • Required by law (e.g. financial regulations, safeguarding obligations)
  • Necessary to protect someone’s vital interests (e.g. serious risk of harm)
  • Required to comply with the terms of a grant or regulatory body

In such situations, we will limit disclosure to what is strictly necessary and ensure appropriate safeguards are in place.

5. Who We Share Your Data With

We take your privacy seriously and will never sell or rent your personal data. However, we may share your data with trusted third parties under specific circumstances and only where it is lawful and necessary to do so.

A. Trusted Service Providers

We may share your data with third-party providers who support us in delivering our services. These may include:

  • Email platforms (e.g. Mailchimp, Sendinblue)
  • Website and cloud hosting services
  • Payment processors (e.g. Stripe, PayPal)
  • Survey and form platforms (e.g. Google Forms, Typeform)
  • Analytics providers (e.g. Google Analytics)
  • Learning platforms or webinar hosts (e.g. Zoom, Eventbrite, Teachable)

These providers act on our instructions only, are bound by strict data processing agreements, and must comply with UK data protection laws.

B. Regulators, Funders, and Partners

We may provide aggregated or anonymised data to:

  • Grant funders (e.g. for impact reporting)
  • Research collaborators or academic partners
  • Regulatory bodies (e.g. CIC Regulator, Information Commissioner’s Office)

Personal identifiers will only be shared if explicitly consented to or required by law.

C. Legal and Safeguarding Obligations

We may share personal data with relevant authorities if:

  • Required by law (e.g. HMRC, courts, law enforcement)
  • Necessary to safeguard a person at risk of serious harm
  • Required in connection with legal proceedings or regulatory compliance

Wherever possible, we will inform you of such disclosures unless prohibited by law or where doing so would increase risk.

D. Internal Staff and Volunteers

Authorised team members of Personality Disorder CIC may access personal data only as needed for their roles and in line with our confidentiality and data protection policies.

Access is restricted by role and safeguarded with appropriate security measures.

6. How We Store and Protect Your Data

We take appropriate technical and organisational measures to ensure that your personal data is stored securely and protected against accidental loss, unauthorised access, misuse, or disclosure.

A. Data Storage

Your data may be stored:

  • On secure servers located in the UK or the European Economic Area (EEA)
  • In cloud-based platforms that comply with UK GDPR standards
  • In encrypted or access-controlled systems used by Personality Disorder CIC

Where possible, we use UK- or EU-based providers. If any data is stored or processed outside the UK or EEA, we ensure that appropriate safeguards are in place — such as UK adequacy decisions or Standard Contractual Clauses (SCCs).

B. Data Retention

We retain your data only for as long as necessary for the purposes for which it was collected, including:

  • To fulfil the purpose for which you provided the data
  • To comply with legal, tax, and accounting obligations
  • To support reporting or audit requirements from funders or regulators
  • To manage our relationship with you (e.g. for mailing lists or event history)

Typical retention periods are:

  • Contact form or enquiry data: up to 12 months
  • Newsletter mailing list: until you unsubscribe
  • Donation/payment data: 6 years for financial compliance
  • Event or programme participation: 3–5 years for reporting and analysis
  • User feedback or testimonials: retained only with permission

After these periods, data is securely deleted or anonymised.

C. Security Measures

We use the following safeguards to protect your data:

  • Encrypted connections (HTTPS) for all website transactions
  • Password-protected systems with tiered access rights
  • Firewalls, antivirus software, and malware detection
  • Regular data access reviews and secure back-ups
  • Staff and volunteer training in data protection

7. Your Rights

As a data subject under UK data protection law, you have a number of rights regarding how we use and manage your personal information. You can exercise these rights at any time by contacting us using the details in Section 2 of this policy.

A. Right to Access

You have the right to request a copy of the personal data we hold about you and information about how it is being used.

B. Right to Rectification

You may request that we correct or update any inaccurate or incomplete personal data we hold about you.

C. Right to Erasure (Right to Be Forgotten)

In certain circumstances, you can ask us to delete or remove your personal data — for example, if the data is no longer needed for the purpose for which it was collected or if you withdraw consent (where consent was the legal basis).

This right is not absolute and may be limited by legal or contractual requirements (e.g. for financial reporting or safeguarding).

D. Right to Restriction of Processing

You can ask us to temporarily suspend the use of your data if:

  • You contest its accuracy
  • You believe its processing is unlawful but do not want it erased
  • You have objected to its use and we are verifying our legitimate interests

E. Right to Data Portability

Where we process your data based on consent or contract, and in an automated way, you can request a copy in a structured, commonly used, and machine-readable format. You may also request that we transfer your data to another service provider.

