Accessibility Note

This Privacy Notice is available in alternative formats upon request. Please contact us via our website contact form if you require this information in a different format.

​

Introduction.

This notice (together with our Conditions of Use and any other documents referred to on it) tells you what to expect when The Echo Society Ltd uses your personal data.

 

It does not provide exhaustive detail of all aspects of our collection and use of personal data but we are happy to provide any additional information or explanation needed.

 

Any requests for this should be sent to info@theechosociety.org.uk

 

This privacy notice applies to information we collect about:

 

• visitors to our websites;

• those who sign up to our support services e.g. peer/social, support group and counselling services;

• people who use our online services e.g. who subscribe to our newsletter;

• Supporters, volunteers and donors;

 

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

​

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 3rd July 2025.

 

Who is The Echo Society Ltd?

The Echo Society Ltd (The Echo Society) is a limited company registered in England & Wales No 10330786 and our registered address is:

 

71 - 75 Shelton Street, Covent Garden, United Kingdom, WC2H 9JQ

 

The Echo Society is a volunteer-driven not-for-profit organisation providing peer support groups, social groups, training, counselling service, UK outreach workshops, and a grassroots movement for raising awareness and campaigning for those impacted by narcissistic abuse.​

 

The Echo Society is committed to protecting and respecting your privacy and our use of personal data on this website is aimed at helping us achieve these aims and to provide our users with the best service we can.

​

Data Protection Officer

The Echo Society Ltd has appointed an internal data protection officer who you can contact if you have any questions or concerns about our personal data policies or practices.

​

The Echo Society Ltd

71 - 75 Shelton Street

Covent Garden,

London.

WC2H 9JQ.

 

Email: info@theechosociety.org.uk

​

Your Rights: Understanding Your Data Control

In the UK, you have specific rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These rights are designed to help you understand, access, and control how your personal data is used.

​

If you’d like more detail, you can visit the Information Commissioner’s Office (ICO): www.ico.org.uk.

​

Your Right to Be Informed

You have the right to know how and why we collect and use your personal data. This notice is designed to provide that clarity.

Your Right to Access (Subject Access Requests – SARs)

You can request a copy of the personal data we hold about you.

How to ask:

Please contact us using the details in the “Contacting Us” section. If you can be specific about what you’re looking for, we’ll be able to help more quickly.

Our response time:

We aim to respond within one month. If your request is complex or you’ve made multiple requests, we may need up to two additional months — but we’ll let you know and explain why.

Verification and clarification:

If we need more information to understand your request or confirm your identity, we’ll pause the response timeline until we receive it.

How we search:

We’re legally required to make reasonable and proportionate efforts to find your data. We’ll always provide it in a clear, easy-to-understand format.

When we can’t disclose:

Sometimes, we may not be able to share certain information — for example, if it affects someone else’s rights or is legally protected. If that happens, we’ll explain why.

Your Right to Correct Inaccurate Data (Rectification)

If you believe any data we hold is incorrect or incomplete, you can ask us to correct it. You can also ask us to pause using that data while we investigate.

Your Right to Delete Your Data (Erasure / ‘Right to be Forgotten’)

You can ask us to delete your data in certain situations — for example, if it’s no longer needed or you withdraw consent. We’ll always explain if we’re legally required to keep some data.

Your Right to Restrict Processing

You can ask us to limit how we use your data — for example, while we’re checking its accuracy or if you’ve objected to its use.

Your Right to Data Portability

Where technically possible, you can ask for your data in a structured format (like a CSV file) or request that we send it directly to another organisation.

Your Right to Object

You can object to us using your data in certain ways — including for direct marketing or where we rely on legitimate interests. If you object to marketing, we’ll stop immediately.

Your Rights Regarding Automated Decisions

You have the right not to be subject to decisions made solely by automated systems if they significantly affect you. We don’t currently use such systems, but we’ll always offer a human review if needed.

Your Right to Complain to The Echo Society

If you’re concerned about how we use your data, you can contact us directly. We’ll respond promptly and do our best to resolve things with care and transparency.

Your Right to Complain to the ICO

If you’re not satisfied with our response, you can contact the Information Commissioner’s Office: www.ico.org.uk

​​

The reasons we can lawfully use your data

We only use your personal data when we have a lawful basis to do so.

 

Data Protection legislation sets out a number of these, but the ones we most commonly use are:

 

Consent

In many situations, we collect and use your personal data with your consent.

 

Performance of a Contract

There are situations where we need to use your personal data in order to provide the service you have asked us for (or to allow others to do so on our behalf).

 

Legal Obligation

If the law requires us to, we may need to collect and process your data – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.

​

• Vital Interest: Where processing is necessary to protect someone's life or physical integrity, for example, in an emergency situation.

