Cardiff Artspace takes your privacy seriously. This privacy notice provides you with details of how we collect and process your personal data through your use of oue services and the website www.cardiffartspace.co.uk. This includes any information you may provide when you purchase a service, attend a class, sign up to the mailing list or contact us.
Cardiff Artspace is the data controller and is responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).
Our full details are:
Full name of legal entity: Kate Broadhurst trading as Cardiff Artspace
Email address: email@example.com
Postal address: Cardiff Artspace, Meanwhile House, Curran Embankment, Cardiff, CF10 5FX
We only collect and process personal data required to provide our services to you, whether that’s attending a course or workshop, hiring our space, or entering into a contract of employment.
This policy provides a breakdown of how we use this data. This information relates to our entire business, not just our website.
- WHAT DATA DO WE COLLECT ABOUT YOU
We may process certain types of personal data about you as follows:
- Identity Data: first name, last name, title, date of birth and photography.
- Contact Data: billing address, email address and telephone numbers.
- Financial Data: may include your bank account and payment card details.
- Transaction Data: details about payments between us.
- Technical Data: may include your internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access our website.
- Profile Data: may include your purchases or orders, your interests, preferences, feedback and survey responses.
- Usage Data may include information about how you use our website, products and services.
- Marketing and Communications Data: your preferences in receiving marketing communications from us.
We collect this data through a variety of methods including:
Direct interactions: You may provide data by filling in forms on our site (or in person) or by communicating with us by post, phone, email or otherwise, including when you:
- purchase our services;
- make an enquiry;
- subscribe to our mailing list;
- give us feedback
- attend a class in person
Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:
- analytics providers such as Google based outside the EU;
- contact information from Mailchimp, an automated marketing service provider based in the USA.
- contact, financial and transaction data from third party payment providers such as: Stripe and Paypal, both based in the USA.
- HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when legally permitted. The most common uses of your personal data are:
- Where we need to fulfil the contract between us - when you sign up to a course or workshop, hire our space, or enter into a contract of employment.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally, we do not rely on consent as a legal ground for processing your personal data, other than in relation to sending marketing communications to you via email and in some cases for photography. You have the right to withdraw consent to marketing or photography at any time by emailing us at firstname.lastname@example.org
We may process your personal data without your knowledge or consent where this is required or permitted by law.
When you sign up and attend a course or workshop at Cardiff Artspace you will be informed in writing that photographs are sometimes taken during classes. These photographs support our core business activities, enabling a record of classes and marketing content for future students who want to see what the experience of taking a class will be like. Photographs may be shared on our website, newsletters and social media channels. Photographs will be used for these purposes only and never associated with any other personal data. No names or other personal information will ever be published by Cardiff Artspace alongside photographs. You will be informed a second time, verbally when their class commences of photography taking place and the context in which these images may be used. You have the right to object and be able to opt out of any photography, either before or at any time after the image is captured. If photographs are going to be used in anyway other than the context stated (press/pr etc.) then additional consent will be sought from the individual in the image.
- WHO WE SHARE YOUR DATA WITH
We only share relevant personal data with other organisations where it is necessary to enable you to take part in our services, including where we use a service to manage your contract with us. We use the following third party services which act as ‘data processors’ to support our services and operations.
Shopify and Payment Gateways
Our website is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our services to you. Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover.
PCI-DSS requirements help ensures the secure handling of credit card information by our store and its service providers.
The direct payment gateways you can use via our website are:
Stripe - Shopify uses the 3rd party payment platform, Stripe (185 Berry Street Suite 550 San Francisco, CA 94107) to process credit and debit card transactions. By using the Stripe CheckOut you are agreeing to Stripe’s Connected Account Agreement, which includes the Stripe Terms of Service (collectively, the 'Stripe Services Agreement').
G-Suite by Google
We use G Suite for Business to help us administer many sides of our business. This includes GMail for email services and Google Drive for file storage. We also use Google Docs, Google Slides, Google Sheets, Google Contacts, Google Hangouts and Google Calendar.
These are online systems developed by Google (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043,USA). Personal data which you provide us when booking or taking part in a class may be stored in these systems to allow us to manage our services.
Google is committed to GDPR compliance across G Suite and Google Cloud Platform services. You can read more about their data processing terms for G Suite here.
Your data will be stored in Google's network of data centers. Information about the locations of Google data centers is available at: https://www.google.com/about/datacenters/inside/locations/index.html
You will only receive marketing communications from us if you have opted in by:
- filling in a sign up form on our website or in person; or
- if you provided us with your details when making a purchase and ticked the box at the point of entry of your details for us to send you marketing communications; and
- in each case, you have not opted out of receiving that marketing.
You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or OR by emailing us at email@example.com at any time.
Where you opt out of receiving our marketing communications, this will not apply to personal data provided to us as a result of a purchase, experience or other contact.
ShopSync synchronizes your information between Shopify and Mailchimp. The synchronization process requires transfer of information over a secure connection to servers hosted by Amazon Web Services in the United States.
Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.
Many of our third party service providers (listed above) are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
- Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
- Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between the Europe and the US.
Third party links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
- DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
When you contact us you will provide your Name, Email Address and Phone Number. We hold this information to respond to your enquiry and retain in case of any follow ups. Generally, if more than 6 months have passed since your last contact and you have not entered into any further engagement with us, then we will delete your data.
When you have entered into a contract with us
(be this booking a class, hiring our space or becoming a sub-contractor)
We will hold your data for the duration of our contractual agreement. Following this, we will hold onto this data for a period of 6 years. By law we have to keep basic information about our customers and contractors (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers or contractors for tax purposes. If you ask us to delete your information we will delete what we can but will not delete all of your data until this 6 year period has ended.
When you have subscribed to our mailing list
If you have consented to receive marketing emails from us, your name and email address will remain on our list until you unsubscribe which you can do at any time by contacting us or clicking the link to unsubscribe on any email. When you have unsubscribed we will delete your data within 6 months. This does not apply to other communications that may be required to fulfil our contractual obligations.
- YOUR LEGAL RIGHTS
You have the right to object to our processing of your personal information and may do so at any time.
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:
- The right to be informed - this notice tells you what information we collect, what we do with it, who we share it with and how long we hold it for.
- The right to access - You can ask us at any time to let you know what personal information we hold about you and we will provide you with a copy. We have a month to do this.
- The right to rectification - We try to ensure your information is up to date. If we have got anything wrong, you have the right to correct it. You can do this at any time.
- The right to erasure - You can make a request for erasure verbally or in writing. We have one month to respond to this request. This right is not absolute and only applies in certain circumstances.
- The right to restrict processing - you have the right to request the restriction or suppression of your personal data. We have one month to respond to this request. This right is not absolute and only applies in certain circumstances.
- Object to processing of your personal data.
- The right to data portability - You can ask us to provide your data in a form that is easily transferable to another organisation and in a machine readable format.
- Right to withdraw consent - where consent has been sought (when subscribing to a newsletter or consenting to photography) you have the right to withdraw it by contacting us. This does not apply to any communications or data processing required for contractual or legal reasons.
You can see more about these rights at:
If you wish to exercise any of the rights set out above, please email us at firstname.lastname@example.org
You also have the right to complain to the Information Commissioner’s Office. Find out more on their website - https://ico.org.uk/concerns/
Last updated 15th August 2019