Privacy Policy

This Privacy Policy is meant to provide guidance and understanding on which data we collect, why we collect it, what we do with it, the choices that we offer, and the choices and rights that you have.

Relevant legislation

We ensure that the way we work and the services we provide to you, including this website, are designed to comply with the following national and international legislation with regards to data protection and user privacy:

Who we are

The BAF is the leading national charity dedicated to supporting those with allergy. We provide advice and information and offer practical solutions to help manage an allergic condition. We work with government, professional bodies, healthcare professionals and corporates to achieve our vision for everyone affected by allergy to receive the best possible care and support. Please visit our About Us page to learn more about what we do.

2.2 Allergy UK is the operational name of the British Allergy Foundation, a charitable company limited by guarantee and registered in England and Wales (registered charity number 1094231 and company number 4509293), and registered in Scotland (registered charity number SC039257), whose registered office is at London House, Texcel Business Park, Thames Road, Crayford, DA1 4SL.

2.3 We also have a wholly owned subsidiary company of the British Allergy Foundation, called Allergy Research Limited (ARL) that carries out business which may be advantageous and ancillary to the charitable objects of Allergy UK and donates all profits to the British Allergy Foundation. ARL was established in 1998 and its donations support the charity in carrying out its charitable objects to support those living with allergic disease. Our subsidiary may process personal data in accordance with Allergy UK’s instructions and policies.

2.4 The charity and trading subsidiary are different entities and are administered separately. Within the context of this policy, “we”, “us”, or “our”, means both the charity and its subsidiary.

2.5 Allergy UK is registered as a data controller with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018 – registration number Z5226293.  Allergy UK is responsible for operating this website.

What personal information we collect and when we collect it

3.1 Personal information is information that can be used to identify a person as an individual. In the context of this policy “personal information” can be an individual’s personal data, their child’s or someone for whom they are a carer.  Allergy UK may process personal data such as a first name, surname, date of birth, date of death, email address, postal address, home telephone number, mobile telephone number, gender, ethnicity, marital status, photographs or videos, social media name, bank account details, credit/debit card details, next of kin details, IP address and, where a person is a UK tax payer, details so that we can claim Gift Aid where agreed. We may also collect special categories of data, as detailed below.

We may collect personal information when a person:

  • uses our Helpline telephone service.
  • uses our Helpline webchat service;
  • signs up to our Allergy Alerts service;
  • uses our website;
  • downloads a Factsheet from our website;
  • orders products and services from us (such as translation cards);
  • makes a donation to us;
  • tells us about a fundraising event they are organising or taking part in;
  • registers for a place on one of our fundraising events;
  • asks about our activities or for us to send them something about our services;
  • registers for one of our events;
  • attends an event or exhibition not organised by us and agrees with the organisers that they can supply us with their personal information;
  • enquires about signing up for one of our product endorsement schemes;
  • becomes a corporate partner;
  • registers as a catering venue for our food safety scheme;
  • registers as a school for our schools’ information projects;
  • signs up to receive our newsletter;
  • signs up to receive our publications;
  • enters a prize draw or competition on our website or social media channels;
  • fills out a survey or questionnaire;
  • asks for press statements or requests a media spokesperson;
  • uses one of our social media channels such as Facebook, Twitter, LinkedIn and YouTube and asks us a question, requests something from us, or sends us a direct message;
  • supplies personal details to be in the public domain or via a publicly accessible source, such as the website of the company they work for or on LinkedIn;
  • applies for a bursary;
  • applies for a job with us;
  • becomes a supplier;
  • volunteers for us;
  • or otherwise provides us with their personal information through other means.

3.2 The following list identifies the kind of data that that we will process, and which falls within the scope of “special categories” of more sensitive personal information:

Equality Purposes

There may be specific equality laws or other legitimate purposes which require us to hold on file categories of information which relate to equality data.  This data will be kept on file with    the consent of each individual and used solely for the purposes of statistical data required for monitoring equality of opportunity and treatment across all employees and/or volunteers. For example, age, disability, gender, gender reassignment, race, religion or belief, and sexual orientation to encourage compliance with the Human Rights Act.

Health Data

If a person tells us about a health/medical condition or experiences and symptoms of allergy when using services or takes part in an event we will make it clear to them, at that time, what information we are collecting and how we will use the data.

