This policy relates to the following websites, owned and/or operated by the Centre for the Acceleration of Social Technology (CAST):
This policy also applies to their programmes, which are owned and managed by CAST, whose registered address is 8 The Briars, Waterlooville, PO7 7YH. Registered company number 9544506 and charity number 1161998.
CAST is a charity which helps people use digital for social good. In order to do this, we often partner with external service providers and organisations (also referred to as “CAST partners”, “partners” or “partnering organisations”). We enter into legal agreements such as service contracts and data sharing agreements with our partners to ensure we can share relevant information with them and deliver better services to our users.
Processing your data
Personal data that we collect
- Email address – when you communicate through email
- Email address – when you sign up to our newsletter
- Personal information – when you enquire through our forms
- Contact data – when shared with us, may include your address, email address and telephone numbers.
Analytics and tracking data
- Technical data – this may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access this site
- Usage data – this may include information about how you use our website, products and services (see our section ‘About cookies’)
Marketing and communications data
- this may include your preferences in receiving marketing communications from us and our third parties and your communication preferences
Marketing and website cookies
A “cookie” is a file stored on your computer’s web browser. The main purpose of a cookie is to track usage, tailor web pages and remember login information.
Cookies don’t give us access to your computer, and the information we collect through cookies doesn’t include personal information.
We process information relating to:
- job applicants
- customers and clients
- complainants (via our External Complaints procedure)
- professional advisers and consultants
- website visitors
Unless we obtain your permission, information that is identifiable as relating to you (i.e. it has not been edited to make it anonymous) is not sold to other organisations for commercial or other purposes. We may share data with our partners who sign data protection or data sharing agreements with us in order to deliver, monitor, evaluate and report the outcomes of our services (such as Design Hops). More information on this is available under “Transferring information to third parties”.
Why do we collect and process your personal information?
We will only collect and process your personal information in accordance with data protection laws. Our legal bases for processing your personal information are as follows:
We will usually only collect and process your personal information if you have given your consent for us to do so, for example, we will only send you certain marketing emails and process any information about you if we have your consent.
We may use and process some of your personal information where we have sensible and legitimate business grounds for doing so. Under European privacy laws there is a concept of “legitimate interests” as a justification for processing your personal information.
Legitimate interest could exist for example where there is a relevant and appropriate relationship between you and CAST in situations such as where you are our supplier, client or benefiting from one of our services. Similarly, it may arise in the event that we have awarded funding to you or your organisation and need to process your personal data in the public interest or for the prevention of crime.
CAST’s legitimate interest may also include processing your personal data to authenticate you and give you access to our online services.
You have a right to object to our use of your personal information for these legitimate interests including where we may use your personal information to create a profile to inform customer demographics. If you raise an objection, we will stop processing your personal information unless very exceptional circumstances apply, in which case we will let you know why we are continuing to process your personal information.
Performance of a contract
The processing may be necessary for a contract that we hold with you. For example, if we are awarding a grant to you there may be data that is required such as bank details in order to enter into that contract. We may require you to share data with us as part of the contracting terms.
This may also include processing your personal data through third-party websites or hosting platforms to deliver services to you (e.g. Design Hops), in which case you would be notified of such processing.
How we store your data
CAST and our partners use third-party vendors and hosting partners to provide services such as training, newsletter signup and mailing lists. Data is transferred to or mirrored on servers within the United Kingdom, the European Economic Area (EEA) and outside the EEA in certain instances (for example, when using the third-party online learning platform Thinkific, website design platforms Tilda and Webflow). CAST authorised partners and service providers reserve the right to transfer or mirror data to servers outside the EEA.
CAST collaborators will apply all reasonable measures to ensure that data held on our servers is secure but cannot guarantee that security measures will not be breached.
How we manage your data
As a Data Controller, CAST decides how and why the data we collect is used. We also work with our data to achieve the goals of Catalyst. When working with collaborators in the Catalyst network, we use data sharing agreements that set clear expectations on how and when collaborators can use our data.
Any third party vendors that we use to process your data must be GDPR compliant and CAST will hold a Data Protection Agreement with those third parties.
Transferring information to third parties
To meet our obligations and provide you with our services, we may need to process your personal data via third parties. Personal data will only be transferred to, or processed by, third-party companies where such companies are necessary for the fulfilment of services you have consented to, our contractual obligations or a legitimate interest.
We will not transfer personal data to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognised by the EU as having an adequate level of Data Security, or is made with the consent of the Data Subject, or is made to satisfy the legitimate Interest of CAST in regard to its contractual arrangements with our partnering organisations.
If it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of service, or as otherwise required by law.
COVID-19 Emergency response and data usage
In light of the changing needs of the charity sector due to COVID-19, we are working with a growing network of collaborators who are able to support charitable organisations.
We will be collecting and sharing data across our collaborator network in order to identify charities’ needs, collect and share contact details with partners who can respond to those needs, analyse those needs and publish our aggregate findings for the benefit of the wider community.
A "cookie" is a file stored on your computer's web browser. The main purpose of a cookie is to track usage, tailor web pages and remember login information.
Cookies don't give us access to your computer, and the information we collect through cookies doesn't include personal information.
- _hjid – a Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behaviour in subsequent visits to the same site will be attributed to the same user ID.
- _hjIncludedInPageviewSample – a Hotjar cookie to let Hotjar know whether that user is included in the data sampling defined by your site's pageview limit.
- _hjTLDTest – a Hotjar cookie used to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
- _hjAbsoluteSessionInProgress – a Hotjar cookie used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
- ajs_anonymous_id – a Hotjar cookie used, set by Segment as a randomly generated ID for anonymous users.
- _hjFirstSeen – a Hotjar cookie used to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
- _gid – a Google Analytics cookie used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
- _ga – a Google Analytics cookie used to identify unique users.
If we hold your personal data you have rights under the General Data Protection Regulation and the Data Protection Act 1998 and 2018.
You have the right to request we remove all identifiable information we store on you. Including the removal of any email subscriptions. To do so, please email email@example.com.
The data we hold on you will be removed from our systems after a year from our last interaction with the data subject, unless we need to keep the information for legal or auditing purposes.
If you believe that your personal data has been compromised, you have a right to complain to the Information Commissioner’s Office (ICO).
(Article 4 of the GDPR): this means the person or company that determines the purposes and the means of processing personal data.
(Article 4 of the GDPR): means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Data Subject Rights
(Chapter 3 of the GDPR) each Data Subject has eight rights. These are:
- The right to be informed – this means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
- The right of access – this is your right to see what data is held about you by a Data Controller.
- The right to rectification – the right to have your data corrected or amended if what is held is incorrect in some way.
- The right to erasure – under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
- The right to restrict processing – this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
- The right to data portability – a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
- The right to object – the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
- Rights in relation to automated decision making and profiling – data Subjects have the right not to be subject to a decision based solely on automated processing.
If you have concerns about the way CAST is handling your User Personal Information, please let us know immediately. You may contact us by emailing us directly at firstname.lastname@example.org with the subject line “Privacy Concern”. We will respond within 30 days at the latest.
You may also contact our Data Protection Officer directly. Our Data Protection Officer is Gilly Clyde-Smith (email@example.com).
Changes to this policy
CAST may periodically update this policy. We will notify you about significant changes in the way we treat personal information by placing a prominent notice on this site.
This policy was last reviewed on 10 July 2020.