This Privacy Policy applies to information we, St Sidwell’s Community Centre, collect about individuals who interact with our organisation. It explains what personal information we collect and how we use it.
If you have any comments or questions about this notice, feel free to contact us at manager@stsidwells.org.uk. This policy was last updated in November 2025.
1. Personal data that we process
We collect and process personal data only where we have a lawful basis under Article 6 of the UK GDPR. The table below sets out the purposes, the data involved, and the lawful basis:
| Purpose | Data (key elements) | Lawful Basis |
| Enquiring about our organisation and its work (email, online form, phone, in person) | Name, email and/or phone, message | Legitimate interests – necessary to respond to your enquiry in the way you would reasonably expect. |
| Subscribing to email updates | Name (optional), email | Consent – freely given, specific, informed and unambiguous. You may withdraw consent at any time. |
| Making a donation | Name, email, address, payment information, tax status for Gift Aid | Payment processing and confirmation – Name, email, address, payment information: processed under our legitimate interests, as this is necessary to fulfil your donation and provide confirmation. Gift Aid records – Name, address, tax status: processed under our legal obligation, as required by HMRC for Gift Aid claims. |
| Volunteering | Name, email, address, emergency contact, medical information you choose to share | Legitimate interests – necessary to support you in volunteering and ensure appropriate conditions. Special category data (e.g. health, mental health and wellbeing information) will only be processed with your explicit consent, or where necessary to comply with legal obligations relating to health and safety or safeguarding. |
| Signing up as a member | Name, email address, address, skills and knowledge you are willing to share with St Sidwell’s. | Contract – necessary to fulfil our membership terms and conditions. We invite members to share skills or knowledge they are willing to contribute. This is processed under our legitimate interests to support community activities. You are not obliged to provide this information. |
| Booking a room | Name, email, invoice address, phone number | Contract – necessary to fulfil our booking terms and conditions. |
| Booking for an event | Name, email, phone number, dietary requirements | Legitimate interests – necessary to process your booking and meet your expectations. If the event is free to attend then the lawful basis is legitimate interest. A paid event will use contract as the lawful basis. |
2. How we use your data
We will only use your personal data for the purposes stated above and in line with the lawful basis. We do not use automated decision-making or profiling.
3. When we share your data
We will only share your data:
- where required by law (e.g. HMRC for Gift Aid);
- with your consent (e.g. if you ask us to share details with another organisation);
- with trusted third-party processors under written contracts compliant with Article 28 UK GDPR (e.g. cloud service providers). If data is transferred outside the UK, appropriate safeguards under UK GDPR will be applied.
4. How long we keep your data
We retain personal data only for as long as necessary, in line with our Register of Systems and legal obligations. Examples:
- Personnel and volunteer records: Core records will be retained for 6 years after engagement ends, in line with the statutory limitation period for most legal claims.
- Financial records: minimum 6 years from end of financial year. 10+ years for meeting minutes.
- Safeguarding records: 10 years for adults, until age 25 for children (or longer if legally justified).
- DBS certificate details: retained for audit purposes, but certificate itself destroyed within 6 months.
5. Your rights
Under UK GDPR, you have the following rights:
- Access – to request a copy of your personal data.
- Rectification – to correct inaccurate or incomplete data.
- Erasure – to request deletion of your data (subject to legal obligations).
- Restriction – to limit processing in certain circumstances.
- Data portability – to receive and transfer your data.
- Objection – to processing based on legitimate interests or direct marketing.
- Withdraw consent – where processing is based on consent.
Requests will be handled within one month (extendable by two months for complex cases). Identity verification may be required. If we refuse a request, we will explain why and inform you of your right to complain to the ICO.
6. Cookies & usage tracking
We use cookies to improve website functionality and collect anonymous usage statistics via Google Analytics. These do not identify individuals. You can manage cookies through your browser settings. For more information, see Google’s privacy policy.
7. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with us using the following details. If you are unhappy with ourt response you have the right to complain to the ICO.
Data Controller (Charity): St Sidwell’s Centre Exeter
Operating Name: St Sidwell’s Community Centre
Address: St Sidwell’s Centre, Sidwell Street, Exeter, EX4 6NN
Contact Email: manager@stsidwells.org.uk
8. Modifications
We may update this Privacy Notice from time to time. The latest version will always be published on our website. If changes significantly affect your rights, we will notify you directly where possible.