Privacy Policy

Starlight Children’s Foundation (“Starlight”) respects and is committed to protecting the privacy of the people whose personal information it collects. This policy sets out how Starlight uses the information that you provide us with in order to help us further brighten the lives of seriously ill children in and out of hospital.

This Policy explains when and why we collect personal information about people who visit our website, support us through a variety of channels, provide us with services, or who use our services, as well as how we use it, the conditions under which we may disclose it to others and how we keep it secure.

Any questions regarding this Policy and our privacy practices should be sent by email to [email protected], calling 020 7262 2881 (Monday-Friday 9am-5.30pm), or by writing to Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.

Who are we?

Starlight Children’s Foundation is a national children’s charity dedicated to brightening the lives of serious ill children and their families.

What information do we collect?

We collect personal information about individuals who are, or are employed by, our donors, our volunteers, other supporters, hospitals, product recipients and distributors, consultants and service providers as well as the children (and their families) whose lives we aim to brighten.

Whenever we collect personal information we will identify ourselves as Starlight. We will tell you why we are collecting personal information at the point when we collect it, and inform you of how we plan to use it.

We currently collect information when you give it to us directly. Information may also be gathered when you give permission to other parties to share it with us, or when it is available publicly from external sources.

The type of personal information Starlight usually collects and holds includes names, addresses, telephone numbers, email addresses, dates of birth, financial records, medical records, records of previous support and donations, records of merchandise orders, and other information to assist us in providing our services. Some of this personal information is collected via our website, for example from online donations, forms, medical data where required and emails.

We will hold information on children and parents in order to support the allocation and delivery of Starlight Wishes. As a Wish Family, your data may also be used, where relevant, to advise you of our free events and treats, such as Escapes, which may be of interest to you. This information includes contact details, medical records and details of the Wish requested.

For attendees to events, volunteers and service recipients, we may hold an image of you in a photo or video. We may wish to use this on our website or in other marketing materials in order to promote the charity, but we will always seek consent for us to do so. You do not have to agree that we may use your image, it is entirely your choice. Staff and volunteer information will be used for DBS checks.

How do we use your personal information?

We use your personal information to carry out the functions and activities of Starlight including to process information, services, products you have requested or donations made, to comply with our legal obligations and to help us manage and provide our services.

We use your information to keep a record of your relationship with us, and for internal administrative purposes, and to let you know about changes to our services or policies that may affect you.

We use your personal information to look into, and respond to, complaints, claims, or any other issues.

We use your personal information to claim Gift Aid on your donations.

We will process information to ensure all submissions to the Wishes programme are handled and fulfilled correctly and to the highest standard. This includes sharing your name and postcode with other Wish Granting organisations to ensure you have not had a wish granted before. If you have applied for a Wish, you will have been asked for consent to have your child included within the Starlight Wish programme.

We may also use it to ask for your support, contacting you about the work of our organisation, fundraising, campaigns, and how you can further support and make a difference to the lives of sick children. This may be by post, email, telephone or text message, depending on your preferences and, where required, consents given for marketing purposes (email, telephone or SMS). We will also continue to ask about your marketing preferences, to ensure that you are still happy to be contacted by us and by which means.

Images will not be used without consent.

We may analyse your personal information to carry out statistical analysis and research in order to help us provide an improved experience to our supporters by keeping a record of our communications with you, understand how we are performing and ensure we are using our funds in the best possible way. We may create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is publicly available from external sources to help us do this effectively. We may also use your personal information to detect and reduce fraud and credit risk.

You can ask us at any time not to contact you again, or not to use your data for these purposes, by emailing [email protected], calling 020 7262 2881 (Monday-Friday 9am-5.30pm), or by writing to Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.

We do not use any automated decision making.

Who has access to your information?

We do not share information about our children with anyone without consent to do so, unless the law requires it.

We will not sell, trade or rent your information to third parties. Occasionally we need to disclose personal information to trusted third parties who assist us in providing services or who perform functions on our behalf (such as commercial mail preparation services, distribution of hospital resources, or people involved in our Wish-Granting program). We ensure that any third parties with access to your data are held to strict standards for data use and security.

Your data is shared with our Cloud Service and IT providers, such as CRM, project management systems and webhosting. We also share with IT professionals who not only ensure that our systems run smoothly, but are also committed to the highest standards of data protection compliance.

