This policy explains how PatientsCann UK CIC collects, uses, stores, and protects your personal data when you use our website at patientscann.org.uk and communicate with us. We are committed to handling your information transparently and lawfully in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Scope note: This policy covers patientscann.org.uk only. Our web application at app.patientscann.org.uk is governed by its own separate Privacy Policy, accessible within the app.
Section 1
Who We Are
PatientsCann UK CIC (“we”, “us”, “our”) is a Community Interest Company and the data controller responsible for your personal data processed through the website at patientscann.org.uk.
This policy does not cover our web application at app.patientscann.org.uk, which operates under its own Privacy Policy. Please refer to the privacy notice within the app for information about how data is processed there.
We are registered with the Information Commissioner’s Office (ICO) as a data controller under registration number ZB345466. You can verify this at ico.org.uk (opens in new tab).
Section 2
Data We Collect
We collect and process only the personal data that is necessary for the purposes described in this policy. This may include:
Identity & Contact Data
- Name and title
- Email address
- Any other contact details you choose to provide
Financial Data
- Payment card information when making a donation (processed exclusively by our payment provider — we do not store full card details)
- Transaction records relating to donations
Communications Data
- Records of email correspondence you send to us (including enquiries, reports, and general contact)
- Information you share with us via social media messaging platforms
Technical & Usage Data
- IP address
- Browser type and version
- Device type and operating system
- Pages visited, time spent, and navigation paths on our site
- Referring URL
- Cookie identifiers (see Section 5)
Volunteer & Engagement Data
- Information you share with us during the volunteer onboarding process, which is conducted entirely via email
- Skills, availability, and relevant experience you disclose
Special Category Data
Our website and services are designed to support medical cannabis patients. If you choose to share information about your health condition or medical history (for example, when contacting us by email or reporting a product or service issue), this constitutes special category data under UK GDPR Article 9. We process such data only with your explicit consent and handle it with enhanced care.
Please note: You are never required to share health information with us. If you do share it, please indicate your consent clearly. You may withdraw that consent at any time by contacting
dpo@patientscann.org.uk.
Section 3
How We Collect Data
Directly from you
- Email correspondence — when you contact us directly by email with an enquiry, report, or any other matter
- Donations — when you make a financial contribution via our donation page
- Volunteer onboarding — when you express interest in volunteering and engage with our onboarding process via email
- Event attendance — when you register for a PatientsCann UK event via Eventbrite (see Section 6 for details)
Indirectly
- Social media platforms — when you message us via Facebook Messenger, Instagram DM, or other platforms, that platform’s data processors are also involved; please refer to their own privacy policies
- Analytics providers — aggregate and/or anonymised usage data from third-party analytics tools (see Section 5)
- Technical systems — server logs may automatically record your IP address and usage data when you visit our website
Section 4
Lawful Bases for Processing
Under UK GDPR Article 6, we must have a valid lawful basis for each processing activity. We rely on the following lawful bases. Where we rely on legitimate interests, we have carried out a Legitimate Interests Assessment (LIA) to ensure our interests are not overridden by your rights.
| Processing Activity |
Lawful Basis |
Detail |
| Responding to your enquiries and correspondence (via email or social media) | Legitimate Interests | Necessary to operate as a patient advocacy organisation and respond to people seeking support |
| Processing donations | Contract | Necessary to fulfil the donation transaction you initiate |
| Maintaining donation and Gift Aid records | Legal Obligation | Required for financial record-keeping and compliance with HMRC requirements where applicable |
| Volunteer onboarding and engagement | Legitimate Interests / Consent | Processing correspondence as part of the email-based onboarding process; where sensitive information is shared, we rely on explicit consent |
| Event ticketing (via Eventbrite) | Contract | Necessary to process your event registration; ticketing is handled by Eventbrite under their own privacy policy — please review it before registering |
| Improving our website and services (analytics) | Legitimate Interests | Necessary for operating and improving an effective patient information resource; analytics are implemented with privacy safeguards (see Section 5) |
| Processing incident and product reports you submit | Consent | You actively submit a report via email; special category health data processed under explicit consent (UK GDPR Art. 9(2)(a)) |
| Complying with legal obligations | Legal Obligation | Where required by law, regulation, or a court order |
| Security monitoring and fraud prevention | Legitimate Interests | Protecting the integrity of our services and preventing misuse |
Withdrawing consent: Where we rely on consent, you can withdraw it at any time by emailing
dpo@patientscann.org.uk. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.
