This Privacy Notice describes how we respect privacy when we deal with personal information collected by our organisation (Deeside Bike Collective). It explains what personal information we collect, why we collect it and how we secure it and use it. If you have any comments or questions about this privacy notice, feel free to contact us at firstname.lastname@example.org. Our website address is https://www.deesidebikecollective.co.uk.
1. Personal data that we collect and why we collect it
The following list explains the types of data we collect and the legal basis, under current data protection legislation, on which this data is processed.
|Purpose||Data Type||Legal basis|
|Managing registered website users and Members||Name, email address, date of birth, postcode, join date and other information you share in your profile’s “About You” field, on the Join Us or Edit Profile form.||Consent: you have actively consented via signing up to become a member through our website|
|Communicating with members who have subscribed to email updates||Name, email address, date of birth, membership details, postcode and mailing preferences shared with us within your member profile (as above) and/or email list signup form (via Mailchimp)||Consent: you have actively consented by signing up to receive the emails. Sharing this information with Mailchimp enables us to customise our communications where necessary, to help improve the relevance and effectiveness of our communications with our members.|
|Responding to enquiries about our organisation, its work or events||Name, email address, any other information you share in the Contact Us form on this website or send to us via email||Legitimate interests: it is necessary for us to read and store your message so that we can respond in the way that you would expect|
|Organising events/volunteering||Name, email, phone number, emergency contact information, other specific information relevant to the event.||Legitimate interests: it is necessary for us to store your contact details to contact you quickly or in an emergency and to pass your details on to the event organiser(s).|
|Processing donations via our fundraising page or PayPal through the website||Name, email, payment information||Legitimate interests: this information is necessary for us to fulfil your intention of donating money and your expectation of receiving a confirmation message|
|Promoting the cause and applying for funding||Anonymised and aggregated data regarding our members||Legitimate interests: in order to evidence the level of support we have from the community, our Administrator or Members Manager may access membership data and share it in an appropriately anonymised format.|
IP address, the attempting user’s email address/username and browser agent, as well as all IP-related HTTP headers attached to the attempting user may be recorded for login attempts, password reset requests and comment submissions
|Legitimate interests: Necessary cookies may be used, for example, to temporarily store information about a booking in progress as well as any error/confirmation messages whilst submitting or managing your events or event bookings. Stored information may be used to block malicious attempts to hack into users’ accounts or destabilise the website. Data stored is deleted after 30 days or 100 entries, which is deemed the minimum necessary for preventing and/or investigating a security breach. Users have access to erasure or export of data associated with their user name.|
|Providing authentication services and app-based publishing||Nextend Social Login collects data when a visitor registers, logs in or links their account with any of the enabled social providers (Google or Facebook). It collects the following data: email address, name, social provider identifier and access token. JetPack Connect (used by authors & editors only) requires sharing of: WordPress.com-connected site ID, Jetpack active/inactive status, Jetpack version, locale/language, title, URL, and icon. Additionally, for activity tracking by JetPack: IP address, WordPress.com username, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.||Consent: Users consent to these terms when they join the website and are reminded again of the terms when they activate these services. Users cannot access the authentication services until they have an existing account on the website and have agreed to our terms and privacy notice.|
|Sharing information with the public about the team||Name, email address, join date and other information you share in your profile’s “About You” field, on the Join Us or Edit Profile form.||Consent: Core and Trustee members can opt in to sharing their profile publicly on the website.|
2. How we use your data
We will only use your data in a manner that is appropriate considering the basis on which that data was collected, as described in the table in section 1. For example, we may use your personal information to:
● reply to enquiries that you send to us;
● handle donations or other transactions that you initiate;
● where you have specifically agreed to this, send you communications by email relating to our work and events which we think may be of interest to you.
3. When we share your data
We will never sell your data or pass it on for commercial gain in any way.
We will only pass your data to third parties in the following circumstances:
● you have provided your explicit consent for us to pass data to a named third party;
● for the purposes of a third party processing data on our behalf where we have in place data processing agreements with those third parties which fulfil our legal obligations in relation to the use of third party data processors;
● we are required by law to share your data.
3.1. Data Processors
We will only pass data to third parties outside of the EU where appropriate safeguards are in place in accordance with EU/UK Law through the adoption of Standard Contractual Clauses. These are usually incorporated into the contractual terms for the service, making them binding terms for the data processor.
- We use Google Cloud Platform for internal organisation, receiving and sending emails, document storage and website login authentication (if users choose to log in with Google). Google Cloud may transfer your data outwith the EU in accordance with their Terms and EU Standard Contractual Clauses and we have a signed Data Processing Agreement with Google Cloud. Find out more about GDPR and Google Cloud.
