Ara Privacy Statement
Last updated: 3rd March 2026
Ara keeps information about its members, service users, employees, volunteers and supporters so that we can operate effectively and efficiently for the benefit of those we provide services to.
What does this privacy notice cover?
This privacy notice sets out what information we collect from you and why, how we process it and how we store it securely. We’ll keep this notice updated so that you can be confident when sharing your information with us that it will only be used for what we say here.
We aim to protect all the information we hold, in line with legal requirements and to maintain high standards of confidentiality, integrity and availability at all times.
Who We Are (Data Controller)
When we process your personal data, Ara is described as the ‘data controller’ under data protection law.
Our contact details are:
Ara Recovery for All
11-12 King’s Court
King Street
Bristol
BS1 4EF
Phone: 0330 1340 286
Email: info@recovery4all.co.uk
Data Protection Enquiries: [Info@recovery4all.co.uk]
Please do not hesitate to contact us if you have any questions about this statement, information we hold about you or our overall approach to data protection and confidentiality.
Who We Collect Personal Information About
- People who use our services – including current, former and potential service users who access our support and other services, and could also include their family and people associated with them
- Staff – including current, former and potential staff, Board of Trustees, and volunteers
- Job applicants – people applying for positions with Ara
- Supporters and newsletter subscribers – people who engage with our communications
- Website visitors – anyone who uses our websites or social media
- Complainants and enquirers – anyone who makes a complaint or enquiry
- Visitors – people who visit our offices
How We Collect Information From You
Ara collects information from you via a variety of sources, including when you:
- Make an enquiry about Ara’s services
- Submit a contact form or self-referral on our website
- Apply to work for us or volunteer for us
- Call us, write to us, email or meet with us
- Attend appointments or support sessions
- Respond to a survey
- Visit our offices
- Use our social media sites or websites (see our Cookie Policy section below)
We may also take general photographs at our events to use for marketing and publicity. However, photographs of individuals will only be used for those purposes with your consent.
We may receive information about you from third parties such as healthcare professionals, GPs, or support services, but only with your explicit consent (except in safeguarding situations).
Data We Collect
For Service Users
When you enquire about or apply to use one of our services, we may ask for:
Standard Personal Information:
- Your full name
- Your date of birth
- Your National Insurance number (your unique identifier)
- Your contact details (phone, email or correspondence address)
- Details of anyone authorised to act on your behalf (if applicable)
- Basic details (name, gender and date of birth) of household residents
Special Category (Sensitive) Health Information:
- Information about gambling, drug or alcohol dependency and related harms
- Your health and social care needs
- Your disability and/or medical history
- Mental health information
- Impact on your wellbeing and relationships
- Financial circumstances related to gambling
Please note: Information about addiction, mental health, and related health conditions is classified as “special category data” under GDPR Article 9 and receives the highest level of protection.
For Staff, Volunteers and Job Applicants
- Contact details
- Proof of identity
- Employment history and references
- Qualifications and training records
- Right to work documentation
- Criminal record checks (DBS) where required
- Bank details for payroll
- Emergency contact information
- Health information necessary for occupational health purposes
For Website Visitors
- IP address, browser type, device information
- Pages visited and time spent
- Referring websites
- Geographic location (country/region level)
- Cookie identifiers (see Cookie Policy section)
Important: If you provide us with personal information relating to members of your family or your carers, we will assume that you do so with their knowledge and their consent to the collection and processing of the information.
It is important that you notify us of any changes to your personal information.
How We Use Personal Information
We process your information for the following purposes:
Service Delivery
- Responding to your initial enquiry
- Assessing your needs and eligibility for services
- Delivering counselling, treatment and support sessions
- Coordinating care with other services (with your consent)
- Monitoring your progress and safety
- Maintaining clinical records and case notes
- Appointment scheduling and reminders
- Following up on your treatment journey
Communication
- Sending appointment reminders and service updates
- Responding to your questions and correspondence
- Providing information about services that may help you
- Emergency contact when necessary
Service Improvement & Research
- Analysing service effectiveness (using anonymised data)
- Conducting satisfaction surveys
- Training and supervision of staff
- Quality assurance and clinical governance
- Research and service development (always anonymised or pseudonymised)
When your personal data is used for statistical or research purposes, it is anonymised or pseudonymised so that you cannot be identified.
