Tai Pawb is committed to protecting your personal information and respecting your privacy. We will only use your personal information in ways that are lawful, fair and transparent.
This notice applies to personal information we collect about:
- visitors to our website;
- people who sign up to our mailing list or other communications;
- people who book onto or attend our events, training or webinars;
- people who contact us by email, phone, website form or social media; and
- people who otherwise engage with us online.
This notice may be updated from time to time. The latest version will be available on our website.
Who we are
We’re Tai Pawb. A registered charity, number 1110078 and a company registered at Companies House in Wales with the company registration number 05282554.
Address: Trident Court,. Mariners House,. East Moors Road,. Cardiff. CF24 5TD.
You can contact us using details on this website, or speak to our Data Protection contact, Alicja Zalesinska.
We are registered with the Information Commissioner’s Office (ICO) in the UK, reference Z9078718.
What personal information means
Personal information means any information relating to an identified or identifiable living person. This may include your name, email address, phone number, organisation, job title, IP address, online identifiers, booking details or information you provide when you contact us.
Some information is classed as “special category data” because it is more sensitive. This can include information about health, disability, ethnic origin, religion or belief, or other protected characteristics. We will only collect this type of information where necessary and where we have a lawful basis and an additional condition under data protection law.
Personal information we collect
The information we collect depends on how you interact with us.
Website visitors
When you visit our website, we may collect:
- IP address;
- browser type and version;
- device type;
- operating system;
- pages visited;
- date and time of visit;
- referring website;
- cookie preferences (if applicable); and
- information about how people use our website.
Some technical information may be collected automatically when you use our website. For information about the cookies and similar technologies used on our website, please see our Cookie Policy.
Mailing list subscribers
If you sign up to receive our newsletter, updates or event information, we may collect:
- name;
- email address;
- organisation;
- job title or role;
- communication preferences;
- areas of interest;
- IP address; and
- information about whether you open or click links in our emails.
Event, training and webinar participants
If you book onto or attend one of our events, training sessions or webinars, we may collect:
- name;
- email address;
- phone number;
- organisation;
- job title or role;
- booking details;
- payment or invoicing information, where relevant;
- attendance information;
- dietary requirements;
- access requirements; and
- any other information you choose to provide in connection with the event.
Dietary or access requirements may include special category data, for example health, disability or religious information. We collect this only where needed to support your participation and we will not use it for unrelated purposes.
People who contact us
If you contact us by website form, email, phone, post, social media or another channel, we may collect:
- name;
- contact details;
- organisation;
- job title or role;
- details of your enquiry;
- any information you include in your message; and
- records of our communications with you.
How we collect personal information
We collect personal information directly from you when you:
- complete a form on our website;
- sign up to our mailing list;
- book onto an event or training session;
- contact us with an enquiry;
- respond to a survey or consultation;
- interact with our emails or online communications; or
- otherwise provide information to us.
We may also collect limited technical information automatically when you use our website. Where this involves cookies or similar technologies, more information is provided in our Cookie Policy.
Mailchimp
We only use personal information where we have a lawful basis under UK data protection law.
