| 020 3096 9130
About One Trust|Enquiries|Contact Us
Support Us

Privacy Notice

Privacy Notice

This Privacy Notice informs you who we are, how we collect, use, secure and share personal information collected by us when you use our services, enquire about our services, visit our website, send to, or receive from us, communications, (including marketing messages) and through any other interactions we have with you. This Privacy Notice also informs you how you can exercise your rights.

This notice does not describe our processing of personal data relating to our employees.  Our processing for employment-related purposes is set out in a separate notice that we make available to our employees.

One Trust (‘we’, ‘us’, and ‘our’) is committed to respecting and protecting the privacy of individuals and to fully complying with all the requirements of the UK GDPR and all other applicable data protection laws and regulations.

If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided in this Privacy Notice.

Data Protection Officer

We have appointed a Data Protection Officer (DPO). If you wish to contact our DPO you can do so via: dpo@normcyber.com

Please note our DPO is an external organisation, with which your personal data may be shared.

What is personal information?

Personal information is anything that enables you to be identified or identifiable. Personal information is also called “personal data”. We collectively refer to handling, collecting, protecting, storing or otherwise using your personal information as ‘processing’.

If you fail to provide personal information

Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you or provide you with our services that you have requested.

Collecting (obtaining) your Personal Information

Most of the personal information we process is provided to us directly by you, for example for one or more of the following reasons:

  • You are one of our service users
  • You are a legal guardian or carer for one of our service users
  • You have made an enquiry or information request to us via our website
  • You have visited our website(s) or used app(s) or platform and consented to our use of cookies or similar technologies
  • You have subscribed to our e-newsletter(s)

We may also obtain your personal information indirectly, from third parties, such as from:

  • Social workers
  • Other care providers
  • Using CCTV or other monitoring devices
  • When your contact details are given to us as a referee or for use in an emergency

The personal information we collect about you

We may collect and otherwise process different kinds of personal data about you which we have grouped together as follows:

  • Contact Data includes postal and email address and telephone numbers.
  • Identity Data includes names and similar identifiers, ID photo, marital status, title, date of birth and gender.
  • Health Data includes health, therapy and care plan records.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our partners and your communication preferences.
  • Transaction Data includes details about payments to and from you and other details of products, goods and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and services.
  • Usage Data includes information about how you use our products, services and website.

Lawful Bases (legal grounds) for Processing Personal Information

Our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it.

We will normally collect personal data from you on one or more of the following lawful bases:

  • Consent: We may process your personal information after you have consented (agreed) to us doing so. Your consent may have been obtained by us, or by third parties on our behalf. You have the right to withdraw your consent at any time.
  • Contract: We may process your personal information when we need to deliver a contractual service to you or because you have asked us to do something before entering into a contract (e.g., provide a quote).
  • Legal obligation: We may process your personal information when we need to comply with a legal obligation.
  • Legitimate interest: We may process your personal information when we need to for our or another’s legitimate interests, where these interests are not overridden by your rights.

Purpose(s) for Processing Personal Information

We have set out below a description of all the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Please note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground(s) we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity Type of data Lawful basis for processing
To register a new service user • Contact Data
• Identity Data
• Health Data
• Transaction Data		 • Contract
To manage our service user relationships • Contact Data
• Identity Data
• Marketing and Communications		 • Contract
• Legal obligation
• Legitimate interest (to keep our records updated and to study how service users benefit from/engage with our services)
To provide marketing materials • Contact Data
• Identity Data
• Usage Data
• Marketing and Communications Data		 • Consent
• Legitimate interest (to provide customers and contacts with information about our products/goods/services)
To administer and manage our website • Contact Data
• Identity Data
• Technical Data		 • Legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
For the safety and security of our staff, visitors, and others. • Contact Data
• Identity Data		 • Legitimate interests (to protect and keep safe develop our staff, visitors and other individuals that we have a responsibility for)
To comply with our legal obligations • Contact Data
• Identity Data
• Marketing and Communications Data
• Transaction Data
• Technical Data
• Usage Data		 • Legal obligation

Using your Personal Information for Marketing Purposes

We will not use your personal information for marketing purposes.

We will not share your information with any third parties for the purposes of direct marketing.

Sharing your Personal Information

We may share your personal information with third parties (other organisations or individuals) for:

  • The purpose(s) for which the information was submitted.
  • The purposes listed under ‘Purpose(s) for Processing Personal Information’.
  • As agreed between us.

We share personal information with third parties that act as data processors to provide elements of our service by processing personal information on our instructions (see ‘Data Processors’ below).

We may share your personal information with third parties in connection with our corporate transactions, (e.g., mergers and/or acquisitions), as a result of which your personal information may be assigned to a third party.

We may share your personal information with law enforcement, regulatory and other government agencies and professional bodies, as required by and/or in accordance with applicable law or regulation.

In some circumstances we are legally obliged to share information. For example, under a court order.