Genetics, Race and Ethnic Origin Data

We participate in research activities that are associated with understanding allergic disease. Allergy UK may be the lead for a research project, or we might partner with other associated organisations. Research evidence has shown that genetics, race and ethnic origin can be factors involved in allergy. We would only use identifiable personal data where explicit consent has been provided in advance. Anonymised data might be used.  When collecting information specifically in respect of a particular research project we will make it clear why we are collecting data and how the data will be used.

Finance Data

If a person uses their credit or debit card to donate to us, buy something or pay online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We do not store credit or debit card details following the completion of a financial transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed.  Only those staff authorised to process payments will be able to see card details.

Why we collect and how we use personal information

4.1 We may collect personal information for a number of reasons, such as:

  • to provide a person with appropriate clinical advice when they get in touch with us, where appropriate, throughout the lifetime of their medical condition(s) and their ongoing contact with us;
  • to protect their vital interests, in the case of life or death situations;
  • to comply with legislation and regulations;
  • to enter into a contract with them or take steps to enter into a contract with them;
  • to provide them with the services, products and/or information which they have signed up to or requested;
  • to process any donation we may receive from them;
  • to ask them to help us raise money or donate money to our charity;
  • to respond to a question or enquiry;
  • to register a person for a fundraising event, where we have bought a place, and to send them details about that event and how to send us the money raised and collected;
  • to keep a record of a person’s own fundraising event for us;
  • when a person makes use of one of our specialist clinical services;
  • to invite participation in surveys and research in order to use the results for statistical analysis to help improve our services and gather statistics on areas relating to allergic disease in the UK;
  • to be a case study for us, where we may also use photos or a video on our website or other channels, with consent;
  • for internal record keeping, such as the management of feedback or complaints;
  • to maintain a list of people who have explicitly told us that they do not want us to contact them;
  • to analyse and improve the services we offer;
  • or to set a person up on our systems as, for example, a bursary recipient or a volunteer.

4.2  Once collected, we may anonymise your data for activities relating to our legitimate interests, such as being able to collate statistical data to inform our services, survey data or research.

4.3 We aim to ensure that all information we hold about a person is accurate and kept up-to-date. If any of the information we hold about a person is inaccurate and either they advise us or we become otherwise aware, we will ensure it is amended and updated as soon as possible.

4.4 We may contact a person for direct marketing purposes by post, email, home telephone, mobile telephone or text, if they have given us permission to do so. We will only contact a person for the purpose requested via the channel they request. For example, if a person only wishes to receive our newsletter, we will only send emails about this. It is each person’s choice about the type of communication and information they receive from us.

4.5 We will not use personal information for direct marketing purposes if a person has asked us not to do so. However, we will retain details on a suppression list to help ensure we do not contact them. A person may ask for any personal information about them that we hold to be  deleted and destroyed at any time but, please note, in that case we will have no record of any marketing preferences. There may also be times when we cannot delete data because of other laws or regulations. We will inform a person, if possible, if data cannot be deleted.

4.6 We use a number of third-party data processors to process your data and have agreements in place to ensure that they comply with the necessary standards. The list of these third-party data processors can be found in section 10 of this Privacy Policy, as updated from time to time.

Our legal basis for processing and storing personal data

5.1 Our legal basis for processing and storing personal data differs depending on when and why a person has provided us with their personal information. For example:

For the purposes of health care advice and to protect a person’s vital interests

  • If a person supplies us with details of personal information relating to health or medical condition(s), whether over the phone on our Helpline, via our webchat service, by signing up to Allergy Alerts, or via another method, we will record and store these details for the purpose of providing health care advice. The data input is always undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality. This is to protect the person’s interests and provide them with the most appropriate clinical advice and information at all times when they make contact with us. Only individuals involved in our clinical service have access to this information.
  • When a person calls our Helpline service there may be situations in which we need to record the call even if consent has not been given. This is because we provide clinical advice, through a health professional, on our Helpline. If, at a later date, our advice is questioned, a person does not follow our advice or raises a dispute or complaint, then we need to ensure that we have a record of the conversation. In those situations, we will therefore record the call for the purpose of providing the health care advice.  There may also be times when either the person who calls our Helpline, or the person about whom they are calling may be in danger or we are provided with information which we believe may indicate there is a need to enact safeguarding procedures. In these circumstances, we have a legal duty of care to collect the personal data in order to protect the person’s vital interests and, if necessary, this may include passing details on to the emergency services or other relevant authorities.