Purpose | Type of information | Lawful basis |
|---|---|---|
To operate, secure and manage our website | Technical information generated when people use our website, such as IP address in hosting or server logs, browser and device information, pages requested, date and time of access, error logs and security events. | Legitimate interests, namely operating a reliable website, keeping our website secure, preventing spam, abuse and cyber-attacks, and resolving technical issues. |
To understand and improve how people use our website | Privacy-friendly analytics information from Plausible, such as pages visited, referring website, browser, device type, general location information and aggregated website statistics. Plausible does not use cookies or track visitors across other websites | Legitimate interests, where UK data protection law applies, namely understanding how our website is used and improving our website, content and services. |
To respond to enquiries | Name, contact details, organisation, enquiry details | Legitimate interests, namely responding to people who contact us. In some cases, contract or steps before entering into a contract |
To send newsletters, updates and information about our work | Name, email address, organisation, preferences, engagement data | Consent, or legitimate interests where we rely on a lawful soft opt-in or other lawful basis for charity communications |
To promote events, training and activities connected with our charitable purposes | Name, email address, organisation, preferences, engagement data | Consent, or legitimate interests where the charitable purposes soft opt-in or another lawful basis applies |
To manage event, training or webinar bookings | Name, contact details, organisation, booking details, attendance details | Contract, steps before entering into a contract, or legitimate interests in managing our events and services |
To provide access support or meet dietary requirements at events | Access needs, dietary requirements and related information | Explicit consent, or another applicable special category condition where relevant |
To process payments, invoices and financial records | Name, organisation, billing details, payment records | Contract, legal obligation and legitimate interests in managing our finances |
To monitor and improve our communications | Email open rates, link clicks and engagement information | Legitimate interests, namely understanding the effectiveness of our communications |
To keep records and manage our organisation | Contact details, correspondence, transaction records and related information | Legal obligation and legitimate interests in good governance and administration |
To comply with legal, regulatory or safeguarding obligations | Relevant personal information depending on the obligation | Legal obligation, public task where applicable, vital interests or legitimate interests depending on the circumstances |
To establish, exercise or defend legal claims | Relevant personal information depending on the matter | Legitimate interests and, where special category data is involved, legal claims |
Where we rely on legitimate interests, we consider whether our interests are overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests in certain circumstances.
Where we rely on consent, you can withdraw your consent at any time.
Marketing and charity communications
We may use your contact details to send you newsletters, updates, event information, training opportunities, consultation opportunities or information about Tai Pawb’s charitable work.
We will only send electronic marketing communications where the law allows us to do so. This may be because:
- you have given consent;
- you have signed up to receive our communications;
- you have expressed an interest in or supported Tai Pawb’s charitable purposes and the charity soft opt-in applies; or
- another lawful basis or exemption applies.
Where we rely on the charity soft opt-in, we will only do so where the legal conditions are met. This includes giving you a clear opportunity to opt out when we collect your details and in every subsequent message.
You can unsubscribe or opt out at any time by:
- clicking the unsubscribe link in our emails;
- contacting us; or
- using any other opt-out method provided in the communication.
We may keep a suppression record of your email address if you opt out, so that we do not contact you again for marketing purposes.
Special category data
We may occasionally collect special category data, for example where you provide access requirements, dietary requirements, equality monitoring information, or information relevant to a consultation, event or enquiry.
We will only use special category data where:
- it is necessary for a specific purpose;
- we have a lawful basis under UK GDPR; and
- we have an additional special category condition, such as explicit consent, substantial public interest, legal claims, or another condition that applies in the circumstances.
Where you provide access or dietary requirements for an event, we will use that information only to support your participation and will delete it when it is no longer needed.
Who we share personal information with
We do not sell your personal information.
We may share personal information where necessary with:
Supplier/system | What we use it for | Personal information involved |
|---|---|---|
Beacon | Managing contacts, membership, relationships, events, communications and organisational records. | Name, contact details, organisation, role, communication
preferences, event or service engagement, correspondence and related records.
