Privacy - The Lily Foundation

Privacy & cookies policy

The Lily Foundation operates this website. At The Lily Foundation we take your right to privacy very seriously. For that reason, we have set out this privacy & cookies policy so you can make sure you understand how and why we use the information you give us. The terms of this policy may change, so please check it from time to time.

If you have any queries about this policy please contact:

Liz Curtis, Assigned Data Controller – [email protected].

Who are we?

The Lily Foundation is a company limited by guarantee, registered in England and Wales under company number 6400879 and registered as a charity with the Charity Commission for England and Wales under number: 1122071 whose registered office is at 31 Warren Park, Warlingham, Surrey CR6 9LD.

How we collect information from you

The Lily Foundation is the sole owner of the information submitted by you, to us, in any way. We may use this information, gathered during our organisation’s stated role, to further our charitable aims and objectives and to further understand our supporters and how best we can support you. However, we will never sell or rent personally identifiable information that you have submitted to this site to third parties.

Collection of your information may be through:

  • our online shop
  • your registration to an event via our website (we will only contact you about this event unless you have specified otherwise)
  • your information passed from a third party you have registered with for a fundraising event (in this instance please always refer to their own privacy policy too)
  • via a phone call to us (we will always refer to our marketing preferences and make sure that we have your consent to contact you further)
  • via a written consent form you have sent to us
  • registration via The Lily Foundation UK Mito Patient Registry

Information we collect about you

This is the information that you have given us. 

Information collected by a third party

Your information may be shared with us by third party organisations, for example fundraising sites like Virgin Money Giving and JustGiving, Run for Charity and Skyline. These sites will do so pursuant to their own policies on data protection and privacy. It’s a good idea to check their privacy policy when you provide your information to understand fully how they will process your data.

Special category or sensitive information

Some health information that you may tell us falls under what is deemed as sensitive information, such as your genetic data, medical data or health information. As with all the personal information you provide us, you can be assured that any sensitive information you choose to supply will be kept confidential and only shared with your consent.

The personal data (including sensitive personal data) we collect, store and process must be accurate, in particular where diagnostic data is concerned, and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate, in order to ensure the integrity of the diagnostic data.

We will ensure that the personal data we hold, including sensitive personal data, is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any personal data at the point of collection and at regular intervals afterwards, in particular where diagnostic data in respect of The Lily Foundation UK Mito Patient Registry is concerned. We take all reasonable steps to destroy or amend inaccurate or out-of-date personal data, including sensitive personal data, in particular within the diagnostic data framework. 

What are we collecting?

The questionnaire will collect the following data:

  • your name/affected child name
  • DOB
  • ethnic background
  • first language
  • address/postcode
  • hospital/consultant names and addresses
  • syndrome diagnosis (if known)
  • biochemical diagnosis (if known)
  • genetic diagnosis (if known)
  • symptoms.

Why do we collect this sensitive information?

Research studies:

We are often approached by research groups who enquire whether we have suitable members for studies and trials. The information we collect in these questionnaires makes finding suitable patients a much quicker and more reliable process.

Support services:

As a charity we like to ensure that we are providing the best possible service for our patients. Understanding demographics and the disease spread helps to ensure that our services are targeted in the right areas.

How do we store your sensitive information?

The Lily Foundation has taken the utmost care to ensure that all data collected on The Lily Foundation UK Mito Patient Registry is stored securely and in line with GDPR legislation. Any personal data – such as names and email addresses: the “contact record” – is stored on the central Lily Foundation database. The medical data related to your diagnosis is stored on two entirely separate databases located in different locations to the central Lily database. The records in these two medical databases and the one central Lily database are connected via an encrypted reference which prevents identification of medical records using the contact record and vice versa.

Who do we share your data with?

None of your data will be shared with third parties without your knowledge and consent.

None of your data will be used for marketing purposes unless you have opted in.

Retention of data

We will retain your information for as long as we feel it necessary to do so for the purpose upon which it was obtained and/or retained and/or processed. If at any stage you would like us to delete your information you should make this request in writing by contacting [email protected].

What do you do with the registry data?

We use your data:

  • to provide you with the services, products or information you have asked for (for example when you purchase an item from our shop or sign up to an event via our website)
  • for specific sporting events we will share your email with third parties to process registration (e.g. London Marathon event)
  • to administer your donation or support your fundraising, including processing Gift Aid
  • to add you to our database
  • to keep a record of your relationship with us
  • to comply with financial regulations and the law
  • to contact you for marketing purposes by email if you have opted in to receive these.

If you have provided us with your postal address or telephone number, we may send you direct mail for marketing purposes unless you have told us that you would prefer not to receive such information. 

You may opt out of marketing emails at any time by clicking the ‘unsubscribe’ link in our marketing emails.  

You can also change your contact preferences at any time, including telling us to no longer send you marketing by post, by contacting [email protected] or calling 0300 400 1234.

