Water of Leith Conservation Trust – Privacy Notice (Version 5, 2025)
Last updated: December 2025
Your privacy matters to us. The Water of Leith Conservation Trust is committed to protecting your personal data and being transparent about how we use it. This summary outlines what we collect, why we collect it, how we keep it safe, and your rights.
1. Who we are
The Water of Leith Conservation Trust (“we”, “us”, “our”) is a registered charity (SC000015). We act as a Data Controller under UK data protection law.
Contact details:
Address: Water of Leith Visitor Centre, 24 Lanark Road, Edinburgh, EH14 1TQ
Email: [email protected]
Telephone: 0131 455 7367
Data Protection Contact: Helen Brown, Chief Executive
We are committed to protecting your privacy and ensuring your personal information is handled securely, lawfully, and transparently.
This notice explains:
- What personal data we collect and why,
- How we use and protect it,
- Who we share it with, and
- Your rights under data protection law.
2. What personal information we collect and why
We collect and process personal information only when necessary for our charitable purposes, including managing staff, volunteers, supporters, and visitors.
| Purpose | Examples of Data Collected | Why We Use It (Lawful Basis) |
|---|---|---|
| Volunteering | Name, contact details, emergency contact, age, health information (where relevant) | To manage your involvement and ensure safety (contract, legitimate interest, consent for health data) |
| Events and activities | Names, contact details, photographs, health or dietary info, marketing preferences | To organise events and ensure participant safety (contract, legitimate interest, consent) |
| Membership | Name, contact details, payment details, taxpayer status (Gift Aid) marketing preferences | To manage your involvement, to process subscription payments / donations and claim Gift Aid (contract, legitimate interest, legal obligation) |
| Donations and fundraising | Name, contact details, payment details, taxpayer status (Gift Aid), marketing preferences | To process donations and claim Gift Aid (legal obligation, consent) |
| Employment and recruitment | Contact details, ID, DOB, NI number, references, right to work, health data, Disclosure checks | To meet employment obligations and legal requirements (contract, legal obligation) |
| General enquiries, feedback and complaints | Names, contact details, correspondence, CCTV footage | To respond to queries and maintain safety (legitimate interest, legal obligation) |
| Marketing and email communications | Name, email, preferences | To send news and updates with your consent (consent, legitimate interest) |
3. Who we share your personal information with
We only share your personal data when necessary and with trusted organisations that support our activities, such as:
- Payment processors: Worldpay, PayPal, CAF, SumUp (for donations and payments)
- Email and membership services: Mailchimp, MemberPress
- Financial and auditing bodies: HMRC (Gift Aid), ICO (in the event of an incident)
- IT and hosting providers: Microsoft 365 and secure UK-based web hosts
- Organisational tools: Spond (volunteer task organisation), Eventbrite (events management), WordPress
All third parties must comply with data protection law and are bound by confidentiality agreements. We do not sell or rent personal data to any other organisations.
If you wish to unsubscribe from our news feed (mailchimp service), use the unsubscribe link at the bottom of the email. We do not administer your subscription to this service.
4. Where your personal data is processed
Most data is stored and processed in the United Kingdom or European Economic Area (EEA).
Where third-party services (such as Mailchimp or PayPal) may transfer data outside the UK/EEA, they do so under approved data protection safeguards such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses.
5. How long we keep your data
We keep personal data only as long as necessary to fulfil the purpose for which it was collected and to meet legal or regulatory obligations:
- Event or activity participants: deleted within 12 months after completion.
- Volunteers: deleted within 12 months of leaving the Trust.
- Members: deleted within 12 months of non-renewal after gift aid analysis, unless record requires for gift aid (see next).
- Gift Aid records: retained for 7 years (legal requirement).
- Employee records: retained for 6 years after employment ends.
- CCTV footage: normally retained for up to 30 days and is automatically overwritten unless required for investigation.
Data is securely deleted or shredded once no longer required.
6. How we protect your personal information
We take appropriate steps to keep your personal information secure, whether it is collected on paper, online, or through any other method. We use technical and organisational measures designed to prevent your information being lost, misused, accessed without permission, or damaged accidentally or deliberately.
Our security measures include:
- Password-protected systems and secure Microsoft 365 storage
- Controlled access to data so only authorised staff can view it
- Regular updates, antivirus protection, and secure backups
- Locked physical storage for paper records
- Confidential waste disposal (e.g. shredding)
Where we use trusted third-party providers (such as payment processors, email platforms or cloud services), we ensure they meet UK data protection standards and protect your information to an equivalent level.
