Privacy Notice

“We” and “us” means Central YMCA. We are a registered charity delivering education and training programmes across England. Our registered address is: 120 Cromer Street, London, England, WC1H 8BS 

At Central YMCA we are committed to keeping your personal data safe and secure.

This notice sets out in detail the purposes for which we process information about you, who we share it with, what rights you have in relation to that information and everything else we think it’s important for you to know.

If you have any questions about the processing of your personal information, or you would like to exercise any of your rights, please reach out to us in the following ways:

Email us: data.protection@ymca.co.uk

Write to us:

Data Protection Officer

Central YMCA

120 Cromer Street

London

WC1H 8BS

To understand how we process your personal information, please visit the relevant appendix below:

If you are an employee, trustee or volunteer please view our HR privacy notice.

Changes to this Privacy Notice

We aim to keep this privacy notice regularly updated.  If we make any significant changes to the way in which we process your information, we will let you know by either reaching out to you or posting a banner on the website.

This notice was last updated in April 2026.

How we collect your information:

We collect information on you if you are a participant of one of our education and training programmes, including a study programme, apprenticeship, Skills Bootcamp or other short course. Your details will be registered on our learner management systems, and may be shared with funders, government departments and local authorities. The information collected includes name, date of birth, gender, ethnicity, learning needs, audiovisual recording, financial information, bursary forms and identification documents.

How we use this information:

We process your information for the following reasons:

• To administer learners’ and apprentices’ registration
• For delivering our services, courses and training
• To record attendance, participation and performance
• To support quality assurance processes during our programmes
• To provide assessment and certification for different programmes
• To link you with different apprenticeship employers
• To share your information with third parties to support the drawdown of funding
• To create and manage apprenticeship vacancies, including shortlisting applicants
• Record and manage any safeguarding concerns, including reporting safeguarding concerns to relevant local authorities or government agencies
• Record and manage any health and safety concerns

Lawful Basis we use:

We process most of your information on the basis of contractual obligation when you engage with us for one of our courses such as study programmes, apprenticeship programmes, Skills Bootcamps etc. For supporting learners with any additional needs, we rely on legitimate interest. For processing any special category data such as health information or Equality, Diversity and Inclusion (EDI) information, we rely on substantial public interest read with additional conditions from the Data Protection Act 2018, and employment and social security condition.

To share your information with third parties, rely on contractual obligation, public task or legitimate interest. For sharing it with funding agencies, we rely on legitimate interest.

In situations of safeguarding, we rely on legitimate interest, substantial public interest and conditions from the DPA.

Who we share your information with?

• We share your information with several organisations involved in providing our services. These organisations act as data processors for us.
• Additionally, we may also share your information with Ofsted, Department for Education, Department for Work and Pensions, Local Authorities, Councils and other Government Agencies. Each party acts as a separate data controller for your information.
• When we work as joint controllers, both parties (Central YMCA) and the other party will process your information.

How we store your information and for how long?

We store your information in line with our retention policy. For any queries, please reach out to us with the details above.

How we collect your information:

We collect your personal directly from you when you engage with us to use our facilities at KX or when you enquire about any of these services. 

We may collect several pieces of information in this process through different channels, such as application forms, day pass forms, health and safety information, and safeguarding information.  

The information we collect includes the following: your name, email address, bank details, address, health information, and gender.

How we use this information: 

We use this information to:

• Provide access to our facilities, including room hire, use of health and fitness facilities and class bookings
• Process your payments, cancellations, refunds etc.
• Recording any safeguarding concerns during service delivery or reporting safeguarding concerns to relevant local authorities or government agencies
• To facilitate your enquiries and help you use our centres
• For internal evaluation and monitoring

Lawful Basis we use:

• To process your membership on any of our sites, we rely on contractual obligation to process your personal information. For any health information or information on your race, ethnicity, gender, we rely on your explicit consent for processing this information.
• For processing information about your child when they register and use one of our services, we rely on contractual obligation for processing your information and your child’s information
• For any safeguarding information that we record, we rely on legitimate or vital interest, read with substantial public interest and conditions from the Data Protection Legislation

How we store your information and for how long?

We store your information in line with our retention policy. For any queries, please reach out to us with the details above.

