
Coeliac UK

External Privacy Notice

Last Updated: March 2026

1. Who we are and what we do

Who we are

We are Coeliac UK (“Coeliac UK”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 03068044, and we have our registered office at Artisan Hillbottom Road, Sands Industrial Estate, High Wycombe, Buckinghamshire, England, HP12 4HJ. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”) in relation to our processing of Personal Data under registration reference Z8547739.

What we do

We are a charity with the goal of helping individuals with coeliac disease in the UK. We are committed to protecting the privacy and security of the Personal Data we process about you.

Controller

Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

2. Purpose of this privacy notice

The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions or you wish to make a complaint, you can contact us using the information provided below under the ‘How to contact us’ section.

3. Who this privacy notice applies to

This privacy notice applies to you if:

  1. You visit our website
  2. You purchase a membership with us
  3. You enquire about our products and/or services
  4. You use our App
  5. You sign up to receive newsletters and/or other promotional communications from us

4. What Personal Data is

‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health, or data concerning someone’s sex life or sexual orientation.

5. Personal Data we collect

The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect, see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.

6. How we collect your Personal Data

We collect most of the Personal Data directly from you in person, by telephone, text or email and/or via our website.

However, we may also collect your Personal Data from third parties such as:

  • reputable companies who provide lead generation contact lists
  • others to whom you have provided consent
  • publicly available sources such as social media platforms

7. Purposes, lawful bases and retention periods

We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:

Your Relationship With Us | Purpose | Lawful Basis

Members, Donors, Volunteers and other Supporters

Provide you with the member services you have subscribed to, products you have purchased, activities you have volunteered for, events you have signed up to or information you have requested.

Legitimate Interest
– in administering any services, products, activities, events or information you have subscribed to.

Administer your financial transactions with us including any fees, donations and processing any related gift aid.

Legitimate Interest
– in processing any related financial transactions

Your communication preferences so we can contact you regarding any opportunities to support Coeliac UK, such as fundraising.

Legitimate Interest
– in holding your contact details for processing

PLUS Consent required for contacting you by electronic means

To keep a record of our relationship with you and to help us better inform our services to you in the future.

Legitimate Interest
– to analyse data provided by you, directly, through your online behaviour, or publicly available information to help us provide a better service

Use your health and ethnic data to support the research community for coeliac disease by providing anonymised group data, or for making you aware of any research projects which may be of specific interest to you.

Legitimate Interest
– in providing anonymous data to support research into the condition and treatment

With additional consent
– to permit use of sensitive data to identify any suitable research projects which may be of interest

Use your experiences that you have shared with us as case studies to raise awareness, for use in external media publications, broadcast (i.e. TV or radio) and online, or on Coeliac UK’s website, marketing materials and social media posts.

Legitimate Interest
– as a member and wider community service to showcase the impact coeliac disease and gluten related conditions can have on people and why diagnosis, research, fundraising and support services are critical to create a better future for those affected.

With additional consent
– to permit access to personal information to be shared across our communication channels and via other media agencies for the purpose of awareness and engagement, and enable contact by media for the purposes of interviews and news stories

To send you third party advertising where we believe the products will support living gluten free and/or related health conditions. We will not provide your personal data to third parties for them to market to you directly.

Legitimate Interest
– as a member service as product information and offers are related to adhering to the gluten free diet as treatment

Consent
– for those not subscribed to membership

If you enter a competition via our social media channels or website we will capture what you have entered and may, in specific circumstances, pass your data to a third party but we will inform you of this before you submit your data so you can choose not to participate.

Legitimate Interest
– to allow engagement with wider community outside Coeliac UK

In the event you enter your details on one of our online forms but don’t complete the submission, we may contact you.

Legitimate Interest
– to see if we can help with any problems you may be experiencing, such as a technical issue with our forms or website, or requiring more information

We use profiling and screening techniques to better understand your interests and preferences in order to contact you with the most relevant communications.

Apart from an analysis of geographic, demographic and other information relating to you, we may also use information from third party sources when it’s available. Such information is gathered using publicly available data about you, for example listed Directorships or typical earnings in a given area.

Profiling allows us to target our resources effectively, which donors consistently tell us is important to them.

Legitimate Interest
– Profiling allows us to send you information about any applicable local policy changes e.g. prescribing policies or opportunities to engage locally ensuring you have the chance to have your say.

– Profiling allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Most importantly, it enables us to raise more funds for the charity, sooner, in a more cost-effective way.

If you join on behalf of a child under the age of 16 or an adult dependant, all our communications and services will be directed to you as the parent/carer to share with your child or dependant. We will never contact your child directly until they reach the age of 16. We will never contact a dependant directly.

Legitimate Interest
– to help safeguard young children and adult dependants by not allowing them to directly access services which may contain distressing medical information

Surveys – to capture views on our services or the experiences of people affected by coeliac disease and the impacts of gluten so that we can tailor and improve our offerings and ensure we represent the views of our members. Data from surveys will be reported anonymously unless otherwise mentioned and we have your explicit consent.

Legitimate interest
– to ensure the charity remains current, and understands and focuses on the needs of its members.

Additional Householders

Under Household membership, we ask the primary joiner to supply personal data of others in the household whom they wish to receive services.

