This privacy notice was last updated on 18 January 2019.
Cryptic is committed to protecting your personal information and being transparent about what information we hold about you.
Using personal information allows us to develop a better understanding of our patrons and in turn to provide you with relevant and timely information about the work that we do – both on and off stage. As a charity, it also helps us to engage with potential donors and supporters and to report back to our funders.
The purpose of this policy is to give you a clear explanation about how we collect and use the information we collect from you directly and from third parties.
This notice explains:
- What information we may collect about you;
- How we may use that information;
- In what situations we may disclose your details to third parties;
- Information about how we keep your personal information secure and your rights to be able to access it.
We regularly review our practices to ensure that your privacy is appropriately protected. We may update or modify this Privacy Statement from time to time so be sure to check it regularly.
Who We Are
Cryptic is a charity and Creative Scotland Regularly Funded Organisation. We also receive funding from various trusts, foundations and individual donors and supporters. Our registered charity number is SCO22476 and we are also registered as a company limited by guarantee and registered in Scotland under registration number SC150281.
Cryptic is registered with the Information Commissioner’s Office in accordance with current data protection legislation: registration number ZA24873. We are the data controller for the personal information you share with us and we otherwise collect in respect of you. We operate in accordance with current data protection legislation.
Contact details for Cryptic: CCA, 350 Sauchiehall Street, Glasgow, G2 3JD
You can contact us by telephone +44 (0)141 354 0544. If you would like to speak to someone about your personal information and its use, please contact: firstname.lastname@example.org
We collect various types of personal information and in a number of ways.
In general terms, we do not obtain any personal information about you simply through you browsing our Websites. It is only when you contact us through the Websites or by e-mail (for instance, if you sign up to our mailing list) that we obtain personal information about you, such as your name and your email address. You also give us your information when you buy a ticket, sign up for one of our events, make a donation or communicate with us. We also keep your details when you sign up to receive email from us.
The personal information which we collect from you will only be used for the purposes of processing and/or dealing with the matter you have contacted us about. So, for instance, if you sign up to our mailing list to receive news about Cryptic and our activities, we will only use your personal information for that purpose. We will always try to let you know what we will do with your information at the point we collect it. By providing your personal details to us, you are consenting to us processing your personal data for such purposes.
We occasionally receive information about you from third parties. For example, we may use third party research companies to provide general information about you, compiled using publicly available data. We may also receive information about you from theatres where you have booked a Cryptic show or from information that is publicly available, such as newspapers. This is for research and reporting purposes only unless you have given consent to receive communication from us.
Data Protection law recognises that certain categories of personal information are more sensitive such as health information, race, religious beliefs and political opinions. We do not usually collect this type of information about our patrons unless there is a clear reason for doing so. As an example, we sometimes collect health information about participants in our programme of classes and courses.
We will only retain your personal information on our databases for as long as we deem necessary and to fulfil our legal obligations and it will be kept secure using appropriate security measures to prevent unauthorised access, modification or disclosure.
There are three bases under which we may process your data:
When you make a purchase from us or make a donation to us, you are entering into a contract with us. In order to perform this contract, we need to process and store your data. For example, we may need to contact you by email or telephone in the case of cancellation of a show, or in the case of problems with your payment.
LEGITIMATE BUSINESS INTERESTS
In certain situations we collect and process your personal data for purposes that are in our legitimate organisational interests. However, we only do this if there is no overriding prejudice to you by using your personal information in this way. We describe below all situations where we may use this basis for processing.
WITH YOUR EXPLICIT CONSENT
For any situations where the two bases above are not appropriate, we will instead ask for your explicit consent before using your personal information in that specific situation.
How we keep your details safe and secure
Your personal data will be held and processed on Cryptic’s systems or systems managed by suppliers on behalf of Cryptic. We maintain a customer relationship management (CRM) system to hold contact details and a record of your interactions with us such as ticket purchases, donations, queries, complaints and attendance at special events. Where possible we aim to keep a single record for each customer.
Your data is always held securely. Access to customer information is strictly controlled. The CRM system can only be accessed by people who need it to do their job. Certain data, for example some sensitive information, is additionally controlled and is only made visible to members of staff who have a reason to work with it.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies). Your personal information may also be processed if it is necessary in the defence of a legal claim. We will not delete personal information if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.
Finally, your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.
What we use your personal information for
We aim to be clear and transparent when we collect your data and not to do anything you wouldn’t reasonably expect.
If you make a purchase, sign up for an event or give a donation we usually collect your name, contact details and your bank or credit card information (if making a transaction). Where it is appropriate (and you have the right to decline to give this information) we may also ask for your age, gender, ethnicity, or information relating to your health.
