CAT Logo

Privacy Notice


Home » Privacy Notice

Our promise to you:

Your information is in safe hands. We take our obligations very seriously and will only use your personal data in the ways you’ve agreed to, and as described below.

We’re committed to protecting your privacy. For example, we would never share your personal information with others for their own marketing purposes without your explicit, informed consent.

We’ll always strive to communicate with you appropriately. We’ll be clear about how you can expect to hear from us, and we’ll communicate with you in ways that we think you’ll appreciate and anticipate. We hold ourselves to the highest standards, for example we follow the Chartered Institute of Fundraising’s guidance on responding to the needs of people in vulnerable circumstances.

You’re in control. If you have any questions or requests, or if you would like to stop or change how we communicate with you at any time, please contact us at:

     fundraising@cat.org.uk

     01654 705988

     Centre for Alternative Technology, Llwyngwern Quarry, Machynlleth, Powys, SY20 9AZ

You can also indicate that you do not wish to receive our marketing emails by clicking the ‘unsubscribe’ link in at the end of any of our marketing emails.

Recent updates to this privacy notice

In Summer 2022 we made a few changes to this privacy notice and contacted everyone who may be affected by post and/or email. Here is a summary of some of the changes we made:

We’ve simplified it, making some parts shorter and easier to understand.

For example, we removed some repetition by combining the sections for membership, our conference, donations, legacies, card payments, Gift Aid and other ways you may provide data.

We’ve given you more information and control over website cookies and analytics.

It’s now much easier for you to see and choose exactly which types of cookies you’d like to enable or disable on this website. This can now be found at cat.org.uk/cookie-policy/

We’ve updated the section on Information and marketing communications, and other ways we use your data.

For example:

  • We added information about how we may request and use your sensitive personal information, such as allergies and dietary requirements, when this is strictly necessary.
  • We provided more specific information about third party suppliers we may share your data with so they can carry out specific services on our behalf and how we may share your data with others for their own purposes, such as other attendees at a conference who you’ve said you’d like to continue connecting and networking with.
  • We added details about ways we may collect your personal data directly, indirectly, from third parties and/or from publicly available sources.
  • We described how we may use this information to carry out analysis, sometimes using third parties, to ensure we are contacting you with the most appropriate and relevant communications and to identify those who may be able to provide higher levels of support and engagement, and how you can opt-out of this.
  • We have updated some details about the length of time we will retain your personal data for.

We’ve made a few other changes

For example, we have updated the section on Graduate School Enquirers, Applicants, Students and Alumni to say that we may share student data with the UK Government’s Higher Education Statistics Agency, for statistical reporting.

What's included in this Privacy Notice

Who we are

In this policy, the words “we”, “us” “our”, “CAT”, “Centre for Alternative Technology”, “GSE” “Graduate School of the Environment”, “WISE”, “Wales Institute for Sustainable Education”, “ZCB” and “Zero Carbon Britain” refers to the Centre for Alternative Technology Charity Limited.

Our registered office address is: Llwyngwern Quarry, Machynlleth, Powys, SY20 9AZ.

We are a company limited by guarantee with company number 1090006 and a charity registered in England and Wales with charity number 265239.

Our Information Commissioner’s Office Data Protection Registration Number is Z7490876.

About this privacy notice

This Privacy Notice was written to help you (the ‘Data Subject’) understand what personal information we collect from you, from others or generate ourselves when you use our services, why we collect it, how we use it, who we need to share it with to best provide these services and what your rights are in relation to your personal information.

As we provide a wide range of services, we’ve split this privacy notice into sections to help you easily find those sections that will be relevant to you. We welcome any questions or comments you may have on this privacy notice.

We use the term personal information to mean any information you give us from which you can be identified. This might include your name, your home address, your personal email contact details, or your telephone number. Personal information does not include information where your identity has been removed (i.e. anonymous data).

We use the term special categories of personal information to mean information about your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation.

Website, Cookies, Analytics and Wi-Fi

While you are onsite using our Wi-Fi, we will collect information about your device’s use of our network, i.e. IP address and network usage including sites visited. We cannot identify a person from their IP address and this information is for network and general security purposes but may be shared with law enforcement if it is of concern.

For information about our website, cookies and analytics and to configure your cookie choices, please visit cat.org.uk/cookie-policy/

External Links

Our website contains many links to other sites on the Web. If you leave our site via an external link, we cannot be held responsible for their privacy practices. If in doubt, please review their privacy notice.

Social Media Platforms

We also have a digital presence on social media. The information you share with us on social media platforms is dictated by your own privacy settings on these sites (please check your social media privacy settings for more details) but would normally include your name, any comments you make on our posts or updates and any direct or private messages sent to us on these platforms.

For other ways we may collect and use your data related to social media platforms, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

Supporting NHS Wales Test, Trace, Protect

The NHS Wales Test, Trace, Protect service helps trace close recent contacts of anyone who tests positive for COVID-19 and, if necessary, notifies them that they must self-isolate at home to help stop the spread of the virus.

CAT is supporting this service by collecting names and contact details of all visitors to our site.

What information we collect

We will collect the following information from visitors, students, short course participants, staff, volunteers, and anyone else who visits our site.

  • Name and telephone number as provided by yourself
  • Date of visit, arrival time and, where possible, departure time

As per government guidance, if you are visiting as a group we will record the contact details for all adult members of the group.

For staff and volunteers, we will use the contact information you have provided to us and which we have on file.

What we use this information for

Where it is necessary for us to collect information for the purposes of NHS Wales Test, Trace, Protect that we would not normally collect in our usual course of business it will only be used for the purposes of NHS Wales Test, Trace, Protect.  

Lawful basis

Our lawful basis for processing your personal data for the purposes of NHS Wales Test, Trace, Protect is legitimate interest.

Who it will be shared with and why

NHS Wales Test, Trace, Protect will only ask CAT for this information where it is necessary, either because someone who has tested positive for COVID-19 has listed CAT as a place they visited recently, or because CAT has been identified as the location of a potential local outbreak of COVID-19.

We will only share this information when it is requested by NHS Wales Test, Trace, Protect, and we will ensure that this information is shared in a safe and secure way.

How long we will retain this information for

Information that is collected solely for the purposes of NHS Wales Test, Trace, Protect will be retained for 21 days from the date of your visit.

Information collected in the course of normal business is covered elsewhere in this privacy notice.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification

Please read the “Your rights” section for more information.

Visitor centre tickets

This section applies to tickets purchased online without being converted to a donation.

If you are converting your entry fee to a donation, please see ‘Donations’ and ‘Gift Aid’ sections for details.

To process your ticket booking, we need to collect some information from you.

What information do we collect?

  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Your order history.
  • Records of what payments you have made when.

What do we use this information for?

We use your name and contact details to communicate with you about your ticket booking.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing and audit purposes. We also use this information for business analysis and store it to comply with financial regulations.

For other ways we may collect and use your data related to our visitor centre, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

Lawful Basis

Our lawful basis for collecting, storing and processing your contact details is contractual, as we need this information to be able to fulfil our contractual agreement of organising your booking.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping and audit purposes, contract for administrative purposes. We also use this information for your reference, for business analysis and marketing, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

Who will it be shared with and why?

Your details are collected and processed via our online booking system (Checkfront).

During COVID-19, we may also share details with NHS Wales Test, Trace, Protect (as outlined in that section of this Privacy Notice).

How long we will retain this information for?

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure – Not applicable to those details that we hold and process to fulfil our contract to you or as part of a legal obligation (as described above).
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Online Shop/Mail Order

What information do we collect?

  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Your order history.
  • Records of what payments you have made when.

What do we use this information for?

We use your name and address to deliver your order. We may use your email address and phone number to clarify aspects of your delivery or send you confirmations or receipts. Otherwise this will be included in your order.

For other ways we may collect and use your data related to our online shop/mail order, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

We will always consider what and how much mail is appropriate and likely to be of interest to you. We will not send you mail if you have told us you do not want this.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

We may also use the above information to better tailor information & marketing communications. More information can be found in the Information & Marketing Communications section.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

Lawful Basis

Our lawful basis for collecting, storing and processing your contact details is contractual, as we need this information to be able to fulfil our contractual agreement of fulfilling your order.