Beacon privacy policy: https://www.beaconcrm.org/legal/privacy |
Bevan and Buckland | Audit, accountancy, tax, payroll and financial advice or support. | Audit, accountancy, tax, payroll and financial advice or support. |
Microsoft 365 | Email, documents, calendars, Teams meetings, internal administration and file storage. | Information contained in emails, documents, meeting records, contact records and internal organisational files. Microsoft privacy statement: https://www.microsoft.com/en-gb/privacy/privacystatement |
Mailchimp | Mailing lists, newsletters and email updates. | Name, email address, organisation, preferences and email engagement information. Mailchimp legal and privacy information: https://mailchimp.com/legal/ |
Plausible | Privacy-friendly website analytics. | Aggregated website usage information, such as pages visited, referral source, browser, device type and general location information. Plausible does not use cookies or track visitors across other websites. Plausible data policy: https://plausible.io/data-policy |
Ethical Pixels® | Website design, development, hosting, maintenance and support. | Website technical information, website enquiry information and any personal information they may need to access when supporting or maintaining the website. Ethical Pixels privacy policy: https://www.ethicalpixels.com/privacy/ |
Orbits IT | IT support, systems maintenance, cyber security support and technical troubleshooting. | Information contained in emails, files, devices, user accounts, support requests and other systems where access is is needed to provide IT support. Orbits IT privacy policy: https://www.orbitsit.co.uk/privacy-policy/ |
Zoom | Online meetings, webinars, training and events. | Name, contact details, organisation, registration details, attendance information, meeting participation information and any information shared during online sessions. Zoom privacy statement: https://www.zoom.com/en/trust/privacy/privacy-statement/ |
Stripe / payment provider | Processing payments, invoices, bookings or donations where applicable. | Name, contact details, billing details, transaction details and payment-related information. Stripe privacy policy: https://stripe.com/privacy |
Funders or partners, where necessary and lawful; | Delivering, funding, evaluating, reporting on or collaborating on our charitable activities, projects, events, training, research or policy work. | Information relevant to the specific activity or partnership. This may include name, contact details, organisation, role, attendance or participation information, project involvement, feedback, monitoring information, case studies or correspondence. |
Regulators, public authorities or law enforcement bodies, where required or permitted by law; | Complying with legal, regulatory, safeguarding, governance, audit or law enforcement requirements. | Relevant information depending on the request or obligation. This may include contact details, correspondence, records of involvement with us, financial or governance records, safeguarding information, or other information we are legally required or permitted to share. |
We only share the personal information necessary for the relevant purpose. Where we use suppliers to process personal information on our behalf, we require them to protect it and only use it in line with our instructions.
Mailchimp and email communications
We use Mailchimp to send newsletters, updates and event communications.
Mailchimp helps us manage our mailing lists, send emails, process unsubscribes and understand how people interact with our communications, such as whether emails are opened or links are clicked.
You can unsubscribe from Mailchimp emails at any time by clicking the unsubscribe link in the email or by contacting us.
For more information about how Mailchimp handles personal information, please see Mailchimp’s Data Security and Privacy page.
International transfers
Some of our suppliers may process personal information outside the UK. This may include cloud, email, website, analytics, event or mailing list providers.
Where personal information is transferred outside the UK, we will make sure appropriate safeguards are in place, such as:
- a UK adequacy decision;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses; or
- another lawful transfer mechanism.
You can contact us if you would like more information about international transfer safeguards relevant to your personal information.
How long we keep personal information
We will only keep personal information for as long as necessary for the purpose for which it was collected, including to meet legal, accounting, audit, reporting or regulatory requirements.
Our usual retention periods are:
Type of information | How long we usually keep it |
|---|---|
Website analytics information | No personally identifiable information is collected by the service we use, which is privacy-friendly. The information we collate is anonymous and is stored by the service indefinitely. |
Website security logs | Up to 12 months, unless needed to investigate an incident or protect the security of our systems. |
Contact form enquiries | Up to 3 years after the enquiry is resolved, unless we need to keep it longer because of an ongoing relationship, complaint, legal matter, safeguarding concern or other justified reason. |
Mailing list information | We keep mailing list information in our CRM, Beacon and Mailchimp for as long as you remain subscribed (Mailchimp) or continue to have an active relationship with Tai Pawb (Beacon), for example as a member, supporter, stakeholder, partner, professional contact or event participant. If you unsubscribe or withdraw consent, we will stop sending you marketing communications and may keep a minimal suppression record to make sure we respect your preferences. |
Suppression records for people who opt out | As long as necessary to make sure we respect your opt-out and do not contact you again for marketing purposes. |
Event booking and attendance records | We keep event booking and attendance records in our CRM, Beacon, for as long as we have an active relationship with you, for example as a member, supporter, subscriber, stakeholder, partner, professional contact or regular event participant. This helps us manage our relationship with you, understand engagement with our charitable work, avoid duplicate records and provide relevant updates. Where the relationship ends, we will review the record and delete, anonymise or minimise the personal information unless we need to keep it for finance, audit, reporting, legal, complaints, safeguarding or suppression purposes. |
Dietary or access requirements for events | Deleted as soon as no longer needed, usually shortly after the event, unless there is a clear ongoing reason and lawful basis to keep the information. |
Invoices, payments and accounting records | Usually 6 years from the end of the financial year to which they relate, or longer if required by law. |
Data protection rights requests and complaints | Usually 6 years after the matter is closed, unless a shorter or longer period is justified. |
Legal, regulatory or safeguarding records | As long as necessary for the relevant legal, regulatory or safeguarding purpose. |
We periodically review CRM records and delete, anonymise or minimise personal information that is no longer needed.
