Bridport Arts Newsletter

Privacy Policy

Bridport Arts Centre Privacy Policy

Website, venue, ticketing, marketing and public Wi-Fi privacy information
Last updated: 30 June 2026
Recommended review date: 30 June 2027

↑ Back to contents

1. Introduction

Bridport Arts Centre is committed to protecting your personal information and being clear about how we use it. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have under UK data protection law.

This policy is written for visitors, ticket buyers, members, donors, supporters, artists, workshop participants, online event attendees, website users, public Wi-Fi users, volunteers, job applicants, suppliers and anyone else who interacts with Bridport Arts Centre. It replaces the previous website privacy information and should be read together with our Cookie Policy, ticketing terms, event terms, competition terms, website terms and any privacy notice shown at the point where we collect your information.

For the purposes of this policy, “personal data” means information that identifies you or could reasonably be used to identify you. “Processing” means anything we do with personal data, including collecting, storing, using, sharing, deleting or anonymising it.

↑ Back to contents

2. Who we are

Bridport Arts Centre (“BAC”, “we”, “our” or “us”) is a multi-arts venue and charitable organisation based in Bridport, Dorset. We present and support arts, culture, heritage, education and community activities through our venue, website, ticketing systems, digital services and partner activities.

Bridport Arts Centre is a registered charity and a company limited by guarantee.

  • Registered charity number: 1069780
  • Company number: 3550280
  • VAT number: 416192311
  • Address: Bridport Arts Centre, South Street, Bridport, Dorset, DT6 3NR
  • Website: www.bridport-arts.com
  • Data protection contact: [email protected]

For the personal data covered by this policy, Bridport Arts Centre is normally the “data controller”. This means we decide why and how the information is used. Some of our suppliers also act as independent controllers for parts of their own services, for example payment processors where they must meet their own legal and regulatory obligations.

↑ Back to contents

3. How to contact us about privacy

Please contact us if you have any questions about this policy, want to exercise your data protection rights, or want to raise a concern about how we use personal data.

Data Protection Lead
Bridport Arts Centre
South Street
Bridport
Dorset DT6 3NR
Email: [email protected]

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK regulator for data protection. We would appreciate the chance to deal with your concerns first, so please contact us if you are comfortable doing so.

↑ Back to contents

4. Scope of this policy

This policy applies when you interact with us in any of the following ways:

  • using our website, including www.bridport-arts.com and related online services;
  • creating an account, buying tickets, making bookings or attending events;
  • becoming a member, supporter or donor, including Gift Aid donations;
  • joining our mailing list or receiving marketing communications;
  • registering for workshops, classes, talks, family events or community projects;
  • taking part in online events, webinars or livestreams;
  • using our public Wi-Fi service provided through Wireless Social;
  • using customer service, helpdesk, live chat or chatbot tools on our website where available;
  • entering competitions, prize schemes, promotions or surveys run by us;
  • visiting our venue, where CCTV may be in operation;
  • applying for a job, volunteering or working with us as a freelancer, artist or supplier;
  • contacting us by email, phone, post, social media or in person.

Some activities may have additional privacy information, for example ticketing terms, competition terms, safeguarding information, Wi-Fi sign-in wording or supplier privacy notices. Where there is any inconsistency, the more specific privacy information provided for that activity should also be taken into account.

↑ Back to contents

5. The personal data we collect

The personal data we collect depends on how you interact with us. We only collect information that is relevant to the purposes described in this policy.