Section 5
Cookies & Analytics
Our website uses cookies and similar tracking technologies. We categorise these as follows:
Strictly Necessary Cookies
These are required for the website to function and cannot be disabled. They do not require consent under PECR (Privacy and Electronic Communications Regulations). Examples include cookies that maintain your session when using interactive features of the site.
Analytics Cookies
We may use analytics tools (such as Google Analytics or a privacy-focused alternative) to understand how visitors use our website. Where we use tools that set cookies or process personal data, we will request your consent before activating them.
Where possible, we configure analytics tools to anonymise IP addresses and disable cross-site tracking. Aggregated usage data helps us improve the educational resources we provide to patients.
Functionality Cookies
These cookies remember preferences you have set to improve your experience on the site.
WordPress & Plugin Cookies
Our site is built on WordPress. WordPress and certain plugins may set technical cookies (for example, the wordpress_logged_in cookie for authenticated users, and the wordpress_test_cookie used to check cookie support). These are strictly necessary and operational in nature.
Managing Cookies
You can control non-essential cookies through our cookie consent banner when you first visit the site. You can also manage or delete cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the site. For more information, visit aboutcookies.org (opens in new tab).
Section 6
Third-Party Processors
We use carefully selected third-party service providers to help us operate our website and services. These providers act as data processors on our behalf and are contractually required to process your data only on our instructions and in accordance with applicable data protection law.
Our third-party processors include (but may not be limited to):
- Web hosting & infrastructure provider — hosts our website and databases; servers are located within the UK or EEA
- WordPress.com / Automattic — website platform and associated services
- Payment processor — processes card payments for donations (we do not handle or store full card details); the payment processor is independently PCI-DSS compliant
- Eventbrite — used to manage ticketing and registration for PatientsCann UK events. When you register for one of our events, your registration data is processed by Eventbrite under their own privacy policy. We encourage you to review Eventbrite’s privacy policy (opens in new tab) before registering. We receive attendee information from Eventbrite solely for the purpose of administering the event.
- Analytics provider — collects anonymised usage data to help us improve the site
- Social media platforms (Facebook / Meta, Instagram, X/Twitter, LinkedIn, YouTube, TikTok) — if you interact with us through these platforms, those companies process your data under their own privacy policies; we do not control that processing
Note: We do not sell your personal data to any third party. We do not share your personal data with third parties for their own marketing purposes.
If you would like details of specific Data Processing Agreements in place with our processors, please contact us at dpo@patientscann.org.uk.
Section 7
How We Store & Retain Data
Your personal data is stored on secure servers. We implement appropriate technical and organisational measures to protect your data against unauthorised access, accidental loss, destruction, or damage, including:
- Encrypted connections (HTTPS/TLS) throughout the website
- Access controls limiting who can access personal data within our organisation
- Regular security reviews
- Secure disposal of data when no longer needed
Retention Periods
We retain your personal data only for as long as necessary. Our general retention schedule is as follows:
- Email correspondence & enquiries: Up to 2 years from the date of last correspondence, unless the matter requires longer retention for legitimate or legal reasons.
- Donation records: 7 years from the date of the donation, in line with HMRC financial record-keeping requirements.
- Volunteer onboarding & engagement data: For the duration of the volunteer relationship plus 2 years after it ends. Where an onboarding process does not proceed, data is deleted within 12 months of last contact.
