Privacy Policy

INTRODUCTION

This privacy policy explains how The Halesworth Narrow Gauge Railway CIO (‘The

CIO’) uses personal data.

The CIO is the data controller of this information for the purposes of this policy.

Personal data is defined in Data Protection law and is essentially personal data by

which an individual can be identified.

Keeping your data safe and secure is one of the CIO’s top priorities. This statement

makes it easier for you to find out how we use and protect it.

We respect your privacy and confidentiality and will not use your personal data for

any purpose unintended by you and except where we are required to do so by Law

or Governance we will not transfer or otherwise transmit it to a third party.

Any changes to this policy will be made by publishing an updated version of this

policy on our website and where appropriate, notified to you by e-mail.

WHEN DOES THIS POLICY APPLY?

This policy applies to the personal data that the CIO collects and holds about you

when you become a member of the CIO or create a website account or when you

use our website.

WHAT TYPES OF PERSONAL DATA DO WE HOLD?

Information we hold about you may include any one or more of the following types

of data:

• Account information:

When you become a member of the CIO, the minimum information we will usually

ask you to provide is your name, email address, contact mail address, telephone

numbers, and year of birth. We may also ask you to provide additional information

if for example you are interested in volunteering in relation to any of our activities

or projects.

• Transactional information:

When you purchase event tickets, merchandise and other products from the CIO

and any other official offline sales channels, we will keep a record of your

transaction, including what you purchased and when, and any information you provide to us to fulfil the transaction. This may include your name, billing

information, telephone number, and delivery address.

• Information from you: If you contact us (by email, telephone or letter), we may

keep a record of that correspondence. Your e-mail address is recorded when you

send e-mails to us. We will use it only to correspond with you or otherwise strictly

in accordance with your instructions. Unless we are required to do so we will not

under any circumstances divulge your e-mail address to any other person who is

not a member of the CIO or our suppliers or contractors and even then only if it is

necessary in any particular circumstance that they need to know it.

• Information you provide to us in response to a survey:

We may contact you occasionally to ask for your feedback about the CIO’s products,

goods and/or services so that we can make them better and more relevant.

Your browser software provides help on how to manage and disable cookies. We

recommend that you allow the use of cookies so you can take advantage of the

features of our website that rely on their use. If you prevent their use, you may not

be able to use all the functionality of our website.

WHERE WE HOLD YOUR INFORMATION

The personal data that we collect from you is stored in the UK by members of the

CIO. They may be engaged in, among other things, the processing of your payment

details and the provision of support services. By submitting your personal data, you

agree to this storing or processing. We will take all reasonable steps to ensure that

your personal data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on secure servers. Any payment

transactions will be encrypted. Where we have given you (or where you have

chosen) a password which enables you to access certain parts of our site, you are

responsible for keeping this password confidential. You must not share a password

with anyone.

Unfortunately, the transmission of information via the internet is not completely

secure. Although we will do our best to protect your personal data, we cannot

absolutely guarantee the security of it when it is being transmitted to our website;

any transmission is at your own risk. Once we have received your information, we

will use strict procedures and security features to try to prevent unauthorised

access.

THE PURPOSES FOR WHICH WE USE YOUR INFORMATION

• Contract performance: the CIO may use account information and transactional

information data, as necessary, to carry out or perform any contract which you may

have entered into with us, including contracts for the purchase of tickets for

events, merchandise and other products and when we administer your online

accounts. We also use this information to communicate with you and handle your

enquiries regarding these contracts. If you order goods, products or services from

us on behalf of another person or persons (for example, membership or event

tickets for family or friends) we may ask you for their personal information and we

will use this to provide the services you have ordered. Please ensure that you have

their permission before providing this information to us.

• we retain records of all of our financial transactions with you in order to comply

with our legal obligations to maintain adequate accounting records. We may use

(and disclose) the information we hold about you in order to comply with any

investigative demand, court order, or a request for cooperation from a law

enforcement or other government agency.

• Marketing with your consent: If you consent to it, we may contact you with news

and offers from any official sponsors and partners which we think may be of

interest to you. You have the right to withdraw your consent at any time.

• We may also use online usage information to administer and improve the function

and content of our website including to ensure that content is presented in the

most effective manner for you and your device and browser, to allow you to

participate in interactive features when you choose to do so and to keep our online

services safe and secure.

