Who we are

Royal Brompton & Harefield Hospitals Charity supports these two world-class centres in their fight against heart and lung disease. Raising money for equipment, research and amenities that fall outside the scope of NHS funding, the Charity’s projects are not ‘nice-to-haves’ – they are often vital to patients’ lives and wellbeing. They make the hospitals not only excellent but extraordinary.

As pioneers in the research and treatment of heart and lung disease, our hospitals treat newborns with heart problems, toddlers affected by asthma, teenagers living with cystic fibrosis and adults needing transplants, to name only a few. These life-threatening conditions could affect any of us. This is why the hospitals’ work is so important, and the Charity’s support so worthwhile.

Royal Brompton & Harefield Hospitals Charity is registered as a charity in England and Wales (registered charity number 1053584) and we are also registered as a company limited by guarantee (company number 07795583). 

Policy summary

Royal Brompton & Harefield Hospitals Charity (“we”) promises to respect any personal data you share with us, or our partner organisations, and keep it safe. We aim to be transparent when we collect data and not do anything you wouldn’t reasonably expect.

Developing a better understanding of our supporters through their personal data allows us to make better decisions, fundraise more efficiently and, ultimately, help support the world-class work carried out by Royal Brompton and Harefield Hospitals. 

Our marketing communications include information about our latest projects, campaigns and life-saving work. If you would like to receive such communications but have not opted in, please contact us on 020 3988 5982 or at [email protected].

The Data Protection Act

In carrying out our normal activities, we process and store personal information relating to our supporters and we are therefore required to adhere to the requirements of the Data Protection Act 2018. We take our responsibilities under this act very seriously and ensure personal information we obtain is held, used, transferred and processed in accordance with that Act and all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communication Regulations and General Data Protection Regulation.

The ways we collect data

  • You may give it to us directly

You may give us your information when you sign up to our newsletters, purchase merchandise or an event ticket, tell us your story, make a donation, or communicate with us. We never use third-party fundraising agencies to collect personal information or solicit donations, such as street fundraisers or cold callers.

  • You may give it to us indirectly

Your information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving. These independent third parties will only do so when you have indicated that you have given your consent to share it. To better understand how these sites will process your data, you can check the Privacy Policies on their websites.

  • You may have your details passed on by a contact or family member

A friend or relative of yours may pass on your details to us for a specific purpose. For example, if they are signing up multiple people for an event, they may have to provide names and details of all participants. We will only hold and process your details for the purpose of completing the task for which your details were provided to us. We will not further process your data or contact you without you telling us you would like further contact.

  • You may give permission for other organisations to share it, or it is available publicly

We may combine information you provide to us with information available from external sources in order to gain a better understanding of our supporters, to improve our fundraising methods, products and services.

The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. This information comes from the following sources:

Social Media

We will only ever use social media platforms (such as Twitter and Facebook) in accordance with their own terms and conditions. If you have an account on one of these platforms, you will have agreed to these terms and conditions yourself. All social media platforms must comply with data protection laws when processing or storing the personal data of individuals in the UK and Ireland. This means organisations like Facebook have a responsibility, under law, to store and process data in a fair and transparent way.

If you have given us permission to use your email address, we may match it with your social media accounts (known as Custom Audiences) so we can share relevant information with you such as fundraising events linked to your interests. To do this, we upload email addresses that have already been encrypted to a secure portal within the social media provider's platform – this means they don’t receive the original email addresses. This is very common marketing practice, but we feel it’s important to make it clear to you that we sometimes use data in this way.

We may also use the information you give us to identify other users of social media platforms who we think may also be interested in finding out more about the work we do. We upload email addresses to a secure portal these are then encrypted by the social media site. They then look for users in their community which have similar characteristics to those uploaded emails and who may therefore be interested in supporting the work of Royal Brompton & Harefield Hospitals Charity. This is known as Lookalike Audiences.

You can object to your information being shared with social media platforms. Please contact us at [email protected] specifying that you do not want us to process your data on social media platforms.

On our website, we have a social media tracking code in place. This allows our social media accounts and websites to share data with one another. This is entirely anonymised data so we can’t see information about any individuals, but it will tell us, for example, what percentage of our Facebook page fans have recently visited our website. This relates to the official Royal Brompton & Harefield Hospitals Charity website and channels only.

