Privacy Notice

This Privacy Notice sets out how Yorkshire True Grit Ltd (known as a Data Controller) collects and uses your personal data. This Privacy Notice has been updated to reflect the changes introduced in May 2018 by both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).

When we refer to “we”, “us”, “our” or “controller” in this Privacy Notice we mean Yorkshire True Grit Ltd.

Our Privacy Notice is structured in a way for you to easily find the specific details of what we do with your personal data, depending on which of our services you are using, for example entering one of our events or being a sponsor at an event.

Part 1 of our Privacy Notice is information we must tell everyone regardless of the nature of our relationship with you.  Parts 2 to 7 give information that is specific to your relationship with us.

PART 1 – GENERAL INFORMATION

Our contact details

Yorkshire True Grit Ltd is the data controller for the personal data we process about you.

You can contact us regarding the use of your personal data via one of the following ways:

Email: info@yorkshiretruegrit.co.uk
Postal Address: Yorkshire True Grit Ltd, 2 Mill Lane, Stillington, YO61 1NG

Our Data Protection Officer contact details

Our Data Protection Officer is Samantha Dunwell (from Dunwell Data Protection).  You can contact her via one of the following ways:

Email: samantha@dunwelldataprotection.co.uk
Telephone: 07534 258800
Postal Address: Dunwell Data Protection, 12 Manor Garth, Fridaythorpe, YO25 9SZ

How we get your personal data

Most of the time we obtain personal data directly from you, for example when you enter one of our events or you give us your business card at a networking event.

There are some occasions when we obtain personal data indirectly, for example buying in a contact details mailing list (such as media contacts).

Your rights

Depending on the purpose and legal basis we rely on for processing your personal data, there are various rights available to you.  You can:

  • access the personal data we keep about you and be given specific information about the processing.  This right always applies regardless of the processing activity we undertake.  
  • ask us to rectify personal data we hold about you that you think is inaccurate.  This right always applies regardless of the processing activity we undertake. 
  • ask us to delete your personal data but only when specific circumstances apply. 
  • ask us to restrict the processing of your personal data but only when specific circumstances apply. 
  • object to the processing when we have relied on legitimate interest to undertake that processing activity and you believe we have infringed your rights. 
  • transfer your personal data from us to another service provider or give it to you.  This right only applies to personal data you have given to us and when the processing is based on your consent or contractual basis and the processing is automated. 

To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website - https://ico.org.uk/your-data-matters/.

We do not undertake any solely automated decision-making, including profiling, about you.

You do not have to pay a fee to us to exercise any of your rights.  However, if your request is manifestly unfounded or excessive we may either charge a reasonable fee or refuse the request.

We shall respond to your request within one month of receiving it.

If you wish to make a request, please contact our Data Protection Officer.

How to make a complaint about us to the Information Commissioner’s Office

If you are not happy with how we are processing your personal data or you believe we have not dealt with one of your rights correctly you are entitled to make a complaint to the Information Commissioner’s Office (ICO).  The ICO has several ways in which you can get in touch with them, including post, email, and online forms.  For full details of how to make a complaint please refer to their website - https://ico.org.uk/make-a-complaint/.

Sharing your information

We do not share your information with any third parties for the purposes of direct marketing.

Should we need to use data processors who are third parties to provide any aspect of the service we provide to you, we ensure we have appropriate contracts in place that are GDPR compliant.  The data processor is not allowed to do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us, unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.

Our data processors include:

  • Mailchimp – used to store your contact details and other information about you;
  • Dropbox for Business – used to store Yorkshire True Grit Ltd business data which may include your personal data;
  • Website Developer & Hosting – can access data stored on our website which includes data input on the events entry page, receiving newsletters page, and contact us page.