We use legitimate interest as our basis for using your address to send you information and marketing communications by post.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

We store your contact details, order and payment records in order to comply with our legal obligations (for financial record keeping, audit and debt recovery purposes, contract for administrative purposes). We also use this information for your reference, for business analysis, marketing and debt recovery purposes, where we are satisfied that we have a legitimate interest to do so.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we may hold on you to provide you with more relevant Information & Marketing Communications.

Who will it be shared with and why?

We may share your details with third party suppliers who carry out services for us. We will always hold a supplier to our own high standards of data protection, to ensure that they treat your information with the same care as we do. We never sell or swap your details with any other organisation for their marketing purposes.

These are some examples of how we work with third parties:

  • Suppliers or manufacturers who produce and/or deliver products and mail for us, and who may need to get in contact with you, if necessary, to fulfil your order. Examples include Royal Mail, Parcel Force, Anevay, Gardening Works and Tango Group.
  • Suppliers who deliver other communications for us by email and post. Examples include Atlas Direct Mail, The Delivery Group and MailChimp.
  • Our online shop is powered by Shopify. While administering your order they collect and process some of the information you provide during your order. For more information, see the privacy policy of Shopify (listed in the Contacts, Resources and Further Information section).

How long we will retain this information for?

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.

If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure – Not applicable to those details that we hold and process to fulfil our contract to you or as part of a legal obligation (as described above).
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Accommodation

To provide you with the comfortable stay we expect for all our guests we need to collect some information from you.

What information do we collect?

  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Your gender.
  • Any pertinent health details.
  • Emergency contact name and details
  • Your order history.
  • Records of what payments you have made when.

What do we use this information for?

We use your name and contact details to communicate with you about your accommodation booking.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We use your gender to allocate sharing rooms (if applicable).

We collect any pertinent health details so we can provide you with meals that meet your dietary requirements and to provide adjustments to your accommodation to better meet your needs.

Emergency contact details are obtained should we need to contact someone if you are ill or injured while you are on the course. You should confirm with this person that they are happy for their contact details to be used for this purpose and should show them this Privacy Notice.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

For other ways we may collect and use your data related to accommodation, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

Our lawful basis for collecting, storing and processing your contact details is contractual, as we need this information to be able to fulfil our contractual agreement of organising your booking.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping, audit and debt recovery purposes, contract for administrative purposes. We also use this information for your reference, for business analysis, marketing and debt recovery purposes, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

We want to provide you with a visit that meets the highest levels of safety. To fulfil this, we require emergency contact details and as such we use legitimate interest as our lawful basis for collecting and using this information.

We use explicit consent as our lawful basis for collecting, storing and processing health details.

Who will it be shared with and why?

Your details are collected and processed via our online booking system (Checkfront).

We may share any pertinent health details with emergency responders if necessary.

How long we will retain this information for?

We will delete health and emergency contact details as part of our post-course procedures. At the same time, we will anonymise the gender splits of the course.

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.

If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.

We may anonymise this data for business analysis purposes.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure – Not applicable to those details that we hold and process to fulfil our contract to you or as part of a legal obligation (as described above).
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Events

For some events you can arrive on the door and we don’t collect any personal information from you, however sometimes to organise an event and ensure you have the best experience we need to collect some personal information from yourself as an event organiser/booker or guest. If you are an organiser who is providing us with other people’s information, please inform them of the way we use their personal information which you provide us.

What information do we collect?

  • Your name and contact details as provided by yourself.
  • Names and contact details of other people in your group.
  • Correspondence records.
  • Any pertinent health details
  • Your booking records.
  • Payment records.

What do we use this information for?

We use your name and contact details to contact you about your event booking. If you are an event organiser we may contact you to ask if you’d be interested holding future events with us.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We collect any pertinent health details so we can provide you with meals that meet your dietary requirements and to provide adjustments to your accommodation or your access to the event to better meet your needs; we may use your contact details to communicate with you to discuss this further.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

For other ways we may collect and use your data related to events, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis
Our lawful basis for collecting, storing and processing your contact details (and any contact details you provide for other people in your group) is contractual, as we need this information to be able to fulfil our contractual agreement of organising your booking.

We use legitimate interest as our lawful basis for contacting you as event organiser to see if you’d be interested in holding future events with us.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

Explicit consent is our lawful basis for processing any health details that may be pertinent.

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping, audit and debt recovery purposes, contract for administrative purposes. We also use this information for your reference, for business analysis, marketing and debt recovery purposes, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

Who will it be shared with and why?

Your details are collected and processed via our online booking system (Checkfront).

We may share any pertinent health details with emergency responders if necessary.

How long we will retain this information for?

We will anonymise health details as part of our post-event procedures as we may wish monitor needs for business analysis.

Your name, contact details and correspondence relating to your booking will be deleted no later than 3 years since your most recent booking with us.

Your event booking history will no longer be used for or organisational and administrative purposes will be anonymised (for business analysis) by us deleting your name and contact details.

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.
If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure – cookies can be deleted through your browser or on your computer.
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Short Courses and Webinars

What information do we collect?

  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Your order history.
  • Records of what payments you have made and when.
  • Your gender.
  • Any pertinent health details.
  • Emergency contact name and details.

For our HETAS Courses specifically:

  • Previous qualifications
  • Performance details

For our Graduate School Short Courses specifically:

  • Images and audio of you (photographs and video)

What do we use this information for?

We use your name and contact details to communicate with you about your Short Course booking.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

For other ways we may collect and use your data related to short courses and webinars, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

We use your gender to allocate sharing rooms on Short Courses (if applicable).

We collect any pertinent health details so we can provide you with meals that meet your dietary requirements and to provide adjustments to your accommodation or the course to better meet your needs; we may communicate with you to discuss this further.

Emergency contact details are obtained should we need to contact someone if you are ill or injured while you are on the course. You should confirm with this person that they are happy for their contact details to be used for this purpose and should show them this Privacy Notice.

We may use this in conjunction with other information we hold on you for reference and business analysis purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

For our HETAS courses and webinars specifically:

We require details of your previous qualifications and collate details of your performance during the course to ensure you meet the requirements of the course.

For our Graduate School Short Courses and webinars specifically:

When you attend Graduate School Short Courses you will be learning alongside GSE students. We record GSE teaching sessions and activities for students’ reference. As a participant, you will likely appear in these videos and be heard asking questions or joining in with discussions. You can find more information on this in the Photographs and Videos section.

Lawful Basis

Our lawful basis for collecting, storing and processing your contact details is contractual, as we need this information to be able to fulfil our contractual agreement of organising your booking.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping, audit and debt recovery purposes, contract for administrative purposes. We also use this information for your reference, for business analysis, marketing and debt recovery purposes, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

Our lawful basis for videos, you can find more information on this in the Photographs and Videos section.

We want to provide you with a visit that meets the highest levels of safety. To fulfil this, we require emergency contact details and as such we use legitimate interest as our lawful basis for collecting and using this information.

We use consent as our lawful basis for collecting, storing and processing health details.

We collect, store and process your previous qualifications and performance details under the lawful basis of contract as per our obligations as a HETAS accredited course provider.

For our National Botanic Gardens of Wales webinars and courses specifically:

The lawful basis for this processing is ‘Public task’ (the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.)

Who will it be shared with and why?

Your details may be collected and processed via our online booking systems. These currently include Checkfront and 123formbuilder.

If you are booking on to HETAS course we will share your details with HETAS so they can certify you. Their details can be found in the Contacts, Resources and Further Information section.

We may share any pertinent health details with emergency responders if necessary.

For our National Botanic Gardens of Wales webinars and courses specifically:

CAT runs courses and webinars in partnership with the National Botanic Garden of Wales, as part of their Growing the Future project. These are made possible through funding from the European Union, via the Welsh Government’s Welsh European Funding Office (WEFO).

In order to comply with the funding requirements, CAT will share the full name and email address of webinar participants with the National Botanic Garden of Wales, who may use the data for operation level evaluations.