You can find out more about how we use social media tracking code in our cookies notice.

Information available publicly

This may include information found in places such as Companies House or through the electoral roll and information that has been published in articles/newspapers.

  • It may be collected when you use our website

 Like most websites, we use “cookies” to help you use our website with ease. Cookies mean that a website will remember you. They’re small text files that sites transfer to your computer, phone or tablet. They make interacting with a website faster and easier – for example by automatically filling your name and address in text fields. Further information about our website and cookie policies can be found in our T&Cs on our website.

The type of device you’re using to access our website may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. This is to make our website widely accessible on a range of devices and operating systems and to help us fix bugs that stop you using our website effectively. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.

The data we collect and how we use it

The type and amount of information we collect (and how we use it) depends on why you are providing it and what you tell us you would like us to do in the future.


If you are one of the amazing supporters who make our work possible, for example by donating, volunteering, registering as a fundraiser, signing up for an event or purchasing merchandise, we will usually collect data that includes:

  • Your name
  • Your contact details
  • Your payment, bank or credit card details.

Where it is appropriate we may also ask for:

  • Your date of birth, information relating to your health and details of an emergency contact (for example, if you are taking part in a sporting or high-risk event)
  • Your reason for donating. This helps us understand which of our fundraising activities are favoured by our supporters. This is never mandatory and we only want you to share as much information as you are happy to.

Your data will mainly be used for:

  • Providing you with the services, products or information you have asked for
  • Processing any donation(s) we may receive from you
  • Supporting your fundraising
  • Processing Gift Aid
  • Asking you to help us raise or donate money to our charity or attend our events
  • Keeping a record of your relationship with us
  • Ensuring we know how you prefer to be contacted by us
  • Understanding how we can improve our services, products or information.

We may also use your personal information to detect and reduce fraud and credit risk.

Keeping your information up to date

Where possible we use publicly available sources to keep your records up to date; for example, the Post Office’s Address database and electoral roll data.

If your contact details change, it is helpful to let us know, especially when they affect future Gift Aid claims. To update your information please contact us on 020 3988 5982 or [email protected]


Credit, debit card payment information

If you use your credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. Find out more information about PCI DSS standards by visiting their website at www.pcisecuritystandards.org. 

We do not store your credit or debit card details in full, following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed with just the last four digits of your card number being kept. This is used as a unique identifier and is not enough information to take any further payment from your card. Only staff authorised to process payments will be able to see your card details. 

To process payments made through our website we use a third-party payment merchants called Stripe Payments Europe Ltd (“Stripe”) and PayPal Ltd (“PayPal”). Both Stripe and PayPal are internationally trusted payment service used by millions of charities, online retailers and international businesses and individuals. They have stringent security and data processes to protect your data. Stripe and PayPal may use, retain and disclose your personal information and credit card details for this purpose and as set out in their privacy policy, including transferring your data outside of the European Economic Area (EEA). Where such transfer occurs, they ensure your data is adequately protected under UK data protection law. 

Building profiles of supporters and targeting communications

To provide an improved experience for our supporters, we use profiling and screening techniques to ensure communications are relevant and timely. Profiling also allows us to target our resources effectively; ensuring donor money is spent wisely and carefully. It helps us understand our supporters, allowing us to make appropriate requests to those who may be able and willing to give and attend our events. It enables us to raise more funds, sooner, and in a more cost-effective way.

We may carry out targeted fundraising activities using profiling techniques based on the information that we hold about you. We may also work with third party organisations who provide additional insight, this may include providing wealth screening information or general information about you that is publicly available.

When building a profile we may analyse geographic, demographic and other information relating to you, including information you have freely provided to us relating to your interest in our Hospitals, in order to better understand your interests and preferences and to contact you with the most relevant communications. In doing this, we may use additional information using publicly available data about you, for example addresses, listed Directorships and Trusteeships.

Direct marketing

We would like to keep you updated with our work and show you how your support has helped people with complex heart and lung conditions. If you opt in to be contacted, we will contact you using the methods (phone, text, email, post) that you have specified. We may include invites to events, raffle tickets and may ask for donations or other support.