We may keep anonymised information for longer, where individuals can no longer be identified from it.
When personal information is no longer needed, we will securely delete, destroy or anonymise it.
Cookies and similar technologies
Our Cookie Policy explains the cookies and similar technologies used on our website, including what they do, how long they last and how you can manage your choices.
How we protect your personal information
We take appropriate technical and organisational measures to protect personal information from loss, misuse, unauthorised access, alteration, disclosure or destruction.
These measures may include:
- access controls;
- secure systems and passwords;
- staff training;
- data protection policies and procedures;
- supplier checks and contracts;
- secure storage;
- back-up and recovery arrangements; and
- procedures for dealing with data breaches.
No method of transmission over the internet is completely secure. However, we take reasonable steps to protect personal information and to reduce the risk of unauthorised access or loss.
Links to other websites
Our website may contain links to other websites. This privacy notice does not apply to those websites.
We are not responsible for the privacy practices of other organisations. We encourage you to read the privacy notices on any other websites you visit.
Your data protection rights
You have rights in relation to your personal information. These rights may include:
- Right of access: to ask for a copy of the personal information we hold about you.
- Right to rectification: to ask us to correct inaccurate or incomplete information.
- Right to erasure: to ask us to delete your personal information in certain circumstances.
- Right to restriction: to ask us to restrict how we use your personal information in certain circumstances.
- Right to data portability: to receive certain information in a structured, commonly used and machine-readable format.
- Right to object: to object to certain uses of your personal information, including direct marketing and processing based on legitimate interests.
- Right to withdraw consent: where we rely on consent, you can withdraw it at any time.
- Rights relating to automated decision-making: to challenge decisions made solely by automated means where they have legal or similarly significant effects.
These rights do not apply in every situation. We may need to ask for information to confirm your identity before responding to a request.
To exercise your rights, please contact us. We will respond to your request within the required legal timeframe, usually within one month.
Data protection complaints
If you have a concern about how we use your personal information, please contact us first so that we can try to resolve it.
We will acknowledge data protection complaints within 30 days. We will consider the complaint without undue delay, keep you informed, and let you know the outcome.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office.
Information Commissioner’s Office
Website: www.ico.org.uk
Phone: 0303 123 1113
We are registered with the Information Commissioner’s Office (ICO) in the UK, reference Z9078718.
Do you have to provide personal information?
You do not have to provide personal information to use most parts of our website.
However, if you choose not to provide certain information, we may not be able to:
- respond to your enquiry;
- send you newsletters or updates;
- process an event booking;
- provide access support at an event;
- issue invoices or receipts; or
- provide the service or information you have requested.
Automated decision-making
We do not use your personal information to make decisions about you based solely on automated processing that have legal or similarly significant effects.
Changes to this privacy notice
We may update this privacy notice from time to time to reflect changes in our work, our website, legal requirements or guidance.
The latest version will be available on our website. Where changes are significant, we may take additional steps to bring them to your attention.
Contact us
If you have any questions about this privacy notice or how we use personal information, please contact us.