Legal & Regulatory Requirements
- Complying with healthcare regulations and standards
- Safeguarding vulnerable individuals
- Responding to legal requests
- Maintaining regulatory registrations
- Meeting audit and inspection requirements
Employment & Volunteer Management
- Recruitment and onboarding
- Employment contract management
- Payroll and benefits administration
- Performance management and development
- Health and safety compliance
Marketing & Fundraising (With Consent)
- Sending newsletters and updates about our services
- Sharing success stories (anonymised or with explicit permission)
- Providing information about events and campaigns
- Conducting supporter communications
You can opt out of marketing communications at any time.
Website Forms: Explicit Consent for Health Data
Important: When you submit a contact form or self-referral form on our website, you will be asked to provide explicit consent for us to process your health information about gambling addiction.
This consent is obtained through a separate checkbox that:
- Is unticked by default
- Uses clear, plain language
- Explains what you’re consenting to
- Tells you how to withdraw consent
- Links to this full privacy policy
You must tick this checkbox to submit the form. Without your explicit consent, we cannot process your enquiry or provide support services.
You can withdraw your consent at any time by contacting us. However, please note that we may still need to retain some information under our healthcare professional obligations and clinical governance requirements.
Special Categories of Data
Under Data Protection law, certain categories of personal information are classified as sensitive or special categories of data.
These categories include data relating to:
- Racial or ethnic origin
- Sexual orientation
- Gender identity
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health information
- Genetic data
- Biometric data
We minimise the use of special categories of personal data, but given the services we provide, there are times when we may have a legitimate interest in processing special categories of data, and we may ask for your consent to collect and process this data.
We will always give you a ‘prefer not to answer’ option when we ask for any special categories of data. Providing us with this information helps us deliver appropriate services and meet our equality obligations.
Collecting special categories of data also helps us meet the Public Sector Equality Duty, which requires Ara to give due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations. However, our responsibilities under this duty do not override your right to privacy.
When we collect specific sensitive data, we will notify you of how we will use it and who it may be shared with.
We do not process genetic or biometric data for uniquely identifying a natural person.
Sharing Your Information
Your personal information will be kept secure and confidential. We respect your privacy and will only share information when necessary for your care or as required by law.
Within Our Organisation
- Clinical staff directly involved in your care
- Administrative staff (for scheduling and records management)
- Safeguarding leads (if protection concerns arise)
- Supervisors and clinical governance teams (for quality assurance)
- Management (for organisational operations)
All staff are bound by strict confidentiality obligations and professional codes of conduct.
External Partners (With Your Consent)
We may share information with external healthcare and support partners, but we will always ask for your explicit consent first, except in safeguarding emergencies.
This may include:
- Your GP or other healthcare providers
- Specialist addiction services
- Mental health services
- Social services
- Partner organisations providing complementary support
Technology Service Providers
We use trusted service providers who process data on our behalf:
- Website hosting providers
- Email service providers
- Client management systems
- Analytics providers (Google Analytics 4)
- Marketing platforms (Meta/Facebook, LinkedIn)
All providers are contractually required to:
- Process data only according to our instructions
- Maintain appropriate security measures
- Comply with GDPR requirements
- Not use your data for their own purposes
Legal and Regulatory Bodies (When Required)
We may share information when legally required or to protect vital interests:
- Safeguarding authorities – if we believe someone is at risk of serious harm
- Regulatory bodies – Care Quality Commission, professional regulators
- Law enforcement – in response to valid legal requests or to prevent/detect crime
- Legal proceedings – when required by court order
- Government agencies – where legally bound to do so
- Auditors – for financial and compliance auditing
We Never Share Your Data With:
- ❌ Marketing companies or data brokers
- ❌ Insurance companies (without your explicit consent)
- ❌ Employers (without your explicit consent)
- ❌ Family members (without your explicit consent)
- ❌ Third parties for their own marketing purposes
Please be aware: Ara may need to share personal information with government departments and agencies, our regulators and auditors, or with other organisations and agencies where we are legally bound to do so or where it is in the public interest (such as safeguarding).
International Data Transfers
Your clinical and health data is stored exclusively within the UK on secure servers and is never transferred internationally.
However, some of our website tools involve limited data transfers outside the UK/EEA:
Google Analytics 4 (USA)
- Purpose: Anonymous website usage statistics
- Safeguards: Standard Contractual Clauses, Google’s EU-US Data Privacy Framework certification
- Data type: Anonymous browsing behavior only, never health information
Meta Pixel (USA)
- Purpose: Measuring advertising effectiveness
- Safeguards: Standard Contractual Clauses
- Data type: Anonymous page views and interactions, never personal identity or health details
LinkedIn Insight Tag (USA)
- Purpose: Professional audience insights
- Safeguards: Standard Contractual Clauses
- Data type: Anonymous demographic data, never personal health information
All international transfers comply with GDPR Article 46 requirements and use appropriate safeguards.
