Privacy policy
Introduction
Welcome to Children’s Sailing Trust’s privacy policy. Children’s Sailing Trust (“We”) respects your privacy and is committed to protecting your personal data.
This privacy policy applies to your use of our sites https://childrenssailingtrust.org.uk/ and https://trevassackholidays.com/ and https://cstexperiences.co.uk (“our sites”) and sets out the basis on which any personal data we collect from you or that you provide to us (whether as an individual or an individual acting on behalf of an organisation), will be processed by us. Such personal data may be collected when you enquire about our services, purchase our services, enquire about our accommodation, book our accommodation, make a donation or otherwise communicate with us.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. This privacy policy also tells you about your privacy rights and how the law protects you.
Our sites are not intended for use by children and we do not offer any booking services to children. However, a parent or guardian may provide details of children who will be attending sessions and occupying accommodation provided by us during the booking process for the purpose of delivering safe sessions and ensuring that the accommodation is suitable for the relevant child.
Your acceptance of this privacy policy is deemed to occur upon your first use of our sites. If you do not accept and agree with this privacy policy, you must stop using our sites immediately.
Personal data
You may be asked to provide personal data whilst you are in contact with us. Personal data is information that can be used to identify or contact you. You do not have to provide the personal data that we request, however, if you choose not to, we may not be able to provide you with the services that you have requested.
If we combine personal data with non-personal data, the combined information will be treated as personal data for as long as it remains combined. Personal data does not include data where the identity has been removed (anonymous data).
Controller
For the purpose of the retained law version of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (“Data Protection Legislation”) the data controller is Children’s Sailing Trust, a charitable incorporated organisation registered in England and Wales with charity number 1165396 whose address is at Trevassack Lake, Garras, Helston, Cornwall TR12 6LH. Our Data Protection Registration Number is ZA323439.
Children’s Sailing Trust is part of a group of companies which includes its subsidiary company, CST Trading Limited, (the “CST Group”). This privacy policy is issued on behalf of the CST Group so when we mention “Children’s Sailing Trust”, “we”, “us” or “our” in this privacy policy, we are referring to the relevant company in the CST Group responsible for processing your data. Children’s Sailing Trust is the controller and responsible for our sites.
We have appointed a data protection manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the data protection manager and CEO using the details set out at the end of this page.
Information we may collect from you and how we use it
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data: includes first name, last name, title, date of birth and gender. The identity data may be processed for the purpose of completing your booking, issuing certificates to you, recording your qualifications with the Royal Yachting Association (“RYA”), delivering safe sessions in line with operating procedures, contacting you in relation to a charity activity, requesting support for campaigns, managing gift aid claims, inviting you to events, managing our relationship with you (including notifying you about changes to our privacy policy and asking you to leave a review or complete a survey), enabling you to enter a competition, administering and protecting our charity and site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). The legal basis for this processing is the performance of a contract and/or taking steps, at your request, to enter into such a contract and our legitimate interests (namely to recover debts due, keep our records updated, to study how our sites are used, for the running of our charity, provision of administration and IT services, network security).
- Contact Data: includes your next of kin (first name, last name, contact telephone number and relationship to customer or attendee), postal address, billing address, email address and telephone numbers. The contact data may be processed for the purpose of completing your booking, issuing certificates to you, recording your qualifications with the RYA, delivering safe sessions in line with operating procedures, contacting you in relation to a charity activity, requesting support for campaigns, managing gift aid claims, inviting you to events, managing our relationship with you (including notifying you about changes to our privacy policy and asking you to leave a review or complete a survey), enabling you to enter a competition, administering and protecting our charity and site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). The legal basis for this processing is the performance of a contract and/or taking steps, at your request, to enter into such a contract and our legitimate interests (namely to recover debts due, keep our records updated, to study how our sites are used, for the running of our charity, provision of administration and IT services, network security).
