
Privacy & Data Protection Policy – Project HSH
Last updated: 17/10/2025
Project HSH (Home Sweet Home) is committed to protecting your personal information. This policy explains how we collect, use, store, and share data when you engage with our project, including when you submit testimonies, evidence, or contact details.
Project HSH (“we”, “us”, “our”) is committed to protecting your personal information and respecting your privacy in line with the UK GDPR and the Data Protection Act 2018.
We are registered with the Information Commissioner’s Office (ICO) under registration number ZC015578, and are insured for professional activities through Markel Direct.
Who we are & how to contact us
Controller: Project HSH
Data Protection Lead: Matthew King
Email: phsh.co.uk@gmx.com
Not a law firm - no legal privilege
Project HSH provides advocacy, signposting and practical support.
We are not a law firm and do not provide formal legal services.
This means communications with us are not protected by legal advice privilege or litigation privilege.
Please bear this in mind before sharing highly sensitive information and contact a qualified solicitor if you need confidential legal advice.
What data we collect
We may collect and process the following types of data:
- Contact details (such as name, email, phone if provided)
- Case-related information you choose to share (tenant statements, documents, photos, audio, video, utility or repair references, complaint IDs, etc.)
- Technical data such as IP address, browser type, device information, approximate location, and website usage data (via cookies)
- Communications, including emails, messages, and call notes
- Consent records and preferences
- In some cases, we may collect “special category data” - this includes information about health, disabilities, or other circumstances where the issue being raised has a physical, emotional, or psychological impact.
- Such data is handled with extra care and only processed where there is a clear lawful basis, typically explicit consent, vital interests, or substantial public interest (for safeguarding or advocacy purposes).
How we use your data
We only use your data where we have a lawful basis under data protection law. Typical purposes include:
- Responding to enquiries or requests for help (performance of a contract / legitimate interests)
- Collecting and organising evidence for advocacy, complaints, or regulatory purposes (consent / legitimate interests)
- Keeping accurate records for governance, insurance, and compliance (legal obligation / legitimate interests)
- Sending you updates you’ve asked for (consent / legitimate interests)
- Acting to protect life or safety in a safeguarding situation (vital interests / legal obligation)
Where your data comes from
We mainly receive information directly from you. With your consent, we may also receive information from relevant third parties such as a landlord, local authority, utility provider, or ombudsman service.
Sharing your data
We will only share personal data when it is necessary and lawful, for example:
- At your request or with your consent (for instance, forwarding evidence to a council, housing association, or ombudsman)
- With service providers that securely process or store data for us (email, cloud storage, hosting, analytics)
- With our insurer or legal adviser where necessary
- Where required by law or to prevent serious harm (e.g., safeguarding)
International data transfers
If any service provider stores or processes data outside the UK, we ensure that adequate safeguards (such as the UK’s International Data Transfer Addendum or EU Standard Contractual Clauses) are in place to protect your information.
How long we keep your data
We retain data only as long as necessary:
- General enquiries: up to 12 months
- Active case files: up to 6 years after closure
- Consent and opt-out records: as long as required for compliance
When the retention period ends, we securely delete or anonymise your data.
Security
We take security seriously. Safeguards include restricted access, encryption, audit trails, and offline (“air-gapped”) storage for sensitive materials. Only authorised personnel can access your data.
Your data protection rights
Under the UK GDPR, you have the following rights:
- Access: Request a copy of the data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your data where no lawful reason exists for retention.
- Restriction: Ask us to limit how your data is used.
- Portability: Receive your data in a transferable format.
- Objection: Object to certain uses, such as marketing or legitimate interest processing.
- Withdraw consent: Withdraw consent at any time (where applicable).
- Complain to the ICO: You have the right to complain to the Information Commissioner’s Office if you believe we’ve mishandled your data.
How to make a request
To make a data access, correction, or deletion request, email phsh.co.uk@gmx.com with the subject line:
“Data Request - Project HSH”
Include your name, preferred contact method, and details of the request.
We will acknowledge your request within five working days and provide a full response within one calendar month (extensions may apply for complex cases).
Requests are free of charge unless they are manifestly unfounded or excessive.
Cookies & analytics
Our website uses minimal cookies to ensure it functions correctly and to understand general visitor activity.