Summary of personal data categories

Category Examples
Identity and contact details Name, title, postal address, email address, phone number, account username, organisation, role and communication preferences.
Ticketing and booking details Events booked, seats, access requirements, booking references, attendance history, cancellations, refunds and customer service notes.
Payment and transaction details Payment amount, payment method, transaction reference, billing details and limited payment status information. Full card details are handled by payment processors and are not stored by BAC.
Membership and supporter details Membership type, renewal dates, supporter preferences, donation history, Gift Aid declarations and fundraising communications.
Accessibility and special requirements Information you choose to provide about access needs, companion tickets, mobility requirements, hearing or visual support, dietary needs, medical considerations or other reasonable adjustments.
Children, young people and family participation data Child name, age, school or group, parent/guardian details, emergency contacts, permissions, attendance, safeguarding notes where required and relevant medical/accessibility information.
Marketing and communication data Email preferences, mailing list subscriptions, consent records, unsubscribe records, email opens and clicks, responses to campaigns and communication history.
Website, cookie and analytics data IP address, browser type, device type, pages viewed, referral source, cookie identifiers, analytics events and website interaction information.
Public Wi-Fi data Wi-Fi sign-in details, email address where provided, consent choices, device identifiers, MAC address, IP address, access point/location, connection times, session duration, data usage and technical logs needed to provide and secure Wi-Fi.
CCTV and venue safety data Images captured by CCTV, incident records, accident reports, security logs and relevant witness information.
Online event participation data Registration details, attendance, questions, chat messages, poll responses, comments and recordings where the event is recorded or streamed.
Survey, feedback and audience research data Survey responses, demographic information you choose to provide, feedback, complaints, testimonials and audience development information.
Job applicant, volunteer, artist and supplier data Application details, CVs, references, right-to-work information, contact details, contracts, invoices, bank details, insurance and safeguarding checks where relevant.
Social media and public interaction data Messages, comments, handles, profile information you make public, and interactions with our social media posts or pages.

↑ Back to contents

6. Special category data

Special category data is more sensitive personal data, such as information about health, disability, ethnicity, religious beliefs, political opinions, trade union membership, sexual orientation, sex life, genetic data or biometric data. We do not routinely collect special category data unless it is relevant to an activity or you choose to provide it.

We may process special category data where needed to provide access support, make reasonable adjustments, support safeguarding, respond to an incident, administer inclusive programmes, meet equality or funding reporting requirements, or comply with legal obligations. Examples include access requirements, medical information for a workshop, emergency information for a child participant, or anonymised demographic information in a survey.

Where we use special category data, we rely on an appropriate UK GDPR lawful basis and a special category condition. These may include explicit consent, employment and social security obligations, vital interests, substantial public interest, legal claims, or processing that you have manifestly made public. We minimise this data, restrict access to staff who need it, and do not use it for unrelated purposes.

↑ Back to contents

7. Children and young people

We run family events, workshops, education activities and community projects that may involve children and young people. We take extra care with children’s personal information and provide age-appropriate information where appropriate.

Where a child or young person participates in an activity, we may collect information such as their name, age, school or group, parent or guardian contact details, emergency contact information, attendance records, access needs, medical information needed for safety, and permissions relating to photography, publicity or participation.

We normally collect children’s information from a parent, guardian, school, youth organisation or other responsible adult. Where it is appropriate to collect information directly from a child or young person, we aim to explain clearly what information is needed and why. We do not knowingly send direct marketing to children without appropriate consent and safeguards.

If an event or activity involves safeguarding concerns, we may record and share relevant information with safeguarding leads, local authorities, emergency services or other responsible bodies where necessary to protect a child, young person or vulnerable person.

↑ Back to contents

8. How we collect personal data

We collect personal data in several ways:

  • Directly from you, for example when you buy tickets, create an account, join a mailing list, make a donation, fill in a form, contact us, register for Wi-Fi, take part in a survey or apply for a role.
  • Automatically when you use our website, digital services, cookie tools, analytics, email communications, CCTV or public Wi-Fi.
  • From third-party systems we use to provide services, such as Spektrix, Dotdigital, Crowdcast, Wireless Social, payment providers, Microsoft 365, Monday.com and website support tools.
  • From partner organisations, schools, community groups, artists, promoters, funders or public sources where they provide information for a legitimate purpose connected with our activities.
  • From social media platforms when you interact with our pages, posts, adverts, messages or events.

We may combine information from different sources where this is necessary to provide a service, keep accurate records, respond to you, understand our audiences, improve our services or meet legal obligations.