- Financial Data: includes bank account, direct debit, standing order and payment card details (type, number, name on card, expiry date and CCV code). The financial data may be processed for the purposes of completing your booking (namely managing payments and charges and collecting monies) and processing your financial donation. The legal basis for this processing is the performance of a contract and our legitimate interests (namely to recover debts due).
- Transaction Data: includes details about payments to and from you, certificates issued to you (including the certificate number and date of issue) and other details of services you have purchased from us. The transaction data may be processed for the purpose of processing and completing your booking, issuing certificates to you and recording your qualifications with the RYA. The legal basis for this processing is the performance of a contract and our legitimate interests (namely our interest in the proper administration of our sites and the CST Group).
- Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our sites. The technical data may be processed for the purpose of administering and protecting our charity and sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and to deliver relevant website content and measuring or understanding the effectiveness of the advertising we serve to you. The legal basis for this processing is our legitimate interests (namely to grow our charity and to inform our marketing strategy).
- Profile Data: includes your email, bookings made by you, your interests, sailing experience, qualifications, preferences, feedback and survey responses. The profile data may be processed for the purpose of completing your booking, issuing certificates to you, recording your qualifications with the RYA, delivering safe sessions in line with operating procedures, managing our relationship with you (including notifying you about changes to our privacy policy and asking you to leave a review or complete a survey), enabling you to enter a competition, to make suggestions and recommendations to you about offers and services that may be of interest to you. The legal basis for this processing is the performance of a contract and our legitimate interests (namely to keep our records updated, to study how our sites are used and to grow our charity and to inform our marketing strategy).
- Usage Data: includes information about how you use our sites and services. This usage data may be processed for the purposes of enabling you to enter a competition or complete a survey, delivering relevant website content and measuring or understanding the effectiveness of the advertising we serve to you, to use data analytics to improve our website, marketing, customer relationships and experiences and to make suggestions and recommendations to you about offers or services that may be of interest to you. The legal basis for this processing is the performance of a contract and our legitimate interests (namely to study how our sites are used and to grow our charity and to keep our sites updated and relevant).
- Health Data: includes information about health and any medical conditions. This is a “special category” of particularly sensitive personal information and requires a higher level of protection. This health data may be processed for the purpose of completing your booking and delivering safe sessions in line with operating procedures. The legal basis for this processing is explicit consent.
- Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences. The marketing and communications data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent.
In addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also provide you with information about offers and services that are similar to those that you have already received or we feel may interest you. If you:
- have already concluded a contract with us, we will only contact you by electronic means (email or text) with information about offers and services similar to those which were the subject of a previous contract. If you do not want to be on our mailing list, you can opt out at any time by contacting us or unsubscribing by using the links provided in our electronic communications and at the point of providing your details.
- are a potential new customer (e.g. enquiring about our services), we will contact you by electronic means only if you have provided your explicit consent to this. If you are happy for us to use your personal data in this way, please tick the relevant box situated on the website page on which we collect your details. Again, if you do not want us to use your data in this way, you can opt out at any time by contacting us or unsubscribing by using the links provided in our electronic communications.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this site may become inaccessible or not function properly.
How is your personal data collected
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  - order services, book an activity or book accommodation;
  - subscribe to our newsletters;
  - request marketing materials to be sent to you;
  - enter a competition, promotion or survey; or
  - give us some feedback or contact us.
- Automated technologies or interactions. As you interact with our sites, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
- Third parties or publicly available sources. We may receive personal data about you from various third parties which include: Technical Data from analytics providers (such as Google) based outside the UK and search engine providers based outside the UK; Contact, Financial and Transaction Data from providers of technical, payment, fundraising and booking services; and Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK.
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep our site safe and secure;
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
- Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
International Transfers
Some of the third parties which we work closely with are based outside of the UK so their processing of your personal data will involve a transfer of data outside of the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; and
- where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Change of purpose
We will ask for your consent before using personal data for a purpose other than those set out in this privacy policy, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you would like further information on purpose compatibility, please contact us.
