PRIVACY POLICY
Introduction
This policy outlines the collection and use of personal data by Grow + Play in accordance with GDPR.
At Grow + Play we take the safety of your personal data very seriously.
Our promise is:
-
To never ask for information from you that we do not legitimately need.
-
To take all reasonable precautions to keep your data safe at all times.
-
To never share your data (unless there is a legitimate business or legal requirement to do so) and to never sell your personal data.
-
To ask for your consent before we retain any information about you or your children.
What personal data do we store and why?
We only ever ask you for information which we have a legitimate business requirement for. The types of data we keep and the legal basis for doing so can be found in the appendices at the end of this policy.
Length of time information is retained
Data will be retained for the minimum time required to fulfil its purpose. This may be until you delete your account with us, or until it is no longer needed for other business needs such as retaining financial records in line with HMRC requirements.
Once this data is no longer required, it will be deleted.
How your data is stored
All personal data collected by Grow + Play is subject to GDPR and all reasonable steps will be taken to safeguard this data from unauthorised access.
The data we collect is held in secure servers owned by Wix, IONOS, Mailchimp and Google. You can read their privacy policies here:
https://www.wix.com/about/privacy
https://policies.google.com/privacy?hl=en-US#europeanrequirements
https://www.intuit.com/privacy/statement/
https://www.ionos.co.uk/terms-gtc/privacy-policy/
Data will not be transferred to a third party unless there is a legitimate and legal business need to do so, for example, in the event of the sale of the company.
It is important to note that our website is hosted by Wix, a global company with servers around the world. As such data collected via our website may be transferred to servers outside of the EU/EEA. This also applies with data held in servers owned by Google, IONOS and Mailchimp.
If the Processing of the User Customer Data involves transfer of such data outside of the European Economic Area (EEA) and the European data protection regulations apply to the transfers of such data, these transfers will be conducted in compliance with all applicable data protection regulations.
Any paper records are retained in a locked box and transferred to digital files as soon as is reasonably possible and then destroyed.
Right of access requests
You have a right to request a copy of any data stored about you or your children under GDPR.
To request a copy of any data we hold about you or your children, please email our data protection lead: dawn@growandplay.co.uk
Queries, concerns and complaints
If you have any questions or concerns, please contact our data protection lead:
Dawn Colebrook
Grow + Play
SME CoE
17 Main Street
Newcastle
NE20 9NH
If we are unable to resolve any issues, you can also speak to the Information Commissioner’s Office: https://ico.org.uk/make-a-complaint/
Updates and amendments
We will never change our policy to include the sharing or selling of your personal data to third parties, however we reserve the right to update or amend this privacy policy at any time and advise our customers to revisit it periodically. This policy was last updated on 20/05/2023.
Appendices
Appendix 1 – Contact Details - Mailing lists, enquiry forms and contact us
Contact details are provided by customers either via our website, social media, verbally or by filling out a contact details form at a public event.
What information is held?
-
Customer first and last names
-
Town/City of residence (i.e. “Gateshead” but not full address)
-
Contact number
-
Email address
Where is this data stored?
In Gmail, Wix and Mailchimp.
Why do we keep this data?
-
To contact customers who have opted into our newsletters regarding upcoming Grow + Play events.
-
To contact customers to provide updates to bookings they have made.
How do we keep this data safe?
-
All data is held electronically on secure servers.
-
All electronic devices with access to this data have appropriate security controls to prevent unauthorised access.
-
All newsletters from the mailing list include the option to unsubscribe.
-
Any paper contact details forms are stored in a locked box before being transferred to a digital file and destroyed.
Who has access to this data?
-
Grow + Play and its employees.
Basis for processing this data under GDPR:
-
To fulfil a legitimate business need.
-
On the basis of consent from the customer.
Appendix 2 – Customer details (class and event bookings)
What information is held?
