Climbing Out Of Depression (also referred to as “COOD”) is committed to protecting your privacy. This policy explains when, how and why we use your personal data, to ensure you are informed and in control of your information.
The UK General Data Protection Regulation (“UK GDPR”), UK Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) govern how we process your personal data and how we can communicate with you. We rely on you giving us your consent about how we can contact you in connection to marketing. Our policies allow you to choose if and how you want to receive communications from us (e.g. phone, email, text, post). We may use other lawful grounds for processing your personal data, depending on the relationship we have with you (see Section 4).
If you have any questions about this policy or want to make changes to your privacy settings please email firstname.lastname@example.org
2. ABOUT US
Your personal data (e.g. any information which identifies you, directly or indirectly) will be collected and used by Climbing Out Of Depression (charity no. 1189274 in England) based at 122 Cardinal Avenue, Morden SM4 4SX.
Climbing Out Of Depression will be considered the controller for the purposes of data protection law.
3. WHAT INFORMATION WE COLLECT
Personal data you provide
We collect data you provide to us. This includes information you provide when you register to use the COOD services, make a donation, buy merchandise or communicate with us. Here are some examples:
Personal Details (e.g. name, email, phone, date of birth, address, etc.) when you register with us on our sign up form.
Financial Information (e.g. credit/debit card or direct debit bank details) and other relevant information such as whether donations are gift-aided.
Activity Related Information such as if you have climbed before, where and when you would like to climb and any relevant health conditions.
Information created by your involvement with COOD
Your activities and involvement with COOD will result in personal data being created about you. This could include details of the activities you have taken part in with us, how you’ve helped us by volunteering or donating, as well as when you engage with our social media or digital advertising.
If you decide to donate to us then we will keep records of when and how much you give.
Information from third parties
We sometimes receive personal data about individuals from third parties. We primarily receive personal data from the following third parties:
Referrals for service users. If you are referred to our service by your GP, healthcare provider or another charity, we will receive your name and email address from the referring party so that we can verify that you are receiving clinical care.
Feedback from instructors after sessions. If you use COOD’s services, we may receive, collect and retain feedback from climbing instructors after the sessions to improve our service users’ experience.
Safeguarding / Incident reports. If you use COOD’s services, we may receive incident reports from instructors, volunteers, or members of the public for safeguarding purposes.
Payment providers. If you make a donation, we will receive payment details from our payment service providers.
Sensitive personal data
Due to the nature of our work, we may collect and store special categories of personal data (or “sensitive personal data”), such as information relating to medical conditions, disabilities or ethnicity. We only collect this information with the explicit consent of the data subject or otherwise in accordance with the UK GDPR and the DPA 2018. For example, if a service user consents to such use, we use information concerning their medical conditions to ensure they receive the right support to take part in activities in a fun and safe way. Separately, if a member of our staff or one of our volunteers consents to such use, we may use information about their ethnicity to help the charity review its diversity and inclusion goals.
We may also receive sensitive personal data in our Safeguarding / Incident Report form. Where applicable, we will process such data in accordance with Schedule 1, Part 2, Section 18 of the UK Data Protection Act 2018 (Safeguarding of children and of individuals at risk).
Due to the sensitive nature of this kind of data, we take extra care when processing, storing and using it to ensure that your privacy is respected. We implement access permissions for sensitive data (e.g. medical information) so that it is only accessible to the limited number of people within COOD who need to see it.
Accidents or incidents
If an accident or incident occurs at one of our activities or events involving service users or staff (including volunteers) then we’ll keep a record of this (which may include personal data and sensitive personal data). This includes physical injury as well as any safeguarding incidents.
If you are a volunteer (whether specifically for COOD, or if you are helping us for other reasons - for example you work for another organisation that is running an event with us) then we may collect extra information about you (e.g. references, criminal records checks, etc.), in compliance with applicable laws. We process and store this information to comply with our legal obligations, and where necessary, to defend legal or insurance claims. You may also receive communications from us providing you with information about your duties as a volunteer.
4. HOW WE USE INFORMATION
We use your personal data in the following circumstances (or otherwise as set out in this policy):
As part of delivering our service, we process personal data for purposes such as:
Organising and booking our climbing sessions
Receiving donations (e.g. direct debits or gift-aid instructions)
Fulfilling orders (e.g. merchandise)
Maintaining databases of our service users, instructors, staff, volunteers and donors
In general, we will rely on either performance of a contract with you (if a contract exists), or our legitimate interests in providing our services and running COOD in order to process personal data for these purposes.
We may process your personal data to comply with a legal requirement, such as safeguarding, or to conduct legally-required background checks. We may also process your personal data to comply with our tax and financial regulatory obligations.
In exceptional circumstances, we may process personal data where it is necessary to protect an individual’s vital interests. For example, we may process data on this basis where we believe processing is necessary to intervene to protect someone’s life.