- This website uses embedded Google services such as Analytics, Maps, and YouTube which use your web browser to send certain information to Google. This includes the URL of the page that you’re visiting and your IP address. We have taken steps to anonymise your IP address where possible (such as in Google Analytics reporting) in line with the principle of data minimisation. Google may also set cookies on your browser or read cookies that are already there. Find out more about how Google uses information from sites or apps that use their services.
- If you request a password reset, your IP address will be included in the reset email so that you can see if someone else is trying to gain access to your account.
- Nextend Social Login stores the personal data on your site and does not share it with anyone, except the access token, which is used for the authenticated communication with the social providers (Google Cloud and Facebook).
- WordPress.com provides two services. JetPack Connect for content editing via an app is described above. Brute Force Protect by JetPack is switched on when the website is under a sustained brute force login attack. It monitors attempts to access the site and blocks IP addresses known for malicious activity before they even get access to the website. WordPress.com have provided a signed DPA. Other than the number of attempts blocked, visitors’ data is not stored.
4. How long we retain your data
We take the principles of data minimisation and removal very seriously and have internal policies in place to ensure that we only ever ask for the minimum amount of data for the associated purpose and delete that data in a timely manner once it is no longer required.
Member and Registered User data is retained in our website’s database indefinitely whilst the membership remains active. Data can be exported or removed upon a user’s request using the Download Your Data or Erase Your Data tools in your Privacy Settings (visit our Privacy Centre for help with this). Members who opt in to email communications will have their data passed to MailChimp via the Ultimate Member MailChimp extension. Data is retained by MailChimp until you have unsubscribed from the mailing list or deleted your profile from the website, upon which your data is erased by MailChimp.
Event registration data for logged in website users entered via the website is stored in the same way as Member and Registered User data.
Event Registration data entered via the website will be stored on this website and may be transferred to our secure online cloud storage and managed in the same way as described below.
Events-related and volunteering information will be stored in a secure online cloud storage system such as Google Drive. Once relevant information is no longer required, it will be erased within 28 days (or sooner if requested by the data subject as detailed below).
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
5. What rights you have over your data
You have a range of rights over your data, described here:
You have a right to be informed about how your data is used. That is what this document is for.
You have the right of access to your information. If you have an account as a member on our site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. For members, this is provided in a format which allows the possibility of data portability. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes. You can find information about and links to the relevant tools on the Privacy Centre Page.
You have the right to ask for rectification and/or erasure of your information. See the relevant links on the Privacy Centre Page.
Where data processing is based on consent, you may revoke your consent or object to data processing at any time and we will make it as easy as possible for you to do this (for example by putting ‘unsubscribe’ links at the bottom of all our emails). You can limit how much data you share with us down to the minimum data set required for membership / comment verification.
You have the right to lodge a complaint with the Information Commissioner if you feel your rights have been infringed. A full summary of your legal rights over your data can be found on the Information Commissioner’s website here: https://ico.org.uk/
If you would like to access the rights listed above, or any other legal rights you have over your data under current legislation, please refer to information in the Privacy Centre, and Contact Us if you require any guidance. Please note that relying on some of these rights, such as the right to delete your data, will make it impossible for us to continue to deliver some services to you such as counting you as a member or including you in our email newsletters. However, where possible we will always try to allow the maximum access to your rights while continuing to deliver as many services to you as possible.
7. Website specifics
This website uses SSL technology to encrypt data sent to and from the website. We have implemented privacy-friendly measures to prevent unauthorised logins (“I’m a human” check box on login). Backups are stored as securely as the rest of our organisation’s data. We use a managed hosting solution to provide additional security features such as monitoring and automatic updates. Username and password complexity requirements, fine-grained permission settings, and modified login, join and password reset pages bolster user authentication and access control. Administrators, editors and the small number of users who require access to members’ information are required to use 2-factor authentication to log in to the website, mailing list system and hosting configuration interfaces, and access to FTP and the database is tightly controlled. Access attempts and potential security hazards are monitored and alerts are sent to the website administrator, who actively manages risks, keeping software updated and locking out users exhibiting suspicious activity.
The website will attempt to resize images and remove EXIF data on upload to protect your privacy, but if you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS).
6. Cookies & usage tracking
8. Events Manager, Event Bookings, Volunteering and Google Maps
We collect and store information you submit to us when making a booking, for the purpose of reserving your requested spaces at our event and maintaining a record of attendance. This information may be shared with the relevant event organiser(s).
We may modify this Privacy Notice from time to time and will publish the most current version on our website. If a modification meaningfully reduces your rights, we’ll notify the people whose personal data we hold and who are affected.