↑ Back to contents

9. Our lawful bases for processing

Under UK data protection law we must have a lawful basis for each way we use personal data. The main lawful bases we rely on are:

  • Contract: where processing is necessary to provide a service you have requested, such as booking tickets, administering membership or delivering an event.
  • Legal obligation: where we must process information to comply with the law, such as tax, accounting, Gift Aid, health and safety or safeguarding obligations.
  • Legitimate interests: where we have a genuine and proportionate reason to use personal data and your rights and freedoms do not override that reason, such as running our venue, improving services, maintaining security, preventing fraud, managing relationships and understanding our audiences.
  • Consent: where you have given clear permission, such as opting in to certain marketing, agreeing to non-essential cookies, or providing optional information for a specific purpose.
  • Vital interests: where processing is necessary to protect someone’s life or immediate safety, for example in a medical emergency.

Where we rely on legitimate interests, we consider the purpose, necessity and impact of the processing. You can object to processing based on legitimate interests, and we will consider your objection in accordance with data protection law.

↑ Back to contents

10. Why we use personal data

The table below summarises our main processing activities. This is intended to make the policy easier to understand online.

Main processing activities

Activity Data used Purpose and lawful basis Shared with Typical retention
Ticket purchases and event bookings Name, contact details, account details, event choices, access requirements, payment status and booking history. To process bookings, issue tickets, manage attendance, handle refunds and provide customer service. Lawful basis: contract, legal obligation and legitimate interests. Spektrix, Spektrix Payments, payment providers, box office and relevant event staff. Customer account and booking records are kept for as long as needed for service, finance, tax, audit and audience relationship purposes, normally up to 7 years for financial records.
Customer accounts and CRM Account details, contact details, booking history, preferences, correspondence and relationship notes. To manage your relationship with us, provide support, maintain accurate records and improve services. Lawful basis: contract and legitimate interests. Spektrix, Microsoft 365 and authorised staff. For the duration of your relationship with us, then reviewed and deleted, anonymised or retained where legally required.
Memberships and supporters Member details, contact details, benefits, renewal dates, payment status, donation history and preferences. To administer membership, provide benefits, communicate about supporter matters and manage renewals. Lawful basis: contract, legitimate interests and legal obligation. Spektrix, payment providers, Dotdigital where marketing applies. Membership records are normally kept during membership and for up to 7 years afterwards where required for finance, tax or audit.
Donations, fundraising and Gift Aid Name, address, donation amount, payment details, Gift Aid declaration, donor history and communication preferences. To process donations, claim Gift Aid, thank supporters, meet charity accounting obligations and raise funds for charitable purposes. Lawful basis: legal obligation, legitimate interests, consent where required and contract where relevant. Spektrix, payment providers, HMRC for Gift Aid, accountants/auditors and Dotdigital where marketing applies. Financial and Gift Aid records are normally kept for up to 7 years. Suppression records may be kept longer to respect opt-outs.
Email newsletters and marketing Name, email address, consent records, preferences, booking/supporter relationship, email opens and clicks. To send news, event information, fundraising communications and supporter updates. Lawful basis: consent or legitimate interests where the law permits soft opt-in communications, with PECR compliance. Dotdigital, Spektrix and authorised staff. Until you unsubscribe, withdraw consent or the information is no longer useful. Minimal suppression records are kept to avoid contacting you again.
Service messages Contact details, booking details and account information. To send essential information about bookings, events, cancellations, venue changes, safety notices, account administration and policy updates. Lawful basis: contract, legal obligation and legitimate interests. Spektrix, Dotdigital or Microsoft 365 depending on the message. Kept with relevant booking or account records.
Website operation IP address, device information, browser type, server logs, contact forms, helpdesk/live chat interactions and security logs. To operate, maintain, secure and improve the website. Lawful basis: legitimate interests and legal obligation. This is Fever, WordPress/hosting providers, security tools and customer service tools where used. Technical logs are kept for a limited period for security and troubleshooting. Contact enquiries are kept as long as needed to respond and maintain records.
Cookies and analytics Cookie identifiers, analytics events, page views, device/browser data, referral source and consent choices. To remember settings, keep the website secure, understand website use and improve digital services. Essential cookies: legitimate interests/strictly necessary. Non-essential analytics and marketing cookies: consent. Google Analytics, Google Tag Manager or similar tools where enabled, cookie consent tools and website support providers. According to cookie settings and analytics retention settings. Aggregated data may be retained longer.
