


This notice (together with our Conditions of Use and any other documents referred to on it) tells you what to expect when The Echo Society (UK) Ltd uses your personal data.


It does not provide exhaustive detail of all aspects of our collection and use of personal data but we are happy to provide any additional information or explanation needed.


Any requests for this should be sent to


This privacy notice applies to information we collect about:


visitors to our websites;

those who sign up to our support services e.g. peer/social, support group and counselling services;

people who use our online services e.g. who subscribe to our newsletter;

Supporters, volunteers and donors;


Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 15th April 2021.


Who is The Echo Society (UK) Ltd?

The Echo Society (UK) Ltd (The Echo Society) is a limited company registered in England & Wales No 10330786 and our registered address is:


71 - 75 Shelton Street, Covent Garden, United Kingdom, WC2H 9JQ


The Echo Society is a volunteer-driven not-for-profit organisation providing peer support groups, social groups, training, counselling service, UK outreach workshops, and a grassroots movement for raising awareness and campaigning for those impacted by narcissistic abuse.


The Echo Society is committed to protecting and respecting your privacy and our use of personal data on this website is aimed at helping us achieve these aims and to provide our users with the best service we can.

Data Protection Officer

The Echo Society Ltd has appointed an internal data protection officer who you can contact if you have any questions or concerns about our personal data policies or practices.

The Echo Society Ltd

71 - 75 Shelton Street

Covent Garden,





1) Your Rights

The European Union’s General Data Protection Regulation provides you with certain rights. A good explanation of them (in English) is available on the website of our National Privacy Regulator, the Information Commissioner’s Office.

In the UK you have rights as an individual under the Data Protection Bill 2018 which you can exercise in relation to the information we hold about you.


You can read more about these rights here –


A right to information and access

You have the right to know whether The Echo Society (UK) Ltd is processing your personal data and to have access to the personal data we may have about you.


You may also request information about: the purpose of the processing; the categories of personal data concerned; who we might have shared the data with; what the source of the information was (if you didn’t provide it directly to us); and how long it will be stored for. 

Reasonable access to your personal data will be provided at no cost upon request made to The Echo Society (UK) Ltd at

To make sure we do not disclose your information to someone else, we may ask you to provide information to confirm your identity. This may include asking you to provide identification documents.


If access cannot be provided within 30 days, The Echo Society (UK) Ltd will provide you with a date when the information will be provided.

If for some reason access is denied, The Echo Society (UK) Ltd will provide an explanation as to why access has been denied.


A right to correct

You have a right to correct the information we hold about you if it is inaccurate. Where we need to investigate the accuracy of the data, you have the right to request we restrict our use of that data.


A right to erasure

You may request that we erase the data we hold about you; but this is not an absolute right and is subject to exceptions. Where we have a lawful reason to retain your data even when you request we delete it, you have the right to restrict our use of your data to that reason only.


A right to object to the use of your personal data for direct marketing

You can stop direct marketing communications from us by clicking the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails.


Note: We will retain a copy of that email address on our “master do not send” list in order to comply with your no-contact request.


Please note that you may continue to receive communications for a short period while our systems are fully updated.


A right to not be subject to automated decision making

You have the right to object to a decision which has been made solely by automated means. Essentially, this right allows you to request that the decision is reviewed by a human. We do not use any automated decision-making tools but please contact us if you require any more information on how this right may apply to you.


A right to data portability

When technically feasible, The Echo Society (UK) Ltd will—at your request—provide your personal data to you or transmit it directly to another controller in a commonly used, machine readable format e.g. csv.


A right to complain

You have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how we use your personal data. 


In the UK this is the Information Commissioner’s Office –


The reasons we can lawfully use your data

We only use your personal data when we have a lawful basis to do so.


Data Protection legislation sets out a number of these, but the ones we most commonly use are:



In many situations, we collect and use your personal data with your consent.


Performance of a Contract

There are situations where we need to use your personal data in order to provide the service you have asked us for (or to allow others to do so on our behalf).


