Privacy policy

This policy is designed to ensure that HIV Scotland complies with the General Data Protection Regulation (GDPR) that came into force on Friday 25 May 2018.

HIV Scotland is committed to protecting your privacy. This privacy policy sets out how we use and protect any personal data that you provide to us, or that we collect from you.

HIV Scotland's privacy and cookies policy may change to reflect legislative and best practice updates so please remember to check back from time to time.


All personal information processed by HIV Scotland.

Policy statement

The following privacy and cookies policy will be displayed on all HIV Scotland websites and made available to all users of HIV Scotland's website on request. Individuals will be made aware of its existence through the website or email communication.

1. Who we are

At HIV Scotland, we are committed to protecting your personal information and making every effort to ensure that your personal information is processed in a fair, open and transparent manner.

We are a 'data controller' for the purposes of the EU General Data Protection Regulation 2016/679 ('Data Protection Law'). This means that we are responsible for, and control the processing of, your personal information. 

For further information about our privacy practices, please contact us by:

  • Writing to HIV Scotland, 18 York Place, Edinburgh EH1 3EP
  • Calling us on 0131 558 3713
  • Emailing to [email protected]

2. How we collect information about you

We collect information from you in the following ways:

When you interact with us directly: This could be if you use one of our projects, ask us about our activities, register with us for an event, make a donation to us, apply for a job or volunteering opportunity or otherwise provide us with your personal information. This includes when you phone us, visit our website, or get in touch through the post, or in person.

When you interact with us through third parties: This could be if you provide a donation through a third party such as JustGiving or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.

When you visit our website: We gather general information which might include which pages you visit most often and which services, events or information is of most interest to you. We may also track which pages you visit when you click on links in emails from us. We also use cookies to help our site run effectively. There are more details below – see 'Cookies'.

We will use this information to personalise the way our website is presented when you visit to make improvements and to ensure we provide the best service and experience for you. Wherever possible we use anonymous information which does not identify individual visitors to our website.

3. Information we collect and why we use it

Personal information

Personal information we collect may include details such as your name, date of birth, email address, postal address, telephone number and credit/debit card details (if you are making a purchase or donation), as well as information you provide in any communications between us. You will have given us this information whilst making a donation, using our services, registering for an event, placing an order on our website or any of the other ways you interact with us.

We will use this information:

  • For monitoring, evaluation and audit of our projects.
  • For marketing, fundraising, campaigning and membership services.
  • To process your donations or other payments, to claim Gift Aid on your donations and verify any financial transactions.
  • To provide the services or goods that you have requested.
  • To update you with important administrative messages about your donation, an event or services you have requested.
  • To keep a record of your relationship with us.
  • Where you volunteer with us, to administer the volunteering arrangement.
  • To invite you to participate in surveys or research.

In order for us to undertake the above we need to collect personal data from you for either correspondence purposes or detailed service provision, depending on the service you are accessing.

Our aim is not to be intrusive and we undertake not to ask irrelevant or unnecessary questions.

We will not pass your personal data on to other agencies, unless this has been agreed with you to support independent advocacy on your behalf. 

Sensitive personal information as defined under article 9 of GDPR

Sensitive personal data as defined under article 9 of GDPR covers the following data types:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetics
  • biometrics
  • health
  • sex life
  • sexual orientation

Should we need to pass any sensitive personal data on to any other third parties we will only do so when you have agreed in relation to independent advocacy or unless we are legally required to do so, for example to comply with the law, or a court order or where there is a clear safety risk to you or to someone else. If this is the case we will always try to inform you.

4. Legal basis for using your information

Where consent is the appropriate legal basis for using your personal information we will use this only once we have your consent for the specific reason you have engaged with us. 

There are other lawful reasons that allow us to process your personal information and one of those is called 'legitimate interests'. This means that the reason that we are processing information is that there is a legitimate interest for HIV Scotland to process your information.

We may also process special categories of personal data, where appropriate, in line with GDPR article 9 regulations in relation to the provision of health and social care services.