We only use:
- Essential cookies - to keep the site running (cannot be disabled)
- Analytical cookies - to help improve content and usability
You can manage or disable cookies through your browser settings. No personal identifiers are stored in analytical cookies.
Children’s data
Our services are aimed at adults. Where a case involves a child, any information shared is handled with extra care and only with the parent or guardian’s consent (or where required by law).
Third-party links
Our site may link to third-party websites. These sites have their own privacy policies, and we are not responsible for their content or practices.
How to complain
If you have any concerns about how we handle your data, please contact us first at phsh.co.uk@gmx.com.
You can also contact the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Changes to this policy
We may update this notice periodically. The “last updated” date will always show when it was last revised.
Project HSH
Registered with the ICO under number ZC015578
Insured by Markel Direct
© 2025 All rights reserved.
Appendix: Definitions
This appendix explains key terms used in this Privacy Policy to help you understand how we protect and handle personal data.
“Personal data”
Any information that can identify an individual directly or indirectly.
Examples include names, addresses, contact details, ID numbers, photos, or case references.
“Processing”
Any action performed on personal data such as collecting, recording, organising, storing, sharing, altering, or deleting it — whether by manual or automated means.
“Data controller”
The person or organisation that decides how and why personal data is processed.
Project HSH, represented by Matthew King, is the data controller for all information collected under this policy.
“Data processor”
A third party that processes data on behalf of the controller, under written instruction (for example, cloud storage providers, email servers, or form platforms used by Project HSH).
“Lawful basis”
The legal justification for processing personal data under Article 6 of the UK GDPR.
Project HSH typically relies on:
- Consent (you have given clear permission)
- Contract (we are helping you or taking steps at your request)
- Legal obligation (we must process data to comply with the law)
- Legitimate interests (to run our advocacy and community services)
- Vital interests (to protect someone’s life or safety)
“Special category data”
Sensitive information requiring extra protection under Article 9 of the UK GDPR.
This includes data about a person’s:
- Health or disabilities
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Sex life or sexual orientation
Project HSH may process health-related data only when it is directly relevant to a case (for example, the health impact of housing disrepair). Such data is processed under explicit consent, vital interests, or substantial public interest (safeguarding or advocacy).
“Consent”
A freely given, specific, informed, and unambiguous indication of a person’s wishes, signifying agreement to the processing of their personal data.
“Legitimate interests”
A lawful basis that allows Project HSH to process data when it is necessary for our legitimate organisational purposes - provided it does not override the rights or freedoms of individuals.
“Data subject”
The individual whose personal data is being processed - for example, a tenant, advocate, or case participant who contacts Project HSH.
“Third party”
Any individual or organisation other than the data subject, controller, or processor. This may include councils, housing associations, ombudsmen, or professional service providers.
“Data breach”
A security incident that results in unauthorised access to, or loss, alteration, or disclosure of personal data.
All breaches are recorded internally and, where required, reported to the ICO within 72 hours.
“ICO” (Information Commissioner’s Office)
The UK’s independent regulator for data protection and information rights.
Website: https://ico.org.uk
Telephone: 0303 123 1113
“UK GDPR”
The retained EU General Data Protection Regulation as incorporated into UK law under the Data Protection Act 2018. It governs how personal data must be collected, used, and protected.
“Data protection rights”
The legal rights granted to individuals under the UK GDPR, including access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with the ICO.
“Anonymisation”
A process that removes all personal identifiers from data so that it can no longer be linked to an individual.
“Retention period”
The length of time personal data is kept before being securely deleted or anonymised.
“Air-gapped device”
A storage system physically isolated from the internet and local networks.
Project HSH uses such devices for sensitive or evidential materials to reduce cyber-risk and improve data security.
“Advocacy”
In the context of Project HSH, advocacy means assisting tenants or vulnerable individuals by collecting, organising, and presenting evidence or statements to help them pursue fair treatment or redress.
This is not a legal service and does not create a solicitor-client relationship.
“Safeguarding”
Actions taken to protect the health, well-being, and rights of individuals who may be at risk of harm or neglect.
Project HSH may process or share data under this principle when necessary to prevent serious harm.
End of Appendix
