Privacy and Cookie Declaration | Whizz Kidz

Hello, we are Whizz Kidz, the UK’s leading charity for young wheelchair users. We want to see a society in which every young wheelchair user is mobile, enabled and included.
At Whizz Kidz, it’s really important to us that we show you that we care about looking after your personal information. This is our Privacy and Cookie Notice, where we tell you honestly how we use and look after your personal information. This privacy notice tells you what to expect us to do with your personal information if you apply for our services, support our work with a donation or by fundraising for us, apply for a voluntary or paid position with Whizz Kidz or use our website. We will tell you what information we collect about you, how we use this data, with whom we share it, and how we store it and keep it safe.
Because privacy and cookie notices are often quite long, full of helpful information, ours is broken up into smaller sections. To read a section, click the heading that interests you. To help you find the information you need, we have created a section for everybody to read, followed by sections which are written especially for the type of interaction you have with Whizz Kidz. All words and phrases in bold can be found in a glossary in Appendix I.
If we make any important changes to the way in which we use, share, or store your information, we’ll update our Privacy and Cookie Notice and will let you know so that you can tell us if you have any concerns.
When making smaller changes, we’ll update this notice and post a summary of the changes on our website. We last updated our privacy notice in October 2023.
27th October 2023
We added information about our use of the Facebook Pixel in the following section:
Website Users section – The cookies we use
We are Whizz Kidz, the UK’s leading charity for young wheelchair users. We want to see a society in which every young wheelchair user is mobile, enabled and included. We are a registered charity (802872), a company registered in England and Wales (2444520) and a charity registered in Scotland (SC042607). Our main office is based in central London, but we run our services throughout England, Scotland and Wales. Whizz Kidz is the Data Controller for the personal information we process.
There are many ways to contact Whizz Kidz, including by post, phone, email, and social media.
Our registered address is:
Whizz Kidz
30 Park Street
London
SE1 9EQ
Telephone Number: 020 7233 6600
Email (general enquiries): info@whizz-kidz.org.uk
Website: www.whizz-kidz.org.uk
To get in contact please use this page of our website.
Facebook: Whizz Kidz - Empowering Young Wheelchair Users - Home | Facebook
Instagram: Whizz-Kidz (@whizzkidzuk) • Instagram photos and videos
Twitter: Twitter
Whizz Kidz’ Data Protection Officer is contactable at data.protection@whizz-kidz.org.uk or write to ‘Data Protection Officer’ at our postal address.
As well as a Data Protection Officer Whizz Kidz also have a Caldicott Guardian.
Whizz Kidz’ Caldicott Guardian is Louise Viner. You can contact them at caldicott.guardian@whizz-kidz.org.uk or write to ‘Caldicott Guardian’ at our postal address.
As a Data Subject, under UK GDPR (data protection law) you have rights. You can choose to use any of these rights by contacting us at data.protection@whizz-kidz.org.uk or writing to us at this address with your request. Your rights are:
- Access – You have the right to ask for copies of all information we have about you.
- Rectification – You have the right to ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete.
- Erasure – You have the right to ask us to delete your personal information in certain circumstances.
- Restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Objection to processing - You have the right to object to the processing of your personal information in certain circumstances.
- Data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
- Withdraw consent – if Whizz Kidz have asked your consent to use your data for a specified reason, you have the right to take back that consent so that Whizz Kidz cannot use your data like that in the future. Withdrawing your consent does not affect anything that Whizz Kidz have used your data for in the past with your consent.
You do not have to pay to use any of these rights. If you make a request, Whizz Kidz has one month to respond to you.
If you would like to make a request, email data.protection@whizz-kidz.org.uk
If you are unhappy or concerned about how Whizz Kidz collects, uses or stores your personal information, you can let us know by emailing data.protection@whizz-kidz.org.uk or writing to:
Data Protection Officer
Whizz Kidz
30 Park Street
London
SE1 9EQ
You can also complain to the ICO (the UK supervisory authority for data protection) if you are unhappy with how we have used your data.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Whizz Kidz collects personal information such as name, contact information, assigned sex at birth, preferred pronouns, NHS number, parent or carer’s contact information, education information, household income, communication preferences, appointment history, activity attendances and where written permission is given photos and videos. We also collect your responses to surveys about your experience of Whizz Kidz.
We also collect the following sensitive category information: health and medical data, religion, ethnicity, and sexual orientation.
At Whizz Kidz we do our very best to stick to the GDPR principles of data minimisation and purpose limitation, and only collect information that we need when we need it. We only use information for the intended purpose. For example, we only ask for information on religion, ethnicity and sexual orientation for monitoring and evaluation purposes and so that we can improve our services; we only ask for information on household income to monitor if we are reaching lower income households.
Most of the personal information Whizz Kidz collects is given by you when you apply for mobility equipment or to attend an activity group. Some information is collected in a secure online form, other information is collected during a telephone assessment with one of our therapists or at a face-to-face appointment.
Sometimes, information may be shared with us by your education provider, residential care provider or NHS wheelchair service so that we can provide you with the best possible care.