Public Wi-Fi Wi-Fi sign-in details, email address where provided, device identifiers, MAC address, IP address, access point/location, connection times, session duration, data usage, consent choices and technical logs. To provide Wi-Fi, authenticate users, maintain security, troubleshoot faults, prevent misuse, comply with legal obligations and understand anonymised venue usage. Lawful basis: contract or legitimate interests; legal obligation where applicable; consent for marketing. Wireless Social, IT support providers and authorised BAC staff. Information may be disclosed to law enforcement where legally required. Identifiable Wi-Fi logs are retained only as long as needed for network operation, security, troubleshooting and legal purposes. BAC’s working approach is to keep identifiable connection logs no longer than 12 months unless incident, legal or contractual reasons require otherwise.
Online events and webinars Registration details, attendance, questions, comments, poll responses, chat messages and recordings where used. To deliver online events, manage attendance, enable participation, improve events and respond to queries. Lawful basis: contract, legitimate interests and consent where required. Crowdcast, payment providers, event partners and authorised staff. Event records are kept as long as needed for administration, finance and evaluation. Recordings are kept according to event purpose and permissions.
Workshops, education and family activities Participant details, parent/guardian details, age, emergency contacts, access or medical information, permissions and attendance. To administer activities, keep participants safe, make reasonable adjustments and meet safeguarding obligations. Lawful basis: contract, legal obligation, legitimate interests, vital interests and consent where relevant. Activity leaders, safeguarding leads, schools/partners where relevant and emergency services/local authorities where necessary. Kept for the duration needed for activity administration, safeguarding, insurance and legal purposes. Safeguarding records may be kept longer in line with safeguarding requirements.
CCTV and venue safety CCTV images, incident reports, accident records and security notes. To protect visitors, staff, artists, volunteers and property; investigate incidents; support insurance or legal claims; and comply with health and safety obligations. Lawful basis: legitimate interests and legal obligation. Authorised staff, insurers, legal advisers, police or other authorities where necessary. CCTV is normally kept for a short period, usually up to 30 days, unless needed for an incident, investigation, insurance matter or legal claim.
Surveys and audience research Survey responses, feedback, demographic information you choose to provide, participation data and anonymised statistics. To evaluate activities, improve services, report to funders and understand audience needs. Lawful basis: legitimate interests and consent where required. Survey providers, funders such as Arts Council England where required, usually in aggregated or anonymised form. Identifiable responses are kept only as long as needed for the research purpose. Anonymised statistics may be kept longer.
Competitions, prize schemes and promotions Entry details, contact information, submissions, eligibility information, judging records and winner details. To administer competitions, contact entrants, select winners, award prizes and meet legal or contractual obligations. Lawful basis: contract, legitimate interests, legal obligation and consent where required. Judges, administrators, payment providers, promoters and partners where relevant. Kept for the competition period and a reasonable period afterwards for administration, audit, publicity permissions and legal purposes.
Social media Your social media handle, profile information you make public, comments, messages and interactions. To respond to enquiries, promote activities, moderate content and understand engagement. Lawful basis: legitimate interests and consent where relevant. Social media platforms and authorised staff. Platform retention is controlled by the relevant social media provider. BAC keeps direct messages only as long as needed.
Complaints, enquiries and rights requests Contact details, correspondence, records of requests, identity verification where needed and investigation notes. To respond to you, resolve issues, meet legal obligations and defend or establish legal rights. Lawful basis: legal obligation and legitimate interests. Microsoft 365, advisers, insurers, regulators and relevant staff. Normally kept for up to 6 years after resolution where needed for legal, insurance or governance purposes.
Job applications, volunteers, artists and suppliers Contact details, applications, CVs, contracts, invoices, bank details, references, right-to-work checks, DBS/safeguarding checks where relevant and communications. To recruit, manage relationships, pay suppliers, comply with legal obligations and safeguard participants. Lawful basis: contract, legal obligation, legitimate interests and consent where relevant. Microsoft 365, Monday.com, payroll/finance providers, DBS providers, referees, HMRC and advisers where needed. Unsuccessful applications are normally kept for 6 to 12 months. Supplier, freelancer and finance records are normally kept for up to 7 years. Safeguarding records may be kept longer where required.

