Privacy Policy

The Royal British Legion Poppy Factory Ltd (The Poppy Factory) takes the privacy of our beneficiaries; clients; funders; staff; supporters; tenants; visitors and volunteers very seriously and is committed to protecting their personal information.

This Privacy Notice explains how we collect, store and use the personal data you provide us with, as well as your choices and rights in relation to this personal information.

How to contact us

If you have any queries about this Privacy Notice and Data Protection at The Poppy Factory, please contact:

The Data Protection Officer
TRBL Poppy Factory Ltd
20 Petersham Road
TW10 6UR


The Poppy Factory complies with The Data Protection Act 2018 and is registered with the Information Commissioner’s Office, registration no: ZA179142.

The Poppy Factory’s Privacy Statement

The General Data Protection Regulation (GDPR) provides the legal framework that defines how personal information can be used.  The Poppy Factory is committed to complying with the principles set out in the GDPR and will take all necessary steps to ensure it meets its legal obligation to protect any personal information we collect as follows:

  • Your personal information is only used for the purpose for which we collect it
  • Only information that we need is collected
  • Your personal information is only seen by those who need it to do their jobs
  • We will not share your personal information with any other third party without your consent unless we are required to do so by law, including safeguarding
  • We will only retain your personal information for as long as is required for the purpose for which it was collected
  • We will never sell your contact details to anyone
  • We will, where necessary, keep your information up to date
  • We will protect your information from unauthorised or accidental disclosure
  • We will provide you with a copy of your personal information upon request (see section below on access rights and requests)
  • We will take steps to correct inaccurate or misleading data as soon as possible when alerted

The above will apply whether the personal information is held on paper or in electronic form.

How do we collect information?

We collect personal information when you: enquire about our services and activities; register with us, send or receive an email; make a donation; ask a question about our services; if we have a property relationship with you; if you are a beneficiary or otherwise and provide us with personal information.  We may also receive information about you from third parties; for example other military charities or other referral agencies who signpost you to our services.

We collect this information by various methods including, for example, by mail, face to face, over the telephone; through our website or through completion of online or paper forms.

If you provide goods or services to The Poppy Factory, we will collect information in line with your contract for services.

What information do we collect?

The personal information we collect might include name, date of birth, email address, postal address; telephone number and credit/debit card details.  We may also collect sensitive personal information for example relating to health if this is required for the purpose for which you have contacted The Poppy Factory.

We may also gather general information about the use of our website, such as which pages users visit most often and which services, events and activities are of most interest.   Information gathered in this way will only be used to improve our online presence for users.

How do we use this information?

We use this information for the purpose of promoting and delivering the charitable objectives of The Poppy Factory.  This includes delivering an employment service to our clients; communicating effectively and appropriately with beneficiaries;  supporters and for fundraising to support our charitable activities (which may include communication with you on areas in which you have indicated an interest).  We may use information to personalise and improve our service to users claim Gift Aid on donations and for administrative purposes.

The lawful basis for which we process your information can be one or more of the following, depending on the particular subject and context:

  • You give your consent
  • Processing is necessary in order to deliver a service to you
  • Processing is necessary to comply with the law, for example, as an employer to meet our responsibilities to disclose salary information to HMRC;
  • Processing is necessary to protect your interests or that of another person
  • Processing is necessary for the performance of a task carried out in the public interest
  • Processing is necessary to pursue the legitimate interest of The Poppy Factory except where your individual rights override this. The legitimate interest will be subject to assessment based on the specific context and circumstance.

We will make every reasonable effort to communicate to data subjects the specific basis for legal data processing that has been adopted for a particular processing activity.

Do we share your information with anybody else?

We may need to share information with other parties in the course of providing services to you. We will make every effort to ensure that you are informed as to the reason for this and if appropriate have given explicit consent that we may do so.

We may share your personal information with our contractors who we engage to process data on our behalf, for example, we use contractors to process our payroll.  In such circumstances, information is processed  under relevant Data Processing Agreements.

We may also need to disclose your information if required to do so by law or as expressly permitted under applicable data protection law.

We will not sell your personal details to other charities or other third parties.

Storing and Protecting Your Data

We take appropriate measures to ensure that personal information disclosed to us is secure and to protect against the loss, misuse and alteration of personal data for which we are responsible:

  • Information is stored on servers located in the UK, with appropriate firewalls and cyber security measures in place
  • Electronic records are secured by encryption and passwords as appropriate
  • Paper records are kept in locked cabinets
  • Access to information (including sensitive personal information) is restricted only to staff who need to use the data
  • Staff receive training on data protection practice
  • We require all third parties who process data on our behalf to do so in accordance with the GDPR principles

Personal data is kept only for the period necessary for the purpose for which it was collected.  Thereafter it will be securely destroyed or anonymised in line with our data retention and disposal procedure.

Your Rights

You have several rights in relation to how The Poppy Factory uses your information.  They are:

  • Right to be informed
  • Right of access
  • Right to request your personal information be rectified
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automatic decision making including profiling

If you wish to exercise any of your rights above please contact the Data Protection Officer. Contact details of which are outlined in this notice.

You also have the right to report any of your concerns about the use of your data to the Information Commissioner’s Office.  Its helpline number is: 0303 123 1113.

Useful links