The Eddystone Trust is committed to protecting your privacy.

In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy notice to inform you how we use and protect the personal data that we process about you and to tell you what to expect when Eddystone collects personal information. It applies to information we collect:

  • From people who contact us via our website, telephone, email or in person to enquire about our services, meet or receive support from us, provide feedback from our services, make a referral to us, donate to us or otherwise provide us with personal information
  • From third parties i.e. a referral from another organisation, or sign up through another website such as Eventbrite to attend our training
  • From people who sign up to our mailing lists

DATA PROTECTION PRINCIPLES

Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

  • processing is fair, lawful and transparent. We will ask you for your information and tell you what we are doing with it
  • personal information is collected for specific, explicit, and legitimate purposes. Only information that we need will be collected
  • we will ensure your personal information is kept accurate and up to date. Inaccurate or misleading data will be corrected as soon as possible
  • personal information is not kept for longer than is necessary for its given purpose
  • your personal information is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical and organisational measures
  • we will provide you with a copy of your personal information on request
  • we comply with the relevant GDPR procedures for international transfers of personal data

YOUR RIGHTS

You have the following rights in relation to the personal data we hold on you:

  1. the right to be informed about the data we hold on you and what we do with it;
  2. the right of access to the data we hold on you. We operate a separate Subject Access Request policy and all such requests will be dealt with accordingly;
  3. the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
  4. the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
  5. the right to restrict the processing of the data;
  6. the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
  7. the right to object to the inclusion of any information;
  8. the right to regulate any automated decision-making and profiling of personal data.

In addition to the above rights, you also have the unrestricted right to withdraw consent, that you have previously provided, to our processing of your data at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact our appointed compliance officer listed at the end of this policy.

WHAT INFORMATION DO WE COLLECT?

We collect personal information from you when you enquire about our services or ask to engage with the work we do. This may include your name, address, post code and contact telephone and email details, date of birth and the nature of the enquiry. Normally the only information we hold comes directly from you. We will need to collect certain basic information dependent on the service you require; however, you do not have to provide us with any additional information unless you choose to. We may also collect sensitive information known as special category information, such as sexual orientation, sex life, racial and ethnic data, health and medical information and genetic and biometric data, if this is required for the purpose you are involved with The Eddystone Trust and to review whether our services reach all sections of the community. We may also have a contractual obligation under any funding we receive to produce monitoring reports, but you will not be able to be identified by that information.

In some cases, we will collect data about you from third parties, such as a referral from partner agencies and health care professionals to enable us to provide the services that you have requested. We will always ensure that you have read a copy of the privacy statement that relates to the service you are receiving so that you understand what will happen to your personal and special category data.

You may access training and resources via our website and partner websites including Eventbrite, or make a donation via a third-party website. We only use trusted partners who are GDPR compliant in their storing and processing of information.

The Eddystone Trust website uses cookies (see Section 11, below) and other technologies to personalise and improve your experience and to help us understand what areas of the website are of interest to our visitors (e.g. via Google Analytics). Wherever possible we use anonymous information which does not identify individual visitors to our website.

HOW WE USE THE INFORMATION

We will use and store the information collected to provide a range of services and for monitoring and evaluation to enable us to continually review the services we offer. For people who have contacted us directly for any of our services or been referred to us by another organisation we only use the information provided for the purpose of the service that is relevant. 

We will not share your personal information with other parties without your consent; however, we may have a legal responsibility to share information if required to do so by law or to protect or defend or prevent or investigate possible wrongdoing in connection with our services. We will ask for your consent to share information outside of the organisation, e.g. when a service we currently provide transfers to a new service provider.

FOR STAFF: Please refer to our separate GDPR Data Policy HR

For JOB AND VOLUNTEER APPLICANTS: Please refer to our separate Privacy Notices for Job and Volunteer Applicants

YOUR CHOICES ON RECEIVING INFORMATION

If we have received consent from you to be added to our mailing list, we will process your personal information to inform you of events, fundraising and campaign services. You can choose if you wish to be contacted by us for marketing purposes and you are able to decide which services you would like to be contacted for. You can change your mind at any time and change your subscription choices by contacting the relevant service.

ACCESS RIGHTS AND REQUESTS

You have the right to see what personal information we hold (apart from a very few things which we may be obliged to withhold because they concern other people as well as you). Although a request may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. Usually, we will comply with your request without delay and at the latest within one month.

We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner.

LAWFUL BASIS FOR PROCESSING INFORMATION

The law on data protection allows us to process your data for certain reasons only.

The information below categorises the types of data processing we undertake and the lawful basis we rely on:

  • HR & Recruiting: Legal Obligation, and Our Legitimate Interests
  • Support & Prevention Services: Our Legitimate Interests, and where necessary, Consent
  • Mailing Lists: Consent
  • Contraception Scheme for Young People: Consent

PROTECTING YOUR DATA

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff in handling the information securely. We operate an electronic system where possible to minimise the risk of personal data being left unattended and operate duo security login systems.  Any paper-based systems are held securely in lockable filing cabinets.

AUTOMATED DECISION MAKING

Automated decision-making means making decisions about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

DELETING PERSONAL DATA

We only keep personal data for the time necessary to carry out the relevant service unless you have consented for us to use or store the information for future use, i.e. an unsuccessful job applicant may consent for us to keep their details for a specific time in case of a future vacancy. Please see our Data Retention Policy for further details.