↑ Back to contents

11. Ticketing, CRM and payments

We use Spektrix as our ticketing and customer relationship management system. Spektrix helps us manage customer accounts, bookings, ticket sales, event attendance, memberships, donations, Gift Aid and customer communications. When you buy tickets or interact with our box office, information may be entered into or processed through Spektrix.

We use payment providers including Spektrix Payments, Stripe, PayPal and Worldpay to process payments securely. These providers may process payment information as processors or independent controllers depending on the service and legal obligations. BAC does not store full card numbers. We retain transaction references and finance records needed for accounting, refunds, audit, fraud prevention and legal compliance.

When you book through third-party promoters, partners or external platforms, their own privacy policies may also apply. We will only share personal data with event partners where it is necessary and appropriate, for example to manage access requirements, guest lists, safety or event administration.

↑ Back to contents

12. Donations, membership, fundraising and Gift Aid

As a charity, BAC relies on supporters, members, donors, funders and audiences. We use supporter information to process donations, administer membership, provide supporter benefits, thank donors, claim Gift Aid, understand supporter relationships and communicate about our charitable work.

If you make a Gift Aid declaration, we must keep the declaration and related donation records for HMRC purposes. We may share relevant information with HMRC, accountants, auditors or other professional advisers where needed.

We may contact supporters about events, fundraising and charitable activities where you have consented or where the law permits us to rely on a soft opt-in or legitimate interests. You can opt out of fundraising or marketing communications at any time.

↑ Back to contents

13. Marketing and communications

We use Dotdigital to manage email newsletters and marketing communications. We may also use Spektrix and Microsoft 365 to manage communication records and send service messages.

We may send you marketing communications if you have opted in, if you have an existing customer or supporter relationship with us and the law allows us to use a soft opt-in, or where another lawful basis is available. Marketing may include event information, exhibitions, performances, cinema, workshops, membership, fundraising, supporter updates, surveys and related opportunities.

You can unsubscribe from marketing at any time by clicking the unsubscribe link in an email or contacting [email protected]. We will keep a minimal suppression record to make sure we do not contact you again for marketing unless you later opt back in.

Service messages are different from marketing. We may still contact you about bookings, account administration, event changes, venue safety, policy updates or other essential information even if you have opted out of marketing.

Email analytics may tell us whether a message was opened or a link was clicked. We use this information to understand engagement, improve communications and avoid sending irrelevant messages. You can opt out of marketing emails at any time.

↑ Back to contents

14. Website, cookies and online services

Our website is built on WordPress and is maintained by This is Fever. We use website hosting, security, analytics and support tools to keep the website available, secure and useful.

Our website may use cookies, pixels, scripts, local storage or similar technologies. Some are essential for the site to work, such as security, session and booking functionality. Others, such as analytics or marketing cookies, are optional and require consent where required by law. Our cookie banner and Cookie Policy should explain which cookies are in use and how to manage your preferences.

We may use Google Analytics, Google Tag Manager or similar analytics tools to understand how people use the website. Analytics information helps us improve navigation, content, accessibility and audience engagement. Where analytics cookies or similar technologies require consent, we will ask for consent before setting them.

If our website includes embedded content or links to third-party websites, such as YouTube, Vimeo, Google Maps, social media platforms, ticketing widgets, helpdesk tools or partner websites, those third parties may collect personal data when you interact with them. Their privacy policies apply to their services.

↑ Back to contents

15. Public Wi-Fi provided through Wireless Social

BAC provides public Wi-Fi for visitors through Wireless Social. This section explains what happens when you connect to the Wi-Fi network and should be linked from the Wi-Fi login page or captive portal.

When you connect to public Wi-Fi, Wireless Social and BAC may process information needed to provide, authenticate, manage and secure the service. Depending on the sign-in method and configuration, this may include your name, email address, consent choices, device identifiers, MAC address, IP address, access point or venue location, connection time, session duration, data volume and technical logs.