We collect this information so that we can assess your eligibility for our services, apply for or match your requirements with funding, and provide you with the best possible care. Whizz Kidz collects this information so that we can fulfil your request for equipment or a service (contractual performance).
We also collect data in optional surveys (both online and on paper) and interviews (telephone, face to face, virtual meeting) which help us to decide on the most important things to campaign on and influence. Whizz Kidz collects data in this way for public interest.
We collect sensitive category information, such as ethnicity and sexual orientation so that we can conduct monitoring and evaluation and ensure that Whizz Kidz is providing services to everyone who needs our support. We also use this anonymised data to help us decide what to focus on as a charity. Whizz Kidz is collecting information for our legitimate interest, to understand more about our service users so that we can make sure that we are providing the best possible service.
Whizz Kidz also collects information with your consent to share your story and experience on our social media channels or in communications (both internally with colleagues and externally with the public). We will never share photos, videos or your story identifying you with anyone unless you give your permission. In some cases, we may share your story anonymously with a funder as they would like to know how we have spent their money. We ensure that you cannot be identified by the information we share with funders unless you give your consent.
Whizz Kidz also uses your contact information to share surveys about your Whizz Kidz experience with you. These surveys help us to find out the good and bad things we do and improve our services. These surveys are optional to complete. You do not have to share your experiences if you don’t want to.
We use your contact information with your consent to send communications about other exciting things going on at Whizz Kidz, such as volunteering opportunities, work experience placements, fun activities or fundraising appeals. You can opt out of receiving these communications at any time: to opt out please contact data.protection@whizz-kidz.org.ukor follow the instructions in each communication to unsubscribe.
Whizz Kidz also works with companies to look at the personal information we store in our database and match it against publicly available records to add value to our database and improve the quality of the data. This also helps us to avoid sending communications to people who are recently deceased. We also add dates of birth and record home moves and changes of address where the data is publicly available. This helps us to save money by only contacting those people who would be most interested in our communications. Whizz Kidz uses our legitimate interest to work with these companies. Whizz Kidz is the data controller and the companies are the data processor.
Whizz Kidz stores personal information on secure servers we own in central London. Whizz Kidz is also a customer of Microsoft business services and stores data in Microsoft’s cloud document and storage system, SharePoint, as well as in other Microsoft applications. To read more about Microsoft’s data storage and security please visit Microsoft’s Trust Centre: Microsoft Privacy & Data Storage | Where Your Data Is Stored.
Whizz Kidz have a retention schedule which we use to decide how long to store personal information. Sometimes, this is for as long as we are actively using the data. In other cases, there is a legal requirement for us to store data (such as safeguarding reports, or health and care records) for a fixed minimum period of time. For all our health and care records, Whizz Kidz follows the guidelines as set out by ‘The Records Management Code of Practice for Health and Social Care 2016’ (published by the Information Governance Alliance for the Department of Health). We keep children’s health records until their 25th birthday if aged under 16 at the conclusion of a clinical intervention, or until their 26th birthday if aged 17 or above after being discharged or last seen from Whizz Kidz clinical services. For more detailed information, contact us at data.protection@whizz-kidz.org.uk
We never sell personal information. We do share it with organisations who we work with to deliver the best possible care and experience to you, such as NHS wheelchair services, your education provider, healthcare agencies, mobility equipment suppliers and content providers for our clubs and activities. We may also need to share some data (usually with your name removed) with funders who are paying for equipment. Unless otherwise stated, Whizz Kidz is the data controller and other organisations are the data processor. However, sometimes we will be joint controllers or at other times independent data controllers. We make sure that all suppliers of services to us take as much care with your data as we do. Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area. Please see ‘Do we transfer your data outside of the UK?’ for more information.
With your permission, we may also work with you to share your story (including photos and videos) on our social media channels and in our digital and postal communications to potential donors of Whizz Kidz. We will never share photos, videos or your story identifying you with anyone unless you give your permission. In some cases, we may share your story anonymously with a funder as they would like to know how we have spent their money. We ensure that you cannot be identified by the information we share with funders unless you give your consent.
Occasionally, we will share your data when we are legally required to do so, for example to comply with the law, or a court order or where there is a clear safety risk to you or to someone else.
Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area.
We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with global data protection laws. Some countries are considered to provide an adequate level of protection because of the data protection laws in place in those countries (for example, the UK, New Zealand and Japan). If this is not the case, (for example, the US) the protection may be based on a contract with the organisation who receives the information.

