Privacy Policy

Version: 1.1
Last Updated: 03/03/2026

This privacy notice outlines what personal data St Andrew’s First Aid (the “Charity”, “we”, “us”) collects and processes about you in various situations, which we have explained below. This notice does not cover personal data we process about our staff, workers, or volunteers.

Please read through this privacy notice to understand how St Andrew’s First Aid uses and processes your personal data. If you have any concerns about our processing of your personal data or you have a general enquiry in relation to data protection, please contact our Data Protection Officer at [email protected]

1. Who We Are (Data Controllers and Group Structure)

St Andrew’s First Aid operates several activities under two legal entities. For transparency, and in line with ICO expectations for multi-entity groups, the controller for each processing activity is:

St Andrew’s Ambulance Association o/a St Andrew’s First Aid – Primary Data Controller
Registered Charity in Scotland: SC006750
Address: St Andrew’s House, 48 Milton Street, Glasgow, G4 0HR

The Charity controls:

  • Volunteering and membership data
  • Donations and fundraising
  • Community programmes and education
  • Event medical services
  • Website operations and analytics
  • General marketing communications (unless relating specifically to training or supplies)

St Andrew’s First Aid Training and Supplies Ltd – Controller for Training & E-commerce (Ceasing operations as of 1 April; retained only for historic booking and transaction records)
Limited Company Registered in Scotland: SC415390
Address: 48 Milton Street, Glasgow, G4 0HR

This entity controls:

  • Training course bookings
  • Online shop orders (supplies/e-commerce)
  • Training-related communications
  • Issuance of certificates and training reminders

After 1 April, all new training, e-commerce and customer interactions will be fully transferred to the Charity.

Data Protection Officer

Colin McNeill
[email protected] 0141 332 4031
St Andrew’s House, 48 Milton Street, Glasgow, G4 0HR

The DPO oversees both legal entities within the group.

2. Our Processing

Personal Data: means any information relating to an identified or identifiable living person (‘data subject’); an identifiable living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Special Category of Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation and any other categories which may be designated as special categories of data by the Secretary of State from time to time. 

When we use the term ‘personal data’ we mean both personal data and special category of data.

We collect and process different categories of personal data depending on how you interact with us.  The table below sets out what personal data we process about you, where we get it from, why we use it, our legal basis and who we share it with.  Otherwise, we will only share your personal data:

  • where we are required to share your personal data in accordance with law e.g. to assist with Police investigations, other authorities or other regulatory requirements to which the Charity is subject;
  • where we use third parties to undertake certain services on our behalf and they require to process personal data in order to do this.  Where we do so, we will ensure that adequate arrangements are in place to protect your personal data.  These third parties include: our professional advisors, our website host provider, cloud storage suppliers, CRM suppliers, marketing platforms (including parties used for sending email marketing communications), telemarketing, IT infrastructure suppliers, payroll provider, donation site, payment bureau provider, postal mailing housing, fundraising management sites, fundraising event organisers; or
  • where we have your consent.