 

Legitimate interest

We may use your personal data to pursue our legitimate businesses interests in a way which might reasonably be expected as part of running our business as long as it does not materially impact your interests, rights and freedoms.

 

These legitimate business interests can include:

 

• enhancing, modifying, personalising or otherwise improving our services and communications for the benefit of our customers and users.

• understanding how people interact with our websites

• determining the effectiveness of our marketing and services.

 

This can also apply to uses which are in your interests and those of others such as those which

 

• identify and prevent fraud or other illegal activity

• enhance the security of our network and information systems

​

You have the right to object to our processing of your personal data for our Legitimate Interests at any time.

 

Please contact us if you have any further questions about our use of your data in our legitimate interests.

 

When do we collect your personal data?

 

• When you visit our website.

• When you register for our counselling services, support groups, workshops, or events;

• When you enquire about our sponsorship and other funding opportunities;

• When you engage with us on social media or our campaign work;

• When you contact us by any means with queries, complaints etc;

• When your information is provided to us by someone who is receiving counselling or another service from us.

• When we receive a referral or other information from other healthcare professionals such as GPs, mental health teams, crisis teams etc

 

What happens if you don’t give us your data?

We gather only the information we need to provide the services you ask us to. Much of the information on our website is available without giving us your personal data.

 

However, some personal data is needed so we can supply you with the services and information you have requested.

 

What personal data do we collect, why and how do we use it?

We only collect the personal data we need to provide you with the services you have asked us to — including counselling, support groups, workshops, and events.

 

Contact Information

To begin with, this is normally your name and preferred contact method.

 

How we use it

We use this information to keep in touch with you and provide the services you have asked us to.

 

We may also use your contact information to send you survey and feedback requests to help improve our services. These messages will not include any promotional content and our legitimate interest to do this is to help make our services more relevant to you as an existing user.

 

Biographical Information

We initially ask for high-level details of the abuse you have experienced, as well as the services you are interested in — such as counselling, support groups, workshops, or events. Your counsellor may ask for further details in line with your counselling needs.

​

How we use it

This helps us identify a counsellor and services which are suitable to your needs.

 

Your contacts with us

Details of your contact with us online, by email, telephone, the postal service, or through one of our counsellors, support groups, workshops, or events. This may include your contact details and social media username(s).

 

How we use it

To respond to your queries and complaints. We need to use the information we hold about you to respond. We may also keep a record of your contacts with us to inform any future counselling needs and our communication with you. We do this on the basis of our contractual obligations to you and our legitimate interests in providing you with a good level of service and understanding how we can improve our service based on your experience.

 

Sensitive data

We collect and use this data only with your explicit consent and only to provide you with the counselling and support services you have requested from us. This information is never shared for any other purpose although we are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

 

The data of children

We only collect the information we need to provide counselling services to people over the age of 18.

 

We do not attempt to solicit or knowingly receive information from children under 18.

 

Technical Data that identifies you, how you use www.theechosociety.org.uk and our applications

Your IP address, login information, browser type and version, session ID, time zone setting, browser plug-in types, geolocation information, operating system and version.

 

The pages you visit, the path you take through our site, page load times, errors you receive, how long you stay on our pages, what you do on those pages, how often, details of jobs viewed or applied for and any search terms you entered etc

 

This information is normally gathered using cookies in your web browser. Learn more about our use of cookies and similar technologies.

 

How we use it

We use this information for a number of purposes related to providing the services you ask us to from login and authentication to remembering your settings.

 

We also use this information in our legitimate business interests such as improving and personalising our website and online services and to protect our business and your account from fraud and other illegal activities

 

The use of your data for marketing purposes

We never use information provided to us as part of our counselling services for marketing purposes.

 

With your consent, we collect the information of people who are willing to support our fundraising efforts and community initiatives. In those instances will use your personal data, preferences and details of the events you have attended to keep you informed about funding raising events, initiatives and other ways in which we need your financial support or time as a volunteer.

 

You can withdraw your consent at any time as described earlier in this notice.

 

How we protect your personal data

We take the privacy of our users and the security of their data seriously. With this in mind we maintain physical, technical and administrative safeguards.

 

Access to your account  is password-protected and we secure access to all transactional areas of our websites and apps using SSL encryption meaning that any information you give us through www.theechosociety.org.uk remains private and secure.

 

We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.

 

We restrict access to your personal data to those team members who need that information to perform their role and help provide services to you.

 

We provide training to all our team members about the importance of maintaining the confidentiality and security of your information.

 

Please contact us if you have any questions about the security measures we have in place.

 

How long will we keep your personal data?

We’ll only keep your personal data for as long as is necessary for the purpose for which it was collected and to comply with applicable law or resolve disputes. This means we set retention periods for all the personal data we collect.

When that retention period has passed, your data will either be completely deleted in a secure manner or anonymised e.g. by aggregation with other data in a non-identifiable way for statistical analysis and service planning purposes.

