Privacy Policy

TheWe respect your privacy and are committed to protecting your personal data. Data Orchard CIC is a Data Controller registered with the Information Commissioner’s Office, registration reference: ZA045001.

This policy explains how we manage the personal information of users of Data Orchard’s websites (www.dataorchard.org.uk; mapio.cymru and www.data4goodconf.org.uk), products and services including the Data Maturity Assessment Tool subdomain (datamaturity.dataorchard.org.uk).

Data Orchard CIC, ‘Data Orchard’, or ‘us’ or ‘we’ is a social enterprise registered as a community interest company and company limited by guarantee in England and Wales with Companies House. Our company number is 08674626 and our registered office at Lower House Business Park, Staunton-on-Wye, Hereford HR4 7LR.

You can access and browse our website without disclosing your personal data although in that case some functionality might not be available to you. Some of our services require you to register an account with us for which we will process your personal data as set out in this policy.

Personal data

Personal data we collect about you, the legal basis of processing, and how long we hold it.

Personal data, or personal information, means any information about an individual from which that person can be identified as the subject or source. You can find out more about personal data from the Information Commissioners Office. We may collect, use, store and transfer different kinds of personal data about you as follows:

Contact data and our mailing list

If you interact with us and do not unsubscribe from marketing, including where you subscribe to our mailing list, we will process your first and last name, email address, phone number (optional), job title, organisation name, your organisation’s address (optional) and national and regional location, and sector type (“Contact Data”).

You may also wish to provide other data as part of any free text response option we provide, which we will process in accordance with this policy. We do this on the basis of our legitimate interest in contacting you to let you know about our services where you’ve previously expressed an interest in them and you didn’t opt out of this processing at the time. You can always opt out of this by either contacting us directly or by clicking on the unsubscribe link we provide at the bottom of our email communications to you.

We will hold your data until you unsubscribe (or until we decide to unsubscribe you) and we may keep some Contact Data for a further 6 years after that so that we can apply a suppression to our marketing list to ensure you aren’t contacted for marketing purposes. If you exercise your right to be forgotten and we delete your personal data then you may receive marketing from us in the future if you interact with us and do not opt out of marketing at the time.

Creating an account to use our Data Maturity Assessment Tool

If you set up an account to use our free Data Maturity Assessment Tool: We will request that you provide your first name and last name, email address, job title/role, organisation name, organisation national and regional location and sector type. We will also capture your IP address to monitor spamming by rogue users and/or potentially malicious attacks. The legal basis for collecting your personal data as a user of our free Data Maturity Assessment Tool will be consent. We will also add you to our mailing list on the basis of our legitimate interest for which the terms described above for ‘Contact Data’ apply.

We will continue to hold your personal data for 2 years from the date you complete the assessment for the purposes of research and benchmarking data maturity. After 2 years we will delete your personal data and aggregate your response into a larger pool of data that can’t be traced back to any single individual.

If your organisation has a licence for our premium Organisation Data Maturity Assessment, either directly or as part of a cohort programme: We will request that you provide your email address and job title/role. We will also capture your IP address to monitor spamming by rogue users and/or potentially malicious attacks. The legal basis for processing will be consent. Your personal data may also be shared with your organisation in which case you will be informed by your organisation of their privacy terms.

We will continue to hold your personal data for 2 years from the date you complete the assessment for the purposes of research and benchmarking data maturity. After 2 years we will delete your personal data and aggregate your response into a larger pool of data that can’t be traced back to any single individual.

Contacting us

If you contact us: Your email address, message, and phone number if you’ve requested a call, will be accessible to our small team of support staff and may be forwarded to the person or people in the organisation we think are best equipped to respond to your enquiry. The basis of processing is our legitimate interest. We will hold your data for 3 years from the date you contact us. We will never use your phone number for our marketing purposes unless you expressly consent to this by ticking the box to confirm your request that we or one of our consultants calls or texts you.

Booking on our training courses

If you book to attend one of our online training courses: we will request your name, email address, job title, organisation and postal address (the billing address of your card and/or your home address — if applicable). Your contact data will be used to ensure receive the necessary information and joining instructions to participate in the course, and to request feedback.

Your name, payment and security details will be held by our secure third-party payments processors (Paypal and/or Stripe) who process some of your data as a Controller in their own right according to their own privacy policy.

Your name, email address, organisation, job title and postal address (the billing address of your card and/or your home address — if applicable), the last few digits of your card or bank account number, and the payment amount are then made available to our finance staff.