Your personal information is looked after by the NHS commissioned service, who are the data controller. This information is not shared with Whizz Kidz. If you have any questions about how your personal information is cared for please contact epunft.info.gov@nhs.net (Southend) or bartshealth.info.gov@nhs.net(Tower Hamlets).

Whizz Kidz collects personal information like name(s), contact information (for example email address, postal address, mobile telephone number), donation history, card payment details*, bank details (for Direct Debits)*, accessibility requirements, dietary requirements, medical information, emergency contact information, incident and accident reports (for events management) relationships, job title and employer, whether a donor pays tax (for Gift Aid), date of birth, communication preferences, reason for support, and communication history. At Whizz Kidz we do our very best to stick to the GDPR principles of data minimisation and purpose limitation, and only collect information that we need when we need it. We only use information for the intended purpose. For example, we only ask for accessibility and dietary requirements if a fundraiser is attending an in-person event, or we only ask if an individual is a UK tax payer to work out if we can claim Gift Aid on their donation.
*Any information you give us relating to credit card and bank account details is handled by a PCI DSS compliant supplier (Committed Giving) and encrypted using secure server technology. For more information please contact data.protection@whizz-kidz.org.ukor Committed Giving directly.
Most of the information we process for our donors and fundraisers is given directly by you when we request it online. This may be when you make a donation (Committed Giving), register for a fundraising event (RealBuzz, Skyline Direct), complete a survey (JotForm), or click through an advert on social media (Facebook, Instagram). We partner with suppliers (in brackets) to host these forms to provide the best experience to you and anyone who fills out these forms. Whizz Kidz is the data controller, and these suppliers are data processors. Whenever we use an online form to collect information we will always make you aware that we are using a supplier and provide you with both our and their privacy notice so that you know how we and they will look after your information. Often when Whizz Kidz collects this information using online forms we are doing this to so that we can carry out an agreement with you (contractual performance) such as processing a donation, claiming Gift Aid or registering you to run in the London Marathon. Sometimes, Whizz Kidz is collecting information for our legitimate interest, to understand more about our donors and fundraisers so that we raise money sustainably to continue the great work we do to support young wheelchair users.
Data is also shared with us by other companies, with your permission. For example, funeral directors, Memory Giving, JustGiving, Enthuse, Time Outdoors and London Marathon Events all share personal information with us, such as your name, contact information and communication preferences with your consent. This enables us to say thank you and where appropriate send follow up communications and information about fundraising events and ask for donations in the future. When we receive data from other companies in this way, both the companies and Whizz Kidz are acting as data controllers.
Whizz Kidz also works with companies to look at the personal information we store in our database Raisers Edge and match it against publicly available records to add value to our database and improve the quality of the data. This helps us to avoid sending communications to people who are recently deceased. We add dates of birth and record home moves and changes of address where the data is publicly available. This helps us to save money by only contacting those people who would be most interested in our communications. Whizz Kidz uses our legitimate interest to work with these companies. Whizz Kidz is the data controller and the companies are the data processor.
We also work with companies to research the potential of donors and fundraisers to be a significant donor and collect additional details relating to their employment and any philanthropic activity. We may estimate gift capacity, based on visible assets, history of charitable giving and their connection to Whizz Kidz. This helps us to understand our donors and fundraisers more and means that we can be more cost-effective. Whizz Kidz uses our legitimate interest to work with these companies. Whizz Kidz is the data controller and the companies are the data processor.
We never sell personal information. We do share it with organisations who are completing a service on our behalf: where this is the case we will let you know at the point that we request your personal information. Examples include our fulfilment house Partridges, who send our letters and fundraising materials to our donors and fundraisers on our behalf, or couriers or venues who are helping us to put on an event. We make sure that all suppliers of services to us take as much care with your data as we do. Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area. Please see ‘Do we transfer your data outside of the UK?’ for more information.
Occasionally, we will share your data when we are legally required to do so, for example to comply with the law, or a court order or where there is a clear safety risk to you or to someone else.
We store the data of our donors and fundraisers in our database Raiser’s Edge. We host Raiser’s Edge on our own servers in London. There will also be occasions when we store information in secure locations on other servers, also held in London. Whizz Kidz is also a customer of Microsoft business services and stores data in Microsoft’s cloud document and storage system, SharePoint, as well as in other Microsoft applications. To read more about Microsoft’s data storage and security please visit Microsoft’s Trust Centre: Microsoft Privacy & Data Storage | Where Your Data Is Stored.
Whizz Kidz has a retention schedule which we use to decide how long to store personal information. We keep personal information for as long as this document states. Sometimes this will be for as long as we are actively using the data. In other cases, there is a legal requirement for us to store data (such as financial data, or Gift Aid declaration information) for a fixed minimum period of time. For more information, please contact data.protection@whizz-kidz.org.uk.
Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area.
We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with global data protection laws. Some countries are considered to provide an adequate level of protection because of the data protection laws in place in those countries (including New Zealand and Japan). If this is not the case, the protection may be set out under our contract with the organisation who receives the information.