Legitimate Interest
– to provide services as requested but we will inform additional householders that their data has been provided when we start providing services, so they can choose not to share their data

Is It Coeliac Disease Online Assessment participants

Provide support through the assessment process or information you have requested.

Legitimate Interest
– assist people with identifying a possible diagnosis of coeliac disease

Use any health, ethnic or dietary information provided for anonymised research purposes.

Legitimate Interest
– in providing anonymous data to support research into the condition and treatment

With additional consent
– to permit use of sensitive data for participation in research

Provide marketing information on membership or relevant products and offers.

Legitimate Interest
– assist people with managing a diagnosis of coeliac disease

PLUS Consent required for contacting you by electronic means

Catering Training

Provide support for the online and face to face catering training courses we provide including administration for the financial transaction and provision of completion certificate.

Contract

Marketing of our commercial services relevant to the catering/food sector and your role

Legitimate interest
– marketing

Health Care Professionals

Health care professionals contacted in their professional capacity for the purpose of education and providing materials for their patients on services available from Coeliac UK.

Legitimate Interest
– to advance the standards of healthcare for those with coeliac disease and other conditions

Research Professionals

Researchers and academics contacted in their professional capacity for the purpose of participation in research calls, research events or for recruitment to research related committees within Coeliac UK.

Legitimate Interest
– data provided directly or from a public source
– to help research and advance understanding in coeliac disease and the impact of gluten, provide access to funding to support research

Business Customers

To fulfil contractual obligations made with any sale of services or goods or sponsorship agreements.

Contract

Marketing of other relevant Coeliac UK commercial services

Legitimate Interest
– to extend availability of GF food by approaching business customers in the relevant sectors to develop and promote their GF offering

Other Professional Contacts

Media, politicians and related others

Legitimate Interest
– to enable the dissemination of information about coeliac disease and the gluten free diet to the community and help to influence changes and improvements to benefit our members

Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

8. Sharing your Personal Data

We may share your Personal Data with our carefully selected third parties, including:

  • IT services providers
  • Cloud Storage providers
  • Web Hosting Services providers
  • If you subscribe to direct marketing, we may share your personal data with marketing and advertising service providers
  • Professional advisers

Where required by law or regulation, we may share your personal data with the police, regulatory bodies, or our legal advisers when we are legally or regulatorily obliged to do so, or when we consider it necessary to protect the rights, property, or safety of Coeliac UK and the people connected to us.

Alternatively, we may seek to acquire other businesses/charities, or merge with them. If a change happens to Coeliac UK, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

9. International Transfers

Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our service to you are based outside the UK.

We have taken appropriate steps to ensure that when your Personal Data is processed in a country outside the UK, it does not have a materially lower level of protection than that guaranteed in the UK. We do this by ensuring that:

  • Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
  • We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary (a copy of the IDTA can be found here: international-data-transfer-agreement.pdf (ico.org.uk)), or
  • When transferring your Personal Data to America, we may rely on the UK extension to the EU-US Data Privacy Framework.

10. Marketing Communications

From time to time, with your consent we may use your information to contact you with details about our products and services which we feel may be of interest to you. You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights you can do so by following the ‘unsubscribe’ link on any emails received or contacting us at [email protected].

11. Automated Decision-making

We do not make any decisions about you based solely on automated decisions.

12. Your rights

You have certain rights in relation to the processing of your Personal Data, including:

  • Right to be informed
    You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.
  • Right of access (commonly known as a “Subject Access Request”)
    You have the right to receive a copy of the Personal Data we hold about you.
  • Right to rectification
    You have the right to have any incomplete or inaccurate information we hold about you corrected.
  • Right to erasure (commonly known as the right to be forgotten)
    You have the right to ask us to delete your Personal Data.
  • Right to object to processing
    You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
  • Right to restrict processing
    You have the right to restrict our use of your Personal Data.
  • Right to portability
    You have the right to ask us to transfer your Personal Data to another party.
  • Automated decision-making
    You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
  • Right to withdraw consent
    If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

How to exercise your rights

You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.

13. Complaints

You have the right to complain if you consider that we have not complied with the data protection law when handling your Personal Data. We will acknowledge receipt of your complaint within 30 days, investigate the matter without undue delay, and keep you informed of the progress and outcome. If you wish to complain please use the contact details given below under “How to contact us and our Data Protection Officer”. We will do our best to resolve the matter to your satisfaction.

If you are not satisfied with the outcome of your complaint, you can complain to the relevant supervisory authority. The supervisory authority in the UK is the Information Commission who can be contacted online at:

Contact us | ICO

Or by telephone on 0303 123 1113

For supervisory authorities in other countries within the EU see the link below:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

14. Children’s Privacy

If you are a child, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.

15. How to contact us and our Data Protection Officer

If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:

Artisan
Hillbottom Road
Sands Industrial Estate
High Wycombe
Buckinghamshire
England
HP12 4HJ

[email protected]

We have also appointed a Data Protection Officer (“DPO”). Our DPO is Evalian Limited and can be contacted as follows:

Unit 5
West Lodge Nobs Crook
Colden Common
Winchester
England
SO21 1TH

[email protected]

Please mark your communications FAO the ‘Data Protection Officer’.

16. Changes to this privacy notice

We may update this notice (and any supplemental privacy notice) from time to time, as shown below. We will notify you of the changes where required by applicable law.

Last modified March 2026