The Crediton Heart Project • Registered Charity No. 1189549
Adopted: February 2023 • Reviewed: April 2026 • Next review: April 2029
Part 1 — General Privacy Policy
1. About this policy
This policy explains how the Crediton Heart Project collects, uses and protects personal data, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It covers data collected through our website, at events, and in day-to-day operations.
2. Data Controller and contact details
The Crediton Heart Project is the Data Controller. Our Data Protection Officer (DPO) is the Chair:
Organisation: The Crediton Heart Project | Charity No. 1189549
Address: The Old Vicarage, Colebrooke, Crediton, EX17 5JQ
DPO: Kate Lock (Chair) |
Website: creditonheartproject.org
Contact the DPO to exercise any of your rights, update your data, or raise a concern.
3. What data we collect, why, and our lawful basis
3.1 Trustees, Associates, Suppliers and Partners
We collect name, contact details, address, emergency contacts, CV and bank details (for payment) to manage our relationship with you and run our activities. Data is held on a secure, password-protected drive accessible to Trustees only.
Lawful basis: contractual obligation; or consent for optional communications (withdraw at any time by contacting the DPO).
3.2 Mailing list subscribers
We collect your name and email address when you sign up — online or via a paper sheet at an event — to send you news about our activities and relevant local events. Paper sheets are securely destroyed after transfer to our digital list. Every email includes an unsubscribe option.
Lawful basis: consent.
3.3 Event attendees
We may use third-party ticketing software (subject to its own privacy policy) and collect anonymised demographic data (e.g. age range, postcode) to evaluate events and support funding bids. This is processed by Committee Members only and not shared with suppliers.
Lawful basis: legitimate interests (improving and funding our events).
3.4 Children’s data
Our Kick Start Art (KSA) programme may collect children’s first name, school, year group, artwork images and — where appropriate consent has been obtained — photographs, solely to administer the project and celebrate their work (exhibitions, social media, printed materials or a not-for-profit publication). KSA relies on schools and parents/carers to obtain consent. Data is held securely, not shared commercially, and deleted when no longer needed.
3.5 Website visitors
We may collect anonymised, aggregate statistics on site usage (pages visited, time spent) to help us improve the website. Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR); the data is fully anonymised and does not identify individuals.
If you submit a contact form, we store your details to respond to your enquiry. Lawful basis: legitimate interests (responding to your enquiry) or consent where you opt in to further contact. We do not collect payment card data — payments are handled by a third-party provider.
4. Privacy notices at the point of collection
In line with UK GDPR, we inform individuals how their data will be used at the point it is collected:
- Website contact forms: a notice beneath the submit button links to this policy.
- Online mailing list sign-up: a clear statement of purpose, a link to this policy, and an unticked consent checkbox.
- Paper sign-up sheets: a printed notice stating what the data is used for, who holds it, and how to opt out, with a reference to this policy.
- Trustees, Associates, Suppliers and Partners: a copy of or link to this policy is provided at the outset of the relationship.
5. How we protect your data
Data is stored on secure, password-protected systems accessible only to authorised Trustees. Our website uses HTTPS with Let’s Encrypt certificates to protect data in transit. No internet transmission is completely secure, but we take all reasonable precautions.
6. How long we keep your data
We review all personal data at least annually and delete it when there is no longer a legitimate reason to retain it. Where you have withdrawn consent (e.g. unsubscribed), we may keep a record of that withdrawal for up to two years.
7. Your rights
Under UK GDPR you have the right to: be informed; access your data; correct it; erase it; restrict processing; and object to processing. You also have rights relating to automated decision-making and portability (unlikely to apply here).
To exercise any right, contact the DPO at — no charge, response within one month.
8. Complaints
Please contact us first (Section 2). If you remain unhappy, you may complain to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, SK9 5AF | 0303 123 1113 | www.ico.org.uk
9. Changes to this policy
Material changes will be posted on our website. Where changes significantly affect how we use your data, we will notify affected individuals by email and seek consent where required by law.
Part 2 — Website Terms of Use
10. About these terms
creditonheartproject.org (‘the website’) is owned and managed by the Crediton Heart Project (charity no. 1189549). By using this website you accept these terms. If you do not agree, please do not use the website.
11. Use of this website
- Purpose: the website provides information about our work, events, activities and venues to hire.
- Accuracy: we aim to keep content accurate and up to date but cannot guarantee it is error-free.
- Availability: we are not responsible for the availability or timeliness of the website and may change or restrict access at any time without notice.
- Prohibited use: do not use the website fraudulently, unlawfully, to harm minors, or to transmit malicious code.
12. Limitation of liability
To the fullest extent permitted by law, the Crediton Heart Project is not liable for loss of data, profit, revenue, business or goodwill, or any indirect or consequential damages arising from use of, or inability to use, this website. Users are responsible for decisions made on the basis of content on the site.
13. Intellectual property
All intellectual property rights in this website belong to or are licensed to the Crediton Heart Project unless otherwise stated. Images must be the contributor’s own work or used with appropriate permission. Any reproduction of our content does not extend to third-party material on this site.
14. Third-party content, links and cookies
- Embedded content: content embedded from third-party sites behaves as if you had visited those sites directly; they may collect data or use cookies independently of us.
- Links: we do not endorse linked sites. Links to this website must not misrepresent our association, damage our reputation, or transmit harmful code; we may require removal at any time.
- Cookies: we use cookies to improve your experience. They do not identify you personally. You can disable them in your browser, though some features may stop working. We will seek your consent for non-essential analytics cookies in line with UK GDPR and PECR.
15. Changes, compensation and governing law
We may update these terms at any time; continued use of the website constitutes acceptance. You are liable for any losses we suffer from your breach of these terms. These terms are governed by English law and subject to the non-exclusive jurisdiction of the courts of England and Wales.
Document version history
| Version | Change | Date | Approved by |
| 1.0 | General Privacy Policy adopted | February 2023 | Board of Trustees |
| 2.0 | Website Terms of Use adopted | April 2026 | Board of Trustees |
| 3.0 | Policies merged; Privacy Policy updated and revised | | Board of Trustees |
The Crediton Heart Project Trustees
April 2026