Legal Obligation

If the law requires us to, we may need to collect and process your data – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.


Legitimate interest

We may use your personal data to pursue our legitimate business interests in a way which might reasonably be expected as part of running our business, as long as it does not materially impact your interests, rights and freedoms.


These legitimate business interests can include:


enhancing, modifying, personalising or otherwise improving our services and communications for the benefit of our customers and users.

understanding how people interact with our websites

determining the effectiveness of our marketing and services.


This can also apply to uses which are in your interests and those of others such as those which


identify and prevent fraud or other illegal activity

enhance the security of our network and information systems

You have the right to object to our processing of your personal data for our Legitimate Interests at any time.


Please contact us if you have any further questions about our use of your data in our legitimate interests.


When do we collect your personal data?


When you visit our website.

When you register for our group or individual counselling services;

When you enquire about our sponsorship and other funding opportunities;

When you engage with us on social media or our campaign work;

When you contact us by any means with queries, complaints etc;

When your information is provided to us by someone who is receiving counselling or another service from us.

When we receive a referral or other information from other healthcare professionals such as GPs, mental health teams, crisis teams etc


What happens if you don’t give us your data?

We gather only the information we need to provide the services you ask us to. Much of the information on our website is available without giving us your personal data.


However, some personal data is needed so we can supply you with the services and information you have requested.


What personal data do we collect, why and how do we use it?

We only collect the personal data we need to provide you with the services you have asked us for.


Contact Information

To begin with, this is normally your name and preferred contact method.


How we use it

We use this information to keep in touch with you and provide the services you have asked us to.


We may also use your contact information to send you survey and feedback requests to help improve our services. These messages will not include any promotional content and our legitimate interest to do this is to help make our services more relevant to you as an existing user.


Biographical Information

We initially ask for high-level details of the abuse you have experienced as well as details of the services you are interested in. Your counsellor may ask for further details in line with your counselling needs.


How we use it

This helps us identify a counsellor and services which are suitable to your needs.


Your contacts with us

Details of your contact with us online, by email, telephone, the postal service or through one of our counsellors or groups. Your contact details including social media username(s).


How we use it

To respond to your queries and complaints. We need to use the information we hold about you to respond. We may also keep a record of your contacts with us to inform any future counselling needs and our communication with you. We do this on the basis of our contractual obligations to you and our legitimate interests in providing you with a good level of service and understanding how we can improve our service based on your experience.


Sensitive data

We collect and use this data only with your explicit consent and only to provide you with the counselling and support services you have requested from us. This information is never shared for any other purpose although we are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.


The data of children

We only collect the information we need to provide counselling services to people over the age of 18.


We do not attempt to solicit or knowingly receive information from children under 18.


Technical Data that identifies you and how you use our applications

Your IP address, login information, browser type and version, session ID, time zone setting, browser plug-in types, geolocation information, operating system and version.


The pages you visit, the path you take through our site, page load times, errors you receive, how long you stay on our pages, what you do on those pages, how often, details of jobs viewed or applied for and any search terms you entered etc


This information is normally gathered using cookies in your web browser. Learn more about our use of cookies and similar technologies.


How we use it

We use this information for a number of purposes related to providing the services you ask us to, from login and authentication to remembering your settings.


We also use this information in our legitimate business interests, such as improving and personalising our website and online services, and to protect our business and your account from fraud and other illegal activities.


The use of your data for marketing purposes

We never use information provided to us as part of our counselling services for marketing purposes.


With your consent, we collect the information of people who are willing to support our fundraising efforts and community initiatives. In those instances we will use your personal data, preferences and details of the events you have attended to keep you informed about fundraising events, initiatives and other ways in which we need your financial support or time as a volunteer.


You can withdraw your consent at any time as described earlier in this notice.


How we protect your personal data

We take the privacy of our users and the security of their data seriously. With this in mind we maintain physical, technical and administrative safeguards.


Access to your account is password-protected and we secure access to all transactional areas of our websites and apps using SSL encryption, meaning that any information you give us through them remains private and secure.


We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.