We only want to contact you in the way that you like and strive to make it easy for you to tell us how you want us to communicate with you. If you do not want to hear from us, just let us know when you provide your data or contact us anytime on 020 3988 5982 or at [email protected].

We will never sell or share personal details to third parties for the purposes of their marketing. We may have to share your details with a third party if we run an event in partnership with another named organisation. In this case your details may need to be shared.

Our twice yearly News Beat is sent by post through a trusted mailing house. This is because it is the most cost effective way of fulfilling our newsletter. We only work with partners who comply with all current data protection legislation. Any personal information (including names and addresses) sent to the mailing house is encrypted and protected to ensure your data is safe.

Sharing your story

You may choose to tell us about your experiences of fundraising, being a patient at Royal Brompton and Harefield Hospitals or living with a particular condition, to help further our work. This may include you sharing sensitive information related to your health and family life in addition to your biographical and contact information. This information is always stored securely and will not be used without your permission.

We may use some of the information provided in your story, including gender, age, or the type of condition you have experience with, to inform our marketing. This is so that those with an interest in a particular area will hear about related work and exciting medical breakthroughs.

If you have provided your story, and have given explicit and informed consent (or have consented as a parent or guardian if the story relates to a person under 18), this information may be made public by us at events, in materials promoting our campaigning and fundraising work, or in documents such as our annual report.

Children’s data

At times, we may need to collect and manage information about children, and aim to manage it in a way which is appropriate to the age of the child. Information is usually collected when children attend our events or fundraise for us. But it can also be sensitive personal data if a medical condition needs to be disclosed for the purpose of attending an event or in a personal story. We will always keep this information secure and will never knowingly send marketing material to children.

Where possible and appropriate we will seek consent from a parent or guardian before collecting information about children. Our events have specific rules about whether children can participate, and we‘ll make sure advertising for those events is age appropriate.

Anyone of any age is able to sign up on our website and opt in to receive marketing material. If a child signs up in this way, we may not be aware of their age. In this circumstance, they may receive marketing material. If your child is receiving marketing or fundraising material and you wish this to stop, please contact us on 020 3988 5982 or at [email protected]

How we keep your data safe and who has access

We ensure that there are appropriate controls in place to protect your personal details. For example, online forms on our website are always encrypted and our network is protected and routinely monitored.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and volunteers. Anyone with access to personal information must sign a confidentiality agreement as part of their contract which, among other things, includes strict regulations on the processing of personal data.

Where we use external companies to process personal data on our behalf, such as mailing houses, we undertake comprehensive checks on these companies before working with them. We have contracts in place that set out expectations and requirements, especially regarding how they manage the personal data they have access to. 

We may disclose your personal information to third parties if we are required to do so through a legal obligation (for example, to the police or a government body); to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.

We will never sell your details to any third parties and do not share personal data with any third parties other than in the circumstances already outlined. We do not conduct street fundraising, cold calling or any other fundraising activities that involve others using your data to fundraising on our behalf.

If you are contacted by a third party fundraising agency claiming to raise money on our behalf, please do not give out your personal details. If you suspect someone is using our name unlawfully to fundraise, please report this by contacting us on 020 3988 5982 or at [email protected]

Your right to know what we know about you, make changes to, or ask us to stop using your data

You have a right to ask us to stop processing your personal data, and if it’s not necessary for the purpose you provided it to us for (for example, processing your donation or registering you for an event) we will do so. To make a request please contact us on 020 3988 5982 or at [email protected].

You have a right to ask for a copy of the information we hold about you, although we may charge £10 to cover the costs involved. If you spot any discrepancies in the information we provide, please let us know and we will correct them.

To make a request, send a description of the information you want to see and proof of your identity by post to Royal Brompton & Harefield Hospitals Charity, 250 Kings Road, London, SW3 5UE. For security reasons, we must handle these requests in writing, by post and only when you provide proof of identity. This is to ensure your data is secure and we are not sharing it with someone else.

If you have any questions, please send them to [email protected] and for further information, see the Information Commissioner’s guidance on the ICO website.