When we no longer require your personal information, we will delete or securely destroy your personal information by putting it “beyond use” as defined by Data Protection Information Commissioner’s Office guidelines.  We may keep other information that doesn’t identify you personally but that we may need for monitoring or contractual reasons.

COOKIE USAGE

About Cookies

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

We use cookies for the following purposes:

Necessary cookies

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Cookie Name: _cfduid

Used by: Cloudflare

Description: Used by the content network, Cloudflare, to identify trusted web traffic. It does not contain any personal information.

Expiration: 1 year

Cookie Name: ASP.NET_SessionId

Used by: Website

Description: Used for authenticating a user's session after logging in. Closes when the user exits the browser. It does not contain any personal information.

Expiration: End of session

Cookie Name: ARRAffinity

Used by: Website

Description: Tells our infrastructure which server should handle the request. It does not contain any personal information and is used only for analytical purposes.

Expiration: End of session

Cookie Name: MemberLoggedIn

Used by: Website

Description: A binary flag which stores whether a user is logged in or not. It does not contain any personal information.

Expiration: End of session

Cookie Name: _stripe_sid

Used by: Stripe

Description: Used by our payment provider, Stripe, in order to process payments on checkout.

Expiration: End of session

Cookie Name: _stripe_mid

Used by: Stripe

Description: Used by our payment provider, Stripe, in order to process payments on checkout.

Expiration: 1 year

Cookie Name: nsr

Used by: Stripe

Description: Used by our payment provider, Stripe, in order to process payments on checkout.

Expiration: End of session

Statistic cookies

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Cookie Name: @@History/@@scroll|#

Used by: Website

Description: Used by AppInsights to allow for monitoring of the platform database. It does not contain any personal information and is used only for analytical purposes.

Expiration: End of session

Cookie Name: _ga and _gid

Used by: Google Analytics

Description: Used to distinguish between website users in Google Analytics.

Expiration: 2 years

Cookie Name: _gat

Used by: Google Analytics

Description: Used to moderate calls to the Google Analytics service. It does not contain any personal information and is used only for analytical purposes.

Expiration: End of session

Cookie Name: ai_session and ai_user

Used by: Website

Description: Tracks users as they navigate the website predominately for infrastructure performance insights. It does not contain any personal information.

Expiration: End of session

Cookie Name: p.gif

Used by: Typekit

Description: Used by the font provider, Typekit, if you are using one of their fonts. Used for compliance and billing purposes only. It does not contain any personal information.

Expiration: End of session

Cookie Name: __utma

Used by: Google Analytics

Description: Stores the number of visits of a user, the time of their first visit, the previous visit, and the current visit. It does not contain any personal information and is used only for analytical purposes.

Expiration: 2 years

Cookie Name: __utmz

Used by: Google Analytics

Description: This performance cookie stores where a user came from (e.g. search engine, search keyword, link). It does not contain any personal information and is used only for analytical purposes.

Expiration: 6 months

Cookie Name: __unam

Used by: ShareThis

Description: Set as part of the ShareThis service and monitors "click-stream" activity, e.g. web pages viewed, navigation from page to page, time spent on each page etc. The ShareThis service only identifies a user if they have separately signed up with ShareThis for a ShareThis account and given them consent. Checks how long a user stays on a site: when a visit starts, and ends. It does not contain any personal information and is used only for analytical purposes.

Expiration: 14 months

Cookie Name: cc_cookie_accept

Used by: Website

Description: Stores whether the user has accepted the cookie message or not. It does not contain any personal information and is used only for analytical purposes.

Expiration: 365 days

Marketing cookies

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

Cookie Name: NID

Used by: Google

Description: Registers a unique ID that identifies a returning user's device. Can be used for targeted ads. It does not contain any personal information. 

Expiration: 6 months

Cookie Name: collect

Used by: Google Analytics

Description: Used to send data to Google Analytics about a user's device and behaviour. It does not contain any personal information.

Expiration: End of session

Cookie Name: r/collect

Used by: Doubleclick.net

Description: These cookies are managed by DoubleClick, an advertising platform we use to display adverts.

Expiration: End of session

Cookie Name: IDE, DSID, _ct_rmm

Used by: Doubleclick.net

Description: These cookies are managed by DoubleClick, an advertising platform we use to display adverts.

Expiration: 2 years

Cookie Name: DisplayName

Used by: Website

Description: Keeps track of a donor's preference to show their name during a Direct Debit.

Expiration: End of session

Cookie Name: VISITOR_INFO1_LIVE

Used by: YouTube

Description: Used by YouTube if you've embedded a YouTube video in your posts. Tries to estimate a user's bandwidth on pages with integrated YouTube videos. It does not contain any personal information.

Expiration: 179 days

Cookie Name: YSC

Used by: YouTube

Description: Used by YouTube if you've embedded a YouTube video in your posts. Registers a unique ID to keep statistics of what videos from YouTube a user has seen. It does not contain any personal information.

Expiration: End of session

Cookies used by our service providers

Our service providers use cookies and those cookies may be stored on your computer when you visit our website.

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. This data may be stored outside the EU, under an EU-US Privacy Shield agreement. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available HERE.

Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

Blocking all cookies will have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use all the features on our website.

MAKING A COMPLAINT

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

DATA PROTECTION COMPLIANCE

Our appointed compliance officer in respect of our data protection activities is: Vannessa Jones

Tel: 01752 254406   email: [email protected]