Transferring personal data outside of the UK and EU

We use the marketing platform Mailchimp to store your contact details and other personal data which allows us to undertake our marketing activities.  Mailchimp is operated by The Rocket Science Group LLC, who are based in Georgia in the United States of America.  All our data on the Mailchimp platform is therefore transferred and stored in the USA.  We rely on the following exception in GDPR to undertake the transfer of personal data:

Adequacy decision in place (GDPR Article 45)
Mailchimp is registered under the EU-US Privacy Shield Framework.  Their certificate can be viewed on the U.S. Department of Commerce’s Privacy Shield website - https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

We use Dropbox for Business to store our business data, which may also include any personal data we process about you.  Dropbox is based in California in the United States of America.  All our data on Dropbox for Business is therefore transferred and stored in the USA.  We rely on the following exception in GDPR to undertake the transfer of personal data:

Adequacy decision in place (GDPR Article 45)
Dropbox for Business is registered under the EU-US Privacy Shield Framework.  Their certificate can be viewed on the U.S. Department of Commerce’s Privacy Shield website - https://www.privacyshield.gov/participant?id=a2zt0000000GnCLAA0&status=Active

Visitors to our website

In operating our website, www.yorkshiretruegrit.co.uk, we use a third-party service, Google Analytics, to collect and process standard internet log information about your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data all of which enables us to improve our services to you.  We are not able to identify anyone from this data.

To gather the standard internet log information we place cookies on your computer.  Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.  The cookies are downloaded to your computer automatically and stored on the hard drive of your computer.  All computers have the ability to decline cookies.

We rely on the legitimate interests legal basis (GDPR Article 6(1)(f)) to allow us to place cookies on your computer.  You always have the right to not have cookies placed on your computer and this can be done by activating the setting on your browser which enables you to decline the cookies.  However, should you choose to decline cookies, you may be unable to access particular parts of our website.

Children’s information

We do not collect personal data directly from children.  We do however collect personal data of a child indirectly from the parent or guardian under the following circumstance:

When a parent or guardian would like their child/children to ride the event, or part of the event, with them they must complete all official paperwork for the event, which includes providing the name, date of birth and medical condition of the child taking part.
We rely on your consent to give this information to us.  If you are not able to provide this information we may not be able to allow your child to ride the event with you.  We advise parents or guardians to explain our privacy notice to the child so that they understand what we do with personal data or ask the child to read the privacy notice if they are likely to understand it.

Links to other websites

Our website provides links to websites of other organisations.  Our Privacy Notice does not cover how those organisations process your personal data when you visit their website.  We advise you to read their Privacy Notices.

Changes to our Privacy Notice

We keep our Privacy Notice under review to ensure it remains accurate and up to date.  This Privacy Notice was last updated in November 2018.

PART 2 – IF YOU TAKE PART IN ANY OF OUR EVENTS

What personal data do we need?

We need to collect the following personal data from you:

  • Name (first and last name)
  • Postal address
  • Email address
  • Mobile number
  • Date of birth
  • Medical conditions, including current medication and any known allergies
  • Next of kin contact details
  • Any other personal data you give to us that you feel is relevant for us to know

We also collect other information from you, which includes the type of bike you intend to ride at an event and whether you will be camping at an event.

How do we get your personal data?

We gather your personal data directly from you when you register to take part in one of our events.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to process your entry to take part in our events.  We need to communicate event information to you primarily prior to and during the event and in some cases after the event.  We need to know your health and medical conditions so that we can attend to and manage a medical situation or emergency that happens during the event.

We also like to keep you informed of other events that you may be interested in.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
Entry into our events is done so under contract or with a view to entering into a contract (i.e. you have asked us to provide more details about a particular event).

We require certain information from you to enable us to fulfil our pre-contractual and contractual obligations.  If you are not able to provide all the necessary information we need we may not be able to process your event application and you will not be able to take part.

Explicit Consent (GDPR Article 9(2)(a))
We need your explicit consent to gather and use your medical data.

Vital interests (GDPR Article 6(1)(d) & Article 9(2)(c))
We may need to share your medical data with a medical professional, such as a doctor or paramedic, if you have been involved in an accident or have a medical emergency/incident at one of our events that requires medical attention and where you are not able to inform the medical professional of any conditions you have or medication you are taking.

