Privacy & cookies policy
Updated 1st April 2026
The Lily Foundation operates this website and is responsible for your personal data when you interact with us, whether through our website or through other means such as events, fundraising activities or direct contact.
At The Lily Foundation, we take your right to privacy very seriously. This policy explains how and why we use the information you give us. We may update this policy from time to time, so please check it regularly.
If you have any questions, please contact: Liz Curtis, Data Controller – [email protected].
Who we are
The Lily Foundation is a company limited by guarantee, registered in England and Wales (06400879) and a registered charity (1122071), with its registered office at 31 Warren Park, Warlingham, Surrey CR6 9LD.
Our ICO registration number is ZA227002.
How we collect information from you
The Lily Foundation is the data controller of the personal information you provide to us.
We collect information when you interact with us in a variety of ways, including through our website and through other activities such as events, fundraising platforms, phone calls and written communications.
We use this information to support our charitable aims and better understand how we can support our beneficiaries and supporters. We will never sell or rent your personal data.
We may collect information from you:
- Through our online shop
- When you register for events
- Via third-party fundraising platforms (e.g. JustGiving)
- Through phone calls
- Via written consent forms
Information we collect about you
This includes information you provide directly to us.
Information collected from third parties
We may receive your data from third-party organisations (e.g. fundraising platforms). These organisations will process your data in line with their own privacy policies. You may wish to check their privacy policy when you provide your information to understand fully how they will process your data.
Special category (sensitive) data
If you are a patient, parent or advocate of someone with mitochondrial disease, some of the health information that you may tell us is deemed sensitive information, such as:
- Health information
- Genetic data
- Ethnicity
We only process this information with your explicit consent and will keep it confidential.
What data we collect
Through our contact forms, we may collect:
- Name (or name of child/individual)
- Date of birth/death
- Ethnic background
- First language
- Address/postcode
- Medical details including specialist mitochondrial disease centre and medical diagnosis, if you have one, and when this was given
Why we collect sensitive data
As a charity we like to ensure that we are providing the best possible service for our patients. Understanding demographics and the spread of the disease helps us to ensure that our services are targeted in the right areas.
How we store your data
Your personal data is stored securely within our central database with appropriate access controls.
Who we share your data with
We do not sell or rent your personal data.
We may share your data with trusted third parties where necessary, including:
- Service providers (e.g. email platforms, website hosting, Google reCAPTCHA)
- Payment processors (e.g. donations and purchases)
- Event partners
- Regulators or legal authorities where required
We ensure appropriate safeguards are in place and that your data is only used for specific purposes.
Retention of data
We retain your data only as long as necessary.
For example:
- Financial records (e.g. Gift Aid): retained for 7 years (HMRC requirement)
- Basic supporter data may be retained to maintain records of support
You can request deletion at any time in writing by contacting [email protected].
How we use your data
We use your data to:
- Provide services or products
- Manage donations and fundraising
- Maintain records of our relationship
- Comply with legal obligations
- Send marketing (only where you have opted in)
You can opt out of marketing at any time by clicking the ‘unsubscribe’ link in our marketing emails.
Marketing preferences
We may contact you by:
- Email (with consent)
- Post or phone (unless you opt out)
You can update your preferences at any time, including telling us to no longer send you marketing by post, by contacting [email protected] or calling 0300 400 1234.
How long we keep your data
We only keep data as long as necessary and in line with legal obligations.
How we protect your personal information
We take appropriate technical and organisational measures to protect your personal data and ensure its confidentiality, integrity and availability.
These include:
- Secure systems and servers
- Access controls
- Restricting access to trained staff
- Regular reviews of data access
We work with third-party providers and take steps to ensure they meet appropriate data protection and security standards.
Your data may be transferred outside the UK. Where this happens, we ensure safeguards are in place, such as Standard Contractual Clauses.
While we take all reasonable steps to protect your data, no transmission over the internet is completely secure.
We also have procedures in place to respond to any suspected data breaches in accordance with data protection laws.
How to access and update your personal information
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate by contacting us using the contact details below. You may also withdraw your consent for us to keep your personal data for some of the above purposes by writing to the address below. You have a right to access the personal information we hold about you and, in certain circumstances, to be provided with a copy of that information. You can request this free of charge by email to [email protected] or by writing to The Lily Foundation, 31 Warren Park, Warlingham, Surrey CR6 9LD.
If you are unhappy with the way in which your personal data has been handled you are entitled to make a complaint to the Information Commissioner’s Office.
Your consent
Where required, we rely on your consent to process your data, particularly for sensitive information.
You may withdraw consent at any time.
Your rights under UK GDPR
You have the right to:
- Access your data
- Correct inaccuracies
- Request deletion
- Restrict or object to processing
- Data portability
- Withdraw consent
Cookies
Cookies help us improve your experience on our website.
We use:
- strictly necessary cookies (essential for functionality)
- analytics cookies (optional)
- marketing cookies (optional)
We also use security-related cookies set by services such as Google reCAPTCHA to help protect our website from spam and abuse.
We will ask for your consent for non-essential cookies.
To learn more about cookies and how they are used, visit www.aboutcookies.org.uk.
Google reCAPTCHA
We use Google reCAPTCHA to protect our website from spam and abuse.
reCAPTCHA uses automated analysis to determine whether activity is human or automated. This may involve collecting technical and behavioural data such as your IP address, browser and interactions with the site.
This data is shared with Google, which acts as an independent data controller. See https://policies.google.com/privacy.
We rely on our legitimate interests (Article 6(1)(f) UK GDPR) to protect our website and users. We have carried out an assessment to ensure this does not override your rights.
Data may be transferred outside the UK, with appropriate safeguards in place.
reCAPTCHA may set cookies. Please refer to the cookies section above.
Changes to this privacy policy
We may update this policy from time to time. Updates will be posted on this page.