Our Privacy Policy

The Comfrey Project (hereafter “TCP”) is committed to continually improving our services. To help us achieve this we may collect and process information about you.


We will collect and use personal information about you to enable us to administer our services and to help us continue to manage our relationship with you. The processing of personal data is governed by the General Data Protection Regulation, or GDPR.

TCP decides how your personal data is processed and for what purposes. TCP complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; and by protecting personal data from loss, misuse, unauthorised access and disclosure.

This Privacy Notice describes in detail how we will use your personal information, what your rights are in relation to personal information and how you can exercise those rights.

We are committed to protecting your privacy. We will only use your personal information in accordance with GDPR.

Who is responsible for your personal information?

We control the information that is collected by us about you and the purposes for which we use that information. This means that we are the data controller (for the purposes of the GDPR) in respect of such personal information.

 What is our legal basis for processing your personal information?

The legal bases under which we hold your personal data are ‘Consent of the Data Subject’, ‘Legitimate Interest’ and ‘Legal Obligation’.

What information do we collect?

At the point we collect your personal information we will advise you of the exact purpose and direct you to this Notice. This means we will not collect personal information for one purpose and then use it for another, unless the second purpose is implicit.

The information collected can vary depending on our relationship with you, but will primarily consist of your name, address, and contact details (including email address and mobile phone number). We may also require your GP’s and emergency contact details.

If you provide us with personal information about another individual (unless legally able to do so), you must ensure that before you provide us with their personal information, you have their agreement to do so and that they are aware of the ways in which we will use their personal information as set out in this Privacy Notice.

How do we use your personal information?

We may use your personal information:

  • To meet obligations arising from any contracts entered into between you and us;
  • To comply with our legal obligations, with instructions from a regulatory bodies such as Care Quality Commission (CQC) and Charity Governance Code (CGC);
  • To manage and administer the relation between you and us;
  • To notify you about changes to our services and otherwise communicate with you;
  • To train our staff to continuously improve our services; and
  • To carry out marketing activities.

With whom do we share your personal information?

In connection with the above uses of your personal information, some of our services may share your personal information with third parties in connection with our services. For instance, we may pass your personal information to:

  • Third party organisations that provide services to us;
  • External agencies and organisations (including the police and other law enforcement agencies) for the purpose of preventing and detecting crime;
  • Third parties if we are under a duty to disclose or share your personal information in order to comply with any legal obligation or instructions of a regulatory body, in connection with a court order, or in order to enforce or apply the terms of any agreements we have with or otherwise concerning you (including agreements between you and us); or to protect our rights, property or safety or those of our service users, employees or other third parties.

Transfers outside the EEA

The Comfrey Project uses Google Drive to store some of our operational data. TCP have set our data storage location to within the EU as permitted within our Google Administrator account, to ensure GDPR jurisdiction and compliance.

Protecting your personal information

We regularly review and continually improve our data security measures to reduce any risk of data loss, or data breaches. We also have a data breach plan and procedure to follow in the event of any data breach, to minimise any potential impact to you. Our security procedures mean that we will not disclose your personal information to any unknown third party without first gaining your consent to do so, unless for some legal exemptions.

How long will we keep your personal information?

We will not store your personal information for longer than is necessary for the purposes of processing. This means after we process your personal information, we will securely destroy your personal information from our records.

In line with GDPR guidance, we will only retain your personal information for a regulatory, legal or a specific business purpose, in line with our data retention procedures.

Our data retention periods will differ from service to service, dependent on the type of data and the purposes of processing. If you require specific retention schedules for your personal information please contact us using the contact details further on in this Notice.

What rights do you have?

By providing you with this Privacy Notice we are ensuring that you have been fully and clearly informed in relation to how we use your personal information.

You have the right to object to our processing of your personal information if you feel that our legal basis for the processing is incorrect. If you think any of the personal information we hold about you is inaccurate or incorrect, you can request that we correct this information. If you feel there is no compelling reason for the continued processing of your personal information, you can request that it is erased from our systems.

Access to your personal information

GDPR gives you the right to access your personal information, subject to certain exemptions. To request access to your personal information, please contact us using the contact information below, including the following items:

  • A clear label for your request (e.g. use ‘Data Subject Access Request’ as your email subject line or a heading for your letter);
  • The date of your request;
  • Your name (including any aliases, if relevant);
  • Your up-to-date contact details;
  • Either a request for all personal data held, or a comprehensive list of what personal data you want to access, based on what you need;
  • Any details, relevant dates, or search criteria that will help the organisation identify what you want; and
  • How you would like to receive the information (e.g. by email or printed out).

There will be no fee for any subject access request we receive; however, we may require identification to verify your identity before we supply the information.

We will respond to you within 1 month from the date of receiving your query.

How to contact us

If you have any questions, comments or requests regarding this Privacy Notice, please contact us in either of the following ways:

  • by writing to The Comfrey Project, Windmill Hills Centre, Chester Place, Gateshead, NE8 1QB, marked to the attention of Michael Blenkarn-Durning, or
  • by emailing at info@thecomfreyproject.org.uk

 This Notice was last updated in January 2024. The next review date is January 2025.