The National Botanical Garden of Wales will transfer the data to The Welsh Government/Welsh European Funding Office (WEFO). The Welsh Government/WEFO uses this data to monitor and evaluate the EU funds in Wales. For example, the Welsh Government/WEFO commissions surveys of participants (ESF Participants Surveys). Welsh Government may also link participant records to other information about them held by the Welsh Government and UK Government departments. The data may be shared with Welsh Government teams, European Commission auditors and independent auditors, and used for other purposes as described in WEFO’s GDPR Information Document.

The Welsh Government, the National Botanic Garden of Wales and CAT are joint data controllers. Any third parties the Welsh Government shares the personal data with would be data processors. The Data Protection Officer for the Welsh Government can be contacted on Data.ProtectionOfficer@gov.wales

How long we will retain this information for?

We will delete health and emergency contact details as part of our post-course procedures. At the same time, we will anonymise the gender splits of the course.

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.

If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.

After this time your data may be anonymised for business analysis purposes.

HETAS Courses Bookers’ Employer References, Previous Qualifications and Participants’ Performance Details will be deleted between 3 and 4 years after the relevant course.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure – Not applicable to those details that we hold and process to fulfil our contract to you or as part of a legal obligation (as described above).
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

School, University & Group Visits

If you are a student of a visiting school or university, or you’re a member of a group visit we won’t collect your personal information. We will collect some information from you if you are the group’s leader or organiser.

What information do we collect?

  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Emergency contact details.
  • Booking History
  • Payment Records

What do we use this information for?

We use your name and contact details to contact you about your booking and to organise your visit. We may also use this to contact you about repeat bookings.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

Your emergency contact details are obtained should we need to contact someone if you are involved in an emergency while at CAT. You should confirm with this person that they are happy for their contact details to be used for this purpose and should show them this Privacy Notice.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

For other ways we may collect and use your data related to school, university and group visits, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

Our lawful basis for collecting, storing and processing your contact details is contractual, as we need this information to be able to fulfil our contractual agreement of organising your booking.

We use legitimate interest as our lawful basis for contacting you about repeat bookings.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

We want to provide you with a visit that meets the highest levels of safety. To fulfil this, we require emergency contact details and as such we use legitimate interest as our lawful basis for collecting and using this information.

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping, audit and debt recovery purposes, contract for administrative purposes. We also use this information for your reference, for business analysis, marketing and debt recovery purposes, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

Who will it be shared with and why?

How long we will retain this information for? We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.
If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.
For the purpose of organising your visit and contacting you about repeat bookings, this information will be anonymised no later than 4 years since your last booking.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Graduate School Enquirers, Applicants, Students and Alumni

Our Masters degrees are certified by our awarding universities. As part of our contract with them we are required to provide up-to-date information for them.

What types of information might we collect?

  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • A copy of your ID (e.g. Passport or Driver’s License) and therefore any information listed on the ID.
  • Images and audio of you (photographs and video)
  • Qualifications
  • Employment History
  • Emergency contact name and details
  • Nationality
  • Ethnicity
  • Gender
  • Sex
  • Religion
  • Date of Birth
  • Any pertinent health details.
  • Emergency contact name and details
  • Parent’s Level of Education
  • Academic Work – Dissertation
  • Academic Work – Other assignments
  • Course performance
  • Attendance and Study Modes (incl. Full-time or Part Time modes, intermissions, attendances onsite or logins by distance learning, etc.)
  • Student Finance Entitlement
  • Bursary Status
  • Booking history (i.e. modules, workshops, accommodation, etc).
    Payment records.

For Bursary Applicants only:

  • Description of financial situation.

What do we use this information for?

Your name and contact details will be used to administer your enquiry or application and to contact you about it or about your course and to keep in touch with you after you graduate.

If you apply for one of our bursaries we will use this information to identify you in relation to your application.

Your address (specifically country of residence) at the start of the course will be used to determine whether you are charged Home/EEA or Overseas Tuition Fees.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We require a copy of your ID to prove your identity and to provide our contractual obligation to our course’s awarding university.

An ID-style photo will be used for your student ID card and to help staff identify you. If you consent, we may share this photo with other students for academic purposes (e.g. group work, etc).

We record GSE teaching sessions and activities for students’ reference. As a GSE student, you will likely appear in these videos and be heard asking questions or joining in with discussions. You can find more information on this in the Photographs and Videos section.

Your qualifications, employment history and references are collected and held to help us to ascertain your suitability for the course or for bursary applications and to serve as a record for our decision.

This will also be used for business analysis purposes.

After you graduate we may want to discuss opportunities for engagement based on your area of expertise. We would use your contact details, qualifications and employment history for this purpose.

We may ask for nationality, ethnicity, gender, sex, religion, date of birth and health details for the purpose of monitoring and encouraging equality and diversity. We are also contractually obliged to ask for these details by our courses’ awarding universities.

These details may be used for Business Analysis but will be anonymised for this purpose.

Nationality may be used to assess suitability for attending the whole course onsite (as we do not hold a Tier 4 immigration sponsor license).

We use your gender to allocate shared accommodation (if applicable).

We collect any pertinent health details so we can provide you with meals that meet your dietary requirements and to provide adjustments to your accommodation or the course to better meet your needs; we may communicate with you to discuss this further.

Throughout your course you may provide us with further information about your health (e.g. doctors’ notes) as evidence of mitigating circumstances.

Emergency contact details are obtained should we need to contact someone if you are ill or injured while you are on the course. You should confirm with this person that they are happy for their contact details to be used for this purpose and should show them this Privacy Notice.

We may ask for your parent’s level of education to monitor and improve diversity and provide this information to our courses’ awarding university as part of our contractual agreement with them.

We collect copies of your academic work for assessment towards completion of your course. It will also be held on Turnitin for plagiarism checks and may be available to other institutions when plagiarism is detected. This may be anonymised to provide example coursework to future students and potential students. We may wish to display or publish your work to the public and credit you for this; in which case we will ask for your consent to do this.

Your dissertation (which includes your name as the author) will be kept by CAT and the GSE and after assessment may be made available to the public to read. You may apply a non-disclosure condition to this. More details are available upon request.

We generate a record of your course performance to record and prove your achievements towards your qualification. If you have a strong academic record in a particular area, we may wish to contact you for marketing and promotional purposes and alumni opportunities.

Attendance and Study Modes (incl. Full-time or Part Time modes, intermissions, attendances onsite or logins by distance learning, etc.) is held for administrative and reference purposes and to inform funders if contractually required.

Your study mode may be used in conjunction with your contact details to contact you about opportunities to contribute to promotion that may focus on the experience of students or alumni who studied by a particular study mode.

To administer your receipt of student finance or to make amendments to fees etc., we may require information about your student finance entitlement. Some of this will be provided to us by the funder but we may ask for additional information to this to make administration and release of funds quicker and easier.

We will use your bursary status to administer your receipt of the funding and in conjunction with your contact details to contact you regarding terms of the bursary award and to identify you as a bursary recipient so we can contact you for promotional purposes.

We collect your booking history to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

For other ways we may collect and use your data related to Graduate School enquirers, applicants, students and alumni, see the section on ‘Information and Marketing Communications, and other ways we use your data’.

We may use your booking history in conjunction with your contact details to contact you about opportunities to contribute to module-specific promotion.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

Much of the information we request is integral to your course, qualification and your contract with the certifying body which we are required by them to collect and process on their behalf. Contract is the lawful basis for collecting, storing and processing the following information:

  • Your name and contact details as provided by yourself.
  • Records of correspondence
  • A copy of your ID (e.g. Passport or Driver’s License) and therefore any information listed on the ID.
  • ID-style photo for student card and GSE staff use.
  • Images and audio of you in recording of teaching sessions and activities.
  • Qualifications for the purpose of course or bursary applications and record keeping.
  • Employment History for the purpose of course or bursary applications and record keeping.
  • Emergency contact name and details
  • Nationality
  • Date of Birth
  • Any pertinent health details.
  • Emergency contact name and details
  • Parent’s Level of Education
  • Academic Work – Dissertation
  • Academic Work – Other assignments for the purpose of assessment towards your qualification and for plagiarism prevention purposes.
  • Course performance for certification and record keeping purposes.
    Attendance and Study Modes (incl. Full-time or Part Time modes, intermissions, attendances onsite or logins by distance learning, etc.) for the purpose of course administration, your qualification and fulfilling contractual obligations to certifying bodies and funders etc.
    Student Finance Entitlement (when we have contractual obligations with the funder)
  • Booking history (i.e. modules, workshops, accommodation, etc).
  • Payment records.