Whizz Kidz collects personal information such as name, contact information, preferred pronouns, emergency contact information, marital status, communication preferences, references, proof of ID (e.g. passports, driving license), results of a criminal record (DBS) check, education information, employment history, relevant skills and experience, reason for applying, pre-interview assessment results, interview notes, and photos and videos (with consent).
We also collect the following sensitive category information: health and medical data, religion, ethnicity and sexual orientation.
At Whizz Kidz we do our very best to stick to the GDPR principles of data minimisation and purpose limitation, and only collect information that we need when we need it. We only use information for the intended purpose. For example, we only ask for information on religion, ethnicity and sexual orientation for monitoring and evaluation purposes.
We collect personal information when you apply for a paid position via Applied, or a voluntary or trustee position via our website. We use information you provide to assess your suitability for a position, and contact information to let you know if you have been successful (contractual performance).
We collect sensitive category information, such as ethnicity and sexual orientation so that we can ensure that our recruitment processes are fair and unbiased. We also use this anonymised data to help us decide on the best ways of recruiting talent. Whizz Kidz is collecting information for our legitimate interest, to understand more about our role applicants so that we can make sure that we are providing opportunities to all.
Whizz Kidz are also sometimes given personal information by recruitment agencies to increase the number of candidates applying for a position. At first, any information shared by a recruitment agency (the data controller) will be anonymous until we have decided to offer the potential candidate an interview. Only at this point are details such as name and contact details shared at which point Whizz Kidz will become a data controllerof the candidates’ data.
We store the data of role applicants, trustees and volunteers on secure servers in the UK. There will also be occasions when we store information in secure locations on other servers, also held in London. Whizz Kidz is also a customer of Microsoft business services and stores data in Microsoft’s cloud document and storage system, SharePoint, as well as in other Microsoft applications. To read more about Microsoft’s data storage and security please visit Microsoft’s Trust Centre: Microsoft Privacy & Data Storage | Where Your Data Is Stored.
Whizz Kidz has a retention schedule which we use to decide how long to store personal information. We keep personal information for as long as this document states. Sometimes this will be for as long as we are actively using the data. In other cases, there is a legal requirement for us to store data (such as financial data for payroll) for a fixed minimum period of time. For more information, please contact data.protection@whizz-kidz.org.uk.
Where possible, we ensure that suppliers process your data in the UK, or in the EEA (European Economic Area) and therefore are subject to the same rules as we are. Occasionally, the best decision is to use a supplier outside of the UK and EEA and we need to transfer your data outside of this area.
We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with global data protection laws. Some countries are considered to provide an adequate level of protection because of the data protection laws in place in those countries (for example, the UK, New Zealand, and Japan). If this is not the case, (for example, the US) the protection may be based on a contract with the organisation who receives the information.

