Privacy, Cookie & Data Protection Policy

Click here to go to our Cookie Policy or click here to go to our Data Protection Policy

Privacy Policy

Privacy Notice

Esme’s Umbrella (registered charity no. 1197087) exists to support people with Charles Bonnet Syndrome (CBS) by:

  • raising awareness of CBS to healthcare professionals and the wider community;
  • creating support for the care and welfare of anyone who develops CBS and their families/caregivers;
  • sourcing and raising funding for CBS research and publishing all useful results arising from the research.

We respect the privacy of our service users and supporters, as well as visitors to our website. This notice explains how we collect, manage, use and protect your personal information.

How we protect your privacy

According to the law, we are accountable for the data we process. So, we measure any risk we might create when we process your data, and we provide contact details for your use if you have any concerns about our use of your data. We keep records of our processing and any incidents so we can measure and improve our approach. We regularly review our policies and procedures to ensure we are upholding your rights under the Data Protection Act (2018).

The information we collect from you

Under the Data Protection Act (2018), and Privacy and Electronic Communications Regulation (2019), the charity is what is known as a ‘controller’ of the personal information you provide to us. The information you provide will vary, but could include:

  • Your name, postal address, telephone number and email address
  • Information on your motivation for supporting the charity, if applicable
  • If you are making a financial contribution, your debit and credit card information, bank account details or other banking information in order to process your payment, as well as information required to validate your identity and prevent fraud
  • Information about your activity online when you visit our website, interact with our social media and when we send you an email.

Sometimes you may provide other information, which could include your date of birth, gender, ethnicity, details about your eye condition, genetic diagnosis and health. We will only collect and record sensitive information like this, which is known as ‘special category data’, with your explicit consent and where there is a good reason to do so. Access to this data will be restricted to certain members of our team, and it will not be shared with any third party without your consent, unless we have a statutory obligation to do so, or if there are concerns for your safety.

How we collect your information

We collect your personal information in various ways, for example when you register for an event, provide us with feedback, make a donation, enter a raffle or make a call to our helpline. We may also collect information when you are using our websites. Sometimes, we will gather publicly available data to ensure that your information is up to date, build a profile based on your background and interests, and communicate more effectively with you. Remember that if you give us permission to share information about you publicly in the form of a case study, or on social media, or you share such information yourself, it is then in the public domain.

Esme’s Umbrella uses social media to promote our work. We have accounts on Facebook, Twitter, Instagram and LinkedIn. Where members of the public engage with our posts or publish content relevant to our work, we may like the posts, follow them, reply or write to them.

How we use your information

The information you provide is used to fulfil any requests or queries we receive from you, including referrals onto other relevant parties, to process any donations you make, to manage your contact preferences, and to provide you with information about our work and activities, including updates about our services, medical research support and fundraising activities. We may from time to time use your information to seek feedback from you or conduct surveys. Sometimes, we also have a legal obligation to process your personal information, for example when maintaining Gift Aid records.

Often, we will process your information based on consent that you have provided to us. On other occasions, we will do so because we consider we have a legitimate interest to do so. Some examples of when we would rely on our legitimate interest include:

  • to pursue our organisational aims and objectives;
  • to fundraise now and in the future for our important work;
  • to ensure we meet our regulatory requirements as a charity;
  • to manage our ongoing relationships with service users and supporters;
  • when you work for us;
  • when you volunteer your time for us;
  • to manage financial transactions and prevent fraud;
  • to clean our data and to ensure it remains up to date.

Where we rely on legitimate interest to process your information, we will always ensure that we respect your rights, and that you have the opportunity to opt-out and inform us of your preferences. You can contact us at any time on to ask us to remove your information from our records.

How long we keep your information

We will not keep your personal information for any longer than is necessary for the charity’s purposes or for legal requirements and we review our retention periods for personal information on a regular basis.