Our lawful basis for processing the following data is consent:

  • ID-style photo for the purpose of sharing with other students.
  • Ethnicity
  • Religion
  • Academic Work as an anonymous coursework example.
  • Additional student finance information.

We use legitimate interest as our lawful basis for holding the following information and for contacting you by phone or post for the purpose of alumni opportunities and promotion specific to this data:

  • Name and contact details
  • Qualifications
  • Employment History
  • Course performance
  • Attendance and Study Modes (incl. Full-time or Part Time modes, intermissions, attendances onsite or logins by distance learning, etc.)
  • Bursary Status
  • Booking History
  • Academic Work – Dissertation
  • Academic Work – Other assignments
  • Photography and Videos

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping, audit and debt recovery purposes, contract for administrative purposes. We also use this information for your reference, for business analysis, marketing and debt recovery purposes, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

Who will it be shared with and why?

Our Masters degrees are certified by our awarding universities. As part of our contract with them we are required to provide up-to-date information for them. This covers all the information we collect or produce.

The forms related to the GSE are provided by 123 Form Builder. All information input into these are processed and stored by 123 Form Builder where we access the information from. You can find more information on this under 123 Form Builder in the Contacts, Resources and Further Information section.

  • Your name, e-mail address and skype name will be shared with other students as necessary for academic purposes (for example: sign-up sheets, skype tutorials, group work, etc).
  • Your image and voice may be shared with other students in the form of recordings of teaching sessions and activities.
  • Payments made through our online forms use a payment gateway. For more information on this see the ‘Information and marketing communications, and other ways we use your data’ section.
  • Information input in the application and pre-enrolment forms is also input into Google Sheets so various staff members involved in your application and enrolment can access and administer live information.
  • How long we will retain this information for? Applicants who have not enrolled or deferred:

The following information will be deleted in the December following your proposed intake:

  • A copy of your ID (e.g. Passport or Driver’s License).
  • Photo
  • Emergency contact name and details
  • Any other documents submitted in support of your application

The following information will be anonymised in the December following your proposed intake:

  • Postcode
  • Qualifications
  • Employment History
  • Nationality
  • Ethnicity
  • Gender
  • Sex
  • Religion
  • Date of Birth– changed to month and year of birth.
  • Any pertinent health details.
  • Emergency contact name and details
  • Parent’s Level of Education
  • Planned Study Modes (Full-time or Part Time modes)

The following information will be anonymised (by deleting personally identifying information) for business analysis in the December following your proposed intake. It will be kept for financial record keeping, audit and debt recovery purposes for 7 years and 1 month after each individual invoice/payment/etc:

  • Your name and contact details as provided by yourself.
  • Student Finance Entitlement
  • Records of correspondence
  • Booking history (i.e. modules, workshops, accommodation, etc). This will be anonymised (for business analysis) in the December following your proposed intake.
  • Payment records.

We may pass your personal data to other third parties, as detailed in the section on ‘Information and Marketing Communications, and other ways we use your data’. We will not normally pass your personal data to any other third parties without your consent for any other reasons, unless required to do so by law, or in response to a request for assistance from law enforcement bodies such as the Police or the Student Loans Company.

To perform regulatory and/or legal responsibilities or purposes, we may, from time to time, need to share your information and data with the following organisation for statistical reporting: HESA https://www.hesa.ac.uk/about  (Higher Education Statistics Agency).

Details on how HESA processes your personal data are set out in the HESA Student Data Collection Notice.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to erasure – Not applicable to those details that we hold and process to fulfil our contract to you or as part of a legal obligation (as described above).
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Photographs and Video

What information do we collect?

  • Your image (Photographs, Video and CCTV)
  • Your voice (Video)

What do we use this information for?

Photographs and Video might be captured for the following purposes:

  • Marketing, promotion or other CAT-related media.
  • We record GSE teaching sessions and activities for students’ reference. As a GSE student, you will likely appear in these videos and be heard asking questions or joining in with discussions.
  • CCTV may be used for security and safety reasons on CAT premises.
    CCTV footage is retained for a set period of time in which it will only be viewed for safety and security purposes as per the Data Protection Act 1998, the General Data Protection Regulation (GDPR) and any applicable replacement legislation, and ICO CCTV Code of Practice. Signs will show you if CCTV is in operation.
  • Your record of consent to appear in photographs or videos may be used in conjunction with other information we hold on you for reference and business analysis purposes as described in the sections relating to those services.
  • If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

We use explicit consent as our lawful basis for capturing, holding and sharing your image in photographs and video where you are not in a crowd and are clearly recognisable.

Our lawful basis for capturing and sharing recordings of you in GSE teaching sessions and activities is contractual as the provision of recordings is an integral part of our contractual offer to students and we cannot reasonably avoid your inclusion.

Our lawful basis for collecting video through CCTV is legitimate interest.

Who will it be shared with and why?

Promotional, marketing and media photographs and video will be shared in publications both physical, digital and online. It may be shared with third party websites or publications who are marketing or promoting us.

Videos taken for GSE teaching and learning will be shared with other students through our virtual learning environments.

Your image captured by CCTV will never be shared with third parties except law enforcement bodies.

How long we will retain this information for?

We will retain photographs and videos for as long as necessary to fulfil the specific marketing and promotional purposes we collected it for. Please contact us using the contact details provided in the Contacts, Resources and Further Informationsection if you would like more information about how long we will keep photographs and/or videos of you.

You should be aware that photographs and/or videos may still be available in old publications (physical or digital) after we have deleted them from our systems. We do require third parties to obtain our permission before they use any images, audio or video etc, and we make reasonable efforts to inform shared parties to stop using material without our permission. However, once an image is shared publically other parties may circulate it against our wishes and we cannot guarantee your privacy once the material has left our systems.

CCTV footage is only retained long enough for any incident to be recognised as in need of investigation and for it to be investigated or provided to law enforcement bodies if necessary.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification – this may not be applicable for unedited images or audio.
  • Right to erasure – Not applicable to those details that we hold and process to fulfil our contract to you or as part of a legal obligation (as described above).
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Accidents and ‘Near Miss’ Reporting

If you have an accident or a ‘near miss’ at our Visitor Centre, other property or one of our events we will report it in our Accident or ‘Near Miss’ Books.

What information do we collect?

  • Contact Details
  • Date of Birth
  • Health Details
  • Description of what happened to what part of you.
  • Any prior or ongoing health conditions that may be pertinent to the accident or ‘near miss’.

What do we use this information for?

We use this to monitor trends of ‘near misses’ so we can avoid further accidents or ‘near misses’ happening in future.

We may also refer to it as a description of what happened if you were to make a legal claim or if we were audited by an external auditor.

We use your date of birth to determine how long we keep the information for (see ‘How long we will retain this information for’ below).

We may use this in conjunction with other information we hold on you for reference and business analysis purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

This processing is necessary for compliance with our obligations under health and safety legislation and regulation and, as such, this our lawful basis for processing.
Who will it be shared with and why? Not applicable.
How long we will retain this information for?
If you are an adult, we will keep this information for no longer than 4 years after the accident.

If you are a child at the time of the accident or near-miss, we will keep this information for no later than 6 months after your nineteenth birthday.

Your rights

  • Right to be informed – as implemented here
  • Right of access
  • Right to rectification
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Volunteers

What information do we collect?

  • Application information:
  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Referee’s name and contact details.
  • Employment History
  • Qualifications
  • Nationality
  • Ethnicity
  • Gender
  • Date of Birth
  • Health details
  • Criminal Convictions

Volunteer records [Successful applicants who have started a volunteer placement only]:

  • Emergency Contact details
  • Health & Safety records and declaration
  • Declarations and agreements
  • IT Usage
  • Training and Development records
  • Short Courses records
  • All other correspondence relating to the volunteer (as distinguishable from their role)
  • Booking Records (e.g. accommodation and meals)
  • Payment Records

What do we use this information for?

Your name and contact details will be used to administer your application and to contact you about it and during or after your placement if necessary.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

Your employment history and qualifications are collected and held to help us to ascertain your suitability for the role you are applying for and to offer you other opportunities which may be of interest to you.