We use this data to provide you with the events, products, services or information you asked for, ensure we know how you prefer to be contacted, understand how we can improve our communications or events, administer your donation or to process Gift Aid.
When you register on our website, you can choose whether you would like to receive marketing and fundraising communications from us by email or post. We will include opt-out instructions in any marketing or fundraising communications you receive from us.
We classify our audience into groups and segments on the basis of booking history and ticket purchases, attendance over time and information that is provided when you create an account, such as your postcode.
We conduct analytics to better understand our development as an organisation. We use anonymised data for this analytical research. We consider the growth and sales rate of our tickets and combine this with other relevant data such as interaction with our website and social media.
We conduct in-depth audience research by email, online and/or in person after each event. You are under no obligation to participate. Full details of the process are provided when we approach you to participate.
In order to improve our website we may analyse information about how you use it and the content and ads that you interact with.
Cryptic’s websites may contain links to other websites owned and operated by third parties. We cannot guarantee the privacy policies of these websites, and cannot accept any responsibility or liability for the privacy practices of third party websites.
We conduct research to support a number of our fund-raising and income generation activities as a charity to ensure our fund-raising campaigns, events and fund-raising communications are targeted in the most effective way. This also includes evaluating the effectiveness of these campaigns and making changes where required; determining whether certain individuals may be interested in supporting us; ensuring we conduct campaigns and fund-raising activity in compliance with law and industry codes of practice; and ensuring that we have reasonable knowledge of prospective donors to minimise the risk of reputational damage.
We may conduct analysis of our audience by attendance, donations, postcode and other information on our own database to contact individuals who might be interested in supporting our fund-raising campaigns (which could include donations and individual giving schemes) to the extent permitted by applicable data protection laws. The analysis activity where our audience is segmented is not targeted at specifically identifiable individuals in the first instance and communications sent to individuals thereafter are done so in accordance with consent or our legitimate interests.
We may carry out research on information in our own database such as connections to ticket buying and history of giving to Cryptic and we may seek additional information from third party sources.
We endeavour to make sure that any research and data collection we do is only sourced from publicly available sources where an individual would, in our view, have reasonable expectation that their information may be freely read by the public or the individual has freely made information available in respect of their business and philanthropic interests.
We carefully balance our legitimate interests against your interests as an individual. You can exercise your rights over your personal information at any time.
In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this policy.
We do not sell personal details to third parties for any purpose. We will only share personal details for the purposes of marketing if you have given explicit consent for us to do this. If you have opted out of marketing communications, we may still get in touch with you. For example, we may email you to give you important information about the events you’ve booked or to tell you about any changes.
We will give you the opportunity to opt out, at any time, from any marketing or fundraising email communications and postal fundraising communications you receive from us.
Your personal information will be held at all times within the EEA.
You have certain rights in relation to your personal information. The availability of these rights and the ways in which you can use them are set out below in more detail.
Some of these rights will only apply in certain circumstances. If you would like to exercise, or discuss, any of these rights, please contact us using the details above.
Access: you are entitled to ask us if we are processing your information and, if we are, you can request access to your personal information. This enables you to receive a copy of the personal information we hold about you and certain other information about it to check that we are lawfully processing it.
Correction: you are entitled to request that any incomplete or inaccurate personal information we hold about you is corrected.
Erasure: you are entitled to ask us to delete or remove personal information in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
Restriction: you are entitled to ask us to suspend the processing of certain of your personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Transfer: you may request the transfer of certain of your personal information to another party.
Objection: where we are processing your personal information based on a legitimate interest (or that of a third party) you may challenge this. However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to legal claims. You also have the right to object where we are processing your personal information for direct marketing purposes.
Automated Decisions: you may contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.
More information regarding your legal rights in respect of personal information can be found at www.ico.org.uk/for-the-public. You also have a right to lodge a complaint with a supervisory authority, in particular in the Member State in the European Union where you are habitually resident, where we are based, or where an alleged infringement of Data Protection law has taken place. In the UK you can make a complaint to the Information Commissioner’s Office (Tel: 0303 123 1113 or at www.ico.org.uk).
In order to initiate a request with us about your personal information, please send us a description of the information you would like to access or the rights you would like to exercise by using the contact details set out above.
We use social media to broadcast messages and updates about events and news. On occasion we may reply to comments or questions you make to us on social media platforms. You may also see adverts from us on social media that are tailored to your interests.
Depending on your settings or the privacy policies social media and messaging services like Facebook, LinkedIn or Twitter, you might give third parties (like us) permission to access information from those accounts or services.