  • Collection of details of health and medical data which is not related to the purpose of the provision of health care advice or protecting a person’s vital interests will be on the basis of the person’s consent. Section 12 provides further details on individual rights.
  • We may contact those included in our database to raise awareness of research projects which are seeking participant involvement. This activity may require some profiling to try to ensure that only people for whom it may be relevant are contacted.

6.1 For the performance of a contract or to take steps to enter into a contract

  • If a person sets up a direct debit to donate money to us regularly, orders translation cards from us, is representing a company that wishes to work with us, either by signing up to one of our endorsement schemes or working with us as a partner or a supplier, or for another reason, we will collect personal information to allow us to take steps to enter into a contract.

6.2 Direct Marketing

  • Consent for us to process and store personal information is separate from giving us consent for electronic direct marketing purposes, which is when a person has requested that we send by email or other electronic method, from time to time, marketing or other materials promoting our organisation and charitable aims. We always ask for separate consent for electronic direct marketing purposes to make it explicitly clear as to what a person is consenting to and how we will be using the personal information. For example, we may email you information concerning research projects which are looking for participants. This activity may require some profiling to try to ensure that only people for whom it may be relevant are contacted.
  • If we have processed and stored personal data and a person has provided us with consent to contact them by opting in to receive direct marketing by email from us then, every 12-24 months, we may ask them to verify the personal information we hold about them and provide us with their consent to continue to receive direct marketing from us. We do this to ensure the personal information we hold on them and their preferences for any contact from us is as accurate and up to date as possible.
  • We may also send you direct marketing information by post, using the postal address we have on record for you, unless you have opted out from receiving such information. Our legal basis for such direct marketing is that it is in our legitimate interests of raising the profile of our charity and providing information in line with our charitable aims, including events, projects and requests for donations.

Data Protection and Security

7.1 We take steps to ensure all information is safe and secure, and that all staff are aware of and comply with their responsibilities in relation to data protection legislation. A copy of our Information Security Policy can be accessed through the BAF HR department. We will ensure that:

  • The Information Security policy is up to date
  • All staff undergo training in data protection requirements
  • Access to personal data is based on role responsibility and a ‘need to know’ basis, which is seen as good practice by the Information Commissioner’s Office (ICO). We do this to reduce the risk of inappropriate access to personal data by staff or volunteers.
  • Access to our office is through use of secure keypad entry and the code is changed regularly as required.
  • We have confidential waste processes in place in the form of a shredder. This improves the security of documents which may contain personal data which is no longer required.
  • We have formal retention schedules in place to ensure that we only keep personal information for an appropriate length of time.
  • We have security locks for our I.T. screens.
  • We enforce regular password changes through our IT systems.
  • We have a clear desk policy with regard to personal information – nothing containing personal information is to be left out on a desk outside office hours.
  • All paper files or discs containing personal information are held in securely locked cabinets, with only the appropriate staff having access to them.
  • We have an encrypted memory stick which is password protected and use this if we are required to present at external meetings/events.

7.2 Although we cannot fully guarantee the security of any information transmitted to us, we enforce strict procedures and security features to protect all information and prevent unauthorised access.

Storing information and how long we store it

8.1 We only hold personal information for appropriate lengths of time, in line with the Information Security Management Schedule ( Addendum IT1) and will contact a person for      consent to continue holding or destroy the data.

8.2 We take into consideration our legal obligations, the guidance of relevant UK authorities such as the ICO, the National Health Service, Fundraising Regulator and also tax and accounting bodies, when determining how long we should retain information.

8.3 When we no longer need to retain personal information, we will ensure it is securely deleted and destroyed at the appropriate time, unless a person provides consent for us to retain it for a further period.

Our websites and cookies

9.1 Our websites use Google Analytics to track what a visitor sees on our website and which pages they visit. We use this data to determine the number of people using our site, to better understand how they find and use our web pages, and to see their journey through the websites.

9.2 Although Google Analytics records data such as geographical location, the device being used to access our website, internet browser, and operating system, it does not personally identify any person. Google Analytics also records a computer’s IP address, and although this could be used to personally identify a person, Google does not grant access to this.

9.3 Our websites contain links to other websites belonging to third parties and we sometimes  choose to participate in social networking websites including but not limited to Twitter,       YouTube, LinkedIn, and Facebook. We do not have any control over the privacy practices of  these other websites or applications. It is a person’s individual responsibility to make sure nwhen they leave our website that they have read and understood that website’s privacy policy in addition to our own.