We do not use your financial data for any purposes other than processing your booking, and company accounting — which may involve sharing data with our professional advisors such as accountants or if we are required by law to disclose that information to government entities such as HMRC. The basis of processing is fulfilling a contract with you (making sure your booking is processed) and carrying out our legal obligations relating to finance and tax. We will hold your data for 7 years after you made the payment.

We will generally hold your data relating to your course booking for 6 years after the course has taken place. Unless you have unsubscribed at the time, we may also add you to our mailing list on the basis of our legitimate interest following the soft-opt-in exemption (see “Contact Data and our mailing list above”).

Events

If you sign up to attend one of our in-person or online events: Your name, email address, job title/role, organisation, address, and event preferences (preferences may be different for each event, e.g. dietary requirements, session ideas or preferences where we specifically ask for your consent to put your name on a shared guest or attendee list, attendance preferences, accessibility needs etc). If you do provide accessibility data, this will only be used to ensure that your accessibility requirements are met and for no other purposes except compliance with the law. The basis for processing is performance of a contract (our event) with you.

Your contact data will be used to ensure receive the necessary information and joining instructions to participate in the event, and to request feedback to improve future events.

We will generally hold your data relating to this event for 6 years after the event has taken place. Unless you have unsubscribed at the time, we may also add you to our mailing list on the basis of our legitimate interest following the soft-opt-in exemption (see“Contact Data and our mailing list above”).

Recording, photography, and filming

If you consent to be recorded, photographed, or filmed. With your explicit consent we will use audio recordings, photographs or recorded film footage of you for the purposes of marketing and display on our website, including sharing via major social media platforms and tagging you or your organisation. We will keep a copy of your consent for at least as long as we use those images, for the purpose of demonstrating our compliance with data protection laws.

Speakers

If you are a speaker at a Data Orchard event, or a trainer for a workshop or programme: We will publicly promote your involvement. This may include on our websites, in our marketing and communications, on social media platforms. Your data may continue to be processed by external platform providers after the event has ended.

Sponsoring or exhibiting at our events

If you register interest to sponsor or exhibit at our events: Your name, job title, organisation, email address, phone number and additional information you provide will be forwarded to the person handling these enquiries. The basis of processing in this instance will be contract (including any steps taken with a view to entering into a contract). We will hold your data for 6 years after the event has taken place for tax and legal reporting purposes.

Donations

If you make a donation: Your name, payment and security details are held by our secure third party payments processors (Paypal and/or Stripe) who process some of your data as a Controller in their own right according to their own privacy policy. Your name, email address, postal address (the billing address of your card and/or your home address — if applicable), the last few digits of your card or bank account number, and the donation amount are then made available to us. We do not use this data for purposes other than processing your donation, and company accounting — which may involve sharing data with our professional advisors such as accountants or if we are required by law to disclose that information to government entities such as HMRC. The basis of processing is fulfilling a contract with you (making sure your gift is processed) and carrying out our legal obligations relating to finance and tax. We will hold your data for 7 years after you made the donation.

Other research and consultations

If you take part in any Data Orchard online research or consultations via our website we may use Google Forms or Survey Monkey to collect personal and other data. The purposes for these will be specified in the context of the individual survey or consultation concerned and we will generally only use that information strictly for the purpose of producing a specific report on that topic (or a closely related topic) commissioned by a client, unless we get your explicit permission to use that data for another purpose. We may also use this information to contact you to raise further queries about your response if you raise an interesting question or issue that we would like to discuss further with you, and this policy will apply to any other information you provide to us should you agree to a further interview. The basis of processing will be either performance of a contract or legitimate interest depending on the research context. We do not collect any other Special Categories of Personal Data about you other than those which we specifically ask you about in the context of a particular application (always with your express informed consent in each case) or to comply with laws regarding accessibility and to respect any personal requirements you tell us about relating to an event that we host. Special Category data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.

Other purposes

We do not collect or use personal data via our website for any purpose other than those indicated at the time you provide, or the time we collect, your personal data and we will not use this data in any new ways that we consider you would find surprising or that you would not expect to follow from the purpose that you originally provided that data for.

We may combine or aggregate your data, or that of your organisation, with publicly available registers such as Companies House, The Charity Commission, or the Post Code Authentication service provided by Royal Mail. We will only combine or aggregate data in this way where we don’t consider our processing to be overly intrusive. For example, we might use the registered addresses of organisations we work with to create a heat map, and we may update our records based upon the information available from public sources from time to time to ensure that it remains as accurate as possible.