We may ask for ethnicity, nationality, gender, date of birth and health details for the purpose of monitoring and encouraging equality and diversity.

There are a wide variety of volunteering tasks at CAT but some have certain health requirements (e.g. Hepatitis A immunity for working with our reed beds), so we may ask for information like this to ensure you are safe to perform these tasks, other tasks can be found otherwise or if consent for this information is not given.

We ask you to provide information about criminal convictions to observe the Rehabilitation of Offenders Act 1974 and to follow our Safeguarding Policy.

Your emergency contact details are used to contact someone in the event of you being involved in an emergency.

Emergency contact details are obtained should we need to contact someone if you are involved in an emergency while at CAT. You should confirm with this person that they are happy for their contact details to be used for this purpose and should show them this Privacy Notice.

After you have been offered your role we will ask for health details again and may request expert advice (in the form of occupational health or a doctor’s note) if there is concern that even with reasonable adjustments, that the role may not be suitable for your health.

Throughout your placement there may be instances where we have to collect further health details for the purpose of ensuring we have met our contractual obligations to ensure you are fit to work or otherwise.

We hold your short courses record to monitor how many of your free courses entitlement you have used.

As part of your contract with us we may require you to sign various declarations and agreements. We will also hold various employment records relating to performance, training and development, disciplinaries and grievances, etc to ensure both you and CAT are following CAT policies and procedures and to be used in the case of any disagreements, disciplinaries or legal claims etc.

We collect your booking records to monitor what you have booked for administrative, marketing and business analysis purposes. This is also for your reference if required.

We compile a record of your payment history which also includes your booking for your reference, administrative, marketing, audit and debt recovery purposes. We also use this information for business analysis and store it to comply with financial regulations.

We may also use the above information to better tailor Information & Marketing Communications to you if you have signed up to receive these. More information can be found in the Information & Marketing Communications section.

This information may be used in conjunction with other information we hold on you for reference, business analysis and marketing purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

Our lawful basis for requesting your name, contact details and for recording your declarations and agreements is contract as part of our written agreement of volunteering.

Correspondence details are important for us in providing our service to you. We use contract as our lawful basis for processing this information.

We use consent as our lawful basis for collecting your employment history, qualifications, references, health details, nationality, ethnicity, gender and date of birth for monitoring and encouraging equality and diversity purposes.

Legal obligation is our lawful basis for collecting, storing and processing your criminal convictions.

Further health details that may need to be disclosed through the course of your employment are collecting as per your contract with CAT, so the lawful basis of contract is used.

Your emergency contact details, declarations and agreements and volunteer records relating to short courses usage, training and development, etc are created, collected, stored and processed with contract as our lawful basis.

We use legal obligation as our lawful basis for storing your contact details, booking and payment records for financial record keeping, audit and debt recovery purposes, contract for administrative purposes. We also use this information for your reference, for business analysis, marketing and debt recovery purposes, which we use legitimate interest as our lawful basis for.

We use legitimate interest as our lawful basis for using this information in conjunction with other information we hold on you to provide you with more relevant Information & Marketing Communications.

Who will it be shared with and why?

How long we will retain this information for?

  • Volunteer candidates who do not start a volunteering placement:
  • This information is erased between 1 and 2 years since your application. This allows you 1 year to start a placement without having to re-apply.

Volunteers on placement:

This information is erased between 3 and 4 years since the end of your placement.

This is with exception of your short courses usage which may be retained longer for other uses (please see Short Courses section).

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.
If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.
We may anonymise this data for business analysis purposes.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access – you may not have the right to access references or some aspects of disciplinary and grievance information if it infringes on the rights of others e.g. others’ personal details will be redacted, etc.
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Employees

We collect a wealth of information all the way from an application for a job, right the way through your employment here at CAT.

What information do we collect?

  • Application information:
  • Your name and contact details as provided by yourself.
  • Correspondence records.
  • Referee’s name and contact details.
  • Employment History
  • Qualifications
  • References
  • Nationality
  • Ethnicity
  • Gender
  • Date of Birth
  • Health details
  • Criminal Convictions
  • Personnel records [Successful applicants only]:
  • Emergency Contact details
  • Expanded health details e.g.:
  • Occupational Health Records & Health Screening declaration
  • Sickness self-certifications
  • Return to work declarations
  • Doctors’ notes.
  • Health & Safety records and declaration
  • Disciplinary and Grievance records
  • Performance records
  • Training and Development records
  • All other correspondence relating to the member of staff (as distinguishable from their role)
  • Payroll information
  • Salary / Wages
  • Pension Details
  • National Insurance Number
  • Tax Details
  • Benefits Records
  • Next of Kin
  • Bank Details

What do we use this information for?

Your name and contact details will be used to administer your application and to contact you about it and during or after your employment if necessary.

We keep records of our correspondence with you for our reference to best communicate with you in future and best deliver this and future services to you.

We may use your Referee’s contact details to contact them for a reference. Please check with them first that they are happy for you to share their details with us for this purpose.

Your employment history, qualifications and references are collected and held to help us to ascertain your suitability for the role you are applying for.

We may ask for ethnicity, nationality, gender, date of birth and health details for the purpose of monitoring and encouraging equality and diversity.

We ask you to provide information about criminal convictions to meet our employment law obligations (e.g. Rehabilitation of Offenders Act 1974 and to follow our Safeguarding Policy).

Your emergency contact details are used to contact someone in the event of you being involved in an emergency.

Emergency contact details are obtained should we need to contact someone if you are involved in an emergency while at CAT. You should confirm with this person that they are happy for their contact details to be used for this purpose and should show them this Privacy Notice.

After you have been offered your role we will ask for health details again and may request expert advice (in the form of occupational health or a doctor’s note) if there is concern that even with reasonable adjustments, that the role may not be suitable for your health.

Throughout your placement there may be instances where we have to collect further health details for the purpose of ensuring we have met our contractual obligations to ensure you are fit to work or otherwise.

As part of your contract with us we may require you to sign various declarations and agreements. We will also hold various employment records relating to performance, training and development, disciplinaries and grievances, IT usage, leave, etc to ensure both you and CAT are following CAT policies and procedures and to be used in the case of any disagreements, disciplinaries or legal claims etc.

We use your payroll information to pay your salary / wages and to fulfil our obligations to HMRC and the DWP.

We may use this in conjunction with other information we hold on you for reference and business analysis purposes as described in the sections relating to those services.

If we wish to use this information for other purposes, we will ask for your consent to do this first.

Lawful Basis

Our lawful basis for requesting your name and contact details is contractual.

We use contract as our lawful basis for processing correspondence details.

We use legitimate interest as our lawful basis for collecting your employment history, qualifications, referee’s contact details, references. Health details, nationality, ethnicity, gender and date of birth are for monitoring and encouraging equality and diversity purposes.

Legal obligation is our lawful basis for collecting, storing and processing your criminal convictions and payroll details.

Further health details that may need to be disclosed through the course of your employment are collecting as per your contract with CAT, so the lawful basis of contract is used as well as preventive or occupational medicine additional lawful basis.

Your emergency contact details, declarations and agreements and employee records relating to performance, training and development, disciplinaries and grievances, IT usage, leave, etc are created, collected, stored and processed with contract as our lawful basis.

Who will it be shared with and why?
Your name will be shared with the referees you give us details for alongside the employment history of the role you held with that referee for the purposes of identifying you for a reference.

In some situations, we may suggest sharing your details with occupational health to evaluate your fitness to work for your particular role. This would include your name and health details. More specifics will be provided in this becomes necessary.

Your payroll information will be shared with HMRC and the DWP as we are obliged to provide by law and our bank (currently Triodos Bank) to process your payment.

How long we will retain this information for? Successful staff candidates:
This information is erased between 6 and 7 years after employment.
Unsuccessful staff candidates:
This information is erased between 6 and 7 months. This allows 6 months for you to request and be provided with feedback.

We will continue to hold your name, contact details and booking and payment history for reference, administrative, marketing, business analysis, financial record keeping and audit purposes for no longer than 7 years and 1 month after each individual invoice/payment/etc.
If there is a debt on your account with us however, this retention period will be extended until 7 years and 1 month after the debt has been cleared, for debt recovery, reference, administrative, marketing, business analysis, financial record keeping and audit purposes.
We may anonymise this data for business analysis purposes.