Sharing your information

We only disclose information to third parties when obliged to by law, for purposes of national security, taxation and criminal investigations, and the following:

  • if you have agreed that we may do so;
  • if we run an event or deliver a service with a partner organisation.

However, we will share your information with third parties only where it is necessary to fulfil the service and where the third party has adequate policies and procedures in place to safeguard its use.

We will never sell or rent your personal information to other organisations.

Your rights

You have a number of very important rights, which we will always respect:

  • the right to be informed – transparency over how we use your personal information;
  • the right of access – you can request a copy of the information we hold about you, which you will receive within one month;
  • the right of rectification – you can let us know if any of the information we hold about you is inaccurate, and we will correct it;
  • the right to restrict processing – you can ask us to stop processing your information;
  • the right to be forgotten – you can ask us to remove your information from our records;
  • the right to object – you can let us know at any time if you want us to stop processing your information for marketing purposes (e.g. sending you event notifications, fundraising appeals etc);
  • the right to data portability – you can obtain and reuse your personal information for your own purposes;
    you also have the right not to be subjected to decision making based on automated processing.

Remember, you can contact us at any time to discuss your rights or update your preferences by emailing

How we protect your information

We maintain the highest standards of data privacy and security to protect your personal details. We regularly review our processes and procedures to ensure that your information is protected from unauthorised access or use, accidental loss and/or destruction. We ensure that there are appropriate technical and organisational controls in place to protect your personal details. For example, all our team receive training on data privacy and how to keep your data secure, and our network is protected and routinely monitored.

Unfortunately, no data transmission over the internet is 100 per cent secure. As a result, while we try to protect your personal information, Esme’s Umbrella cannot guarantee the security of any information you transmit to us and you do so at your own risk.

If you have any concerns or would like to make a complaint about how we have handled your personal data please also get in touch with us. If you are not satisfied with our response or if you want to know more about your Data Protection rights, you can visit the Information Commissioner’s Office website at or contact their helpline on 0303 0123 01113.

You can also contact the Fundraising Regulator at

Contacting us

We are always happy to hear from you if you would like to:

  • Discuss our approach to privacy and data protection in more detail
    Request a copy of the information we hold about you
    Provide or withdraw consent
    Tailor your communication preferences

Esme’s Umbrella

26 Western Gardens
W5 3RU

Last updated: 15 March 2022


Cookie Policy

Our Privacy and Cookie policy explains our principles when it comes to the collection, processing, and storage of your information. This policy specifically explains how we, and our partners of our services deploy cookies, as well as the options you have to control them.

What are cookies?

Cookies are small pieces of data, stored in text files, that are stored on your computer or other device when websites are loaded in a browser. They are widely used to “remember” you and your preferences, either for a single visit (through a “session cookie”) or for multiple repeat visits (using a “persistent cookie”). They ensure a consistent and efficient experience for visitors, and perform essential functions such as allowing users to register and remain logged in. Cookies may be set by the site that you are visiting (known as “first party cookies”), or by third parties, such as those who serve content or provide advertising or analytics services on the website (“third party cookies”). Both websites and HTML emails may also contain other tracking technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted.

How we use cookies

We use cookies for a number of different purposes. Some cookies are necessary for technical reasons; some enable a personalised experience for both visitors and registered users; and some allow the display of advertising from selected third party networks. Some of these cookies may be set when a page is loaded, or when a visitor takes a particular action (clicking the “like” or “follow” button on a post, for example).For more information on the choices you have about the cookies we use, please see the Controlling Cookies section below.

Where we place cookies

We set cookies in a number of different locations across our services. These include:

  • On our websites
  • On sites we host for our users.

Types of Cookie

The table below explains the types of cookies we use on our websites and why we use them.


Category of Cookie

Why we use this type of Cookie

Strictly Necessary

These cookies are essential for websites on our services to perform their basic functions. These include those required to allow registered users to authenticate and perform account related functions, as well as to save the contents of virtual “carts” on sites that have an ecommerce functionality.