In the course of their activities, Data Orchard staff may obtain your details from for example, business cards, event delegate lists, during conversations, referrals and recommendations. We also undertake desk-based research using publicly available sources to identify not-for-profit sector staff who may be interested in joining our networks, attending our courses and events, or using our products and services. If we obtain your details in this way, we will inform you that we have obtained your details and inform you of Data Orchards activities and offers. We will make it clear how to object to the processing of your data and you may opt out of further contact at any time.

If you fail to provide personal data

Where we need to process your personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide you with goods or services. In this case, we may have to cancel, modify or reduce the functionality or extent of a product or service that we provide to you. We will notify you if this is the case at the time.

Security and encryption

Data Orchard takes appropriate technical and organisational measures, as required by law, to ensure we keep your information secure and accurate. We also take care to ensure that we have secure systems for processing payments through our third-party payment services provider who also apply stringent Payment Card Industry (PCI) security requirements.

We take great care to ensure that our websites operate as securely as possible at all times, using secure socket layer (SSL) protection and that our suppliers are committed to providing similarly high levels of security. All financial data is encrypted during transmission. However, the security of data transmission via the Internet and wireless networks can never be 100% guaranteed and may in some cases be susceptible to interception by third parties.

We have implemented security policies, rules and technical measures to protect the personal data that we have under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. All our employees and data processors, who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of the personal data we process.

We ensure that your personal data will not be disclosed to other institutions and authorities except if required by law or other regulation or unless we have already sought your consent.

Sharing your information with other organisations

Data Orchard will not sell or otherwise provide your information to any third party in any way that could be used to identify you except to the very limited extent we expressly set out in this policy. We may share your information with third parties where we have a legal duty to do so, where it is required to provide you with a service or to carry out any contractual rights or obligations we may have, or where you have given explicit consent for us to do so.

We will share aggregated non personal data for research and statistical analysis purposes, and for scientific research and associated legitimate interests in accordance with privacy laws in force at the time.

We may transfer personal data to external organisations where we have contracts to provide direct operational services for us (including hosting, cloud services, communications and financial processing); but unless you have given explicit consent, this does not extend to any arrangement to enable the external organisation to contact you on it’s own behalf or enable any other part to do so.

For example, we use third party suppliers acting as processors based in the United Kingdom (and sometimes in other countries such as those in the European Economic Area subject to similarly protective data laws as those in the UK or for other countries where we have appropriate measures in place to ensure your data remains protected to the same degree) who act under our instructions in the following scenarios:

• Marketing agencies and client relationship management platform and other SaaS product providers including:

  • Mailchimp who are based in the United States. Mailchimp are owned by Intuit Inc. and are part of the Intuit group of companies, their privacy policy is available at www.intuit.com/privacy/statement;

  • Tito who are based in Ireland and provide event booking and ticketing services, their privacy policy is available at https://ti.to/privacy;

  • Eventbrite who are based in the United States and provide event booking and ticketing services, their privacy policy is available at www.eventbrite.co.uk/support/articles/en_US/Troubleshooting/eventbrite-privacy-policy?lg=en_GB

  These third parties may assist or enable our marketing and communications for events and e-newsletter or they may assist with our processing of financial transactions and fulfilling our accounting obligations;

• Software developers and technical support providers for hosting, supporting, and developing our data maturity assessment products and other services.

• Airtable a marketing platform operated by Formagrid Inc (based in the USA), who act as a processor under our instruction. Their privacy policy is available at www.airtable.com/privacy

• Box.com, a content management services provider based in the USA, operated by Box, Inc. who act as a processor under our instruction. The UK’s Information Commissioner’s Office (ICO) has listed Box as a certified Processor and Controller of UK Binding Corporate Rules (BCRs) on the ICO website. Their privacy policy is available at www.box.com/en-gb/legal/regionalnotice

• Stripe, Inc. based in the USA provide secure payment services, and their European entity is called Stripe Payments Europe Limited who are based in Ireland. Stripe’s privacy policy is available at https://stripe.com/en-gb/privacy-center/legal

• PayPal (Europe) S.a.r.l. et Cie, S.C.A, based in Luxembourg also provide secure payment services and their privacy policy is available at www.paypal.com/uk/webapps/mpp/ua/privacy-full

