Privacy Policy

Your personal data is important to both you and us and it requires respectful and careful protection. This privacy policy informs you of our privacy practices and of the choices you can make about the way we hold information about you. We are committed to complying with the GDPR (2016) and the Data Protection Act (2018) and good business practices. The Data Protection Act 2018 was granted royal assent on 23rd May 2018, which ensures alignment with the EU on data protection after Brexit. The Data Protection Act 2018 also tailors the UK-GDPR, the UK’s own version of the GDPR, which came into effect on January 31st, 2020. We are both a data controller and a data processor.

This is our privacy policy so please be aware that should you follow a link to another website, you are no longer covered by this policy. It’s a good idea to understand the privacy policy of any website before sharing personal information with it.


At Cinnabar Support and Living Ltd we will only collect the minimum personal information from you. This will be at the point you contact us, ask to be included on a newsletter, ask for further information or become a client. This could include your name, address, telephone numbers, email address, signature and bank account details. We need this information for legitimate, contractual or organisational purposes to provide you with the services that you have requested. We will not use your data for any other purpose unless we have obtained your consent for that specific purpose.


In order to provide the comprehensive service that is required by our Service Users we need to collect special category personal data. This is personal data that relates to a person’s body, their beliefs, their race and their sexual preferences. We may also have details of any criminal activities and records where appropriate. We will only collect the minimum amount of data that is necessary. We will need to ensure that the service we provide takes into account their whole situation, thus allowing the correct, often significant, care decisions to be made. We may also have special category data about family members if this affects the Service User. We will also escalate any situation to a third party where we are required to do so in accordance with our processes and any legal obligation. This could be a health care specialist, the emergency services or any professional party. The health and wellbeing of the Service User is paramount in any decision that is taken.
We need this information to process your requests and we do not regard it as excessive. Other relevant details that you provide in relation to the services you receive from us may be added to your data, but anything not required will be deleted immediately. We will not ask for any irrelevant information. If your contact details change, please advise us and we will update our records accordingly. We do not carry out automated decision making or any type of automated profiling. We will always process your data in a fair and lawful way in accordance with Article 5 and Article 6 of the GDPR.
We regularly conduct data flows and a data inventory or data audit which looks at all aspects of the personal data that we process. This includes the legal basis for processing and any special requirements that the data needs. Any requirements for risk assessments (DPIAs) are identified and completed, paying particular attention to privacy risks associated with each processing activity: storage, collection, transmission, access and deletion.
We regularly complete Legitimate Interest Assessments to ensure that our marketing activities are considered, appropriate and are in accordance with all relevant legislation.
We will never knowingly collect data from or on children below 13 years old.


We have put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. This is in accordance with our Data Protection Policy. Your data may be used by the Cinnabar Support and Living team who have a legitimate business need, a contractual obligation or a vital interest to know such data. We will only process your personal data in accordance with our business processes and the safety of your data is paramount.


We use third parties in conjunction with routine business or safety requirements as previously mentioned. If we do need to share your data with additional relevant third parties, we will obtain your consent first.
We share photos of our service users with family and carers to show their amazing progress.  The nature of some disabilities may be obvious in photographs. Although this will be special category data, we feel that to exclude them from this way of sharing photographs and progress would be discriminatory. We have a vigorous process for data protection for employees and full consents are in place from the service users to use their photographs in social media and marketing. We will only use their photos in social media and marketing if it is appropriate to do so.
We have procedures in place to deal with any suspected personal data breach and will notify you and any supervisory body of a breach if we are legally required to.
Please note that we do not require your consent to share this information if we suspect criminal or unlawful activity. In these circumstances we will only contact the relevant organisations.



We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our data retention policy considers the amount of data, its nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes and whether these can be achieved by other means, and legal requirements.

Also any legal requirements or guidelines that our customers require will be considered. In some circumstances we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you. You will not be recognisable as a natural living person from this anonymised data.
If you contact us via our website, please ensure that you supply your contact details so that we can process your enquiry. You will not be added to a mailing list and your information will be deleted as soon as we have answered your query if you do not become a client. If you wish to sign up for marketing and update emails you can opt in to receive these. It should be as easy to opt out as to opt in, so if you no longer want us to process your data please contact us at
There will be occasions where we do not need your consent to contact you and will rely on a legitimate business reason, such as contacting you about services you have expressed an interest in, or a contractual obligation to fulfil a business commitment, e.g. to pay you or to provide services.


The GDPR provides the following rights for individuals:
  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.
You have a right to see what information we hold about you and you can get in contact with our Data Protection Officer Jill Wood at the following address: or by post at Genesis Centre, Garrett Field, Birchwood, Warrington, Cheshire, WA3 7BH.
Under the GDPR you have the right to request a copy of the personal information Cinnabar Support and Living hold about you and to have any inaccuracies corrected or information deleted. You will need to prove your identity with 2 pieces of approved identification which can be a passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document, bank statement (from last 3 months) or a rent book (from last 3 months). We will verify your identity, noting how and when we verified it, then we will immediately delete that data. We will send you a form which clarifies what information you are looking for and to verify your identity.

If you can advise of the specific information that you require, we can process your request more quickly. We will respond to your request within one month of you providing information that confirms your identity. You are obviously entitled to all your personal information.
We will respond within one month, giving you a copy of your data, why we have it, who it could be disclosed to, the categories of data it involves, and it will be in a format that you can access easily. You have the right to clarify and correct the information as necessary. It can be deleted providing that it is not required for legal or public interest reasons. If your request is more complex, for example if it involves other data subjects and we need their consent to release the relevant information, we can extend our response time to three months, but we will inform you of this. If they do not give their consent, we will anonymise this data or remove the relevant detail before sending this to you. We will not charge for data subject access requests unless they are excessive or manifestly unfounded. Then we will charge for administrative time only.
If you are not satisfied with our response, please get in touch and we will do our best to help you:
If you would like to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
SK9 5AF.