F. Right to Object

You can object to our use of your personal data where we rely on legitimate interest as a legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds or the processing is necessary for legal reasons.

You may also object at any time to direct marketing communications (including newsletters).

G. Rights Relating to Automated Decision-Making and Profiling

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

H. Right to Withdraw Consent

Where we rely on your consent to process data (e.g. for newsletters or sensitive data), you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

8. Children and Vulnerable Individuals

Personality Disorder CIC recognises the importance of protecting the privacy of children and vulnerable adults. While our services are primarily designed for adult carers and families, some resources may be accessed by or on behalf of minors or individuals receiving care.

A. Children’s Data

We do not knowingly collect personal data from children under 16 without the verifiable consent of a parent or legal guardian.

Where a young person (aged 13–15) wishes to use our services or provide feedback, we will take reasonable steps to:

  • Obtain consent from a parent or guardian, where applicable
  • Use only non-sensitive information for non-identifiable analysis or insight
  • Avoid direct marketing or profiling of under-16s
  • Ensure content and communications are age-appropriate and safeguarding-aware

If we become aware that personal data has been collected from a child without appropriate consent, we will take steps to delete it promptly.

B. Vulnerable Adults

Where users disclose sensitive data relating to mental health, care status, or support needs, we will:

  • Treat all data as strictly confidential
  • Avoid using such data for automated decisions or profiling
  • Seek explicit consent for any use beyond direct service response
  • Signpost to appropriate safeguarding or crisis services where necessary

We are committed to accessible, trauma-informed, and non-discriminatory practices across all our platforms.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve your browsing experience, understand user behaviour, and support the functionality of our services. This section provides a summary; please refer to our separate Cookies Policy for full details.

A. What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help the site recognise your device and remember certain information — such as preferences, login status, or pages visited.

B. Types of Cookies We Use

We may use the following types of cookies:

  • Strictly necessary cookies – essential for basic site functionality (e.g. login, security, form submission)
  • Performance cookies – collect anonymised usage data to help us improve the website (e.g. Google Analytics)
  • Functionality cookies – remember user preferences or form entries between sessions
  • Third-party cookies – may be set by external tools we embed (e.g. Eventbrite, YouTube, Zoom)

You can manage or disable cookies via your browser settings. Disabling certain cookies may affect your experience of the site.

C. Consent and Control

On your first visit, we will display a cookie banner requesting your consent for optional cookies. You can accept or decline these cookies. You can also clear your cookies at any time through your browser.

Essential cookies that are strictly necessary for the operation of the site do not require consent.

10. External Links and Third-Party Sites

Our website may contain links to external websites, platforms, or services that are not owned or operated by Personality Disorder CIC. These links are provided for your convenience, information, or participation in third-party services such as event registrations, video hosting, payment processing, or partner campaigns.

A. Responsibility and Liability

We are not responsible for the content, policies, or practices of external websites. Once you leave our domain (e.g. www.bpduk.org), you are subject to the privacy policies and terms of use of the respective third party.

We encourage all users to review the privacy policies of any external sites they visit, particularly before submitting personal data or engaging with interactive features.

B. Embedded Services

In some cases, we may embed third-party services directly into our site — such as:

  • Videos (e.g. YouTube, Vimeo)
  • Forms (e.g. Google Forms, Jotform)
  • Event tools (e.g. Eventbrite)
  • Surveys or feedback mechanisms

These may use cookies or collect data according to their own privacy practices. We strive to use trusted providers and disclose their use where applicable.

C. No Endorsement

Links to third-party sites do not imply our endorsement, recommendation, or guarantee of their accuracy, legality, or safety. Use of such sites is entirely at your own discretion.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological advances.

  • Any material changes will be communicated clearly via our website, email newsletters, or at the point of service access.
  • The updated Privacy Policy will be published on our website with an updated effective date.
  • We encourage you to review this policy periodically to stay informed about how we protect your information.
  • Continued use of our website or services after any changes indicates your acceptance of the updated terms.

12. Your Rights and How to Exercise Them

Under UK data protection law, you have the right to:

  • Access your personal data and receive a copy of it
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data, subject to certain conditions
  • Restrict or object to our processing of your data
  • Receive your data in a portable format and transfer it to another controller
  • Withdraw any consent you have given for data processing at any time
  • Lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your rights have been violated

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: kapoutsis.i@gmail.com
Postal address: 24 Pope Crescent, Enderby, Leicester, LE19 4QT

We aim to respond to all requests within one calendar month.