After this time your data may be anonymised for business analysis purposes.

Your rights

  • Right to be informed – as implemented here
  • Right of access – you may not have the right to access references or some aspects of disciplinary and grievance information if it infringes on the rights of others e.g. others’ personal details will be redacted, etc.
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Please read the “Your rights” section for more information.

Information and marketing communications, and other ways we use your data

What information do we collect?

We may collect information about you whenever you interact with us or with third parties with whom we work. This may include:

  • Your name and contact details.
  • The contact preferences and areas of interest you may have selected.
  • Your involvement with us and interests, including donations and other payments, membership details, communications and correspondence, the reasons you have given for supporting us or using our services, details about which of our services you’ve used and how you’ve interacted with us, and conversations we’ve had with you (including by email, phone, SMS or post).
  • Technical data such as how you interact with our emails e.g. what emails you open and have clicked on, your IP address and geo-location, timestamps showing when you completed our forms, etc.
  • Financial data such as your bank account details for setting up a regular Direct Debit and your credit/debit card details for processing card payments. (All online financial transactions are encrypted for security and we do not store your credit/debit card details.)
  • Your employer details for processing a payroll gift.
  • Your Gift Aid status and information.
  • Your gender and date of birth (e.g., where registering for an event or accomodation, or to confirm you are over 18.)
  • Information collected in the course of administering legacies and legacy pledges or enquiries, such as the amount pledged, expected or received, other beneficiaries to the will, or its executors. This may be received from you, or from others such as the executors of your will, other beneficiaries named in the will, legacy notification services (Smee & Ford) or the probate service.
  • Information provided via enquiries (including to our free Information Service) and/or complaints made by or about you.
  • Information from surveys, focus groups and opinions you share with us, for example if you have completed a feedback form after attending one of our short courses. This may include demographic data and other information you provide such as your previous experience, opinions, age and gender and so on. Any detailed information you provide through surveys will usually be anonymised or pseudonomised in order to add an extra layer of protection for your personal data.
  • Any other information you provide to us.

Where we have legitimate interest in doing so, we may collect other information about you where this is available to the public, including from third parties. This supplementary information will help us to ensure we are contacting you with the most relevant, timely and appropriate communications, to make better use of our resources and ultimately provide an improved experience for you.

For example:

  • We may check, amend and/or complete your address details, or update these if you have moved house, to ensure post is delivered efficiently.
  • We may collect information which identifies you as a contact person for an organisation, such as a school, or which will help us to identify or guess contact details (such as email addresses) for individuals in relevant roles acting on behalf of organisations who we feel would want to hear from us about getting involved and supporting us and our activities.
  • We may look up your parliamentary constituency, estimates of your age and the size and composition of your household, and information about your interests such as hobbies, shopping preferences and subscriptions.
  • We may collect information about your work and career (such as job titles), your previous charity support and organisations you have been connected with, your education, information that helps us identify any family ties, demographic information associated with your postcode, and financial information (including assessment of income and whether particular donations or funding appeals may be of interest).

This information may be compiled using publicly available data about you and/or information that you have already provided to us. Sources may include records, databases and documents made available by government bodies or organisations such as Royal Mail, archives from media outlets, archived press releases, and other reputable websites.

This information may be also used to help us identify individuals, trusts, foundations and companies who may be able to provide higher levels of support and engagement, such as major gifts, partnerships, introductions to networks and mutually beneficial relationships. Carrying out such analysis is sometimes referred to as profiling or wealth screening. We may do this directly and/or by using third party companies such as Factary or Prospecting for Gold. You can opt-out of allowing us to research and use background information about you from other sources for profiling purposes at any time by contacting us at fundraising@cat.org.uk / 01654 705988.

We may ask you to provide your personal data through surveys, quizzes, games, competitions, lotteries, raffles, signing up to receive communications from us, signing up to support our campaigns through petitions, statements of support or email-writing, donations and membership signups, webinars and short course registrations, event and conference bookings, visitor centre bookings, venue hire bookings, accommodation booking, school, university and group visits, graduate school enquirers, applicants, students and alumni, shop and café purchases, information service and other enquiries, and other methods not mentioned here.

You may be asked to provide your information to us indirectly, for example through third parties such as professional fundraisers, partners or subcontractors acting on our behalf, online form providers such as 123formbuilder or MailChimp, online quiz and survey providers such as Interact or SurveyMonkey, payment gateways such as Paypal or Worldpay, fundraising sites such as Justgiving or Virgin Money Giving or organisations which disburse payments on your behalf such as Charities Trust, CAF, Stewardship or Liverpool Charity and Voluntary Services. These organisations may have their own privacy policies and/or statements. Please do ensure you check these when providing your personal information to them.

When you have given other organisations permission to share your information with us, for example in order to sign up to a third party event, the information we receive will depend on your settings and the permissions and choices you have provided. We will always work to ensure it’s completely clear to you that your information will be shared with us.

When using social media and messaging services like Linkedin, Facebook and Twitter, depending on your settings and the permissions and choices you have provided you might give us permission to access information about you from those accounts or services.

When your personal information is available from public sources, such as from open social networks (e.g. LinkedIn and Twitter), company websites, political and property registers, the media, the Charity Commission or Companies House, we may collect this information.

We may collect/use sensitive personal information, but we will only do this where appropriate and necessary in relation to your relationship with us, where data protection law allows it, for an appropriate timeframe only and normally only where we have your explicit consent. For example, we may record information about your health or dietary requirements in order for us to ensure we are communicating with you in the appropriate way and providing you with an appropriate level of service, or we may ask you about your ethnicity in surveys to help us better understand how we can develop and inspire more people to support us in the future. This is allowed under condition (d) of Article 9 of the UK GDPR (‘Not-for-profit bodies’). We may anonymise this data and use it for business analysis purposes. We will only use this special category data for the purpose we have identified and will apply appropriate measures and safeguards to ensure the protection of this.

What do we use this information for?

We use your information to provide you with updates, information and marketing communications. We may contact you by phone, SMS, email or post about our services and how you can get involved and support us. You can always opt-out of these communications.

We use information we hold about you to tailor our communications further to what we think you would be most interested in hearing about. This might for instance include information and marketing relating to our Visitor Centre, events, the Zero Carbon Britain project, volunteering and job opportunities, learning with us through our graduate school, short courses, school and university groups or other learning opportunities, membership, fundraising, campaigning, accommodation, venue hire, café, shop and mail-order services.

We may send you Clean Slate magazine in the post. This may include advertisements and marketing for other organisations that we think you may be interested in. All members receive Clean Slate magazine and may receive other membership post, such as invitations to members’ events, details of special members’ discounts and other key benefits of your membership. As you have signed up to receive these as part of their membership subscription, we continue to send these to members who have opted-out of receiving other fundraising and marketing communications by post. This is explained on membership subscription and renewal forms. We may also contact you with membership renewal reminders by post, phone or email. You can opt-out of receiving Clean Slate and other membership post at any time by contacting our Fundraising and Membership team.

We may use your information for a range of other purposes including to process your payments, to communicate with you better, to comply with financial regulations, to administer legacies, to undertake research for marketing purposes such as by asking you to participate in a survey, to undertake business analysis such as to predict your likelihood to donate to certain appeals and the potential extent of your donations or to monitor and illustrate the level of support for our projects and campaigns, for debt recovery and for other administrative purposes.

The information you provide may be used in conjunction with other information we hold about you.

Lawful basis

We process your personal information according to one or more of the following legal grounds under the GDPR:

  • Consent, for example to send marketing emails to individual supporters and users of our services. You can withdraw your consent at any time.
  • Your vital interests, for example to ensure you get assistance for specific health needs when visiting CAT or attending an event.
  • Contractual relationships.
  • Legal obligations, for example providing tax and gift aid information to HMRC.
  • Legitimate Interests, for example to contact you for marketing purposes by post or phone. We only use this where we are confident that the processing of your information is in our legitimate interests and does not override your own legitimate interests or rights and freedoms. Our legitimate interests include fulfilling our charitable purposes through income generation and publicity, such as marketing for our fundraising, membership, services and events, and analysis of the information you provide. They also include administration, such as Gift Aid, and financial management and control, such as processing donations.