It is our policy to only share your personal information with third parties that are legally or contractually bound to protect your personal information to the same standards as we are, and that will flow those same standards to their subcontractors.
In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share your personal information.
We will not sell your personal information to any third party.
We do not send personal data to servers in China.

Data processors

Where we use data processors, we have contracts in place with them to ensure that they cannot do anything with personal information we have shared with them unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct them to.

These data processors may use sub-contractors (known as sub-processors) that have access to your personal data. If they do, they are required to have contracts in place with those sub-processors to ensure that they cannot do anything with personal information shared with them beyond what we have instructed our data processors to do with it.

The data processors which we mainly and routinely use* are:

  • We use Wavenet to provide our secure IT Network.
  • We use Acronis to provide our Cloud System Backup.
  • We use Cobweb Solutions as our email provider.
  • We use Log My Care as our care management platform.

We may share personal data with authorised NHS partners that provide therapies and/or treatment support.

*The above list identifies those data processors that we routinely use. It does not identify each and every data processor we use.

Transfers of your personal information to outside the UK

Your personal information may be transferred (sent to or accessed from) outside the UK. Any such transfer will be only:

  • To you; or
  • To a recipient located in a country which provides an adequate level of protection for your personal information, (i.e., a country where the data protection standards are the same or better than in the UK), for example, a country in the European Union (EU), or European Economic Area (EEA); or
  • To a recipient under a contractual agreement which satisfies UK legal requirements for the transfer of personal information, to ensure that appropriate safeguards are in place to protect your personal information in accordance with UK levels of data protection; or
  • To a recipient under the UK-US Data Bridge; or
  • When your personal information has first been anonymised

The countries/areas to which we routinely transfer personal data to* are:

EU/EEA: To a recipient located in a country which provides an adequate level of protection for your personal information.

*This does not mean that your personal data will definitely be transferred to any of these countries.

Retention (Storage) of Personal Information

We will retain your personal information only for as long as we need it for the purpose(s) for which it was collected, or as required to do so by law.

To determine the appropriate retention period for your personal information, we consider the amount, nature, and sensitivity of it, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process it and whether we can achieve those purposes through other means, as well as applicable legal requirements.

Examples of the periods for which personal information will be stored*

Personal data Retention period
Service User records As required by any applicable statutory retention period, or where no statutory retention period applies, for the period of the service, then handed back to service user or new provider or destroyed, we will only hold data on a 2-year rolling basis.
Business contacts records As required by any applicable statutory retention period, or where no statutory retention period applies, three years after business relationship ends.

*The above list gives examples and does not identify each and every, period for which individuals’ personal data will be stored. Further information about our retention of Personal Information is set out in our Retention Policy. If you would like a copy of our Retention Policy, please contact us.

Your data protection rights.

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

  • Your right of access: You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
  • Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.
  • Your right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

If you wish to exercise any of your rights, please contact us.

Security

We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data. Please be aware that, we cannot guarantee the security of all personal information transmitted to or by us.

Artificial Intelligence (AI)

We use Artificial Intelligence (AI), which means that AI may be used to process your personal data.
When we use AI, we do so in compliance with applicable data protection legislation, and regulatory guidance. The AI tools that we may routinely use are:

  1. SemblyAI – used for recording and note taking during meetings

Automated Decision Making

We will not use your personal information for automated decision making or profiling

Photo Consent

We will capture and use your image on our internal systems as part of our records, this is classified as ‘Identity Data’ in the above section (‘The personal information we collect about you’).

We may ask for your consent to use your image for marketing and other purposes, for example:

  • Internal newsletters, leaflets, and/or posters;
  • External (marketing) newsletters;
  • Social media campaigns;

Children’s personal information

We do not provide services directly to children or proactively collect their personal information.

Visiting our premises

When you visit our premises you may provide your name and other personal information for security and safety reasons.

CCTV

Closed-circuit television (CCTV) operates at our premises for security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. Our CCTV is a live feed system only; we do not store recordings of CCTV imagery.

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Our contact details
We can be contacted as follows:

Email:Admin.Team@onetrust.co.uk
Phone: 020 3096 9130
Post: UC 1.04, The Light Bulb, 1 Filament Walk, Wandsworth, London, SW18 4GQ
Our contact form: https://onetrust.co.uk/contact-4/

Cookies

We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set and are not deleted by the tool. For information about the cookies and any other similar technologies we use, please see our cookies policy.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have any queries or concerns about our handling of your personal information, please contact us directly via Admin.Team@onetrust.co.uk.

We will confirm receipt and our next steps within 30 days, and all queries will be investigated without undue delay. In all cases we will provide you with an outcome that explains what steps we have taken following your concern.

Should you remain dissatisfied following our response, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office (ICO), the UK data protection regulator. Please follow this link to see how to do that.

Updating

We may update this Privacy notice at any time by publishing an updated version here. So that you know when we make changes, we will amend the revision date at the bottom of this page. The new modified or amended privacy policy will apply from that revision date.

This Privacy Notice was last updated on 06th May 2026