We use Wi-Fi information for the following purposes:

  • to provide internet access and authenticate users;
  • to keep the network secure and available;
  • to troubleshoot technical issues and monitor service performance;
  • to detect, prevent or investigate misuse, security incidents or unlawful activity;
  • to understand anonymised or aggregated visitor patterns, such as footfall and repeat visits;
  • to comply with legal obligations or lawful requests from authorities;
  • to send marketing communications only where you have opted in or where the law permits and you have not opted out.

We do not use Wi-Fi data to read the content of your private communications. However, like most network services, Wi-Fi systems may process technical network metadata needed to route traffic, secure the network, investigate misuse or comply with legal obligations.

Wireless Social processes Wi-Fi data on our behalf under appropriate contractual arrangements. Wireless Social may also provide its own privacy information at the point of sign-in. If you choose to sign in using a social media account or another third-party login method, that third-party service may also process your data under its own privacy policy.

You can use the Wi-Fi without agreeing to receive BAC marketing unless the sign-in screen clearly says otherwise. If you opt in to marketing through the Wi-Fi sign-in page, you can unsubscribe at any time using the link in our emails or by contacting us.

By using our public Wi-Fi, you must comply with the acceptable use terms in Appendix 2 of this policy and any terms shown on the Wi-Fi login page.

↑ Back to contents

16. CCTV, safety and incident records

CCTV may operate in and around parts of our venue for safety, security, crime prevention, incident management and protection of visitors, staff, volunteers, artists and property. CCTV areas should be indicated by signage where appropriate.

CCTV footage is accessed only by authorised people and is normally retained for a short period, usually up to 30 days, unless it is needed to investigate an incident, respond to a request from law enforcement, support an insurance claim or establish, exercise or defend legal rights.

We may also keep accident reports, incident records, safeguarding records and health and safety records where needed. Access to these records is restricted.

↑ Back to contents

17. Online events and recordings

We may use Crowdcast and other online platforms to deliver webinars, livestreams, talks, Q&A sessions, workshops and virtual events. When you register or attend, the platform may process your registration details, attendance, chat comments, questions, poll responses and technical information.

Some online events may be recorded. Where this happens, we will aim to tell participants in advance. If you ask a question, post in chat or appear on camera, your contribution may be included in a recording. We may use recordings for event delivery, archive, access, education, marketing or reporting where appropriate and lawful.

↑ Back to contents

18. Surveys, funder reporting and audience research

We may invite you to complete surveys or provide feedback about events, services, access, audience experience or community needs. Survey participation is usually voluntary unless clearly stated otherwise.

We may use survey and audience data to improve our work, report to funders, plan programmes, evaluate charitable impact and understand who we are reaching. Where possible, we use aggregated or anonymised data. We may share aggregated statistics and reports with funders such as Arts Council England, local authorities, grant makers or project partners. We do not normally share identifiable survey responses with funders unless you have consented or another lawful basis applies.

↑ Back to contents

19. Competitions, prizes and promotions

If you enter a competition, prize scheme or promotion administered by BAC, we will use your data to process entries, confirm eligibility, contact entrants, judge entries, award prizes, publish winners where appropriate and meet legal or contractual obligations. Additional terms and privacy information may apply to specific competitions or prize schemes.

Where entries include creative work, biographical information, images or publicity material, we will explain how that information may be used for judging, administration, publicity, archive or publication.

↑ Back to contents

20. Volunteers, job applicants, freelancers, artists and suppliers

If you apply for a role, volunteer with us, provide services, perform, exhibit, teach, freelance or supply goods or services to BAC, we may process personal data needed to manage recruitment, contracts, safeguarding checks, payments, insurance, communication, tax and legal obligations.

This may include contact details, CVs, references, right-to-work information, bank details, contracts, invoices, emergency contacts, safeguarding or DBS checks where relevant, and records of work carried out.