Who will it be shared with and why?

We may share your details with third party suppliers who carry out services for us. We will always hold a supplier to our own high standards of data protection, to ensure that they treat your information with the same care as we do.

These are some examples of how we work with third parties:

  • Using suppliers, external fundraising entities and platforms to deliver communications for us by email, SMS, post or phone and/or provide marketing or research services for us, as well as to analyse and supplement your data. Examples include Royal Mail, The Delivery Group, Admail Ltd, Loqate, Welshpool Printing Group, Apex Direct Mail, Shopsync, MailChimp, and Neo Creative Limited.
  • Using suppliers who will help us ensure the information we hold on you is accurate and up to date and provide supplementary information about you, such as Post Office’s National Change of Address database, Factary or Prospecting for Gold. We may also check your details with the Mailing Preference Service and Telephone Preference Service.
  • Using information services companies, such as Experian, to verify your identity, address and/or account details. This may be required or recommended as best practice by payment service providers such as BACS, which operates the Direct Debit scheme, in order to reduce fraud by ensuring that the details provided relate to the payer.
  • Using payment and financial services providers, auditors, legacy notification services and personal or professional executors, government departments eg. to collect Gift Aid, and providers of online forms and other tools or platforms that collect and process information for us. Examples include HMRC, BACS, Paypal, Stripe, Worldpay, GoCardless, SAGEPay, Pay360 by Capita, 123formbuilder, Checkfront, Shopify, Interact, Justgiving, The Access Group, PT-X Bottomline Technologies, Google forms, MailChimp, SurveyMonkey and various WordPress applications that we use with our website, such as GiveWP.
  • We work with statutory funders, trusts, foundations and others whose financial support make some of our projects possible, for example Powys County Council, who may require information about you and your involvement in a funded project which you have taken part in, in order to evaluate the success of these projects.
  • We may occasionally use services that allow your personal information to be transferred, processed and stored outside of the European Economic Area (EEA). Where necessary we will always take steps to safeguard your information and ensure compliance with data protection laws. For more information please contact our Data Protection Officer.

We won’t sell or swap your information with other organisations for their own marketing purposes without your explicit, informed consent.

We may ask if you would like to add your personal information to directories which will be shared publicly or with selected recipients, such as other attendees at a conference you attend, in order to help you connect a community of people who wish to share their knowledge, skills and experience with each other to support action on the climate and biodiversity emergency. For some campaigns, we may share your contact details with the organisation to which the campaign is addressed, if we have explicitly stated this on the campaign page where you provided your details. For events and projects we co-organise with others, we may share your details with the co-organisers but only if this is made clear to you and all organisers have provided their privacy information to you when you registered or provided your details.

You are in control of how we use your information.

You can update your preferences at any time. If you would like to contact us about your marketing preferences, please contact us using the details at the top of this page. You can also unsubscribe from emails by clicking the link at the bottom of each email.

If you choose to unsubscribe from any of our Information & Marketing Communications, we will take you off our communication lists. We will retain your name, contact details and other relevant information and will record your preference not to be contacted. This allows us to comply with your request should you interact with us again in future. We may still send you administrative communications as needed. You can also contact us to change what kinds of communication you receive from us and how you receive these.

How long will we retain this information for?

In rare cases your information may be retained by us or third parties you have provided it to (including unsubscribed from emails status) indefinitely or until you request not only to unsubscribe but to have your data erased. However if you have not interacted with us for 8 years we will usually delete, anonymise or move your record to a separate secure storage location where it will only be accessed in specific circumstances, for instance if you have left us a legacy in your will and this information is required for the will to be executed.

Your rights

Right to be informed – as implemented here

Right of access

Right to rectification

Right to erasure

Right to restrict processing

Right to data portability

Right to object

Please read the “Your rights” section for more information.

Security of Information

We have appropriate security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

CCTV is in operation in certain points of the site. For more information about how this collected footage of you is used, please see the Photographs and Videos section.

Your Rights: Right to be informed

It is our endeavour, through this document, is to be transparent regarding the information we collect and use relating to you. This includes our purposes for collecting and using your information, how long we keep it for and who we share it with and why.

We will regularly review and where necessary update this Privacy Notice. If we wish to use your information for new purposes, we will bring this to your attention before we begin processing it for this new purpose.

If we have received your information from a source other than yourself, we will send this document to you within one calendar month of receiving your information unless one of the following situations applies:

  • you already have the information;
  • providing the information to you would be impossible;
  • providing the information to you would involve a disproportionate effort;
  • providing the information to you would render impossible or seriously impair the achievement of the objectives of the data being processed or would render the data processing impossible;
  • we are required by law to obtain or disclose the personal data; or
  • we are subject to an obligation of professional secrecy regulated by law that covers the personal data.
Your Rights: Right of access

You may request a copy of the information we hold on you and information about how we use your personal information by contacting us using the contact details in the Contacts, Resources and Further Information section.

We will need to verify your identity using ‘reasonable means’ and may ask you to specify the information the request relates to. This will differ depending on the information requested.

A copy of your information will usually be provided to you free of charge within one calendar month of your request. If your request is complex and/or we receive numerous requests, we may extend this period by a further 2 months, in which case we will let you know within 1 month of receiving your request and explain why the extension is necessary.

If the request is made electronically, we will provide the information in a commonly used electronic format.

If a request is manifestly unfounded or excessive, in particular because they are repetitive we may refuse to respond, but will explain to you why and remind you of your right to complain to the supervisory authority within one month. Otherwise we may charge a ‘reasonable fee’ based on the administrative cost of providing the information and will not provide the information until the fee has been received.

The above fee may also be charged for further copies of the same information.

Your Rights: Right of rectification

We will always endeavour to hold the correct information relating to you. If, however, this information is incorrect you have the right for us to correct it. This could be, for example, by letting us know that you have changed your address.

We will need to verify your identity and check that the new information is accurate using ‘reasonable means’ proportionate to the what the data is used for. This will differ depending on the information requested. We will restrict the processing of the personal data in question while we verify its accuracy whether or not you have exercised your Right to restrict processing. We will act upon your request within one calendar month. We may contact you within this timeframe to ask for more information to verify your identity and/or to extend our ‘time to respond’ by a further two months if the rectification request is complex or we have received a number of requests from you. We will inform you of our reasons at the same time.

Rectified data will also be passed on to anyone else we shared the incorrect information with, unless this is impossible or involved disproportionate effort. The people who we share information with differs depending on the information and what it is used for but is listed throughout this document in the “Who will it be shared with and why?” sections of the tables throughout.

If we are satisfied that our data is accurate we will inform you that we will not be amending your data, explaining our decision and informing you of your right to make a complaint to the ICO or other supervisory authority and your ability to seek to enforce your rights through a judicial remedy.

Your Rights: Right to erasure

In most cases you will have the right to erasure of information related to you. This differs depending on the information and what it is used for but is listed throughout this document in the “Your rights” sections of the tables throughout.

We will need to verify your identity using ‘reasonable means’ proportionate to the what the data is used for. This will differ depending on the information requested.

We will act upon your request within one calendar month. We may contact you within this timeframe to ask for more information to verify your identity and/or to extend our ‘time to respond’ by a further two months if it is manifestly unfounded or excessive, an exemption applies or we need proof of identity before considering the request. We will inform you of our reasons at the same time.

We will also erase your data with anyone else we shared the information with, unless this is impossible or involved disproportionate effort. The people who we share information with differs depending on the information and what it is used for but is listed throughout this document in the “Who will it be shared with and why?” sections.

If a request is manifestly unfounded or excessive, in particular because they are repetitive we may refuse to respond, but will explain to you why and remind you of your right to complain to the supervisory authority within one month. Otherwise we may charge a ‘reasonable fee’ based on the administrative cost of providing the information and will not provide the information until the fee has been received.