• Slack – a forum/engagement platform based in Ireland that we use to discuss ideas and collect feedback. You can contact us regarding the information we process on Slack in order to exercise your rights, or it might be better for you to contact Slack under some circumstances, we will tell you where this is the case. Slack’s privacy policy is available at https://slack.com/intl/en-gb/trust/privacy/privacy-policy#information

• Survey Sparrow, a survey provider, acting as a processor under our instruction, with data storage in the EU. Survey Sparrow’s privacy policy is available at https://surveysparrow.com/legal/privacy-policy/

• Xero providing cloud accounting services, based in the US and providing standard contractual clauses (SCC) for data transfers between EU and non-EU countries. Their privacy policy is available at https://www.xero.com/uk/legal/privacy/

We have contracts in place with all third party suppliers to ensure they are obligated to treat our customers’ personal data in compliance with Data Protection Laws and to ensure confidentiality is maintained where applicable.

If Data Orchard is acquired by a third party, personal data held by Data Orchard will be one of the assets transferred as part of that transaction. Any personal data that is transferred to a new owner or newly controlling party will continue to be protected in accordance with this privacy policy and your rights will not be prejudiced as a result of that transfer. If only part of Data Orchard’s services are acquired by a third party then in order to continue to provide that service your personal data may need to be transferred to that third party, but we will tell you in advance where this applies so that you have the option to decline before that transfer takes place.

Note that, where we have a contract with your organisation for provision of data maturity assessment services we may share the information you provide to us with other members of your organisation. Your employer will tell you in advance if this is the case and will explain to you what they intend to use this information for if different from the purposes set out in this policy.

Your rights

Under certain circumstances you may request that your personal data be copied, transferred, erased, rectified, amended, or completed. Under certain circumstances you may also object to our processing your personal data and restrict our processing of your personal data.

Your right to complain

If you believe that we have mishandled your personal data, please let us know as soon as possible with as much detail as you can provide at the time. You have the right to lodge a complaint with the UK’s supervisory authority for personal data: the Information Commissioner’s Office (ICO). You can report a concern here (but we ask that you try to contact us first, so that we can try to resolve your complaint without the need to escalate it to the ICO).

Your right to access

You may contact us at any time to ask for a copy or summary of the personal data we hold about you. Please contact us to request this.

Although we may require you to provide proof of your identity in advance, we will aim to respond to your request within one month and we will provide the information without any charge unless we consider your request to be more significant or complex but only where we are legally allowed to charge you.

Your right to erasure

You may request that we destroy the personal data that we hold about you, provided that there is no legitimate reason for us continuing to hold it. If you want us to stop sending you marketing then it may be better to ask us to apply a suppression to your account rather than deleting your information as this may be best to avoid unwanted marketing in the future. If we delete all record of your email address then we won’t know not to contact you in case we collect that email address again in the future for any reason. Please contact us to request this or to find out more about your rights.

How to change your preferences

Every e-mail we send from Mailchimp contains a quick and easy unsubscribe link in its footer. When you unsubscribe from a newsletter managed via Mailchimp, your details remain on the list of past recipients. This is a measure to prevent circumstances such as a member of staff accidentally manually re-adding you e.g. where you attend one of our events. Mailchimp states: “As a compliance measure, subscribers who unsubscribe themselves can’t be deleted from your list.” However, provided you are still a subscriber at the point when you contact us, on request your details can be permanently removed from the list although this may mean that you could receive further marketing under some circumstances as described above – please get in touch if you would like this to happen.

Mailchimp may continue to process some of your data after our agreement with you ends. You can request that Mailchimp delete your information in compliance with the GDPR by using their privacy rights requests system or otherwise contacting them in accordance with their privacy policy as set out above.

Privacy compliance

Our privacy policy is designed to be compliant with Data Protection Laws which apply to UK and EU data subjects, including but not limited to the following laws as they are amended or replaced over time:

• The UK Data Protection Act 2018

• The General Data Protection Regulations 2016/679 (GDPR)

• The UKGDPR

• The Privacy and Electronic Communications regulations (PECR) which relate to direct marketing.

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this website. This privacy policy was last updated on 9th April 2024.

Contact us about our privacy policy

If you have an enquiry or concern about our privacy policy, please contact us at info@dataorchard.org.uk or by phone Mon-Fri 9am-5pm on 01432 800523.

If you are not satisfied with our response to your concern you may wish to contact Information Commissioner’s Office (ico.gov.uk).