How Long We Keep Information
We retain information only as long as necessary for the purposes described in this policy:
Service User Records
Clinical records: 7 years from last contact
Rationale: Healthcare record-keeping requirements and clinical governance obligations
Initial enquiries (no service provided): 6 months from enquiry date
Rationale: To respond to follow-up questions or if you return to our services
Employment Records
Staff files: 7 years after employment ends
Recruitment records (unsuccessful): 6 months after recruitment process
Rationale: Employment law requirements and good practice
Financial Records
Financial transactions: 7 years
Rationale: Legal and accounting requirements
Website Analytics
Google Analytics data: 26 months
Rationale: Understanding long-term trends while limiting retention
Marketing Data
Newsletter subscribers: Until unsubscribed or 3 years of inactivity
Rationale: Maintaining communication preferences
Complaints and Enquiries
Complaint records: 25 years after resolution
Rationale: Potential legal claims and organisational learning
CCTV Footage
Retention: Up to 30 days unless required for investigation
Rationale: Security purposes only
Safeguarding Records
May be retained longer if required for legal or safeguarding needs
Rationale: Protection of vulnerable individuals and legal compliance
After retention periods expire, we securely delete or anonymize your information in accordance with our Data Retention Policy.
Job Applicants and Staff
Recruitment
Personal information about unsuccessful candidates will be held for 6 months after the recruitment exercise has been completed and will then be securely destroyed or deleted. We retain anonymised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Employment
Once a person has taken up employment with Ara, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment.
Staff files include:
- Employment contract and terms
- Proof of identity
- Right to work documentation
- DBS checks
- Qualifications and training records
- Performance reviews
- Payroll and tax information
- Sickness and absence records
- Disciplinary or grievance records (if applicable)
Once employment with Ara has ended, we will retain the file for 7 years in accordance with our Data Retention Policy and then securely delete it.
Complaints and Enquiries
If you make a complaint or enquiry, we may collect and store personal information in relation to it. We will keep your information secure and use it only for the purpose for which it was collected.
When the complaint is resolved or the enquiry is completed, we will retain the information for 25 years in accordance with our Data & Document Retention Policy and then securely destroy it.
CCTV
CCTV is in operation at our building at King’s Court and the houses used to support recovery for security and safety purposes. Ara is the ‘data controller’ of this information.
- Clear signage is displayed both inside and outside of the buildings notifying people that CCTV is in operation
- Footage is retained for up to 30 days unless required for investigation
- Access to footage is restricted to authorised personnel only
- Footage may be shared with law enforcement if required for crime prevention or detection
Website and Cookie Policy
Information We Collect Via Our Website
When you visit our website, we collect standard internet log information, including:
- IP address
- Host name
- Browser type and version
- Operating system
- Device information
- Pages visited and time spent
- Referring website
This information is used to:
- Help diagnose problems with our server
- Administer and improve our website
- Understand how visitors use our site
- Improve user experience
Cookies and Tracking Technologies
Important: We use cookies and similar technologies on our website. We obtain your explicit consent before using non-essential cookies.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and understand how you use the site.
Types of Cookies We Use
- Essential Cookies (Always Active)
These cookies are necessary for the website to function and cannot be switched off:
- Cookie consent preferences
- Session management
- Security tokens
Legal Basis: Legitimate interest (essential functionality)
You cannot opt out of these cookies.
- Analytics Cookies (Google Analytics 4) – Requires Consent
Purpose: Help us understand how visitors use our website so we can improve it.
What Google Analytics 4 collects:
- Pages visited and time spent
- General location (country/region only, never precise)
- Device and browser type
- Traffic sources (how you found us)
- Anonymous usage patterns
What GA4 does NOT collect:
- Your name or identity
- Form submission content
- Sensitive health information
- Email addresses or phone numbers
- Precise GPS location
Google Consent Mode v2:
We implement Google Consent Mode v2, which means:
- GA4 only tracks with your consent
- Without consent, only anonymous aggregate data is collected
- Your consent choices are respected across Google services
- You can change your preferences at any time
Data sharing: Analytics data is processed by Google LLC (USA) with Standard Contractual Clauses
Retention: 26 months
Legal Basis: Consent (Article 6(1)(a))
- Marketing Cookies – Requires Consent
Meta Pixel (Facebook Pixel)
Purpose: Measure the effectiveness of our Facebook/Instagram advertising and show relevant information to people who may benefit from our services.