9.4 We also use cookies to monitor the usage of our websites and webchat communications, to help the websites work well and to track information about how people are using them.

Information sharing, disclosure, and third-party data controllers and data processors

10.1 We will not share a person’s information with any third party apart from trusted partners we work with to help deliver our services.

10.2 We require all our trusted partners to comply with data protection regulations and our   standards and we allow them only to process information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place and we   regularly monitor all our partners to ensure their compliance.

10.3 We may disclose personal information to third parties if we are required to do so through a legal obligation, to enable us to enforce or apply our terms and conditions or rights under an agreement or to professional advisers, to protect us, for example, in the case of suspected fraud or defamation.

10.4 We may use third parties to process personal data on our behalf. Some of these third parties       have servers located outside the EU, which means that when a person uses these services, data is passed between the UK and a country outside the EU. We will take steps to ensure       privacy continues to be protected as per UK data protection legislation in line with the BAF Information Security Policy.

10.5 These third parties have been carefully chosen and all commit to complying with the legislation set out in section 1 of this Privacy Policy. Some of these parties are based in the USA and confirm that they have adopted the new Standard Contractual Clauses (SCCs) as per GDPR – EU Commission requirements.

  • Click4Assistance – who we use to enable our WebChat – their obligations are set out in their Privacy Policy
  • Enthuse – who we use to process donations, direct debits and sign people up to one of our events – their obligations are set out in their Privacy Policy
  • Google – what we use to track movements on our website – their obligations are set out in their Privacy Policy
  • T. Support (UK) Ltd. – we have a contract with them to provide our I.T. support – their obligations are set out in their Privacy Policy .
  • Elavon Digital Europe Ltd T/A Opayo – Formerly Sage Pay, used as our payment processing service – their obligations are set out in their Privacy Policy. They also have a built-in encryption process for secure payments
  • Orbtalk – who we use to record our Helpline calls – their obligations are set out in their Privacy Policy
  • Sage – what we use to track our finances and payroll – their obligations are set out in their Privacy Policy as well as a document on their GDPR Readiness.
  • Salesforce & Pardot – the CRM system in which we store personal details, send emails where opted in, and submit forms from our website – their obligations are set out in their Privacy Policy and their data processing agreement with us.
  • SurveyMonkey – what we use to conduct surveys or questionnaires – their obligations are set out in their Privacy Policy and terms of business.
  • TextMagic – App used to send appointment confirmations by text – their obligations are set out in their Privacy Policy
  • Zivver – An online plug in to secure and safeguard our sensitive email data when using Microsoft 365 and allowing for secure file transfer. Their obligations are set out in their Privacy Policy

We will always seek consent to share data with any third parties for any other purposes.

Changes to the privacy policy

11.1 This Privacy Policy replaces all previous versions and is correct as of August 2023.

11.2 Our Privacy Policy may change from time to time. We will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice. We will also keep prior versions of this Privacy Policy in an archive and for information purposes only a person can request to see the version of the Privacy Policy they signed up to at any time by contacting us. The most recent version will supersede all previous versions and we advise people to check our pages periodically.

Your rights as an individual

12.1 Under data protection legislation, a person has the right to:

  • obtain confirmation from us about whether we are processing their personal information, how, and why;
  • request that we update or amend the information we hold about them, if it is wrong;
  • object to the processing of their information for direct marketing purposes or profiling;
  • object to their personal information being subject to automated processing;
  • request a copy of the information we hold about them;
  • change their communication preferences at any time;
  • ask us to remove their personal information from our records without delay;
  • a right to portability of photographs and images which they provided to us, returned in a ‘machine readable’ format and, where requested, transferred directly to another data controller (free of charge);
  • raise a concern or complaint with us about the way in which their information is being used.
  • if dissatisfied with the outcome of any complaint we have investigated, then raise a concern or complaint about the way in which their information is being used with a data protection authority. In the UK, the data protection authority is the Information Commissioner’s Office (ICO) who can be contacted at

If at any time a person contacts us regarding any of their rights above, we will respond to their enquiry as soon as possible.

Contacting us

If a person would like us to contact us in relation to this Privacy Policy and our processing of personal information, then please contact us via email on or by post at: Data Protection, Allergy UK, London Business Centre, Texcel Business Park, Thames Road, Crayford, DA1 4SL.

Sign Up For More Information

It is important to Allergy UK that we can engage with all people that are affected by allergic disease

Join our mailing list