
Privacy Policy

Last updated: February 2026

1. Who We Are

Action on Smoking and Health (ASH) Wales is a registered charity (1120834) and a company limited by guarantee (6030302).

In this privacy policy, “we”, “us” or “our” refers to ASH Wales.

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This means we are responsible for deciding how and why we process your personal data.

If you have any questions about this policy or how we handle personal information, please contact:

Email: enquiries@ashwales.org.uk
Registered address: 14 Hollybush Rise, Cardiff, Wales, CF23 6TG

2. What This Policy Covers

This policy explains how we collect, use, store and protect personal data when you:

  • Visit our website

  • Make a donation

  • Sign up to our newsletter

  • Book or attend an event

  • Download resources

  • Register for training

  • Contact us

  • Take part in research, surveys or campaigns

  • Use any of our reporting tools

This policy also applies to personal data relating to employees, volunteers, trustees, contractors, job applicants, partners and suppliers.

This policy applies where ASH Wales acts as a data controller. In some circumstances, we may process personal data on behalf of another organisation, such as a school, local authority or partner organisation. Where this is the case, that organisation’s privacy policy may also apply.

This policy covers our main website and related campaign websites operated by ASH Wales.

3. The Information We Collect

Personal information you provide directly

We may collect personal information that you provide to us, including:

  • Name

  • Email address

  • Postal address

  • Telephone number

  • Organisation name

  • Job title

  • Donation details

  • Event booking details

  • Survey responses

  • Correspondence with us

In some cases, we may also collect demographic information such as age group, professional role information, or information relevant to participation in research, campaigns or training.


Information collected automatically

When you visit our website, we may automatically collect certain information, including:

  • IP address

  • Browser type

  • Device information

  • Pages visited

  • Time spent on pages

  • Referral source

We use Google Analytics to help us understand how visitors use our website and to improve our services.

We use a cookie consent banner to allow you to choose whether to accept non-essential cookies. You can manage or withdraw your cookie preferences at any time through our cookie settings tool.

4. Children’s Data

Some of our work involves schools, youth settings and campaigns aimed at young people.

Where we collect personal data relating to children:

  • This is usually done through schools, youth organisations or trusted partners

  • We collect only what is necessary for the relevant campaign, activity or research

  • We may use secure third party tools such as SurveyMonkey

  • We do not use children’s data for marketing purposes

Where required, we obtain appropriate consent, including parental or guardian consent where applicable, or rely on another lawful basis under UK GDPR.

We take additional steps, where appropriate, to ensure information provided to children is clear, accessible and age appropriate.

5. Special Category and Criminal Offence Data

Some of our work involves public health research, surveys and campaigns. This may involve collecting information that is considered special category data under UK GDPR, such as information relating to health behaviours, including smoking or vaping status.

Where we process special category data, we will only do so where permitted under UK GDPR and with appropriate safeguards in place. We will usually rely on explicit consent or another lawful basis under Article 9 UK GDPR, such as processing for research purposes or in the public interest in public health.

Where required for safeguarding purposes, for example for certain staff or volunteer roles, we may also process criminal offence data, including Disclosure and Barring Service information, in accordance with Article 10 UK GDPR and relevant safeguarding legislation.

Where employee benefit providers process health related information for administering benefits, they do so in accordance with their own privacy policies and applicable data protection law.

6. How We Use Your Information

We process personal data for the following purposes:

  • To process donations

  • To manage event bookings

  • To deliver training and resources

  • To respond to enquiries

  • To conduct research and analyse survey findings

  • To administer campaigns and public health initiatives

  • To improve our website and services

  • To send newsletters and updates where you have opted in

  • To manage relationships with partners, suppliers and stakeholders

  • To administer recruitment, employment, volunteering and trustee relationships

We do not sell or rent personal data to third parties.

7. Lawful Basis for Processing

Under UK GDPR, we rely on the following lawful bases when processing personal data:

  • Consent, for newsletters and certain surveys

  • Contract, where processing is necessary for donations, event bookings, employment or service registrations

  • Legitimate interests, to operate, evaluate and improve our services and communicate about our work

  • Legal obligation, where required for financial, safeguarding or regulatory purposes

Our legitimate interests include administering the charity effectively, evaluating the impact of our campaigns, communicating with stakeholders, and supporting good governance.

Where we process special category data, we rely on an additional lawful basis under Article 9 UK GDPR.

You may withdraw consent at any time where processing is based on consent.

8. Marketing Communications

We may send newsletters and campaign updates where you have opted in to receive them.

We may also send essential service related communications, such as event updates or administrative messages. These are not considered marketing communications.

You can unsubscribe from marketing emails at any time by using the unsubscribe link in our emails or by contacting enquiries@ashwales.org.uk.

9. Third Party Services We Use

We use trusted third party providers to support our work. These may include:

  • Mailchimp for email marketing

  • Donorbox for processing donations

  • Eventbrite for event bookings

  • Salesforce for contact management

  • SurveyMonkey for surveys

  • Google Analytics for website analytics

  • Microsoft SharePoint and OneDrive for secure storage

  • Payroll providers for salary processing and statutory reporting

  • Accountants and financial advisers for audit and financial compliance

  • Pension providers for administering employee pension schemes

  • Disclosure and Barring Service checking providers for safeguarding purposes

  • Insurance providers, including death in service benefit providers

  • Employee benefit providers for administering staff wellbeing benefits

These providers may act as data processors or, in some cases, as independent data controllers depending on the nature of the service provided.

We ensure appropriate contracts, including data processing agreements where required, are in place. We only share the minimum personal data necessary for the relevant purpose.

10. Where We Get Your Data From

We usually collect personal data directly from you.

In some cases, we may receive personal data from partner organisations, schools, event platforms or trusted third parties where you have signed up to participate in an activity delivered in partnership.

11. International Data Transfers

Some of our third party providers may process personal data outside the United Kingdom.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR. These may include:

  • Transfers to countries that have been deemed to provide an adequate level of protection

  • The use of approved international data transfer agreements or standard contractual clauses

  • Equivalent safeguards recognised under UK data protection law

12. Data Retention

We retain personal data only for as long as necessary to:

  • Fulfil the purpose it was collected for

  • Meet legal or financial obligations

  • Support audit and reporting requirements

For example:

  • Financial and donation records may be retained for up to six years

  • Employment records are retained in line with statutory requirements

  • Marketing records are retained until you unsubscribe or request removal

  • Research data may be anonymised and retained for longer periods for reporting and evaluation

When data is no longer required, it is securely deleted or anonymised.

13. Data Security

We take appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse or alteration.

These measures may include:

  • Secure hosting environments

  • Restricted access controls

  • Encryption where appropriate

  • Multi-factor authentication

  • Secure cloud storage

  • Staff training in data protection

While we take reasonable steps to protect personal data, no method of transmission over the internet can be guaranteed as completely secure.

14. Your Rights

Under UK GDPR, you have the right to:

  • Request access to your personal data

  • Request correction of inaccurate or incomplete data

  • Request erasure of your data in certain circumstances

  • Request restriction of processing

  • Object to processing

  • Request transfer of your data to another organisation

  • Withdraw consent where processing is based on consent

We may need to verify your identity before responding to a data protection request.

We will respond to valid requests within one month.

To exercise your rights, please contact enquiries@ashwales.org.uk.

15. Automated Decision Making

We do not carry out automated decision making or profiling that produces legal or similarly significant effects.

16. Complaints

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office
www.ico.org.uk

17. Changes to This Policy

We may update this policy from time to time. The latest version will always be available on our website, and the “Last updated” date at the top of this page will be revised accordingly.
