Privacy notice
Version 1.0 · Last updated 18 July 2026
This notice is maintained by the organisers of the Better Health. More GDP. Now.™ movement (the "movement", "we", "us") and explains how we handle personal data under the UK GDPR and the Data Protection Act 2018.
Who is the data controller?
The movement organisers are the data controller. For any privacy question, write to us via the contact page. If a formal data protection lead is appointed, that appointment will replace this section.
What information we collect
- Account data — email address, password hash, sign-in provider (Google) if used.
- Profile data — name, organisation (optional), postcode area (first part only, optional), interests, skills, availability, short bio.
- Contribution data — opportunities you claim, follow or submit; comments; activity log entries.
- Organisation intake data — where an organisation representative signs your organisation up: organisation name, sector, website, contact email and role.
- Public forms — the contribute matcher, partner form and subscribe form collect the fields you type in.
- Technical data — standard server request logs held by our hosting provider.
We do not collect health information, date of birth, ethnicity, political views or any other UK GDPR special-category data.
Why we collect it and our lawful basis
- Match you to opportunities and run the movement — legitimate interests (running the volunteer platform you signed up to).
- Authenticate your account and secure it — necessary for the contract you enter when you sign up.
- Notify you about approvals, claims and status changes — legitimate interests; you can turn email delivery off (see below).
- Aggregate public statistics — legitimate interests. Only counts are shown; no individual records are exposed.
- Marketing / newsletters — only if you separately opt in.
Who we share it with
- Hosting and database — our platform provider, with data hosted in the EU (Ireland).
- Email delivery — our platform's transactional email service when enabled; otherwise no external mail provider.
- Sign-in with Google — Google receives the fact that you signed in; we receive your email and name.
- Administrators of the movement — see all submissions in order to approve organisations, moderate opportunities and respond to messages. Ordinary users never see another user's private data.
We do not sell personal data and do not use it for advertising.
International transfers
Data is hosted in the EU (Ireland). Google authentication and any platform services may involve transfers outside the UK under standard contractual clauses and adequacy decisions.
How long we keep it
- Account and profile: until you delete your account.
- Contribution records: retained while your account exists; anonymised on account deletion where an audit trail is needed.
- Public form submissions (contribute matcher, partner form, subscribe): retained while the movement is active; you can request deletion by contacting us.
- Server logs: rotated by the hosting provider on their standard schedule.
Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to lodge a complaint with the ICO (ico.org.uk).
You can exercise these rights directly from your profile page:
- Download my data — exports everything we hold about you as a JSON file.
- Delete my account — permanently deletes your profile, contribution links, follows, notifications and login.
Cookies
We only set cookies that are strictly necessary for the site to function (sign-in session). We do not use analytics or advertising cookies. A cookie banner will appear only if non-essential cookies are added in future.
Security
Passwords are hashed by our authentication provider and checked against the Have I Been Pwned breach database at sign-up and password reset. Access to private data is enforced at the database layer with Row Level Security so each user can only reach their own records.
Changes
If we change this notice we will update the version and date at the top. Material changes will be communicated in-app to signed-in users.