- Event attendee data (received from Eventbrite): Up to 2 years from the date of the event, or as long as reasonably necessary for follow-up advocacy or reporting purposes.
- Incident and product reports: For as long as necessary to process and follow up on the report, and for a further period if required for advocacy or legal purposes (up to 5 years).
- Technical / server logs: Up to 90 days.
- Health / special category data: We will not retain special category data beyond the specific purpose for which it was provided, and will delete it upon request or once that purpose is fulfilled.
Upon expiry of the relevant retention period, we will securely delete or anonymise your data.
Section 8
International Transfers of Data
We seek to keep your personal data within the UK and the European Economic Area (EEA). However, some of our third-party service providers (such as social media platforms and certain cloud services) may process data outside the UK or EEA.
Where data is transferred outside the UK, we ensure that appropriate safeguards are in place, such as:
- Transfers to countries that the UK has recognised as providing an adequate level of data protection (an adequacy decision under UK GDPR Article 45)
- Use of the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses where required
For more information about the safeguards in place for specific transfers, please contact us at dpo@patientscann.org.uk.
Section 9
Automated Decision-Making & Profiling
We do not use automated decision-making processes (including profiling) that produce legal or similarly significant effects on individuals, as defined under UK GDPR Article 22.
Any use of analytics or email engagement data is for aggregate insight and service improvement purposes only and does not result in automated decisions about individual data subjects.
Section 10
Children’s Privacy
Our website and services are intended for individuals who are 18 years of age or older. Medical cannabis in the UK is available only on prescription, and our content and services are directed at adult patients and healthcare professionals.
We do not knowingly collect personal data from children under the age of 13. If we become aware that we have inadvertently collected personal data from a child under 13 without appropriate parental consent, we will take steps to delete that information promptly.
If you believe we may have collected information from a child, please contact us immediately at dpo@patientscann.org.uk.
Section 11
Your Data Protection Rights
Under UK data protection law, you have the following rights. We will respond to all valid requests within one calendar month of receipt, free of charge (unless requests are manifestly unfounded, excessive, or repetitive).
Right of Access
You may request a copy of the personal data we hold about you (a Subject Access Request / SAR).
Right to Rectification
You may ask us to correct inaccurate data or complete incomplete data we hold about you.
Right to Erasure
You may ask us to delete your personal data where there is no compelling reason for us to continue processing it.
Right to Restrict Processing
You may ask us to pause the processing of your data in certain circumstances (for example, while we verify its accuracy).
Right to Object
You may object to processing based on legitimate interests or for direct marketing purposes at any time.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
Right to Withdraw Consent
Where we process your data on the basis of consent, you may withdraw that consent at any time without detriment.
Rights re: Automated Decisions
You have the right not to be subject to solely automated decisions that significantly affect you. We do not carry out such processing (see Section 9).
These rights are not absolute and may be subject to exemptions in certain circumstances. We will explain any limitations when we respond to your request.
Section 12
How to Exercise Your Rights
To exercise any of your rights, or to raise a data protection concern, please contact us using the details below. We may ask you to verify your identity before processing a request.
Data Protection Contact
Email: dpo@patientscann.org.uk
Please include “Data Rights Request” in your subject line, along with your full name and a description of your request. We aim to acknowledge all requests within 5 working days and respond in full within one calendar month.
Section 13
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Update the effective date and version number at the top of this page
- Post a notice on our website where appropriate
- Notify individuals by email where the changes materially affect how we use their data and we hold a current email address for them
We encourage you to review this policy periodically. Continued use of our website after a policy update constitutes acceptance of the revised policy.
Previous versions of this policy are available on request by emailing dpo@patientscann.org.uk.
Section 14
How to Complain
If you are unhappy with how we have handled your personal data, please contact us first — we take all complaints seriously and will aim to resolve your concern promptly.
If you remain dissatisfied after contacting us, or if you prefer to contact the regulator directly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent data protection authority.
