Updated 28 October 2022

This Privacy Notice sets out how we collect, use and store your personal information (this means any information that identifies or could identify you).

The CAfS Privacy Notice may change so please remember to check back from time to time. Where we have made any changes to this Privacy Notice, we will make this clear on our website or contact you about any changes.

This Privacy Notice covers the following:

  1. Who we are
  2. How we collect information about you
  3. Information we collect and why we use it
  4. Fraud prevention and identity checks
  5. Profiling: making our work more unique to you
  6. Legal basis for using your information
  7. Marketing
  8. Sharing your information
  9. Keeping your information safe
  10. How long we hold your information for
  11. Your rights
  12. Photographs and video
  13. Cookies


  1. Who we are

Here at CAfS (Cumbria Action for Sustainability), we are committed to protecting your personal information and making every effort to ensure that your personal information is processed in a fair, open and transparent manner.

We are a “data controller” for the purposes of the Data Protection Act 2018 and United Kingdom General Data Protection Regulation. This means that we are responsible for, and control the processing of, your personal information.

  1. How we collect information about you

We collect information from you in the following ways:

When you interact with us directly: This could be if you ask us about our activities, register with us for training or an event, make a donation to us, ask for information or advice on suppliers, apply for a job or volunteering opportunity, enquire about or apply for grants or otherwise provide us with your personal information. This includes when you phone us, visit our website or get in touch through the post, or in person.

When you interact with us through partners or suppliers working on our behalf: This could be if you access a service such as home energy advice visits which are delivered through trusted contractors working on our behalf and always under our instruction.

When you interact with us through third parties: This could be if you provide a donation through a third party such as Just Giving or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.

When you visit our website: We gather general information which might include which pages you visit most often and which services, events or information are of most interest to you. We also use “cookies” to help our site run effectively. There are more details below – see ‘Cookies’.

From other information that is available to the public: In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third-party subscription services or service providers (we have provided further details about this below – see ‘Profiling: Making our work unique to you’).

  1. Information we collect and why we use it

Personal Information

Personal information we collect includes details such as your name, date of birth, email address, postal address, telephone number and credit/debit card details (if you are making a donation), as well as information you provide in any communications between us. We may also collect details such as health, income, ethnicity and religion. You will have given us this information whilst making a donation, registering for an event, using one of our services, or any of the other ways to interact with us.

If you contact us about or apply for a grant, we will collect personal data about you and other people connected to your organisation. We may do this through conversations, at events or during visits to your organisation, or if you call our staff to discuss funding applications. If your organisation applies for funding, we will also collect personal data on application forms. Sometimes our grant holders and evaluators also send us information about individuals who benefit from projects funded by our grants.

We may keep in contact with you throughout the life of your grant and we will send you regular advice about your grant. This will contain useful information on a range of things including how to publicise your grant, information on other funding available and project ideas and tips from other grant holders.

If you provide us with personal data of people who benefit from your project’s work, we will treat this in the same way. You must tell the individuals and if they have any questions about this, you must refer them to this notice.

We will only use this information:

  • To provide the services or goods that you have requested.
  • To process your donations, to claim Gift Aid on your donations and verify any financial transactions.
  • To update you with important administrative messages about your donation, an event or services you have requested.
  • To keep a record of your relationship with us.
  • Where you volunteer with us, to administer the volunteering arrangement.
  • Where you are contracted or employed with us, to administer any contractual agreement.
  • To comply with the Charities (Protection and Social Investment) Act 2016 and follow the recommendations of the official regulator of charities, the Charity Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risks associated with accepting their donations.
  • To administer grant funding. For example, we may use your personal data to help your organisation apply for grants and to assess its applications.
  • If a grant is awarded, we use your personal data to manage and monitor the grant and to check the money is being used appropriately.
  • We may also use your personal data to evaluate and research the impact of our grants and to let you know about our grants and other activities. The results of our evaluations and research may be published but we won’t publish your personal data without your agreement.
  • To report back to our funders and partners where required.

If you do not provide this information, we may not be able to process your donation, sign you up for a particular event, make a grant or provide services you have requested.

Where permitted we may also use your personal information:
• To contact you about our work and how you can support CAfS (see section 7 on ‘Marketing’ below for further information).
• To inform you of events and services that may be of interest to you
• To carry out targeted fundraising activities

We may also occasionally use publically available information about individuals, such as media reports or information on Companies House about business interests, or information available from internet searching, to inform our communications.

We may aggregate and anonymise personal data before we analyse it so that it can no longer be linked to an identifiable person.