These cookies are used to store preferences set by users such as account name, language, and location.


We use these cookies to help identify and prevent potential security risks.

Analytics and Performance

Performance cookies collect information on how users interact with our websites, including what pages are visited most, as well as other analytical data. We use these details to improve how our websites function and to understand how users interact with them.


These cookies are used to display relevant advertising to visitors who use our services or visit websites we host or provide, as well as to understand and report on the efficacy of ads served on our websites. They track details such as the number of unique visitors, the number of times particular ads have been displayed, and the number of clicks the ads have received. They are also used to build user profiles, including showing you ads based on products you’ve viewed or acts you have taken on our (and other) websites. These are set by Automattic and trusted third party networks, and are generally persistent in nature.

Controlling Cookies

Visitors may wish to restrict the use of cookies or completely prevent them from being set. Most browsers provide for ways to control cookie behavior such as the length of time they are stored – either through built-in functionality or by utilising third party plugins. If you disable cookies, please be aware that some of the features of our service may not function correctly.To find out more on how to manage and delete cookies, visit For more details on your choices regarding use of your web browsing activity for interest-based advertising you may visit the following sites:

On a mobile device, you may also be to adjust your settings to limit ad tracking. You can opt out of Google Analytics by installing Google’s opt-out browser add-on. You may see a “cookie banner” on our websites and dashboards. When you consent in this manner, we and our advertising partners may set advertising cookies on the site you are visiting. We’ll display the banner to you periodically, just in case you change your mind.We set a cookie to help us understand how visitors engage with websites. When you opt out, we replace the unique value for that cookie with an opt-out value. The opt-out works across all websites. Please note that this option is browser specific, and so if you use a different device or browser or clear your cookies, then you will need to repeat the process.

Last updated: 15th March 2022


Data Protection Policy

Esme’s Umbrella

Data Protection Policy

Last updated

15 March 2022

Date of next review

March 2023



means Esme’s Umbrella, a registered charity.


means the General Data Protection Regulation.

Responsible Person

means Judith Potts

Data Register

means a register of all systems or contexts in which personal data is processed by the Charity.

1. Data protection principles

The Charity is committed to processing data in accordance with its responsibilities under UK GDPR and the Data Protection Act (2018) and Privacy and Electronic Communications Regulations (2019).

UK GDPR requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

2. General provisions

  • This policy applies to all personal data processed by the Charity.
  • The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.
  • This policy shall be reviewed at least annually.
  • The Charity is exempt, due to its status as a “not for profit” organisation, from registration with the Information Commissioner’s Office as an organisation that processes personal data.

3. Lawful, fair and transparent processing

  • To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Data Register.
  • The Data register shall be reviewed at least annually.
  • Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
  • If any third parties, such as partner charities, process any data on behalf of Esme’s Umbrella or receive referral data, they will be asked to confirm that they have appropriate data protection policies and procedures in place.

4. Lawful purposes

  • All data processed by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
  • The Charity shall note the appropriate lawful basis in the Data Register but undertakes no activities which require the collection, holding and/or processing of personal information for reasons of vital interests or public tasks.
  • Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
  • Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Charity’s systems.

5. Data minimisation

  • The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Accuracy

  • The Charity shall take reasonable steps to ensure personal data is accurate.
  • Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
  • All data is stored either in the Contact Database (password protected spreadsheet) or in secure email folders.

7. Archiving / removal

  • To ensure that personal data is kept for no longer than necessary, the Charity shall consider what data should/must be retained, for how long, and why and this will be recorded in the Data Register.

8. Security

  • The Charity shall ensure that personal data is stored securely using modern software that is kept-up-to-date. This will include appropriate password protection for the laptops, emails, relevant filing systems and social media accounts of the Charity along with up to date anti-virus protection from an appropriate provider.
  • Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
  • When personal data is deleted, this should be done safely such that the data is irrecoverable.
  • Appropriate back-up and disaster recovery solutions shall be in place via a Cloud-based provider.

9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).