Last updated: 24 May 2021
We track/store only what is essential for reporting to funding bodies (mainly Arts Council England as part of applications and evaluations), and for clients who pay for advertisements on our website (mainly arts organisations in the North of England). Specifically, we use Analytics to track page visits and advert click throughs, and to indicate the broad geographic location of visitors. Personal data gathered through the website is only shared with our hosting provider Stablepoint and the security platform WordFence, and pseudonymous personal data is shared with Google Analytics. Newsletter signups are shared with MailChimp.
What data is collected and why?
Personal data is also known as personal information, personally identifying information (PII), or sensitive personal information (SPI). It refers to any information that may be used to identify a person such as a name or IP address.
We collect personal data primarily on the lawful basis of legitimate interest. More specifically, we use it to ensure we are meeting our projected engagement numbers, which are essential to our ongoing sustainability as a small, not-for-profit arts organisation without regular funding. When legitimate interest does not suffice, for example in the collection of email addresses for our e-newsletter, we do so on the lawful basis of consent. The nature of the collected data, how the data is used, who the data is shared with, and how long the data is retained is outlined below.
Web Hosting & Server Logs
Embedded content from other websites
We use Wordfence to configure a firewall, block malicious traffic, give immediate alerts in the event of malicious activity, and enforce strong passwords. These features are essential in maintaining the security of this website and in protecting personal data. Selected personal data including visitors’ IP addresses and accessed URLs is collected and sent to Wordfence so that they may accurately administer their security services. Wordfence is located at Defiant, Inc, 800 5th Ave, Suite 4100, Seattle WA 98104, USA. For further information, please see Wordfence’s GDPR policies and their Data Processing Agreement.
We use Google Analytics as our primary analytics provider. We configured Google Analytics to anonymize IP addresses, and we deliberately disabled Data Collection for Advertising Features, Demographics and Interest Reports, User-ID, and all data-sharing settings.
Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our website, we may collect information from you automatically through cookies or similar technology. For further information, visit allaboutcookies.org.
How long we retain your data
Personal information provided when signing up to our newsletter is retained indefinitely. If you unsubscribe, you will no longer receive newsletters from us but we will retain your contact details. If you would like your contact details to be deleted, please get in touch so that we can do this for you.
Personal information provided by registered users of the website is stored in the relevant user profile indefinitely. All users can see, edit, or delete their own personal information at any time. Users cannot change their username but are welcome to get in touch with a website administrator if they wish to do so. Website administrators may also see and edit users’ personal information.
Google Analytics data is stored for 26 months.
How we protect your data
Wherever possible, we follow WordPress’s guidance regarding security and complete all CMS and plugin updates as soon as is feasible. We also use Wordfence for more advanced security features. We avoid transmitting passwords in plain text formats such as spreadsheets, text files, or emails whenever possible.
Data breach procedures
If there is a data breach where personal data may have been compromised, we will get in touch with the affected users where possible and will post an update on this site to let past and future visitors know the nature of the breach and what data may have been involved. Where feasible, we will do so within 72 hours of becoming aware of the breach. We will also report the breach to the relevant supervisory authority where required.
What rights you have over your data
- The right of access: Get in touch and we will provide you with an exported file of any data we hold about you, including data you have provided to us, and we will direct you to the third-party services listed above if your data may be held by them. If you have a WordPress account on this site, you can log in and access your account data at any time.
- The right to rectification: If there’s any personal data about you that should be corrected by us, please let us know and we will do our best to correct it.
- The right to erasure, a.k.a. the “right to be forgotten”: Let us know and we will delete all your personal data that we store and will direct you to the third-party services listed above if your data may be held by them. If you have a WordPress account on this site, you can delete your account at any time. If you have commented on the site or we hold your data for any other reason, you can request that we erase any personal data we hold about you. Please note that we cannot remove or erase data that we are obliged to keep for administrative, legal, or security purposes.
- The right to restrict processing: If you would like to restrict or suppress the processing of any data we hold about you, get in touch and we will work with you to accommodate this.
- The right to data portability: We will give you an exported copy of your data that we hold so that you can provide it to another service.
- The right to object: You have the right to file a complaint regarding our collection and use of your data. Please tell us first so that we have a chance to address your concerns. If we fail in this, you can address any complaint to your local data protection authorities.
Questions & Feedback