7. Lawful bases for processing
We process personal information under the following lawful bases (as defined in Article 6 UK GDPR):
Consent – where you have given clear permission (e.g. newsletters, use of photographs).
Contract – where processing is necessary to deliver a service or role you requested.
Legal obligation – where we must comply with law (e.g. Gift Aid, employment).
Legitimate interests – where processing is needed to run our charitable operations and does not override your rights.
Vital interests – where it is necessary to protect someone’s life or safety (e.g. during an emergency).
8. Your data protection rights
You have the following rights under the UK GDPR:
- Right to be informed – about how we use your data (this notice fulfils that).
- Right of access – to request a copy of the data we hold.
- Right to rectification – to correct inaccurate or incomplete data.
- Right to erasure – to ask us to delete your data (where legally possible).
- Right to restrict processing – to limit how your data is used.
- Right to object – to certain types of processing such as marketing.
- Right to data portability – to move or transfer your data to another provider.
- Right to withdraw consent – at any time, if consent was the basis for processing.
Requests can be made by contacting us via [email protected].
We will respond within one month of receiving your request.
9. Website Cookies
We use cookies to make our website work properly, keep it secure, and improve your browsing experience. See Appendix 1
9. How to complain
If you have concerns about how your data is handled, please contact us first using the details above.
If you are not satisfied, you can contact the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113. Website: www.ico.org.uk/make-a-complaint
Version 5 – Prepared by: Helen Brown, Chief Executive
Approved by Trustees: 05/12/2025
Next review due: December 2026
Appendix 1:
WOLCT Cookie Policy Version 2
Cookies are short text files, saved within a user’s browser, that contain data relating to a user’s session (visit) and their interactions and usage of the website. 1st party cookies are cookies set by the website you are visiting and typically relate to essential functionality. 3rd party cookies relate to cookies set by external services that typically relate to the tracking of site traffic and user engagement.
This website uses 1st party cookies for a variety of purposes including the provision of an online membership signup (Memberpress, PayPal etc.) and other essential functional aspects of the site, such as noting user preferences and consent. A small number of 3rd party cookies are also used, where consent has been granted, to enable us to analyse user interaction with our site via analytics services and to help us market our content to the right audience via external platforms (MailChimp).
Consent, Cookie Usage and Data Sharing
In compliance with GDPR, this site asks users for consent via a ‘consent banner’ prior to the use of non-essential cookies or tracking software that may result in the transfer of user data to an external 3rd party. By clicking “Accept” within the consent banner or “Enable Consent” below, you agree to our use of additional non-essential cookies from 3rd party platforms that may make use of personal data, such as a user’s IP address, and that may in some instances be processed outwith the EEA.
If you no longer see the consent banner loading or the button below reads “Revoke Consent” this means you have previously chosen to accept our use of additional non-essential cookies and 3rd party tracking software. Clicking that button will reset your consent choice. Should you choose not to ‘accept’ or to ‘revoke’ consent, software that makes use of non-essential cookies or 3rd party software will not load where that restriction is possible, however, please follow the instructions below if you would like to remove cookies previously in use.
Essential Cookies / Essential Data Sharing
Several key site elements (such as membership signup) require the use of cookies to function. GDPR allows for this type of essential cookie and necessary data sharing to be used without consent.
WordPress – core site functionality, user preferences.
Memberpress – Member subscription signup.
Paypal – Payment processing gateway.
MailChimp – Mailing list signup.
EventBrite – Event signup
Google Analytics / Non-essential Data Sharing
Google Analytics is initially loaded using Google’s ‘consent’ framework. This ensures that no non-GDPR-compliant data is shared before gaining user consent for non-essential data sharing.
This site is not loading any additional tracking software.
External Content
This site attempts to load external embedded content (video, audio) from 3rd party platforms, such as YouTube and SoundCloud, in a compliant mode where that functionality is available. However, users should inspect the privacy policy of any 3rd party media provider before interacting with media players if they have any concerns. Please note we are not responsible for the content on external websites.
How can I remove or block cookies?
You can use your web browser to delete and block cookies, however, most modern browser have their own software that will automatically block 3rd party cookies from use (such as Private Browsing or Incognito modes). You can find information on changing the cookie settings within a number of popular browsers using the links below.
Version 2 – Prepared by: Helen Brown, Chief Executive
Approved by Trustees: 05/12/2025