We use personal data to send out communications helping to promote COOD, it’s services and assist us with fundraising. These can include:
Updates and news about the charity
Options to donate
We will only send marketing messaging or promotions to you if you have provided consent to receive such communications. You can withdraw your consent at any time by sending an email to email@example.com
Analytics & Improving our Service
We use data collected from our supporters, donors and volunteers in the form of interactions and feedback to help us identify ways that we can improve our services and help more people.
This can also include analysing your use of our website. Please see Section 11 for information on how to control cookies.
5. DISCLOSING & SHARING DATA
We may share personal data with subcontractors or suppliers who provide us with services. For example, if you buy merchandise from COOD, your name and address will be shared with our delivery company.
Occasionally, where we partner with other organisations, we may also share information with them (for example, if you register to attend an event being jointly organised by us and another charity or business). We’ll only share information in compliance with applicable laws and we’ll make sure to notify you first.
We always require opt-in consent from users before we will send you any marketing or promotional material about COOD. This means you have the choice as to whether you want to receive these messages and are able to select how you want to receive them (e.g. by phone, email, text or post).
If at any time you decide that you no longer want to receive marketing communications or want to change how we contact you, please notify us by emailing firstname.lastname@example.org
What does ‘marketing’ mean?
Marketing can cover a variety of topics including;
Latest news about the charity
Upcoming or recent events
When you receive a communication, we may collect information about if/how you respond to or interact with that communication, and this may affect how we communicate with you in future.
As a charity, we rely on members of the public and businesses for donations and support. Where we have consent to do so, we may contact existing supporters of the charity or potential supporters to inform them of ways to donate, offer promotional merchandise or let them know about any new fundraising appeals.
Mental Wellbeing Data
When a user joins the service we give them the option to complete a version of The Warwick-Edinburgh Mental Wellbeing Scale (“WEMWBS”). This will also be periodically offered throughout the use of the service, for example after 4 sessions or after 6 months. Participation in these surveys is voluntary.
We conduct these surveys to allow us to understand if and how the service offered by the charity is benefiting the mental wellbeing of our users. This may involve us processing sensitive personal data about our users, which we will handle in accordance with the “Sensitive personal data” section under Section 3. When analysing this data we make sure to anonymise and/or aggregate responses to help protect individuals’ privacy. We do not share this data, at an individual level, with any third parties without prior written consent from the individual. These surveys allow us to prove the efficacy of our approach, and consequently can help us to obtain funding.
8. YOUNG PEOPLE
Information for Parents
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of children. We will only process your child’s personal data in accordance with applicable laws and regulatory guidance.
Media, Photographs and Stories
We want to encourage more young people to use our service. Part of this is to share their stories and photos through our website and social media profiles. For children under 18 we will need permission, in the form of an email, from their parent or guardian before we will share anything on our website and social media profiles.
Marketing and Fundraising
We do not deliberately target or send marketing communications to anyone under the age of 18. Similarly, we can only accept donations from adults of the age 18 and over.
9. HOW WE PROTECT DATA
Keeping your data safe from unauthorised access, whether from members of the charity or third parties, is of paramount importance to us. We have a number of protections in place, including;
We store all the personal data we process on a secure server with restricted user access. We implement access permissions so that sensitive data (e.g. medical information) is only accessible by a limited number of people.
We use the Secure Sockets Layer (“SSL”) protocol on all electronic forms on our website to encrypt the data transferred between your browser and our servers.
We protect all charity email accounts and logins with passwords and two-factor authentication.
We ensure that trustees, volunteers and instructors are vetted thoroughly, have a valid criminal background check and have read and understood their obligations under our Data Protection Policy.
Third-party payment providers handle all of our donation transactions. If you use a debit/credit card to donate or purchase merchandise on-line we will pass your credit card details securely to our payment provider. Other payment methods (e.g. GooglePay or ApplePay) are handled in a similar manner. COOD complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will never store card details.
We cannot guarantee the security of your home computer or the internet, and any online communications (e.g. information provided by email, forms or our website) are at the user’s own risk.
Where we store information
COOD’s operations are based in the UK. Where we transfer personal data out of the UK and into the EEA, this is pursuant to UK adequacy regulations. In addition, some organisations that provide services to us may transfer personal data outside of the UK & EEA.
For example, some of our systems use Google and Salesforce (including Slack) products. As US companies, it may be that using their products results in personal data being transferred to or accessible from the US. Where we transfer personal data to the US, we do so pursuant to appropriate safeguards, such as standard contractual clauses.
How long we store information
We will only use and store information for as long as it is required for the purposes for which it was collected, until you request that it is deleted, or as required by law. We never store payment card information.
10. KEEPING YOU IN CONTROL
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:
The right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request);
The right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
The right to have inaccurate data rectified;
The right to restrict our processing of your personal data;
The right to portability of your personal data; and
The right to object to our processing of your data, including for for marketing or profiling purposes.
Please keep in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
If you would like further information on your rights, acting on them or have any other questions about your data please email email@example.com
If you would like to make a complaint about COOD’s processing of your personal data, you can contact the UK Information Commissioner’s Office here.
11. COOKIES AND LINKS TO OTHER SITES
Links to other sites
Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites, but you can let us know if a link is not working by emailing firstname.lastname@example.org