Whenever we process your personal information under the ‘legitimate interest' lawful basis we make sure that we take into account your rights and interests and will not process your personal information if we feel that there is an imbalance.

Some examples of where we have a legitimate interest to process your personal information are where we contact you about our work via post, use your personal information for data analytics, or for conducting research to better understand who our supporters are, improving our services, or for our legal purposes (for example, dealing with complaints and claims).

6. Marketing

We will only contact you about our work and how you can support HIV Scotland by email or text message if you have agreed for us to contact you in this manner.

However, if you have provided us with your postal address or phone number we may send you information about our work and how you can support HIV Scotland by mail or phone unless you have told us that you would prefer not to hear from us in that way.

You can update your choices or stop us sending you these communications at any time by contacting us or by clicking the unsubscribe link at the bottom of the relevant communication.

7. Sharing your Information

The personal information we collect about you will mainly be used by our staff (and volunteers) at HIV Scotland so that they can support you.

We will never sell individual information and your details are never given out except where there is a service need to do so. Where this is the case you will have agreed to this as part of any independent advocacy being offered (e.g. legal , discrimination or employment cases etc). You have the right to prevent this but it may affect the services that we are able to offer you.

We may also use information to produce anonymous reports to our funders and stakeholders

Legal disclosure

We may disclose your information if required to do so by law. (For example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority).

8. Keeping your information safe

We will take all reasonable steps to make sure that your data is treated securely and in accordance with this privacy policy however we receive this information e.g. by post, e-mail or through accessing our website.

The information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure as part of our information security management system.

Your personal information is accessed only by those who are authorised to access it while carrying out their duties.

Details relating to any transactions entered into through the HIV Scotland website will be encrypted in transit to ensure their safety. The transmission of any information from you to HIV Scotland via website or e-mail is not completely secure, however, the transmission of such data is at your own risk.

Third party links

The HIV Scotland website contain links to third-party websites. These websites should have their own privacy policies but we do not accept any responsibility or liability for their policies.

9. How long we hold your information

We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. Once you no longer need our services we are legally required to keep records for a certain amount of time depending on the type of data that we hold. After this time we will securely destroy it according to our records retention and disposal procedures. Please contact us for further information on our retention periods. 

10. Your rights

You have various rights in respect of the personal information we hold about you – these are set out in more detail below. If you wish to exercise any of these rights or make a complaint, you can do so by contacting us at HIV Scotland, 18 York Place, Edinburgh, EH1 3EP, by email at [email protected] and by phone on 0131 558 3713. You can also make a complaint to the data protection supervisory authority, the Scottish Information Commissioner - 

  • Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge. Please make all requests for access in writing, and provide us with evidence of your identity.
  • Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. Please contact us as noted above, providing details of your objection.
  • Consent: If you have given us your consent to use personal information (for example, for marketing), you can withdraw your consent at any time.
  • Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
  • Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
  • Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
  • Restriction: You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
  • No automated-decision making: Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law. You also have certain rights to challenge decisions made about you. We do not currently carry out any automated decision-making.

Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.

We use Google Analytics Advertising Features for demographics and interest reporting, which help us to better understand our site users. Find out about Google Analytics' currently available opt-outs.

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services.  This may include connecting data we receive from you on the website to data available from other sources.  Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us.  In the case of this activity the following will apply:

  1. Your data will be made available to our website provider
  2. The data that may be available to them include any of the data we collect as described in this privacy policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy


A cookie is a small file placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. 

Cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not as well enabling some functionality, such as logins. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to user needs. We only use this information for statistical analysis purposes.

Disabling cookies on your browser

If you don’t want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it or you can refuse cookies altogether. You can also delete cookies that have already been set. 

If you wish to restrict or block web browser cookies which are set on your device then you can do this through your browser settings; the Help function within your browser should tell you how. Alternatively, you may wish to visit, which contains comprehensive information on how to do this on a wide variety of desktop browsers.