  1. Fraud prevention and identity checks

If you apply for a grant or receive a grant from us, we may undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal data you have provided about you and your nominated representatives and data we have received from third parties.

We and fraud prevention agencies may also enable law enforcement agencies, regulators, Government, Lottery distributors and other funders to access and use your personal data to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal data for different periods of time. If you are considered to pose a fraud or money laundering risk, your personal data can be held for up to six years.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to award a grant and we may withdraw existing grants.

A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies and may result in others refusing to provide you with services, financing or employment. If you have any questions about this, please contact us on the details below.

  1. Profiling: making our work more unique to you

We want to improve how we talk to you and the information we provide through our website, services, products and information. To do this we sometimes use profiling and screening methods so that we can better understand our supporters, your preferences and needs to provide a better experience for you. For example, we might send you details about an event we think you’d be interested in, based on CAfS events you’ve been to in the past – if you’ve given us permission to do so when you signed up for our newsletters.

We may carry out targeted fundraising activities using profiling techniques based on the information that we hold about you – for example, the length of time you’ve been a supporter of CAfS or whether you’ve donated to CAfS in the past.

We do not use any third-party services to acquire additional information about you.

  1. Legal basis for using your information

In some cases, we will only use your personal information where we have your consent or because we need to use it in order to fulfil a contract with you.

However, there are other lawful reasons that allow us to process your personal information and one of those is called ‘legitimate interests’. This means that the reason that we are processing information is because there is a legitimate interest for CAfS to process your information to provide you with a service or an opportunity to support our mission of a zero carbon Cumbria.

Whenever we process your personal information under the ‘legitimate interest’ lawful basis we make sure that we take into account your rights and interests and will not process your personal information if we feel that there is an imbalance.

  1. Marketing

We will contact you about our work and how you can support CAfS by email, phone or letter, if you have given us permission to do so, or if we have determined that we are able to process your information under legitimate interest

We may occasionally send you information about the activities of third parties which we consider to be directly relevant to our charitable objectives.

You can update your choices by clicking on the ‘Update Profile’ link at the bottom of our email newsletters, or if you’d like us to stop sending you these communications, click the unsubscribe link.

We do not subject your data to any automated decision-making.

  1. Sharing your Information

The personal information we collect about you will mainly be used by our staff (and volunteers) at CAfS so that they can support you.
Where we are the Data Controller, we will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor do we sell any information about your web browsing activity.

CAfS may however share your information with our trusted partners and suppliers who work with us on or on our behalf to deliver our services, but processing of this information is always carried out under our instruction. We make sure that they store the data securely, delete it when they no longer need it and never use it for any other purposes.

We enter into agreements with these service providers that require them to comply with Data Protection Laws and ensure that they have appropriate controls in place to secure your information.

We currently use:

CarbonLite IT Solutions (IT support and maintenance)
PHD Computer Consultants Ltd (Website and CRM support)
Bytemark (Webserver hosting)
Wordpress (Website software)
CiviCRM (Customer Relationship Management software)
Cumbria CVS* (Independent Examiners)
Unity Trust* and CAF (Banking)
Connexions Group (Telecoms and broadband provider)
BrightPay (Payroll processing software & support)
The Carbon Literacy Trust* (accreditation body for Carbon Literacy Training)
Quickbooks (Finance processing software & support)
The Books Accountants Ltd* (Accountancy Support)
Paypal* (Payment provider)
Microsoft (Email and diary hosting, Teams meeting platform, Telecoms provider)
Acton Jennings (HR support)
Zoom* (Online meeting and webinar hosting)
Various local contractors – you will be advised when appointments are made (Home Energy Visits and Energy Audits)
Various local contractors – you will be advised when appointments are made (Installation of energy measures and draughtproofing)
Various climate trainer contractors (delivery of Carbon Literacy Training)

*These organisations are data controllers in their own right and may process your personal information differently so we advise that you read their privacy notices.

Where we are contracted to do work for another organisation

When we act under instruction from another organisation we are the Data Processor. In these cases there will be a contract in place which will tell us what to do with the information and you will be given a different privacy notice by them which will tell you about it. Your rights are unlikely to be affected if your information is used in this way.

If you apply for a grant

If you apply for a grant we might share your information with:

  • Members of the assessment panel as part of the process for assessing your application and making a decision
  • The funding body for their monitoring and review processes and for their promotion and publicity of the fund
  • Our monitoring and evaluation contractors for the purposes of evaluating the impact of the grant

Legal disclosure

We may disclose your information if required to do so by law (for example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority).