Events:

We host many events in a year, and your personal information is collected when you register for an event with us. We may collect basic personal information, such as your name, email, phone number. We rely on legitimate interest to administer your registration for the event. When we collect other information such as dietary information, we rely on your explicit consent.

If you have attended an event with us previously, we may reach out to you to invite you for our future events. We rely on consent to send you emails and legitimate interest to call you on your registered number with us.

Donations:

Your personal Information is provided by you via a donation form on our website or via third party donation platforms (e.g. Just Giving and Virgin Money Giving). The information gathered may be: name, email address, Gift Aid sign up, company name if donation made by an organisation, donation details, reasons to engage, postal address. 

This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data.  If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration.  If you are donating using a third party, please also refer to the privacy notice published on their websites. 

Fundraising and Marketing:

We may reach out to you for fundraising purposes if you have previously engaged with us in an event, made a donation, or if we believe that you may be interested in engaging with our organisation. We may also email you marketing communications if you have signed up for marketing emails. We do not send any marketing or fundraising materials via post.  

We rely your consent to send your email communications, except where this is a business email address, whereby we rely on legitimate interest.

If you would like to change your marketing preferences, please reach out to us on the email address provided in the first section of this privacy notice, or you can simply unsubscribe with the option on the bottom of the emails.

Central YMCA has transferred its awarding organisation activities to a new, separate legal entity: Y Awards Limited which is owned by the Access Training group. As a result of this change, Y Awards Limited is now the data controller for all personal data processed in connection with its awarding functions.

We will only continue to hold limited personal data as part of its historic records, where retention is required for audit, legal, or regulatory purposes. Central YMCA is no longer a registered awarding organisation and therefore no longer processes personal data for awarding‑organisation activities. 

If you would like to exercise any rights in relation to our awarding activities, please contact Y Awards Limited at enquiries@dataprivacysimplified.co.uk. Further information can be found on Y Award’s Privacy Notice. 

As of 1^st April 2026, YMCAfit, previously part of Central YMCA, was transferred to Access Training (Wellbeing) limited. Central YMCA retains responsibility for all students funded by an Advanced Learner Loan, and all training and contract liability remains the responsibility of Central YMCA.   

Central YMCA has retained a copy of all student records, for which we continue to be data controllers, in line with our record retention policy. Information concerning all active learners, including new bookings and records of students still to complete their programmes, have been shared with YMCAfit under its new ownership.  

We will continue to hold limited personal data where retention is required for audit, legal, or regulatory purposes. We will also continue to hold full records for any students who have completed a course funded by an Advanced Learner Loan. 

If you are a current student and would like to exercise any rights in relation to YMCAfit, please reach out to datarequest@accesstraininguk.co.uk. Further information can be found on YMCAfit’s privacy policy.

Your rights

You have the following rights:

• ‘Right to be informed’, which means we will be completely clear and transparent about how we plan to use your personal information.
• ‘Right of access’, which means you can request details of the personal information we hold about you and how we use it. We will provide this within one month.
• ‘Right to rectification’, which means you can ask us to update or amend the personal information we hold about you, if it is incorrect.
• ‘Right to restrict processing’, which means you can ask us to change, restrict or stop the way we are using your personal information.
• ‘Right to erasure’ (or ‘right to be forgotten’), which means you can ask us to remove your personal information from our records.
• ‘Right to object’, which means you can object to us using your personal information for marketing purposes.
• ‘Right to data portability’, which means you can obtain the personal information we hold about you and reuse it for your own purposes.
• ‘Right not to be subject to automated decision making’, which means if we use systems to make a decision about you, you have the right to ask for a person to intervene, which may change the outcome.
• Right to lodge a complaint with a supervisory authority, such as the Fundraising Regulator or the Information Commissioner’s Office (ICO), if you are not satisfied with our response to a request you make to us, or you feel we are not using your information correctly.

International Data Transfer

Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).  

Complaints procedure 

If you are unhappy with the way we process your data, please get in touch with the Data Protection Officer using one of the contact methods above.

What Happens Next?

• We will acknowledge your complaint within 30 days of receiving it. 
• We will investigate your concerns. 
• We may contact you if we need further information. 
• We will respond as soon as possible and without undue delay.

Our response will explain:  

• What we have found 
• Whether any action has been taken 

You can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by at 0303 123 1113 or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.