What it does:
- Tracks page visits (not personal information)
- Records button clicks and interactions
- Measures ad campaign effectiveness
What it does NOT do:
- Read form submission content
- Identify individuals seeking addiction help
- Share names or personal details
Data sharing: Meta Platforms, Inc. (USA)
Legal Basis: Consent
LinkedIn Insight Tag
Purpose: Understand professional audiences and measure LinkedIn content effectiveness.
What it does:
- Tracks page visits
- Provides demographic insights (aggregated)
- Measures campaign performance
Data sharing: LinkedIn Corporation (USA)
Legal Basis: Consent
Your Cookie Choices
When you first visit our website, you’ll see a cookie banner asking you to choose which cookies to accept:
Your options:
- Accept All – Enable analytics and marketing cookies
- Reject All – Only essential cookies
- Customise – Choose specific categories
You can change your cookie preferences at any time by:
- Clicking the cookie settings icon on our website
- Adjusting your browser settings
- Using opt-out tools:
- Google Analytics: https://tools.google.com/dlpage/gaoptout
- Facebook: https://www.facebook.com/settings/?tab=ads
- LinkedIn: https://www.linkedin.com/psettings/guest-controls
Important: Cookies do NOT collect your health information or details about your enquiry. When you submit a form:
- Cookies may track that you visited the form page
- Cookies may record that the form was submitted
- Cookies do NOT capture: Form content, your name, health details, or anything you typed
Your sensitive health data is protected separately through form consent and healthcare confidentiality obligations.
Links to Other Websites
Our website may contain links to other websites of interest. If you follow a link from the Ara website to an external site, please check the privacy notice of that site before giving any personal details.
Ara is not responsible for the privacy policies or practices of third-party websites.
Security of Information
We take data security seriously and implement appropriate technical and organisational measures to protect your information:
Technical Security
- Encryption: All data transmitted to and from our website uses HTTPS/TLS encryption
- Secure storage: Data stored on encrypted servers within the UK
- Access controls: Role-based access, strong authentication requirements
- Firewalls: Network security monitoring and intrusion detection
- Regular updates: Software patches and security updates
- Secure backups: Encrypted backups tested regularly
- Antivirus protection: Across all systems
Organisational Security
- Staff training: Regular data protection and confidentiality training for all staff
- Confidentiality agreements: All staff sign confidentiality clauses
- Professional obligations: Clinical staff bound by professional codes of conduct
- Clear desk policy: Physical security of documents
- Secure disposal: Confidential shredding and secure data wiping
- Incident response: Procedures for handling data breaches
- Regular audits: Internal compliance reviews
Third-Party Security
- Due diligence: All data processors assessed before engagement
- Contracts: Data processing agreements requiring GDPR compliance
- Regular reviews: Ongoing monitoring of processor compliance
Ara operates a range of information and communications systems and technologies for efficient operation. Personal information is stored and managed within systems maintained to achieve a high level of Confidentiality, Integrity and Availability (CIA), following best practice cyber security standards.
All data is held within the UK (European Economic Area for legacy systems).
Data Breach Procedures
In the unlikely event of a data breach:
- We will investigate and contain the breach immediately
- We will notify the ICO within 72 hours if required
- We will inform you if there is a high risk to your rights and freedoms
- We will take steps to prevent recurrence
For further information on how we maintain the security of your information, please contact our Data Protection Lead.
Your Rights Under GDPR
You have important rights regarding your personal information:
1. Right to Be Informed
You have the right to clear, transparent information about how we use your data (this privacy notice provides that information).
2. Right of Access (Subject Access Request)
You have the right to request a copy of the personal information we hold about you.
How to request:
- Email: info@recovery4all.co.uk
- Phone: 0330 1340 286
- Post: FAO Data Protection Lead, Ara, King’s Court, King Street, Bristol, BS1 4EF
We will respond within one calendar month from receiving your request.
Cost: Free (unless request is excessive or manifestly unfounded)
3. Right to Rectification
You have the right to ask us to correct inaccurate or incomplete information.
4. Right to Erasure (“Right to be Forgotten”)
You can request deletion of your information in certain circumstances:
- You withdraw consent
- Information is no longer needed for the original purpose
- You object to processing and there’s no overriding legitimate reason
Important limitations:
- We may need to retain information for legal, clinical governance or safeguarding reasons
- Healthcare records typically must be retained for specified periods
- We cannot delete information required by law
5. Right to Restrict Processing
You can ask us to limit how we use your information while a dispute is resolved or accuracy is verified.
6. Right to Data Portability
You can request your information in a common electronic format to transfer to another provider.