  1. Keeping your information safe

We take looking after your information very seriously. We’ve implemented appropriate physical, technical and organisational measures to protect the personal information we have under our control, both on and off-line, from improper access, use, alteration, destruction and loss.

We only transfer data outside of the UK if it is to:

  • A country considered to have adequate data protection legislation as decided by the European Commission or
  • Where there are sufficient safeguards in place as approved by the Information Commissioner’s Office (ICO), for example use of the ICO’s standard contractual clauses.

Unfortunately, the transmission of information using the internet is not completely secure. Although we do our best to protect your personal information sent to us this way, we cannot guarantee the security of data transmitted to our site.

Our websites may contain links to other sites. While we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites. Please be aware that advertisers or websites that have links on our site may collect personally identifiable information about you. This privacy statement does not cover the information practices of those websites or advertisers.

Any debit or credit card details which we receive are passed securely to Quickbooks (our accountancy provider) and Unity Trust Bank (our payment processing partner), according to the Payment Card Industry Security Standards. We also use trusted partners Paypal and Eventbrite for some transactions, and they also adhere to these standards.

  1. How long we hold your information for

We only keep it as long as is reasonable and necessary for the relevant activity, which may be to fulfil statutory obligations (for example, the collection of Gift Aid). Please contact us if you would like to ask about our retention periods for specific types of information.

  1. Your rights

You have various rights in respect of the personal information we hold about you – these are set out in more detail below.

  • Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, (known as a ‘Subject Access Request’) free of charge. This can include information on what personal information we use, why we use it, who we share it with and for how long we keep it. We may charge a fee. We will need to ask you to confirm your identity by getting in touch.
    • Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (see section 6) (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes, and for this to be stopped.
    • Consent: If you have given us your consent to use personal information (for example, for marketing), you can withdraw your consent at any time.
    • Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
    • Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
    • Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
    • Restriction: You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
    • Profiling: You can ask us not to use your data to profile you.
    • Automated-decision making: CAfS does not use any of your personal data to make automated decisions.

Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.

If you wish to exercise any of these rights, you can do so by contacting our office at Eden Rural Foyer, Old London Road, Penrith (temporarily closed to visitors due to Covid 19), by phone on 01768 210276 or [email protected].

If you are unhappy about how your personal data has been used please refer to our complaints policy. You also have a right to complain about our use of your data to the Information Commissioner’s Office – which regulates the processing of personal data. You can contact the Information Commissioner’s Office on 0303 123 1113, via its website or at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

  1. Photographs and video

We often take images of multiple participants at our public events. It is our legitimate interest to do so for publicity purposes and as a record of our work. We may also share these pictures with trusted partners that share a common purpose with CAfS. We will ensure that people participating in our group events are given advance notice of our intention to collect images and reminders on the day. They will have the right to object to our use of them.

In the event that we are taking specific, close-up images of individuals whose names may be included in our use of those images, we will secure and retain the individual’s written consent.

If we are taking readily identifiable images of children, we will take extra care to ensure their privacy rights are respected. If under 16 years of age, we will secure written parental consent for the taking and use of the photograph or video. If 16 to 18 years of age, we secure consent from the child. Consent can be withdrawn at any time.

  1. Cookies

‘Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile phone or tablet when you visit a website.
They let websites recognise your device, so that the sites can work more effectively, and also gather information about how you use the site. A cookie, by itself, can’t be used to identify you.

How do we use cookies?

We use cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you come to our website and also allows us to improve the user experience.

The cookies we use

We use the categorisation set out by the International Chamber of Commerce in their UK Cookie Guide.

We use all four categories of cookies:

  • ‘Strictly necessary’ cookies are essential for you to move around our website and to use its features, like your account.
    • ‘Performance’ cookies collect anonymous information about how you use our site, like which pages are visited most.
    • ‘Functionality’ cookies collect anonymous information that remember choices you make to improve your experience, like your text size or location. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
    • ‘Targeting or advertising’ cookies collect information about your browsing habits in order to make advertising relevant to you and your interests. As such if you visit the CAfS website you may then be more likely to see adverts about CAfS’ work on other websites as your browsing suggests that this is an area of interest.

No cookies, please

You can opt out of all our cookies (except the strictly necessary ones). Find out how to control and delete cookies in your browser.

But, if you choose to refuse all cookies, our website may not function for you as we would like it to.

If you have any questions about how we use cookies, please contact us.