21 Young Hearts

Privacy Policy

Privacy Policy

Last updated: 2 May 2026

1. Who we are

21 Young Hearts CIC (“21 Young Hearts”, “we”, “us”, “our”) is a Community Interest Company registered in England and Wales. We operate an inclusive café that provides meaningful employment opportunities for young adults with learning disabilities.

For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), we are the data controller of any personal data we collect through this website and through our café operations.

Our details:

  • Registered address: 20 The Square, Martlesham Heath, Martlesham, Ipswich IP5 3SL, United Kingdom
  • Email: hello@21younghearts.co.uk
  • ICO registration number: [TO BE ADDED — see note below]

This policy explains what personal data we collect, why we collect it, how we use it, how long we keep it, and what rights you have over it.

2. What personal data we collect

We only collect personal data that we genuinely need. The data we collect depends on how you interact with us.

2.1 Information you give us directly

When you use our contact form, email us, or get in touch by phone, we may collect:

  • Your name
  • Your email address
  • Any other information you choose to share with us in your message

If you visit our café, attend an event, or apply for a role or work-experience opportunity with us, we may also collect additional information appropriate to that interaction (for example, dietary requirements, accessibility needs, or details relevant to a job application). Where this involves more sensitive information, we will explain at the point of collection what we are doing and why.

2.2 Information collected automatically

When you visit our website, certain information is collected automatically by our website platform and the third-party services we use. This includes:

  • Your IP address (typically truncated or anonymised for analytics purposes)
  • The type of device, browser, and operating system you are using
  • The pages you visit on our site, and the time and date of your visit
  • The website you came from (if any)
  • Information collected via cookies and similar technologies (see Section 7)

2.3 Information from third parties

If you contact us through our social media channels, we may receive information from those platforms in line with their own privacy policies. We do not buy personal data from third-party data brokers.

3. How we use your personal data

We use your personal data for the following purposes:

  • To respond to your enquiries — when you contact us through our website, by email, or by phone.
  • To provide our café services — including taking and fulfilling orders, bookings, and managing your visit.
  • To manage employment, volunteering, and work-experience opportunities — including processing applications and supporting our team members.
  • To improve our website and services — using aggregated, anonymised analytics data to understand how visitors use our site.
  • To send you updates, news, or marketing communications — but only where you have asked us to, and you can unsubscribe at any time.
  • To protect our website and prevent fraud or abuse — for example, through Google reCAPTCHA on our contact form.
  • To comply with our legal obligations — including health and safety, safeguarding, employment, and tax obligations.

4. Our legal basis for processing your data

Under UK GDPR, we must have a lawful basis for processing your personal data. The basis we rely on depends on the purpose:

  • Consent — for non-essential cookies, marketing emails, and any optional information you choose to share.
  • Legitimate interests — for responding to enquiries you send us, protecting our website from spam and abuse, and improving our services. We balance our legitimate interests against your rights and freedoms.
  • Contract — where we need your information to provide a service you have asked for, or to take steps before entering into a contract with you (for example, a job application).
  • Legal obligation — where we are required by law to process your data, including for safeguarding, employment, and accounting purposes.
  • Vital interests — in rare cases where processing is necessary to protect someone’s life or health.

You can withdraw your consent at any time where consent is the basis for processing. This will not affect any processing carried out before you withdrew your consent.

5. Who we share your data with

We do not sell your personal data. We only share it with trusted third parties where it is necessary to operate our website and our services. These include:

  • Our website platform provider — which hosts our website and provides the technical infrastructure (including the contact form) on our behalf.
  • Google — we use Google reCAPTCHA on our contact form to protect against spam and abuse. Google processes IP addresses and interaction data in accordance with the Google Privacy Policy and Google Terms of Service. We may also use Google Analytics or similar tools to understand how our site is used.
  • Email and communication providers — to send and receive emails on our behalf.
  • Professional advisers — such as accountants, auditors, and legal advisers, where necessary.
  • Public authorities — where we are legally required to share information (for example, with HMRC, the police, or safeguarding authorities).

All third parties we use are required to keep your data secure and to process it only in line with our instructions and applicable data protection law.

6. International transfers

Some of the third-party services we use (including Google) may transfer your data outside the United Kingdom. Where this happens, we make sure appropriate safeguards are in place — such as the UK International Data Transfer Agreement, an adequacy decision by the UK government, or another lawful transfer mechanism — so your data continues to receive a similar level of protection to that provided in the UK.

7. Cookies

Our website uses cookies and similar technologies. A cookie is a small text file placed on your device when you visit a website.

We use:

  • Strictly necessary cookies — required for the website to function. These do not require your consent.
  • Analytics cookies — to understand how visitors use our site so we can improve it. These cookies are only set if you accept them via our cookie banner.
  • Third-party cookies — set by services like Google reCAPTCHA when you interact with them.

You can accept or decline non-essential cookies via the banner shown when you first visit our site. You can also control cookies through your browser settings — but please note that blocking some cookies may affect how the site works for you.

8. How long we keep your data

We only keep your personal data for as long as we need it for the purposes set out in this policy, or for as long as the law requires. In general:

  • Enquiries through our website or by email — kept for up to 2 years from your last contact with us, unless we need to keep them longer for a legal reason.
  • Marketing contact details — kept for as long as you remain subscribed, plus a short period afterwards to record your unsubscribe.
  • Job applications — kept for up to 12 months after the recruitment process ends, unless you ask us to delete them sooner or you join us as a team member.
  • Employment and volunteering records — kept in line with our statutory obligations (typically up to 6 years after the end of the working relationship).
  • Financial and tax records — kept for at least 6 years, in line with HMRC requirements.
  • Website analytics — kept in aggregated, anonymised form.

When we no longer need your data, we will securely delete or anonymise it.

9. How we keep your data secure

We take appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. This includes secure hosting, restricted access to personal data, and using reputable third-party providers who maintain their own security standards.

No method of transmission over the internet is completely secure, but we work hard to protect your data and to respond promptly if anything ever goes wrong.

10. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • The right to be informed — about how we use your data (this policy is part of how we meet that right).
  • The right of access — to ask for a copy of the personal data we hold about you.
  • The right to rectification — to ask us to correct any inaccurate or incomplete data.
  • The right to erasure — to ask us to delete your data, in certain circumstances.
  • The right to restrict processing — to ask us to limit how we use your data, in certain circumstances.
  • The right to data portability — to receive a copy of certain data in a portable format.
  • The right to object — to processing based on legitimate interests, and to direct marketing at any time.
  • Rights in relation to automated decision-making — we do not make decisions about you using purely automated means.
  • The right to withdraw consent — at any time, where we rely on consent.

To exercise any of these rights, please email hello@21younghearts.co.uk. We will respond within one month. We will not charge a fee unless your request is clearly unfounded or excessive.

11. Children’s data

Our website is not directed at children. We do not knowingly collect personal data from children under the age of 13 without the consent of a parent or guardian. If you believe we have collected information from a child without appropriate consent, please contact us and we will delete it.

12. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at hello@21younghearts.co.uk so we can try to put things right.

You also have the right to complain to the Information Commissioner’s Office (ICO), which is the UK data protection regulator:

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons. When we do, we will update the “Last updated” date at the top of this page. If the changes are significant, we will let you know more prominently — for example, through a notice on our website.

14. Contact us

If you have any questions about this privacy policy or how we handle your personal data, please get in touch:

21 Young Hearts CIC
20 The Square
Martlesham Heath
Martlesham
Ipswich IP5 3SL
United Kingdom

Email: hello@21younghearts.co.uk

Accessibility by WAH