Our website collects information about how you use it and what your preferences are for browsing our website. To do this, we place cookies on your device. A cookie is a small file placed on your device’s hard drive. Cookies can be used to provide core functionality for a website (e.g., logins), for website traffic reporting or for marketing purposes.
A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. We use our legitimate interest to:
- Keep our website going: troubleshooting, testing, completing research, completing statistical analysis.
- Keep our website safe and secure.
- Be efficient: understand how well our adverts on social media sites or other websites are doing to help us spend every penny wisely.
- Improve your experience: make sure that you are getting the most out of our website and can view it in a way that works for any device you use to visit our website.
- Allow you to access interactive features of our website.
- Understand how our website is being used.
Necessary cookies are cookies essential to ensure our website works for you.
Preference based cookies help a website to ‘remember’ information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Statistical cookies count website visitors. With the use of these cookies, we are able to count visits and traffic sources to improve the performance of our website.
Unclassified cookies are cookies that we are working to define soon as necessary, marketing, preference based, statistical, first party or third party.
Marketing cookies are used to deliver adverts relevant to you. They are also used to limit the number of times you see an advert and help measure how effective an advert is. They can also be used to choose the adverts that are displayed to you on other websites.
First party cookies are set by the website you're visiting and only Whizz Kidz can read them.
Third party cookies are not set by us and can be read by the owner of those cookies. They may be used by companies that provide tools that we have on our websites, such as when we include a form, map, or video. Usually, we can't control what information they collect but we can tell you the cookies we use.
If you don’t want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it, or you can refuse cookies altogether. You can also delete cookies that have already been set.
If you wish to restrict or block web browser cookies that are set on your device, you can do this through your browser settings – the Help function within your browser should tell you how. Alternatively, you may wish to visit Know Cookies, which contains information on how to do this on a variety of web browsers.
We place Facebook and Google Ads cookies on certain pages to help us understand what users do when they click on our online ads. For example, we want to see if users sign up to an event or donate after clicking on one of our ads. This helps us measure the success of any online advertising campaigns and ensures we only direct our Google and Facebook advertising towards those most likely to be responsive to us.

We use the Facebook Pixel to identify website users who have visited pages like our donation or events fundraising pages. The Facebook Pixel then enables us to show adverts for Whizz Kidz events, campaigns and services on Facebook and Instagram to users who have visited relevant pages on the Whizz Kidz website. Please note: We only use the Facebook Pixel on our fundraising and donation pages.
We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including Facebook, Twitter, Linkedin, Disqus, will set cookies through our site.
We use Matomo Analytics to understand how the site is being used in order to improve the user experience. User data is all anonymous. For more information you can view Matamo’s privacy policy here: Privacy Policy - Analytics Platform - Matomo
Please see the cookie declaration below for all the cookies used on this site. All of these cookies may be used to enhance your profile on the third-party site or contribute to the data they hold for various purposes outlined in their respective privacy policies.

Caldicott Guardian – a senior person in the NHS responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.
Cookies – a small file of information – like a username or password – that are stored on your device and identify the user. Cookies are used to work out what to show you, improving your web experience.
Consent – permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under GDPR law.
Contractual Performance – the data processing is needed to carry out an agreement with an individual. One of the ways that processing data can be justified under GDPR law.
Data Controller – an organisation (or a person) who makes decisions about how and why data is processed.
Data Minimisation – collecting the smallest amount of personal data that you need.
Data Processor(s) – an organisation (or a person) who carries out the instructions of the Data Controller and processed data on behalf of the Data Controller.
Data Protection Officer – someone who is an independent expert in data protection and looks after the interests of the Data Subject.
Data Subject – the individual whose personal data is being processed.
Joint Controllers – two or more Data Controllers who together decide how and why data is processed.
Legitimate Interest – a strong reason (or reasons) for a Data Controller to process data for no other reason than it is beneficial to the Data Controller if it doesn’t have a bad effect on the Data Subject. One of the ways that processing data can be justified under GDPR law although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment.
PCI DSS Compliant – a standard which sets out to regulate the card payments industry to help to prevent fraud.
Privacy and Cookie Notice – a publicly displayed explanation of how organisations process data.
Purpose Limitation – one of the principles of GDPR: personal data should only be used for the reasons it was collected.
Public Interest – beneficial for the public. One of the ways that processing data can be justified under GDPR law.
Retention Schedule – a table of how long organisations should store data.
Special Category Information – personal data that needs more protection because it is sensitive, and it could cause harm to the Data Subject if is found out by someone who has no right to access the information.
Standard Contractual Clauses (SCCs) – model (i.e., a good example to follow) data protection clauses, approved by the UK, which allow for the international transfer of personal data outside of the UK and the European Economic Area (EEA).

Privacy and Cookie Notice

Cookie Notice