DISCLOSURE OF YOUR INFORMATION

• Our suppliers and contractors: we may share your information with appointed

suppliers and sub-contractors from time-to-time in order that they can process it

on our behalf for the purposes set out in this privacy policy. For example, payment

processing, mailing services and hosting service providers. However, where we do

so we will put in place suitable measures in order to protect your information.

These third parties may include: (i) direct debit providers; (ii) payment processors;

(iii) IT service providers (such as hosting providers); (iv) delivery services; (v)

analytics and search engine providers; (vi) credit reference agencies; and/or (vii)

payment processing companies.

• Disclosures for legal reasons: we may also disclose the information we hold about

you to those persons that have a reasonable need to know such information, if we

believe in good faith that this is necessary to: (i) establish, exercise or enforce our

legal rights, including contractual rights; (ii) to defend ourselves against a legal claim;

(iii) report a crime or prevent a crime; (iv) prevent harm to any individual or any

property (including intellectual property, for example if you misuse images or

videos or any other content we make available to you); or (v) to prevent fraud (for

example, payment card fraud) or for credit risk reduction.

HOW LONG DO WE KEEP YOUR INFORMATION?

We will keep your information for as long as necessary for us to fulfil the

requirements and provisions of this policy.

As a general rule:

• our financial transactions with you for six years in order to comply with our

obligations to maintain adequate accounting records;

• our contracts with you for six years so that we have appropriate evidence in place

if there is a claim for breach of contract made within the statutory limitation

periods;

• your membership account information until you cease to be a member.

• any other information you post online for 3 years if it is on our official website;

and

• online usage information for 3 years.

If any information falls into more than one category and that has a longer storage

period then that storage period will apply.

YOUR RIGHTS

You have the right under applicable data protection laws to access information held

about you and you can do so by contacting us using the details provided below in

this policy. Your right of access can be exercised in accordance with applicable data

protection laws.

To better safeguard your information, we will also take reasonable steps to verify

your identity before granting access or making corrections to your information.

You have several rights under applicable data protection laws, which we have

summarised below. These rights can be exercised by contacting us using the details

given below in this policy.

You have the right to:

• Ask us not to process your personal data for direct marketing purposes;

• Request access to personal information held about you and a copy of it;

• Obtain, without undue delay, the rectification of inaccurate or incomplete data;

• Obtain, without undue delay, erasure of your personal data in certain

circumstances, for example if our processing of your personal data is no longer

necessary for the purpose for which we collected it;

• Restrict the processing of your personal data in certain circumstances rather than

having it erased;

• Object to the processing of personal data in certain circumstances, for example,

where we process personal data for legitimate purposes but you do not feel that

your interests or fundamental rights and freedoms have been protected;

• Receive personal data, which you have provided to us, in a structured, commonly-

used and machine-readable format and transmit that data to another data

controller, or have us do so on your behalf where technically feasible;

• Be informed about any use of your personal data to make automated decisions

about you, and to obtain meaningful information about the logic involved, as well as

the significance and the envisaged consequences of this processing; and

• Lodge a complaint to a supervisory authority about the way in which your

personal data is being used.

CHILDREN

We appreciate that many children have access to the Internet. We would therefore

ask that parents and guardians supervise their children when they are online and

that children under 16 do not submit personal information or content to us, make

purchases of our goods, products or services, or take part in our promotions or

competitions, without the consent of their parent or guardian.

We encourage children under 16 to consult with their parent or legal guardians

before submitting or requesting any content or information to/from us. Any users

of our online services who indicate they are under 16 will be asked for contact

details for their parent / legal guardian so we can verify legal consent.

We will not actively market to children nor pass on personal information to third

parties for commercial purposes.

Some of the facilities or functions accessible through our online facilities are not

intended to be accessible by minors. Parents or legal guardians should supervise

children when online and we recommend parental controls be put in place. Any

children using our online facilities will be deemed to have confirmed that they have

received the consent of their parents or guardians to do so.

HOW YOU CAN CONTACT US

This policy has been compiled to comply with current GDPR legislation as far as we

are aware and from directives currently available from the Information

Commissioner’s Office (https://ico.org.uk), as at the date stated at the end of this

policy.

Should you wish to contact us about this policy or any of the legal rights outlined in

it, you can email our Chairman at james.hewett1950@yahoo.co.uk, telephone him

on 01986 874240 or 07379789665 or write to him, James Hewett at 59F

Thoroughfare Halesworth IP19 8AR

This privacy policy was last updated on 23 April 2025