Data Protection Policy

Effective date: 1 May 2026  |  Last reviewed: 1 May 2026

At The Bereavement Café, the people who come to us are at the heart of everything we do. We understand that those who engage with our services may be in a vulnerable or fragile state, and we take our responsibility to handle personal information with care, compassion and full compliance with UK data protection law extremely seriously. This policy sets out how we collect, use, protect and share personal data — including sensitive information — in line with UK GDPR and the Data Protection Act 2018.

Who we are

The Bereavement Café CIC (company number 14004905) is a Community Interest Company providing peer-to-peer grief support, Community Cafés, Youth Cafés, Grief Recovery support and bereavement training for individuals, schools and businesses. For the purposes of UK data protection law, The Bereavement Café CIC is the data controller responsible for the personal information we collect and hold.

The Bereavement Café CIC

Company number: 14004905

Website: thebereavementcafe.co.uk

Our data protection principles

We process all personal data in accordance with the seven principles of UK GDPR:

01
Lawfulness & fairness
Data is processed on a clear legal basis and never in a deceptive or harmful way.
02
Purpose limitation
Data is collected for specific, stated purposes and not used in incompatible ways.
03
Data minimisation
We only collect what is genuinely needed — nothing more.
04
Accuracy
We take reasonable steps to keep personal data accurate and up to date.
05
Storage limitation
Data is not kept longer than necessary for the purpose it was collected.
06
Security
Appropriate measures protect personal data against unauthorised access or loss.
07
Accountability
We take responsibility for compliance and can demonstrate how we meet these principles.

What data we hold and why

Community Café attendees

When you register for a Community Café, we collect your name and contact details. This is used to confirm your place, send session information and maintain attendance records. You are never required to share the nature of your loss or personal details about your bereavement — what you choose to share within a Café is entirely your decision.

Grief Recovery support participants

Where you engage with our Certified Grief Recovery Specialist, we hold information relevant to your support journey. This may include details you share about your bereavement, your emotional wellbeing and your progress through the Grief Recovery Method. This information is treated with the highest level of confidentiality and is held securely, accessible only to the relevant specialist.

Business and workplace training clients

We hold names, contact details and organisational information for individuals and businesses who enquire about or engage our training services. This is used to manage enquiries, deliver training and maintain our client relationships.

Schools and educational settings

We hold contact details for staff at schools and educational settings who engage with us about Youth Café provision or school training. Any personal data relating to pupils is managed through the school, which acts as data controller for its students. We do not hold personal data about children directly.

Volunteers

We hold names, contact details, roles and relevant background information for our volunteers to coordinate their activities and support their involvement with The Bereavement Café.

Website enquiries and newsletter sign-ups

When you contact us through our website or sign up for updates, we collect the information you provide. You can unsubscribe or withdraw consent at any time.

Sensitive personal data

Special category data

The nature of our work means that people may share information relating to their mental health, emotional wellbeing, personal bereavement circumstances or other sensitive aspects of their lives. Under UK GDPR, this type of information is classified as special category data and requires additional care and a higher level of protection.

We process sensitive personal data only where it is strictly necessary to deliver appropriate support, and only with the explicit consent of the individual concerned. It is never used for any purpose beyond the delivery of their support, and is never shared without explicit permission — except where our safeguarding obligations require it.

We always apply the principle of data minimisation to sensitive information. You are in control of what you share with us, and we will never ask for more than we genuinely need.

Children’s data and Youth Cafés

Children’s data

Our Youth Cafés are delivered within school environments in partnership with schools and educational settings. We do not collect or hold personal data about children directly. The relevant school or educational setting acts as the data controller for its pupils, and any involvement of children in our services is managed through them in accordance with their safeguarding and data protection policies.

Where we are required to hold any information relating to a young person in connection with a Youth Café, this is done with the full knowledge of the school, kept to the absolute minimum necessary, and securely deleted as soon as it is no longer needed.

Safeguarding and data protection

Safeguarding

The Bereavement Café operates a safeguarding policy at all times. Where we have a concern about the safety or welfare of an individual — including an adult at risk or a child — we may be required to share relevant personal information with statutory agencies such as social services or the police, regardless of normal data protection and confidentiality principles.

In all such cases, the safety and welfare of the individual takes precedence. We will always handle such situations with sensitivity, discretion and in accordance with our safeguarding policy and applicable law.

Lawful bases for processing

  • Legitimate interests — to manage Café registrations, communicate with attendees, volunteers and clients, and promote our services
  • Contract performance — to deliver training and Grief Recovery support services
  • Legal obligation — to meet our safeguarding, financial and regulatory obligations
  • Vital interests — where the safety or welfare of an individual is at immediate risk
  • Explicit consent — for all special category data relating to mental health, emotional wellbeing and personal bereavement circumstances

How long we keep data

  • Café registration and attendance records — up to 2 years
  • Grief Recovery support records — for the duration of the support relationship and up to 3 years after it ends
  • Training and business client records — up to 6 years
  • Volunteer records — for the duration of the volunteer relationship and up to 2 years after it ends
  • Sensitive personal data — for the minimum period necessary, then securely deleted
  • Safeguarding records — in line with statutory guidance, which may require longer retention
  • General enquiry and newsletter data — up to 2 years, or until consent is withdrawn

All data is securely deleted or anonymised once it is no longer needed.

Who we share data with

We do not sell personal data and we do not share it lightly. We may share it only where strictly necessary:

  • With schools and educational settings, in connection with Youth Café delivery
  • With statutory agencies such as social services or the police, where our safeguarding obligations require it
  • With trusted IT and administrative service providers, under appropriate data processing agreements
  • With authorities or regulators, where required by law

We do not transfer personal data outside the UK.

Data security

We take the security of personal data — particularly sensitive data — extremely seriously. Records are stored securely with access restricted to authorised individuals only. We regularly review our security practices to ensure they remain appropriate for the nature of the data we hold. In the unlikely event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours as required by law and will inform affected individuals where necessary.

Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access — request a copy of the data we hold about you
Right to rectification — ask us to correct inaccurate information
Right to erasure — request deletion in certain circumstances
Right to restrict processing — ask us to limit how we use your data
Right to data portability — receive your data in a readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — at any time, where consent is our legal basis

Please note that some rights may be limited where data is held for safeguarding or legal purposes. To exercise any of these rights, please contact us via our website. We will respond within one calendar month.

ICO registration and complaints

ICO

The Bereavement Café CIC is registered with the Information Commissioner’s Office (ICO) as required under UK data protection law.

If you have a concern about how we handle your personal data and we have not been able to resolve it to your satisfaction, you have the right to lodge a complaint with the ICO:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

Changes to this policy

We may update this policy from time to time. The date at the top of this page will always show when it was last reviewed.