Legitimate interests (GDPR Article 6(1)(f))
GDPR allows us to rely on legitimate interests for direct marketing purposes.  We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy.  The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who enters our events to receive information about upcoming events from us.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which govern how a business can undertake electronic direct marketing.  We can rely on soft opt-in for individual customers to undertake email marketing to both existing and prospective customers.

We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter.  You can change your marketing preferences at any time by clicking the “unsubscribe” link in the marketing email you receive.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Some customers’ personal data (name and email) may be shared with a sponsor if that customer has won a prize donated by that sponsor for the purposes of order fulfilment.

On very rare occasions we may need to share your medical data with a medical professional (such as a paramedic) if you have been involved in an accident at one of our events.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary. 

Some of your personal data, such as medical information and next of kin details, is only retained until the event has taken place before it is securely destroyed.

Marketing contact details are held for as long as you want to remain on our marketing contact list.

We retain anonymised data for marketing purposes.

Do we use any data processors?

We use Paypal and Stripe to process payment for entry to our events.

PART 3 – IF YOU JUST WANT TO RECEIVE OUR NEWSLETTERS & MARKETING

What personal data do we need?

We only need to collect an email address from you.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We gather your personal data directly from you when you sign up to receive marketing information from us, which includes our newsletters and other interesting Yorkshire True Grit Ltd information.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to be able to send you marketing information by email.

The legal basis we rely on is:

Consent (GDPR Article 6(1)(a))
By submitting your contact details to receive marketing from us you have given your consent for us to use your personal data for this purpose.

You always have the right to withdraw your consent to receive marketing; you can do this by clicking the “unsubscribe” link in the marketing email you receive.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We use Mailchimp to distribute our newsletters and marketing information.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary. 

Marketing contact details are held for as long as you want to remain on our marketing contact list.

PART 4 – IF YOU VOLUNTEER AS A MARSHAL AT OUR EVENTS

What personal data do we need?

We need to collect the following personal data from you:

  • Name (first and last name)
  • Email address
  • Mobile number
  • First Aid competencies (including whether you have a First Aid Certificate by an approved trainer)
  • Any other personal data you give to us that you feel is relevant for us to know

How do we get your personal data?

We gather your personal data directly from you when you sign up to be a volunteer marshal at one of our events.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to be able to communicate with you about the event you have signed up to marshal at, both prior to and during the event.  We also need to ensure we have adequate numbers of marshals who are experienced first aiders so need to know your qualifications and experience.

The legal bases we rely on are:

Consent (GDPR Article 6(1)(a))
We always ask for your consent to process your personal data to be a volunteer marshal.

You always have the right to withdraw your consent from being a volunteer marshal; you can do this by emailing us at info@yorkshiretruegrit.co.uk.

Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interests to share your mobile number with other volunteer marshals at an event to enable us to maintain a contact network and for the safety of both yourself and competitors.

We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy.  The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for volunteer marshals to be able to communicate with each other at events.

We give you the opportunity to object to sharing your mobile number both at the point of collecting your details and at the event you are marshalling at.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We will always ask for your consent to share your mobile number with other volunteers to enable us to maintain a contact network at events and for safety reasons.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary. 

Volunteer contact details are held for as long as you want to remain a volunteer with Yorkshire True Grit Ltd.

PART 5 – IF YOU ARE AN EXHIBITOR OR SPONSOR

What personal data do we need?

We need to collect the following personal data from you:

  • Name (first and last name)
  • Postal address (of your organisation)
  • Email address (work email)
  • Landline telephone number (work number)
  • Mobile number (work number)

You can also provide us with any other information you feel is relevant for the work we are undertaking with you.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We obtain personal data directly from you, for example when you get in touch direct with us to discuss exhibiting at or sponsoring an event or when you give us your business card at a networking or trade event.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to be able to communicate with you about exhibiting at or sponsoring any one of our events.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
To be an exhibitor at or sponsor one of our events we will enter into a contract with you.  This also includes any prospective contract discussions.

We require certain information from you to enable us to fulfil our pre-contractual and contractual obligations.  If you are not able to provide all the necessary information we need we may not be able to use you as a sponsor or exhibitor and any arrangements we have entered into may need to be terminated.