Third Party Service Providers working on our behalf:

We may pass your information to our third party service providers, agents subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process donations and send you mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties beyond the Starlight Children’s Foundation Network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

Third Party Product Providers we work in association with:

We work closely with various third party product providers to bring you a range of quality and reliable products and services designed to grant the wishes and provide the services for the children who we help. When you enquire about a wish or request information about our hospital services (e.g. Distraction/Boost Boxes), the relevant third party product provider will use your details to provide you with information and carry out their obligations arising from any contracts you have entered into. In some cases, they will be acting as a data controller of your information and therefore we advise you to read their Privacy Policy.  These third party product providers will share your information with us which we will use in accordance with this Privacy Policy.
When you are using our secure online donation pages, your donation is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us by emailing [email protected], calling 020 7262 2881 (Monday-Friday 9am-5.30pm), or by writing to Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.

We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation, or if we’re under a duty to disclose or share your personal data in order to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our supporters and customers. However, we will take any necessary steps to ensure that your privacy rights continue to be protected.

Transfer of data outside of the UK

Sometimes, because of the location of our software providers, we may need to transfer your data to and from countries within the European Union. Following the end of the transition period of the departure of the UK from the European Union on 1st January 2021, the conditions around such data transfers may change. However, we will always ensure that any transfers comply with relevant UK Data Protection law (the UK GDPR and the Data Protection Act 2018) and that adequate safeguards are in place over your data. For example, we may rely on a ruling that allows the continuation of free data transfer from the UK to the EU on the basis of the UK having data protection laws that are in line with those of the EU. If such a ruling is not available, we will put other safeguards in place, such as ensuring we have standard, approved, data protection contract clauses with our software providers.

We may transfer personal data relating to the fulfilment of overseas wishes to the country in which the wish takes place (or any other necessary for delivery of the wish), in which case we will ask you to consent to the transfer at the point at which the wish is agreed.

What the Law says about protection of personal information

The handling of your personal data is governed by the UK GDPR and Data Protection Act 2018. The law states that personal data (information relating to a person that can be individually identified) can only be processed if there is a legal ground to do so. Activities like collecting, storing and using personal information would fall into the UK GDPR’s definition of processing. The UK GDPR provides six legal grounds under which personal information can be processed in a way that is lawful. For the processing to be permitted by law, at least one of the legal grounds must apply.

The four legal grounds that are most relevant to Starlight’s use of your personal information are:


Legitimate Interest


Legal Obligation

What is our legal basis for processing your personal data?

Starlight Children’s Foundation will only process your personal information if we have:

asked you and have a record of your express and consent for us to do so;

a ‘Legitimate Interest’ to do so in order to support our charitable purposes. Our use will be fair and balanced and never unduly have an impact on your rights.;

a contract with you that we can only fulfil by using your personal information, e.g. to send you an item that you have requested;

a legal obligation to use or disclose information about you, e.g. we are required by law to keep records of gifts that are given to us with Gift Aid for 4 years, or for insurance purposes as part of wish-fulfilment.

In extreme situations, such as an accident or medical emergency, we may share your personal details with the emergency services if it is essential for the preservation of life (yours or another persons’) for us to do so. This is the ‘vital interest’ ground for using your personal information. After the emergency, we will always try to inform you about how we had to use your information in that extreme situation.

We will not unduly prioritise our interests as a charity over your interests as an individual. We will always balance our interests with your rights. We will only use personal information in a way and for a purpose that you would reasonably expect in accordance with this Policy.


Where Starlight have asked for your consent for processing your data, this can be withdrawn at any time by emailing [email protected], calling 020 7262 2881, or by writing to Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.
There are times when it is not practical to obtain and record consent. At those times, we will only process personal information if that processing would meet another legal ground e.g. Legitimate Interests, in which case we would only process in accordance with the law’s rules on legitimate interest processing.

What is Legitimate Interest?

This legal ground for processing means that organisations can process your personal information if they 1. have a genuine and legitimate reason for doing so and 2. That use does not harm any of your rights and interests as an individual.

We do not unduly prioritise our legitimate business interests as a charity over your interests as an individual. We always respect your rights. Which is why we carry out a balancing exercise of the rights of the charity with the rights of our supporters.

We consider your interests based on previous communications, as well as what we consider your expectations to be, and assess whether we are using your personal information in a way that matches your relationship with us.

We aim to be clear about what information we collect, to enable you to make meaningful choices about how it is used.

When it is necessary we will contact you for administrative purposes, e.g. to contact you regarding a payment. We may hold the minimum personal information required to support our ability to respect your preferences for communication with us.

Retention of personal data

Wish Families

Medical records will be destroyed once a wish has been granted. Your details and supporting paperwork (for example the wish forms) will be retained for 14 years, to ensure that there is no cross over with other wish granting charities. After 14 years, unique identifiers will be destroyed, but we will retain information on services provided for reporting requirements on impact, charitable services and audits.

