Skip to content
Privacy

Related

Cookies
Cookies Settings
Using your data

Coeliac UK

External Privacy Notice

Last Updated: March 2026

1. Who we are and what we do

Who we are

We are Coeliac UK (“Coeliac UK”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 03068044, and we have our registered office at Artisan Hillbottom Road, Sands Industrial Estate, High Wycombe, Buckinghamshire, England, HP12 4HJ. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”) in relation to our processing of Personal Data under registration reference Z8547739.

What we do

We are a charity with the goal of helping individuals with Coeliac’s disease in the UK. We are committed to protecting the privacy and security of the Personal Data we process about you.

Controller

Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

2. Purpose of this privacy notice

The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions or you wish to make a complaint, you can contact us using the information provided below under the ‘How to contact us’ section.

3. Who this privacy notice applies to

This privacy notice applies to you if:

  1. You visit our website
  2. You purchase a membership with us
  3. You enquire about our products and/or services
  4. You use our App
  5. You sign up to receive newsletters and/or other promotional communications from us

4. What Personal Data is

‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.

5. Personal Data we collect

The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data, we collect see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.
 

6. How we collect your Personal Data

We collect most of the Personal Data directly from you in person, by telephone, text or email and/or via our website.

However, we may also collect your Personal Data from third parties such as:

  • reputable companies who provide lead generation contact lists
  • others to whom you have provided consent
  • publicly available sources such as social media platforms

 

7. Purposes, lawful bases and retention periods

We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:

Your Relationship With Us Purpose Lawful Basis
Members, Donors, Volunteers and other Supporters Provide you with the member services you have subscribed to, products you have purchased, activities you have volunteered for, events you have signed up to or information you have requested. Legitimate Interest – in administering any services, products, activities, events or information you have subscribed to.
Members, Donors, Volunteers and other Supporters Administer your financial transactions with us including any fees, donations and processing any related gift aid. Legitimate Interest – in processing any related financial transactions
Members, Donors, Volunteers and other Supporters Your communication preferences so we can contact you regarding any opportunities to support Coeliac UK, such as fundraising. Legitimate Interest – in holding your contact details for processing. Plus Consent required for contacting you by electronic means
Members, Donors, Volunteers and other Supporters To keep a record of our relationship with you and to help us better inform our services to you in the future. Legitimate Interest – to analyse data provided by you, directly, through your online behaviour, or publicly available information to help us provide a better service
Members, Donors, Volunteers and other Supporters Use your health and ethnic data to support the research community for coeliac disease by providing anonymised group data, or for making you aware of any research projects which may be of specific interest to you. Legitimate Interest – in providing anonymous data to support research into the condition and treatment. With additional consent – to permit use of sensitive data to identify any suitable research projects which may be of interest
Members, Donors, Volunteers and other Supporters Send you our magazine, newsletters, updates, appeals and campaign information where you have agreed to receive them. Consent
Members, Donors, Volunteers and other Supporters Monitor use of our websites and online services, and improve your experience. Legitimate Interest – to ensure our digital services function effectively and improve user experience
Members, Donors, Volunteers and other Supporters Comply with legal and regulatory obligations. Legal Obligation
Members, Donors, Volunteers and other Supporters Establish, exercise or defend legal claims. Legitimate Interest – in protecting and enforcing our legal rights
Campaigners and Petition Supporters Manage campaigns, petitions and advocacy activities you participate in. Legitimate Interest – in administering campaigns and advocacy work
Campaigners and Petition Supporters Contact you about related campaign opportunities and updates where permitted. Legitimate Interest and/or Consent, depending on the communication method
Campaigners and Petition Supporters Analyse engagement to improve future campaigns. Legitimate Interest – in improving our campaigning effectiveness
Event Attendees Register and manage your attendance at our events, webinars and training sessions. Contract and/or Legitimate Interest
Event Attendees Send event information, reminders and follow-up communications. Legitimate Interest
Event Attendees Use photos, videos or recordings where you have agreed or where otherwise permitted. Consent and/or Legitimate Interest
Website Users Provide access to website features, downloadable resources and account services. Legitimate Interest and/or Contract
Website Users Analyse traffic, troubleshoot issues and improve site performance. Legitimate Interest
Website Users Use cookies and similar technologies where consent is required. Consent
Researchers and Survey Participants Manage your participation in surveys, consultations and research activity. Consent and/or Legitimate Interest
Researchers and Survey Participants Analyse responses and produce anonymised insights or reports. Legitimate Interest
Researchers and Survey Participants Contact you about future research opportunities where you have agreed. Consent
All relevant individuals Maintain internal records, security, fraud prevention and governance procedures. Legitimate Interest and/or Legal Obligation
All relevant individuals Respond to complaints, safeguarding concerns or data protection requests. Legal Obligation and/or Legitimate Interest

Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

8. Sharing your Personal Data

We may share your Personal Data with our carefully selected third parties, including:

9. International Transfers

Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our service to you are based outside the UK.

We have taken appropriate steps to ensure that when your Personal Data is processed in a country outside the UK, it does not have a materially lower level of protection than that guaranteed in the UK. We do this by ensuring that:

  • Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
  • We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here international-data-transfer-agreement.pdf (ico.org.uk)) or
  • When transferring your Personal Data to America, we may rely on the UK extension to the EU-US Data Privacy Framework.

    •  

    10. Marketing Communications

    From time to time, with your consent we may use your information to contact you with details about our products and services which we feel may be of interest to you. You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights you can do so by following the ‘unsubscribe’ link on any emails received or contacting us at [insert].

    11. Automated Decision-making

    We do not make any decisions about you based solely on automated decisions.

    12. Your rights

    You have certain rights in relation to the processing of your Personal Data, including to:

    • Right to be informed

    You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.

    • Right of access (commonly known as a “Subject Access Request”)

    You have the right to receive a copy of the Personal Data we hold about you.

    • Right to rectification

    You have the right to have any incomplete or inaccurate information we hold about you corrected.

    • Right to erasure (commonly known as the right to be forgotten)

    You have the right to ask us to delete your Personal Data.

    • Right to object to processing

    You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.

    • Right to restrict processing

    You have the right to restrict our use of your Personal Data.

    • Right to portability

    You have the right to ask us to transfer your Personal Data to another party.

    • Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
    • Right to withdraw consent

    If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

    How to exercise your rights

    You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

    If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.

     

    13. Complaints

    You have the right to complain if you consider that we have not complied with the data protection law when handling your Personal Data. We will acknowledge receipt of your complaint within 30 days, investigate the matter without undue delay, and keep you informed of the progress and outcome. If you wish to complain please use the contact details given below under “How to contact us and our Data Protection Officer”. We will do our best to resolve the matter to your satisfaction.

    If you are not satisfied with the outcome of your complaint, you can complain with the relevant supervisory authority. The supervisory authority in the UK is the Information Commission who can be contacted online at:

    Contact us | ICO

    Or by telephone on 0303 123 1113

    For supervisory authorities in other countries within the EU see the link below:

    https://edpb.europa.eu/about-edpb/about-edpb/members_en

     

    14. Children’s Privacy

    If you are a child, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.

     

    15. How to contact us and our Data Protection Officer

    If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:

    Artisan Hillbottom Road
    Sands Industrial Estate
    High Wycombe
    Buckinghamshire
    England
    HP12 4HJ

    [email protected]

    We have also appointed a Data protection Officer (“DPO”). Our DPO is Evalian Limited and can be contacted as follows:

    Unit 5
    West Lodge Nobs Crook
    Colden Common
    Winchester
    England
    SO21 1TH

    [email protected]

    Please mark your communications FAO the ‘Data Protection Officer’.

     

    16. Changes to this privacy notice

    We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.

    Last modified March 2026

    You can find previous versions of this notice here [hyperlink].