Legitimate interests (GDPR Article 6(1)(f))
GDPR allows us to rely on legitimate interests for our processing activities.  We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy.  The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for a business to expect another business to contact them.  The use of personal data in a business context is less likely to significantly impact an individual personally.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which govern how a business can undertake electronic direct marketing.

You always have the opportunity to object to us processing your personal data in this way, when we first collect your personal data and with every communication we have with you thereafter.  You can change your marketing preferences at any time by emailing the individual at Yorkshire True Grit who you have been liaising with or emailing us at info@yorkshiretruegrit.co.uk.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary. 

Generally, sponsor and exhibitor contact details are held for as long as you want to remain on our list of potential sponsors or exhibitors.  However, we do also undertake a refresh of our sponsor and exhibitor list every 2 years to ensure it remains as up to date as possible.

PART 6 – IF YOU ARE A JOURNALIST

What personal data do we need?

We need to collect the following personal data from you:

  • Name (first and last name)
  • Postal address
  • Email address
  • Telephone number (either mobile or landline)

We also need to know the publications you write for.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We primarily obtain journalists’ contact details from buying in a media contacts mailing list.

There are occasions when we do also obtain personal data directly from you, for example when you have got in touch with us to discuss writing an article covering one of our events.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data for media relations purposes so that we can undertake the marketing and promotion of YTG events in magazines (both online and offline).

The legal basis we rely on is:

Legitimate interests (GDPR Article 6(1)(f))
GDPR allows us to rely on legitimate interests for our processing activities.  We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy.  The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for journalists to be contacted by YTG to discuss either covering one of our events or providing you with content for an article which you can publish in a magazine.

You always have the opportunity to object to us processing your personal data in this way, both when we first contact you and with every communication we have with you thereafter.  You can change your marketing preferences at any time by emailing info@yorkshiretruegrit.co.uk.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary. 

Generally, our journalists’ contact details are held for as long as you want to remain on our contact list.  However, we do undertake an update of this list every time we have undertaken a mailout to journalists to ensure we remove any failed emails, i.e. when our email fails to reach you.

PART 7 – IF YOU ARE A SUPPLIER

What personal data do we need?

For us to pay you for the service or goods you have provided to us we need to collect and use a small amount of information about you and your business.  This is also likely to include some information about the individuals who work at your business.  The personal data we are likely to need is:

  • Your business name;
  • The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members’ details);
  • Business postal address;
  • Business email address;
  • Business telephone number;
  • Business mobile number;
  • Bank details to enable payment to be made;
  • Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We obtain your data directly when we start to use your services or have purchased goods from you.  We gather the relevant information from you to enable us to process payment to you for those services and goods.

We also obtain some data, such as your business name and contact details, indirectly from publicly available sources or recommendations from 3rd parties to enable us to contact you to enquire about the services and goods you provide prior to us making a purchase.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to either enquire about the services or goods you provide that we may be interested in purchasing or to make a purchase.  We then use your personal data to pay for those goods and services when you invoice us or to raise any queries about the payment.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
The services or goods you have provided to us are done so under contract or with a view to entering into a contract (i.e. we have asked you for a quote for the goods or to undertake the service for us).

We require certain information from you to enable us to fulfil our part of the pre-contractual and contractual obligations, e.g. we need to have certain information to make the purchase and to process payment.  If you are not able to provide all the necessary information for us to do this, we will not be able to purchase the goods or services you provide or be able to make payment once purchased.

Legal obligation (GDPR Article 6(1)(c))
We have a legal obligation to pay for any services or goods we have purchased.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Our Accountant will see personal data relating to suppliers and any payments we make.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary. 

We keep all financial data (which includes supplier information) for 6 years from the end of the financial year it relates to.

YORKSHIRE TRUE GRIT LTD
Shires Bridge Business Park
Easingwold York YO61 3EQ
01347 823963
info@yorkshiretruegrit.co.uk
Company No. 11165361
© 2018 Yorkshire True Grit