If you request to receive no further contact from us, we will keep some basic information in order to avoid sending you unwanted materials in the future, and to ensure that we do not accidentally store details for the same person multiple times. This will be the only reason your data is retained and/or processed in such a scenario.

How long do we keep your personal data?

We keep personal data only for as long as it’s necessary. When it comes to financial donations and Gift Aid, we’re required to keep information such as the supporter’s name, address, Gift Aid declaration form(s) and financial information for seven years for HMRC auditing purposes. We’ll retain basic information (such as a supporter’s postcode and transactional history). We believe it’s important to keep basic information of this kind in case someone leaves a gift in their will to us and we’re required to evidence the nature of their support if it’s contested.

How do we protect personal information?

We use a secure server when you make a donation or payment via our website. We take appropriate measures to ensure that the personal information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used. All personal information is stored in a central database which has stringent measures in place for restricting access and preventing external data breaches.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and third-party organisations who have been contracted by us to process data. Our approach to personal information involves restricting access to sensitive personal information, for example health information and financial contributions, to only those departments that need this data in order to carry out their functions.

We use external companies to collect or process personal data on our behalf. We make sure we only work with companies that comply with the Payment Card Industry Data Security Standard (PCI DSS) and we do annual reviews of their data processes to be certain that they meet our GDPR expectations and requirements. The data we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA) e.g. USA. It may also be processed by persons operating outside the EEA.

We use the following systems for processing and storing your data:

Donorfy – please click here to read their privacy policy.

Dropbox for Business – please click here to read their privacy policy.

Mailchimp – please click here to read their privacy policy.

Free Online Surveys – please click here to read their privacy policy.

Microsoft – please click here to read their privacy policy.

Google Workspace – please click here to read their privacy policy.

Facebook – please click here to read their privacy policy.

Acuity Unified Communications – please click here to view their privacy policy.

JustGiving – please click here to view their privacy policy. 

Stripe – please click here to view their privacy policy. 

Unfortunately, no data transmission over the internet can be completely secure. Whilst we do our best to protect your personal data, we cannot guarantee the security of any information which you transmit to us online and you must understand that you do so at your own risk. 

Your consent

By providing us with your personal data, including sensitive personal data such as your state of health, you consent to the collection and use of this information in accordance with the purposes described above and this privacy statement.

You also consent to our transferring your information to countries or jurisdictions outside the UK if necessary for the above purposes. These countries may not provide the same level of data protection as the UK.

Your rights under the GDPR

The General Data Protection Regulation (GDPR) gives you more control over what happens to your personal information. Under this legislation you have the right to:

  • be given clear, transparent and free information about how your data will be used
  • access your personal data so that you can see how your personal information is being used by us
  • have your personal information updated and corrected
  • obtain and reuse the personal data you have given to us for your own purposes
  • request that we permanently delete or remove your information where there is no “compelling” reason for us to keep it; and request that we don’t use your personal data for specific purposes and, unless we are under a legal or contractual obligation, we must respect your wishes
  • the GDPR also prohibits us from using solely automated technologies to build profiles and make decisions about people who support us which will have “legal or similarly significant effects”, unless: it’s necessary to fulfil a contract; it’s been authorised by a Union or Member state law; or you’ve given your explicit consent for your information to be used in this way.

How to access and update your personal information

We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate by contacting us using the contact details below. You may also withdraw your consent for us to keep your personal data for some of the above purposes by writing to the address below. You have a right to access the personal information we hold about you and in certain circumstances to be provided with a copy of that information. You can request this free of charge by email to [email protected] or by writing to The Lily Foundation, 31 Warren Park, Warlingham, Surrey CR6 9LD.

If you have set up an account via The Lily Foundation UK Mito Patient Registry, you will be able to access and update your data at any time.

If you are unhappy with the way in which your personal data has been handled you are entitled to make a complaint to the Information Commissioner’s Office.

How we use cookies

A cookie is a small piece of information that we may put on your computer or mobile device. There are several types of cookie and they have different functions, such as saving your passwords and site preferences. We use cookies to help us understand your interests and preferences, and distinguish you from other users, to ensure the website is as user friendly and relevant as possible and to provide you with information specifically tailored to your interests. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

We may use cookies to:

  • analyse our web traffic using an analytics package. This aggregated data on usage helps us improve the website design, structure, content and function
  • test content on the website. For example, 50% of our users may see one piece of content, the other 50% will see something else.

Cookies do not provide us with access to your computer or any information about you, other than that which you choose to share with us.

Most browsers accept cookies by default but allow you to stop receiving cookies if you prefer. If you do not accept our use of cookies as set out in this policy, change the settings in your browser (normally via the privacy section). This may impair your ability to use our website.

The cookie’s name is page_theme and is set to expire with the session (that is to say once the user closes their browser tab).

For further assistance visit in your browser or

Changes to this privacy policy

We may change the terms of this privacy policy from time to time. If we do so, we will post the changes here for you to see. By continuing to use our website you will be deemed to have accepted such changes.