↑ Back to contents

21. Who we share personal data with

We do not sell personal data. We share personal data only where necessary, lawful and proportionate. The organisations we may share information with include:

Supplier and recipient summary

Recipient Purpose
Spektrix Ticketing, CRM, accounts, memberships, donations, Gift Aid and customer records.
Spektrix Payments, Stripe, PayPal and Worldpay Secure payment processing, refunds, fraud prevention and financial records.
Dotdigital Email newsletters, marketing preferences, campaign delivery and email engagement analytics.
Wireless Social Public Wi-Fi login, authentication, network management, visitor analytics and Wi-Fi marketing consent records.
This is Fever, WordPress, hosting and website support providers Website development, maintenance, security, hosting and technical support.
Crowdcast Online event registration, webinar delivery, participation features and event recordings where used.
Microsoft 365, SharePoint and Teams Email, documents, collaboration, administration, governance and secure internal communication.
Monday.com Project, workflow, task, event and operational management.
Google Analytics, Google Tag Manager or similar tools Website analytics, cookie-based measurement and digital performance reporting where enabled.
Customer service, helpdesk, live chat or chatbot tools Responding to enquiries and supporting website visitors where these tools are used.
Professional advisers Accountants, auditors, solicitors, insurers, consultants and other advisers.
Funders and public bodies Reporting on projects, impact and funding outcomes, usually in aggregated or anonymised form.
HMRC and regulators Tax, Gift Aid, charity, company, employment and regulatory obligations.
Police, emergency services, local authorities or safeguarding bodies Where necessary for safety, safeguarding, crime prevention, legal compliance or protection of vital interests.
Event partners, schools, artists, promoters and project partners Where necessary to deliver an event, workshop, school activity, competition, project or partnership.

Where suppliers process personal data on our behalf, we use appropriate contracts and require them to protect the data and use it only for the agreed purposes. Some suppliers may act as independent controllers for aspects of their services. Their own privacy policies may apply in those situations.

↑ Back to contents

22. International transfers

Some of our suppliers, or their sub-processors, may process personal data outside the UK. This can happen where cloud services, support teams, payment providers, analytics providers or digital platforms operate internationally.

Where personal data is transferred outside the UK, we take steps designed to ensure it receives appropriate protection. This may include relying on UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, supplier transfer assessments or other lawful safeguards.

↑ Back to contents

23. How we protect personal data

We use technical and organisational measures to protect personal data from accidental loss, misuse, unauthorised access, alteration or disclosure. Measures may include:

  • access controls and permissions based on role and need to know;
  • multi-factor authentication where appropriate;
  • secure passwords and account management;
  • encrypted connections and secure cloud services;
  • backup, recovery and continuity arrangements;
  • supplier due diligence and data processing contracts;
  • staff training and internal policies;
  • review of data retention and deletion;
  • incident response and breach reporting procedures.

No system is completely risk-free. If we identify a personal data breach that creates a risk to individuals, we will take appropriate steps, including notifying affected people and/or the ICO where required by law.

↑ Back to contents

24. How long we keep personal data

We keep personal data only for as long as necessary for the purpose for which it was collected, including legal, accounting, tax, insurance, safeguarding, audit, governance and reporting requirements. When information is no longer needed, we delete it, anonymise it or securely archive it where appropriate.

