Privacy Policy

Policy Statement

This Privacy Policy explains how Your Emotional Support Service (YESS) protect the privacy of personal information. YESS is a mental health charity, providing a range of treatment options to people of all ages across Staffordshire.  We are firmly committed to protecting the privacy and confidentiality of personal information, and we maintain robust physical, electronic and procedural safeguards to protect personal information in our care. 

We are a “data controller” for the purposes of the Data Protection Act 2018 and the EU General Data Protection Regulation 2016 (“Data Protection Law”). This means that we are responsible for the processing of your personal information. 

For further information about our privacy practices, please contact our Data Protection Officer by: 

  • Writing to YESS, 23 Carter Street, Uttoxeter, Staffs, ST14 8EY 
  • Calling us on 01889 567 756 
  • Emailing to 



To make sure it’s clear what we are talking about, here are some definitions: 

  • Personal Data 
    Personal Data means data about a living individual that allows them to be identified from that data. It may be provided directly by a user or provided indirectly by a user about their client (for example a health practitioner entering data about their patient). Personal information does not include “aggregate” information, which is data we collect about a group or category of products, services or people, from which individual identities have been removed. 
  • Data Processor 
    Data Processor means the person or entity that processes data on behalf of a data controller. We may use the services of various Data Processors in order to provide a range of services more effectively. 
  • Data Controller 
    Data Controller means a person or entity who determines the purposes for which and the manner in which any personal data are or are to be, processed.  


How we collect your data 

Personal Data 

While using our service, we may ask individuals to provide us with certain personally identifiable information that can be used to contact or identify an individual (“Personal Data”). Personally identifiable information may include, but is not limited to: name, email address, telephone numbers, address, and information about that individual’s mental health. Personal information can also include demographic information such as date of birth, gender, geographic area and preferences when such information is linked to other personal information that identifies an individual. 
Sensitive Personal Information 

If you share your personal experience or the experiences of a friend or relative, we may also collect this health information. If you provide us with any Sensitive Personal Information by telephone, email or by other means, we will treat that information with extra care and confidentiality and always in accordance with this Privacy Policy. 

Data Protection Law recognises that some categories of personal information are more sensitive. Sensitive Personal Information can include information about a person’s health, race, ethnic origin, political opinions, sex life, sexual orientation or religious beliefs. 

We will only use this information: 

  • For the purposes of dealing with your enquiry, training, and quality monitoring or evaluating the services we provide. 
  • We will not pass on your details to anyone else without your explicit consent except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others or children contacting us and sharing serious issues such as physical abuse or exploitation. 
  • Where you have given us your explicit consent or otherwise clearly indicated to us that you are happy for us to share your story, then we may publish it on our blog or in other media. 

How we use your data 

We treat all information we collect as strictly confidential.  We will only share information where we have express consent to do so (such as making referrals to other organisations), or under the circumstances set out in this policy.  We do not reveal, disclose, sell, rent, lease nor make available any information to third parties. 

Service Provision 

First and foremost we use the personal data we collect and hold to operate our service, to provide therapeutic interventions to people of all ages across Staffordshire.  We also hold information to allow us to fulfil contractual obligations and complete activities in line with the aims of the charity.   


We may use personal data to contact users with information about new projects, YESS service developments and fundraising activity.  We may also contact individuals to complete research, seek feedback, or communicate other information that may be relevant. 

Human Resources Data 

We collect and process your personal data for the purposes of managing employment applications and recruitment-related activities.  We may use your personal data in relation to the evaluation and selection of applicants for recruitment purposes including scheduling and conducting interviews, tests, evaluations, and assessing results for candidate selection. The legal basis for this processing is our legitimate interests. 

Legal Basis for Processing (under GDPR) 

YESS’ legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it. 

YESS may process your Personal Data because: 

  • We need to perform a contract with you; 
  • You have given us permission to do so; 
  • The processing is in our legitimate interests and it’s not overridden by your rights; 
  • For payment processing purposes; 
  • To comply with the law. 

Location of Your Data 

Your data will be stored within the UK and EEA. Should it be necessary to process your data outside of the EEA we will ensure the required safeguards are in place to do so. 

How your data might be shared 

YESS will not disclose any personal data to anyone else without permission, except for the following reasons; 

Legal or Moral Requirement 

In rare circumstances, where permitted or required by law, requested and needed for a client’s emergency treatment in exceptional circumstances, or for the prevention of immediate risk of loss of life or serious harm; to various regulatory bodies and law enforcement officials and agencies to protect against fraud and for related security purposes, we will share the personal data necessary. 

Third Party Data Processors 

In order to provide our services YESS employs various third parties to perform various functions.  Where necessary, we share a limited amount of personal data with our third-party data processors.  In all cases, we provide only the minimum amount of personal data that is needed to perform the service and take reasonable steps to ensure these parties have appropriate data protection safeguards in place. 

A list of our data processors is as follows: 

  • Power Diary 
  • Microsoft Office 
  • Accountant 
  • Payroll 
  • My Concern 


Keeping your data secure 

  • YESS will take reasonable steps to protect the personal information we hold from any misuse, interference, loss, and unauthorised access, modification or deletion.  We have an extensive range of security measures in place to protect personal information from unauthorised access, use, or loss. 

How we retain your data 

We will retain Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will also retain and use Personal Data to the extent necessary to comply with our legal obligations. 

Type of Data

Client information CYP

Client information adults

Human Resources Information

Retention period

25th birthday

6 years

7 years after leaving employment

Your rights to your data

Your rights to your data 

We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. In certain circumstances, you have the following data protection rights: 

  • The right to access, update or to delete the information we have on you. 
  • The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete. 
  • The right to object. You have the right to object to our processing of your Personal Data. 
  • The right of restriction. You have the right to request that we restrict the processing of your personal information. 
  • The right to data portability. You have the right to be provided with a copy of your Personal Data in a structured, machine-readable and commonly used format. 
  • The right to withdraw consent. You also have the right to withdraw your consent at any time where YESS relied on your consent to process your personal information. 


If you wish to be informed about what Personal Data we hold about you and if you want it to be removed from our systems, please email  Please note that we may ask you to verify your identity before responding to such requests.  


Changes to this policy 

From time to time, we may review and update this Privacy Policy. Revised versions will be updated on this website and be effective once posted.  


How to contact us 

We welcome your feedback. If you have any questions or concerns about our Privacy Policy or our privacy practices, if you would like to make a request for information, or if you believe that we have not complied with this policy, the Data Protection Act or GDPR obligations, please contact us at: 

Attention: Data Protection Officer 

YESS is committed to protecting your privacy and any complaints will be assessed by an appropriate person with the aim of resolving any issue in an efficient and timely manner. 


If you are not happy with our handling of your privacy concerns, you can also contact the Information Commissioner’s Office who are independent from YESS and can investigate your complaint. Please use the following registration number ZB083226.