Disclosure of your information
You agree that we may disclose your information (including personal data) to the following categories of third parties:
- any member of our group, which means our subsidiaries as defined in section 1159 of the UK Companies Act 2006;
- the RYA for the purpose of recording your qualifications, updating any records they may hold about you and to verify or replace your certificate if required. On successful completion of your RYA Powerboat Level 2 course, your Identity Data, Contact Data and Transaction Data will be shared with the RYA through a secure web portal on www.rya.org.uk. The Identity Data, Contact Data and Transaction Data will be stored on the RYA’s central database. For further information on how the RYA will deal with your data, please see the RYA’s Privacy Policy at www.rya.org.uk/go/privacy;
- the RYA for the purpose of quality assurance of RYA training, for example in the investigation of a complaint or incident. In this situation, the RYA may contact you to investigate the complaint or incident further;
- suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- third party software providers (such as Checkfront Inc., Negys Limited (trading as Anytime), Mailchimp and MarketSmart LLC);
- analytics and search engine providers that assist us in the improvement and optimisation of our sites; and
- data storage providers, in connection with cloud storage and hosting services.
Your personal data will not be shared with third parties for third party marketing purposes unless you have provided your express consent.
We may disclose your personal data to third parties:
- where we have your consent to do so;
- to provide and/or improve our services;
- in the event that our charity merges with another body or similar legal entity, in which case we may disclose your personal data;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights of Children’s Sailing Trust, our customers, donors, suppliers, contractors or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Your Rights
Under Data Protection Legislation, in certain circumstances you have the following rights in relation to your personal data:
- Right to access. You have the right to request access to information held about you. We will provide you with a copy of your personal data held by us free of charge (providing your request is not excessive or for multiple copies, in which case we may charge a reasonable fee to cover our costs) and certain information about the processing of your personal data and the source of such data (if not directly collected from you by us). You also have the right to request that your personal data is transferred to a third party.
- Right to object to data processing. You may withdraw your consent to the processing of your personal data at any time by contacting us or ticking a box to opt out of receiving marketing materials. Upon receipt of your notification, we shall promptly stop any processing of your personal data and (if requested by you) erase such information if we are not required to retain it for legitimate business or legal purposes.
- Right to restrict processing. You may ask us to suspend the processing of your personal data in the following circumstances: if you do not think your personal data is accurate; where we are found to be processing unlawfully but you do not want us to erase your personal data; where you need us to continue holding your personal data to establish, exercise or defend legal claims; or where you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
- Right of rectification and right of erasure. You have the right to request that we correct or erase any inaccuracies in your personal data if such information would be incomplete, inaccurate or processed unlawfully.
Where we are relying on consent to process your personal data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
You can also exercise these rights at any time by contacting us at hello@childrenssailingtrust.org.uk. We may reject requests that are unreasonable or require disproportionate effort (for example, such a request would result in a fundamental change to our existing practice) or risk the privacy of others.
Our sites may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Personal Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any charitable, legal, regulatory, governing body (including the RYA), tax, accounting, or reporting requirements. For the purpose of the RYA requirements, we will retain your personal data for a minimum of 12 months or until the next RYA inspection of our premises, whichever is longer. We may retain your personal data for a longer period in the event of a complaint, incident, issue or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
Where an RYA certificate is issued which is not required to be registered online, we will retain records of certificates issued (including your Identity Data and Transaction Data) for the purpose of verification of lost certificates for a period of up to seven years.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. When personal data is no longer needed, we will securely delete or destroy it.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Changes to our Privacy Policy and your duty to inform us of changes
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Contacting us
If you have any questions, comments or requests regarding this privacy policy or data processing or you would like to make a complaint, please contact us via email at hello@childrenssailingtrust.org.uk, by telephone on 01326 702326 and by post to Children’s Sailing Trust, Trevassack Lake, Garras, Helston, Cornwall TR12 6LH.
If you have any cause for complaint about our use of your personal data, please contact us using the details provided above and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk).
Last updated: 8 January 2024