We retain our data in line with the Information Governance Alliance’s guidelines. Please contact us if you have any questions about our Data Retention policies or to request specific examples of retention periods.

 

Who do we share your personal data with?

• you request or authorise it (e.g. when you agree to be referred to one of our external counselling partners);

• the information is provided to comply with the law (for example, to comply with a court order);

• to protect our rights, property or safety, or the rights, property or safety of our team members or others. This includes exchanging information with law enforcement organisations for the purposes of the detection or prevention of crime; or

• the information is provided to protect your health, safety or other vital interests or the health, safety or other vital interests of another; or

• the information is provided to our sub-contractors, agents, vendors or service providers who perform functions on our behalf; or

• to address disputes, claims, or to persons demonstrating legal authority to act on your behalf; or

• Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals; or

• The Local Authority; or

• Organisations we have a legal obligation to share information with i.e. for safeguarding purposes or the Care Quality Commission;

 

Your privacy and security are our priority. We will not share your information or the information you give us about them with perpetrator (s) unless we are legally obliged to do under a court order.

 

The categories of third parties we work with include:

1. IT, Software, and SaaS Providers: These companies provide essential technical support for our website and business operations. This includes:

   • Website Hosting and Platform Providers: Such as Wix, which hosts our website and provides core functionality.

   • Website Enhancement Tools: Such as the 'All in One Accessibility widget', which we use to improve our website's accessibility features for all users. According to the provider, this widget does not collect or store any personal data or personally identifiable information (PII) from our website users. Any user preferences set through the widget are typically stored locally in your browser for the duration of your session or for your convenience on subsequent visits.

   • Other Business Systems: Providers of tools for website analytics (e.g., Google Analytics), relationship management (CRM), and internal administrative operations.

2. Service Providers and Specialist Counsellors: Where applicable, we may share your data with specific service providers or specialist counsellors to deliver the services you have requested or that are tailored to your needs. These parties are carefully vetted to ensure they adhere to our privacy standards and data protection laws. They are bound by professional ethical codes and strict contractual obligations of confidentiality.

​

Safeguards with Third Parties:

We ensure that all third-party providers who process personal data on our behalf are subject to appropriate data processing agreements (DPAs) or equivalent contractual safeguards. These agreements legally bind them to process your data securely, in accordance with our instructions and in compliance with UK GDPR requirements.

 

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

• With your consent, given at the time you supply your personal data, we may pass that data to a third party for their direct marketing purposes.

​

We may, from time to time, expand, reduce or sell The Echo Society Ltd and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.

 

Where your personal data may be processed

We always try to keep your data stored in the UK or European Union (EU) whenever possible. This includes choosing EU storage options from our service providers, even if they cost a little more.

​

However, sometimes we need to share your personal data with organisations or suppliers located outside the UK or European Economic Area (EEA), for example, in the United States.

​

When The Echo Society Ltd transfers your personal data outside the UK/EEA, we do so only if one of the following conditions is met:

​

• Adequate Protection: The country or territory has been officially recognized by the UK government as providing a sufficient level of data protection (these are called "adequacy decisions," and include EU member states).

• Approved Frameworks (like the UK-U.S. Data Bridge): The organization receiving your data is certified under an international data transfer framework approved by the UK government. A key example is the UK Extension to the EU-U.S. Data Privacy Framework (often called the UK-U.S. Data Bridge), which helps ensure your data is protected.

• Strong Contractual Safeguards: We have put in place appropriate agreements that legally bind the recipient to protect your data to UK standards. Examples include the UK’s International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses (which modifies the standard EU contracts for UK transfers).

• Your Clear Consent: You have given us your specific permission (explicit consent) to transfer your data.

• Contractual Necessity: The transfer is necessary to fulfil a contract we have with you.

• In Your Best Interest: The transfer is necessary for a contract between us and another party, but it's done in your interest.

• Our Legitimate Interest: The transfer is necessary for a compelling legitimate interest of The Echo Society Ltd, provided your rights and freedoms are not overridden.

 

Any international transfer of your personal data will always follow applicable laws. We are committed to treating your personal information according to the principles outlined in this Privacy Notice, no matter where it's processed.

 

If you would like more information about how we protect your rights and freedoms when your data is transferred outside the UK/EEA, please contact our Data Protection Officer using the details in the "Contacting Us" section below.

​

Contacting Us

If you have any questions or concerns about this privacy notice, our personal data policies or practices, or if you wish to exercise any of your data protection rights, please contact our Data Protection Officer:

The Echo Society Ltd

71 - 75 Shelton Street

Covent Garden

London.

WC2H 9JQ.

Email: info@theechosociety.org.uk​

​

Review of this Privacy Notice

We may update this Privacy Notice from time to time. The version that applies is the one posted on our website on the day you use our services.

​