We restrict access to your personal data to those team members who need that information to perform their role and help provide services to you.


We provide training to all our team members about the importance of maintaining the confidentiality and security of your information.


Please contact us if you have any questions about the security measures we have in place.


How long will we keep your personal data?

We’ll only keep your personal data for as long as is necessary for the purpose for which it was collected and to comply with applicable law or resolve disputes. This means we set retention periods for all the personal data we collect.


When that retention period has passed, your data will either be completely deleted in a secure manner or anonymised e.g. by aggregation with other data in a non-identifiable way for statistical analysis and service planning purposes.


We retain our data in line with the Information Governance Alliance’s guidelines, and some examples of personal data retention periods are available in our full Privacy Notice, but please contact us if you have any questions about our Data Retention policies.

Who do we share your personal data with?


We do not reveal your personal data to third-parties unless:


you request or authorise it (e.g. when you agree to be referred to one of our external counselling partners);

the information is provided to comply with the law (for example, to comply with a court order);

to protect our rights, property or safety, or the rights, property or safety of our team members or others. This includes exchanging information with law enforcement organisations for the purposes of the detection or prevention of crime; or

the information is provided to protect your health, safety or other vital interests or the health, safety or other vital interests of another; or

the information is provided to our sub-contractors, agents, vendors or service providers who perform functions on our behalf; or

to address disputes, claims, or to persons demonstrating legal authority to act on your behalf; or

Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals; or

The Local Authority; or

Organisations we have a legal obligation to share information with i.e. for safeguarding purposes or the Care Quality Commission;


Your privacy and security are our priority. We will not share your information or the information you give us about them with perpetrator(s) unless we are legally obliged to do so under a court order.


Examples of the kind of third parties we work with

IT, software and SaaS companies who support our website and other business systems such as Wix.


These companies are data processors for The Echo Society (UK) Ltd which means they only use your data in order to provide the technical services we ask them to.


Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:


With your consent, given at the time you supply your personal data, we may pass that data to a third party for their direct marketing purposes.


Your privacy and security are our priority. We will not share your information or the information you give us about them with perpetrators unless we are legally obliged to do so under a court order.


We may, from time to time, expand, reduce or sell The Echo Society (UK) Ltd and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.


Where your personal data may be processed

As part of our commitment to your Privacy, we always opt to have your data stored in the UK or EU where possible. This includes instances where a vendor offers a choice of storage locations but where the EU option is more expensive.


However, sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA), such as the United States.


The Echo Society (UK) Ltd transfers personal data outside the EEA only:

  1. to countries where there is an adequacy decision in place i.e. the EU has formally determined that there is a sufficient level of protection in place under that nation’s data protection laws; or

  2. where the recipient is certified under an internationally recognised privacy framework which helps to ensure your protection; or

  3. with your consent; or

  4. to perform a contract with you; or

  5. to perform a contract with another in your interests; or

  6. to fulfil a compelling legitimate interest of The Echo Society (UK) Ltd in a manner that does not outweigh your rights and freedoms.


Any transfer of your personal data will follow applicable laws and we will always treat your personal information in line with the principles of this Privacy Notice.


This includes measures such as imposing contractual obligations on the recipient with respect to how they treat your data.


If you would like more information about how we protect your rights and freedoms when transferring your data outside the EEA, please contact our Data Protection Officer.


Protecting your data transferred to the United States

Many online services are reliant on US providers and/or servers which means many companies need to transfer your data to the US to provide the services and/or online functionality many people expect.


The United States has neither sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR.


The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.


Membership of the scheme is voluntary but, when choosing an infrastructure partner who transfers your data to the US, we select only those companies who are members of the EU-U.S. Privacy Shield.


Along with the contractual and organisational measures we have in place, we believe this helps to ensure your rights and freedoms are protected as the Privacy Shield framework is recognised by the European Union (although this may be subject to challenge by the European Data Protection Board).


Review of this privacy notice

We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to print a copy for your records.

If you have any questions regarding our privacy notice, please contact us by clicking here.