How St Andrew’s First Aid Processes the Personal Data

| Purpose | Personal Data | Where we get it from | Legal Basis for processing | Who we share it with |
|---|---|---|---|---|
| To enable the Charity to process donations from you. | Name, email address, postal address, telephone number, bank details, transaction description and payment amount. | From you | Legitimate Interest to process donations for the benefit of the Charity. | Donations will be operated by Opayo (Data privacy policy) |
| To process gift aid | Name, postal address, email address, telephone number, bank details | From you | Legitimate Interest to process donations for the benefit of the Charity. Legal obligation to process direct debit under direct debit agreement. | HMRC for purposes of Gift Aid. Payment bureau provider administering the payment |
| To provide training resources and services to you | Name, postal address, email address, telephone number | From you | Performance of a contract with you | Access Planit for training management |
| To process and deliver your order from our online shop, operated by WooCommerce | Name, email address, postal address (including billing address and shipping address), phone number, bank details, any information you provide to us, any username and password you create, answers to security questions and any information you provide to us. | From you | Performance of a contract with you | WooCommerce (shop platform) |
| To facilitate and manage your participation in events we host | Name, postal address, telephone number, email address. | From you | Legitimate Interest – it is in our legitimate interest to manage participation in our fundraising events. | Third party event organisers who assist with |
| To enable the Charity to provide you with our direct marketing communications by email or text | Name, email and telephone number | From you | Consent or soft opt-in | Brevo |
| To enable the Charity to provide you with our direct marketing communications by telephone or post | Name, telephone number and address | From you | Legitimate interest, which is to promote our charitable objectives and to increase fundraising | No |
| Cookies | Data about your use of our website. | From you | Legitimate interest to understand use of our website in order to maximise its usability. Consent for non-essential cookies. Please see our Cookie Policy for further information. | Google Analytics 4 (with consent); Microsoft Clarity (with consent) |

3. Marketing Communications (Channels, Consent, Soft Opt-In)

UK GDPR and PECR require clear rules depending on the channel:

Email and SMS Marketing

We may rely on:

A. Consent

Used where:

  • You actively opt in
  • We send general charity news
  • Analytics/behaviour-based messages are involved

B. Soft Opt-In (PECR) – where permitted

(i) Commercial purposes

We may use soft opt-in only when all conditions apply:

  • You purchased training or products from us;
  • The marketing relates to similar training or product services;
  • You were given a clear opportunity to opt out at the time of collection; and
  • You can opt out at any time

(ii) Charitable purposes

We may use the charitable purpose soft opt-in only when all conditions apply: 

  • We obtain your contact details via you expressing an interest in one or more of the Charity’s charitable purposes; or offering to/ providing support to further one or more of those purposes;
  • The sole purpose of the marketing relates to furthering one or more of the Charity’s charitable purposes;
  • You were given a clear opportunity to opt out at the time of collection; and
  • You can opt out at any time.

Postal Marketing

May be sent under legitimate interests.

Opting Out

You may opt out at any time. Withdrawal of consent does not affect the legality of marketing already sent.

4. International Transfers

Google Analytics 4 and Microsoft Clarity may transfer limited online identifiers to the USA under approved safeguards (SCCs + Transfer Risk Assessments).

Data that may be transferred includes:

  • IP addresses (GA4 uses truncated/anonymised IP)
  • Device/browser identifiers
  • Behavioural analytics data (session events, clicks, scrolls)

5. Retention

We keep personal data only as long as necessary.

Statutory Retention

  • Medical records: 7 years or as required
  • Booking/purchase/donation records: 6 years + current year (HMRC)

Marketing Data Retention

  • Inactive = no opens/clicks after 90–180 days (depending on sending frequency)
  • Win-back attempt
  • Sunset at 18 months → removed from active mailing
  • Suppression list kept indefinitely
  • Consent refreshed approx. every 2 years

All retention decisions are recorded and reviewed annually.

8. Your Rights

You have the rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.

We respond within one month.

You can exercise these by contacting our DPO at [email protected]


You may contact the ICO (www.ico.org.uk).

9. Security

We implement technical and organisational measures including:

  • Encryption
  • Access controls and role-based permissions
  • Secure servers
  • Staff training
  • Auditing and monitoring

10. Cookies and Online Tracking

We use essential, functional, and optional cookies.

Optional cookies (analytics, marketing) are disabled until you provide consent through our Cookie Banner.

See our Cookie Policy for full details.

11. Updates

We review this notice regularly and will publish a version history.

12. Contact

Data Protection Officer
Colin McNeill
[email protected] | 0141 332 4031
St Andrew’s House, 48 Milton Street, Glasgow, G4 0HR

Version Control

  • Version: 1.1
  • Last Updated: 03/03/2026
  • Changes include: controller structure clarification, expanded cookie/analytics section, international transfer detail, enhanced marketing consent rules.