Hospital Contacts

Once we have confirmation that you are no longer a contact (for example having left that place of employment or position), your unique identifiers will be deleted, but your order history will be retained for reporting on impact, charitable services and audits.


In order to accurately report on the activities of the charity, we need to be able to report on all donations, as well as demonstrate our level of interaction with you. We will therefore store data indefinitely, unless you request we delete it. In those cases, we will delete your unique identifiers, but retain your transactional and communication information.
Where we are informed that a supporter has passed away, after 12 months, unique identifiers will be deleted, but the transactional and communication information will be retained for reporting on impact, charitable services and audits.


We will retain your personal for the time that you volunteer with us, and for 2 years afterwards. Following this, your unique identifiers will be deleted, but communication and activity-based information will be retained.

Use of Cookies

When you visit our website, or download information from it, the following information is recorded: your internet address, your domain name if applicable, the date and time of your visit, the pages you accessed, documents you downloaded, the previous website you have visited and the type of browser you are using. This information is only used for statistical and website development purposes.

We make limited use of cookies on our website. We only use cookies to improve the functionality of our website, not to store any of your personal information. A cookie is a small message given to your web browser by our web server. The browser stores the message in a text file, and the message is then sent back to the server each time the browser requests a page from the server. If you do not wish to receive cookies, you may be able to change the settings of your browser to refuse all cookies or to notify you each time a cookie is sent to your computer, giving you the choice whether to accept it or not. If you do disable cookies in your browser certain features of the website will become unavailable, including the ability or make online donations. Find out more about our Cookie Policy here.

Security of your personal information

Starlight regards the security of your personal information as a priority and takes a number of precautions to protect your personal information from loss, misuse, unauthorised access, modification or disclosure. Specific security precautions are in place for processing online payments which include the use of encrypted links, dedicated private connections and Secure Sockets Layer (SSL) encryption. We remind you, however, that the internet is not a secure environment and although all care is taken, we cannot guarantee the security of information you provide to us via electronic means.

Accuracy of your personal information

Starlight will endeavour to ensure that the personal information we hold is accurate, complete and up-to-date. If you become aware of any inaccuracy in the personal information we hold about you, we encourage you to contact us so we can update any personal information we hold about you. Our contact details are set out below.


Where it is lawful and practicable, we will allow individuals to deal with us on an anonymous basis. For example, if we receive a telephone enquiry we will not require that the enquirer gives us their name, although depending on the nature of the enquiry, we may not be able to answer it unless they do. We can also accept gifts and other forms of support anonymously. However, if you wish to Gift Aid your donation, the government requires Starlight to collect the title, initials, surname, first line of address and postcode of the donor.

Your choices

We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted.

You have a choice about whether or not you wish to receive information from us, and whether or not we use your data for the purposes outlined above. If you do not want to receive direct marketing communications from us about the vital work we do to change the experiences of children going through treatment, and our services, then you can select your choices by ticking the relevant boxes situated on the form on which we collect your information.

You can change your data processing and marketing preferences at any time by contacting us by email: [email protected] or telephone on 020 7262 2881 or by writing to Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.

Your rights as a data subject

The GDPR gives you rights as a data subject. You have:

the right to request from us access to your personal data;

the right to request from us rectification of your personal data;

the right to request from us erasure of your personal data;

the right to request from us restriction of processing your personal data;

the right to object to our processing of your personal data;

the right of data portability;

if we are processing your personal data on the basis of your consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of processing based on your consent before you withdrew it; and

You have the right to complain to the ICO.

More information on your rights can be found in Chapter 3 of the GDPR.

Under data protection legislation, you have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your or your child’s Starlight record, Our Data Protection contact is X and he/she can be contacted at our London office

How you can access and update your information

Under data protection legislation, you have the right to request access to information about them that we hold. To request a review of your information, or to correct the information that we hold about you, please email us at [email protected] or telephone on 020 7262 2881 or write to Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.
If you are a staff member or volunteer and wish to see the Fair Processing Notice regarding your information, please contact us on the details above.

Children’s privacy

The safety of children is very important to us. If we display a child or their wish on our website or in our communications, Starlight only uses images where we have consent to do so, and does not display the full name of individual children nor their addresses. Children should always ask a parent for permission before sending personal information to anyone online.

Acceptance of terms

If Starlight updates or changes this Privacy Policy, the changes will be made on this page. Your continued use of Starlight’s website following the posting of changes will mean you accept those changes.

Review of this Policy

We keep this Policy under regular review. This Policy was last updated in May 2018.

Contact us

If you do not wish to be contacted by us to ask for your support write to: Starlight Children’s Foundation, Third Floor, 227 Shepherds Bush Road, London W6 7AU or telephone on 020 7262 2881 or contact us.