Retention guide

Record type Typical retention approach
Ticketing, customer and CRM records For the duration of the customer relationship and then reviewed. Financial elements are normally kept for up to 7 years.
Payment, invoice, accounting and tax records Normally up to 7 years to cover accounting, audit, tax and legal obligations.
Gift Aid declarations and donation records Normally up to 7 years to meet HMRC and charity accounting requirements.
Membership records During membership and normally up to 7 years after expiry where linked to finance or supporter records.
Marketing lists and consent records Until unsubscribe or withdrawal, with minimal suppression records retained to respect opt-outs.
Email engagement analytics Reviewed periodically and deleted or anonymised when no longer needed for communication management.
Website contact forms and enquiries As long as needed to respond and maintain appropriate records, normally no longer than 2 years unless the matter requires longer retention.
Cookie and analytics data According to cookie settings and analytics retention configuration. Aggregated statistics may be kept longer.
Public Wi-Fi connection logs Only as long as needed for network operation, security, troubleshooting and legal purposes. BAC’s working approach is to keep identifiable logs no longer than 12 months unless a specific issue requires longer retention.
CCTV footage Usually up to 30 days unless needed for an incident, investigation, insurance matter or legal claim.
Accident, incident and health and safety records Normally up to 6 years, or longer where required by law, insurance, safeguarding or legal advice.
Safeguarding records Kept in line with safeguarding requirements and legal advice. Some records may need to be kept for an extended period.
Children’s workshop and education records Kept for the activity and a reasonable period afterwards; records linked to safeguarding, accidents or claims may be kept longer.
Survey and audience research data Identifiable responses are kept only as long as needed for the research purpose. Anonymised/aggregated data may be retained longer.
Competition and prize records Kept for the competition period and a reasonable period afterwards for administration, audit, publicity permissions and legal purposes.
Job applications Unsuccessful applications are normally kept for 6 to 12 months unless you agree to longer retention.
Volunteer, freelancer, artist and supplier records During the relationship and normally up to 7 years afterwards where linked to contracts, finance, insurance or legal obligations.
Complaints and data rights requests Normally up to 6 years after resolution where needed for governance, legal or audit purposes.

These periods are a guide. Specific records may be kept for shorter or longer where there is a legal requirement, a complaint, a safeguarding concern, an insurance requirement, a dispute, a legal claim or a continuing relationship.

↑ Back to contents

25. Your rights

You have rights under UK data protection law. These rights are not always absolute and may depend on the lawful basis, the nature of the data and any legal obligations that apply.

  • Right to be informed: to receive clear information about how we use your personal data.
  • Right of access: to request a copy of the personal data we hold about you.
  • Right to rectification: to ask us to correct inaccurate or incomplete information.
  • Right to erasure: to ask us to delete personal data in certain circumstances.
  • Right to restrict processing: to ask us to limit how we use your data in certain circumstances.
  • Right to data portability: to receive certain data in a structured, commonly used and machine-readable format where the right applies.
  • Right to object: to object to processing based on legitimate interests or direct marketing. The right to object to direct marketing is absolute.
  • Right to withdraw consent: to withdraw consent at any time where we rely on consent. Withdrawal does not affect processing carried out before consent was withdrawn.
  • Rights relating to automated decision-making: to have protections where a solely automated decision has legal or similarly significant effects.

To exercise your rights, contact [email protected]. We may need to verify your identity before responding. We normally respond within one calendar month. If a request is complex or you make several requests, we may extend the response period where the law allows and will tell you if we need to do this.

We will not normally charge a fee. We may refuse a request or charge a reasonable fee if a request is manifestly unfounded or excessive, as permitted by law.

↑ Back to contents

26. Your choices and controls

You can control how we use your information in several ways:

  • Email marketing: unsubscribe using the link in any marketing email or contact us.
  • Wi-Fi marketing: do not tick the marketing opt-in box when connecting, or unsubscribe later if you opted in.
  • Cookies: use the cookie banner or browser settings to manage cookies. Non-essential cookies should not be set unless consent is given where required.
  • Customer account: update your details through your account or contact box office/customer services.
  • Surveys: choose not to answer optional questions or ask us to anonymise responses where possible.
  • Social media: use platform privacy settings and avoid sharing sensitive information publicly.

↑ Back to contents

27. Automated decision-making and profiling

We do not make decisions about you that are based solely on automated processing and that have legal or similarly significant effects.

We may use limited profiling or segmentation to help us understand audiences, avoid irrelevant communications, identify supporter interests, analyse website usage or tailor marketing. For example, we may identify people who attend certain types of events or who have opted in to particular mailing preferences. You can object to direct marketing at any time.

↑ Back to contents

Our website, emails, social media pages and online services may link to third-party websites, platforms, plug-ins or applications. We do not control those third parties and are not responsible for their privacy practices. Please read their privacy policies before providing information to them.

↑ Back to contents

29. Changes to this policy

We review this policy regularly and may update it when our services, systems, suppliers or legal obligations change. Significant updates will be made available on our website and, where appropriate, communicated through other channels.

This version was last updated on 30 June 2026. The recommended review date is 30 June 2027.


↑ Back to contents