7. Right to Object
You can object to:
- Processing based on legitimate interests
- Direct marketing (at any time, no questions asked)
- Automated decision-making (we don’t use this for treatment decisions)
Where you believe that our legitimate interests are overridden by your interests, rights or freedoms, you have the right to object.
8. Rights Related to Automated Decision Making
We do not make automated decisions about you that significantly affect you without human involvement.
9. Right to Withdraw Consent
You can withdraw your consent at any time for processing based on consent, including:
- Marketing communications
- Optional information sharing
- Website tracking cookies
- Form submission consent
How to withdraw consent:
- Email: info@recovery4all.co.uk
- Phone: 0330 1340 286
- Click “unsubscribe” in emails
- Update cookie preferences on our website
Important: Withdrawing consent doesn’t affect:
- Processing that already occurred
- Processing based on other legal grounds (e.g., healthcare obligations)
- Information we must keep for legal or clinical governance reasons
10. Right to Complain
If you’re unhappy with how we’ve handled your information, you can complain to:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ICO Registration Number: Z6850075
We encourage you to contact us first so we can try to resolve any concerns directly.
Further information on your rights is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/
Email Communications Opt-Out
If we hold your email in our database, occasionally we may send you emails about:
- Events and information about our services
- News and updates
- Surveys to help improve our services
- Other information that we think will be of interest to you
You can unsubscribe at any time by:
- Clicking “unsubscribe” in any email
- Emailing us at info@recovery4all.co.uk
- Calling us on 0330 1340 286
Changes to Our Privacy Notice
This privacy notice will be updated to reflect changes to the way we operate or changes to data protection legislation.
When we make significant changes:
- We’ll update the “Last Updated” date at the top
- We’ll notify clients and supporters by email where appropriate
- For substantial changes, we may seek renewed consent where required
We recommend that you revisit this notice periodically to stay informed about how we protect your information.
What We Will Not Do
We are committed to responsible data handling:
- ❌ We will not send you unsolicited marketing material
- ❌ We will not sell your personal data to third parties
- ❌ We will not pass on your personal data to unrelated third parties unless allowed or required by law, or with your explicit permission
- ❌ We will not use your health information for purposes other than providing treatment and support (except as required by law)
- ❌ We will not share your identity or health details with social media platforms or advertisers
- ❌ We will not make automated decisions about your treatment without human involvement
Children and Young People
Our services are primarily designed for adults (18+). If we provide services to someone aged 16-17, we will:
- Ensure appropriate consent is obtained
- Apply additional safeguarding measures
- Consider capacity to consent
- Retain records until age 25 (or 8 years after last contact, whichever is later)
If we become aware that we’ve inadvertently collected information from someone under 16 without appropriate parental consent, we will take steps to delete it promptly (unless required for safeguarding purposes).
Contact Us About Privacy
For any questions about this Privacy Policy or how we handle your information:
General Enquiries:
Email: info@recovery4all.co.uk
Phone: 0330 1340 286
Post: Ara, King’s Court, King Street, Bristol, BS1 4EF
Data Protection Lead:
Email: [info@recovery4all.co.uk]
Post: FAO Data Protection Lead, Ara, King’s Court, King Street, Bristol, BS1 4EF
Exercise Your Rights:
Use the contact details above to exercise any of your data protection rights.
We will respond within one calendar month.
Make a Complaint:
Contact us first, or contact the ICO directly (details above)
Legal Compliance Statement
This Privacy Policy complies with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Data (Use and Access) Act 2025
- Privacy and Electronic Communications Regulations (PECR)
- Healthcare regulatory requirements
- Care Quality Commission standards
- Professional codes of conduct (BACP)
Definitions
Personal Data: Any information relating to an identified or identifiable person.
Special Category Data: Sensitive personal data including health information, protected under Article 9 GDPR.
Processing: Any operation performed on personal data (collection, storage, use, sharing, deletion).
Data Controller: Ara Recovery for All – determines purposes and means of processing.
Data Processor: Third parties who process data on our behalf under our instructions.
Consent: Freely given, specific, informed, and unambiguous agreement to processing.
Explicit Consent: Clear affirmative action demonstrating consent (e.g., ticking a checkbox), required for special category data.
Addiction Recovery Agency Limited (Ara Recovery for All)
Confidential gambling harms treatment and support across Wales and South West England, together with drug, alcohol dependency and homelessness in Bristol
Registered in England and Wales
Company Number: 02540814
Charity Number: 1002224
Registered Address: 11-12 King’s Court, King Street, Bristol, BS1 4EF
