Legal
Privacy Policy
1. Who we are
The Sexual and Reproductive Health Education Network ("SRHE") is in the process of registration as a company limited by guarantee in England and Wales. Our website is srhe.net. Contact us: info@srhe.net
2. What data we collect
Data you give us directly
- Name and email address, if you contact us
- Any other information you choose to provide in correspondence
- DBS check information, where required for an outreach volunteer role
- Date of birth, where required to confirm eligibility for membership (18+)
Data collected automatically
Our website is hosted on Cloudflare's infrastructure. Cloudflare may process technical data including IP addresses for security and routing. We do not use Google Analytics, Facebook Pixel, or any third-party tracking. See Cloudflare's privacy policy.
3. Cloudflare as our infrastructure processor
Cloudflare, Inc. acts as a data processor on our behalf for hosting, content delivery, and DDoS/security protection. Cloudflare processes limited technical data — primarily IP address, request metadata, and timing information — strictly to deliver and secure the site. This processing is governed by Cloudflare's standard Data Processing Addendum (DPA), available at cloudflare.com/cloudflare-customer-dpa, which we have accepted as part of our hosting agreement. Where Cloudflare processes data outside the UK or EEA, it relies on the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses, as set out in that DPA. We do not separately store or have access to raw Cloudflare request logs beyond what Cloudflare's dashboard provides for security monitoring.
4. How and why we use your data
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Responding to enquiries | Legitimate interests (Art. 6(1)(f)) |
| Notifying you when membership opens | Consent (Art. 6(1)(a)) |
| Confirming membership age eligibility | Legitimate interests / legal obligation (Art. 6(1)(f)/(c)) |
| DBS checks for outreach volunteers | Legal obligation / substantial public interest (Art. 6(1)(c)/(e); DPA 2018 Sch. 1 Pt. 2) |
| Infrastructure security (Cloudflare) | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance and safeguarding | Legal obligation / vital interests (Art. 6(1)(c)/(d)) |
5. Retention
- Correspondence: up to 3 years from last contact. Correspondence older than 3 years is reviewed quarterly and deleted unless it is needed for an ongoing matter (for example, an open enquiry or a legal obligation).
- Membership interest: until membership opens and you apply, or 2 years
- DBS check results: as long as necessary for safeguarding, then securely deleted
- Safeguarding records: per our Safeguarding Policy (typically until youngest person involved turns 25)
6. Data breaches
In the event of a personal data breach, we will assess the risk to affected individuals without undue delay. Where the breach is likely to result in a risk to people's rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals directly, without undue delay, explaining what happened and what we are doing about it.
7. Your rights
Under UK GDPR you may access, rectify, erase, restrict, or port your data, and object to processing. To exercise any of these rights, email info@srhe.net with the subject line "Data request" and specify which right you wish to exercise. We will respond within one calendar month, as required by UK GDPR, and will tell you if we need longer for a complex request. We may ask you to verify your identity before acting on a request. You may complain to the ICO at ico.org.uk or 0303 123 1113.
8. Changes
We may update this policy. The "Last updated" date reflects any changes.