Your Rights: Right to restrict processing

You have the right to request we restrict the processing of your personal data in the following circumstances:

If you contest the accuracy of the personal data we are processing and we are verifying this (see Right to rectification).
If you have objected to us processing your data (see Right to object) and we are considering your objection request.
We wish to erase the data but you wish us to keep it without processing it, in order establish, exercise or defend a legal claim.
If you believe our processing of your data has been in breach of the lawfulness requirement of the first principle of the GDPR).
We will act upon your request within one calendar month. We may contact you within this timeframe to ask for more information to verify your identity and/or to extend our ‘time to respond’ by a further two months if it is manifestly unfounded or excessive, an exemption applies or we need proof of identity before considering the request. We will inform you of our reasons at the same time.

When restricting processing of your data we would only store your data and will contact any recipients of your data to do the same (unless this proves impossible or involves disproportionate effort), unless one of the following applies:

We have your consent,
It is if for the establishment, exercise or defence of legal claims
It is for the protection of the rights of another person (natural or legal)
It is for reasons of important public interest.
We can lift this restriction when we are satisfied that our data is accurate (in the case of your Right to rectification) or that our legitimate grounds override yours (in the case of your Right to object).

If a request is manifestly unfounded or excessive, in particular because they are repetitive we may refuse to comply with your request, but will explain to you why and remind you of your right to complain to the supervisory authority within one month. Otherwise we may charge a ‘reasonable fee’ based on the administrative cost of providing the information and will not provide the information until the fee has been received.

Your Rights: Right to data portability

You have the right to request a copy of your personal data that is held digitally if our lawful basis for collecting, holding and processing the information is “Consent” or “Contract”. This differs depending on the information and what it is used for but is listed throughout this document at the bottom of the “What do we use this information for?” sections of the tables throughout.

We will act upon your request within one calendar month. We may contact you within this timeframe to ask for more information to verify your identity and/or to extend our ‘time to respond’ by a further two months if it is manifestly unfounded or excessive, an exemption applies or we need proof of identity before considering the request. We will inform you of our reasons at the same time.

We will provide the data in a structured, commonly used and machine readable form. You may request for it to be send directly to another organisation if technically feasible.

If a request is manifestly unfounded or excessive, in particular because they are repetitive we may refuse to comply with your request, but will explain to you why and remind you of your right to complain to the supervisory authority within one month.

Your Rights: Right to object

You have the right to object to your data being processed:

  • if our lawful basis for doing so is “Legitimate Interest”. This differs depending on the information and what it is used for but is listed throughout this document at the bottom of the “What do we use this information for?” sections of the tables throughout;
  • for direct marketing; or
  • for the purpose of scientific/historical research and statistics.

If you are objecting to us processing your data:

  • based on legitimate interests:
    • You must have an objection on “grounds relating to your particular situation”
    • We will stop processing the data for the purpose unless the processing is for the establishment, exercise or defence of legal claims or we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
  • for direct marketing:
    • We will cease processing your personal data as soon as we receive the objection.
  • for the purpose of scientific/historical research and statistics:
    • You must have an objection on “grounds relating to your particular situation”
    • We will cease processing your personal data as soon as we receive the objection.

We will act upon your request within one calendar month. We may contact you within this timeframe to ask for more information to verify your identity and/or to extend our ‘time to respond’ by a further two months if it is manifestly unfounded or excessive, an exemption applies or we need proof of identity before considering the request. We will inform you of our reasons at the same time.

If a request is manifestly unfounded or excessive, in particular because they are repetitive we may refuse to comply with your request, but will explain to you why and remind you of your right to complain to the supervisory authority within one month.

Contacts, Resources and Further Information

Please be aware that the web-links provided below work at the time of publishing but may have changed since then.

Contact Us:

If you have any questions or comments on this policy or our collection and use of your information, they can be sent to contactus@cat.org.uk or addressed to Data Protection, Centre for Alternative Technology, Llwyngwern Quarry, Machynlleth, Powys, SY20 9AZ.

123 Form Builder

We use 123 Form Builder as a provider of many of the forms on our website. We outline when we use them in the “Who will it be shared with and why?” sections of this Privacy Notice.

123 Form Builder receives the information you input into our forms and holds it on their cloud service for us to access. Their privacy policy can be found below.

Website: https://www.123formbuilder.com/privacy.html

Anevay

Anevay are a manufacturer of some of the outdoor technologies and stoves that we sell online and through our mail-order service. We may provide them with your information so they can send you your order directly.

Website: https://www.anevaystoves.com/privacy/?v=79cba1185463

Anu

Anu Internet Services host our website servers which will hold information on Short Courses bookings. These secure servers are based in Amsterdam and are beholden to GDPR.

Bing Webmaster Tools

Bing Webmaster Tools is one of the web analytics services we use to measure the success of our website and media campaigns.

Website: https://www.bing.com/toolbox/webmaster

Checkfront

Checkfront is one of the online booking systems we use on our website. You can find out more about how they use data at the following link: https://www.checkfront.com/gdpr

DWP – Department of Work and Pensions

We are sometimes required by law to provide information to the Department for Work and Pensions relating to payroll.

Website: https://www.gov.uk/government/organisations/department-for-work-pensions

Gardening Works

Gardening Works are a manufacturer of some of the products that we sell online and through our mail-order service. We may provide them with your information so they can send you your order directly.

Website: https://www.gardeningworks.co.uk/privacy-policy.html

Google Analytics

Google Analytics is one of the web analytics services we use to measure the success of our website and media campaigns.

Website: https://support.google.com/analytics/answer/6004245

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

Google Sheets

Google Sheets is currently used for compiling the GSE applicant database, although there are plans to move to a different system in the future.

Website: https://privacy.google.com/intl/en-GB/index.html#

HETAS

HETAS is a not-for-profit organisation that approves biomass and solid fuel heating appliances, fuels and services, including the registration of competent installers and servicing businesses. We run HETAS accredited Short Courses for environmental service installation and installer registration.

Website: https://www.hetas.co.uk/

GDPR-specific HETAS information can be found here: https://www.hetas.co.uk/tag/gdpr/

HMRC – Her Majesty’s Revenue and Customs

We are required by law to provide information to Her Majesty’s Revenue and Customs with regards to payroll.

Website: https://www.gov.uk/government/organisations/hm-revenue-customs

ICO – Information Commissioner’s Office

The UK’s independent authority set up to uphold information rights in the public interest.

Website: https://ico.org.uk/

We have written this policy and set up all our data collection and use practices using ICO recommendations and in compliance with the Data Protection Act 1998 and General Data Protection Regulation (GDPR).

MailChimp

These are our current email platform. More information on their use of your data can be found at: https://mailchimp.com/legal/privacy/

Matomo

Matomo (previously Piwik) is a privacy conscious web analytics platform.

Website: https://matomo.org/privacy/

Pay360 by Capita

Pay360 by Capita is one of the payment gateways we use for processing your payments to us.

Website: https://www.pay360.com/about-us/privacy-policy

Paypal

Paypal is one of the payment gateways we use for processing your payments to us.

Website: https://www.paypal.com/en/webapps/mpp/ua/privacy-full

SAGEPay

SAGEPay is one of the payment gateways we use for processing your payments to us.

Website: https://www.sagepay.co.uk/policies/privacy-policy

Shopify

Shopify is an e-commerce solution that powers online shops and ordering systems. We outline when we use them in the “Who will it be shared with and why?” sections of this Privacy Notice.

While administering your order they collect and process some of the information you provide during your order. For a current list of this information, see Shopify’s privacy policy which can be found at the link below.

Website: https://www.shopify.com/legal/privacy

Smee & Ford

Smee & Ford is a legacy notification service provider who let us know when a legacy has been left for us.

Website: https://smeeandford.com/

Tango Group

Tango Group are a manufacturer of some of the products that we sell online and through our mail-order service, like our foldable e-bike. We may provide them with your information so they can send you your order directly.

Website: https://tangogroup.co.uk/

Triodos Bank

We sometimes provide your information to our bank, Triodos Bank for example when paying wages.

Website: https://www.triodos.co.uk/en/about-triodos/important-information/privacy-statement/

Worldpay

Worldpay is one of the payment gateways we use for processing your payments to us.

Website: https://www.worldpay.com/uk/privacy-policy

Resources:

Data Protection Act 1998:

https://www.legislation.gov.uk/ukpga/1998/29/contents

General Data Protection Regulation (GDPR):

http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

Summary information can be found at the following websites:

https://www.eugdpr.org/eugdpr.org.html

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/