When a customer makes a booking, we retain:
-
Customer first and last names
-
Town/City of residence
-
Billing address
-
Contact number
-
Email address
-
Child(ren)’s first name
-
Child(ren)’s age
-
Child(ren)’s medical requirements such as allergies and dietary requirements
-
Consent for photographs and video
-
Value of services provided
Payment details are processed by Wix and Paypal and not retained or seen by Grow + Play.
Where is this data stored?
-
In the Wix booking system
-
Any exports to excel are stored on a password protected computer with up-to-date anti-virus software.
-
Paper registers for sessions
Why do we keep this data?
-
To generate class lists and registers (all data)
-
To ensure the activities provided are suitable for the child(ren)’s age and stage (child(ren)’s age and name)
-
To ensure snacks and activities are safe for the particular child(ren) (child(ren)’s medical requirements)
-
To ensure we have relevant consent before taking and sharing photographs (consent for photographs) – Children are never named in any photographs we use.
-
To keep accurate accounting records (value of services)
How do we keep this data safe?
-
All data relating to bookings is held in secure servers owned by Wix.
-
Exports to excel are retained on a password protected computer with up-to-date anti-virus software.
-
Paper class registers are destroyed at the end of the session.
Who has access to this data?
-
Grow + Play and its employees
-
Wix and Paypal will have access to payment data in order to process payments
-
Relevant information may be made available to our accountant for the purpose of fulfilling our requirements to HMRC
-
Government officials conducting an audit or investigation may have access to relevant elements of this data
Basis for processing this data under GDPR:
To fulfil a legitimate business need and to meet a legal requirement.
Appendix 3 – Photographs and videos from classes and events
We take the safety of the children who use our services incredibly seriously.
Consent must be obtained by parents before any photographs or videos are taken of their children.
Consent must be obtained from parents before any photographs are shared online and children are never named in any photographs we share online.
What information is held?
-
If consent has been provided, photographs and videos may be taken of children during Grow + Play sessions.
Where is this data stored?
Photographs and videos are taken on a digital camera, tablet or smartphone (device) and then uploaded to private, individual Google drive folders accessible only to Grow + Play employees and the parent of the child. They are then immediately deleted from the device.
Why do we keep this data?
-
To provide a record for parents
-
To track progress and inform planning for the next Grow + Play session
-
If consent has been provided, the photographs and videos may also be used on our website, social media and in promotional materials such as flyers and posters.
How do we keep this data safe?
-
All photographs and videos are stored in password protected Google drive folders which have the parent’s name as the identifier and not the child’s
-
All photographs and videos are deleted from devices once they have been uploaded
-
All devices have appropriate security controls to prevent unauthorised access
-
Children are never named in photographs and videos shared online
-
Parents can request the deletion of photographs and videos at any time and withdraw consent for photographs and videos at any time by emailing dawn@growandplay.co.uk
Who has access to this data?
-
Grow + Play and its employees
Basis for processing this data under GDPR:
-
Consent from parents
-
To fulfil a legitimate business need (namely tracking progress, informing planning and promotion).
Appendix 4 – Email
What information is held?
When customers contact us by email, we will assume they have provided consent for us to retain this email and any data contained with it.
Where is this data held?
In secure servers owned by gmail, wix and IONOS.
Why do we keep this data?
-
To respond to customer enquiries.
-
To keep a record of interest outside of the current area we provide services in.
How do we keep this data safe?
-
All data is held electronically on secure servers.
-
All electronic devices with access to this data have appropriate security controls to prevent unauthorised access.
Who has access to this data?
-
Grow + Play and its employees
Basis for processing this data under GDPR:
-
Consent from customers is implied by them making contact
-
To fulfil a legitimate business need
Appendix 5 – Cookies
We use cookies to monitor and improve the function of our website. All data collected is reported anonymously.
Essential cookies are used by our website to:
-
To improve the experience of visitors to our website
-
To monitor and analyse the performance, operation and effectiveness of Wix's platform.
-
To ensure our platform is secure and safe to use.
Statistical cookies are used to understand how visitors interact with our website by collecting anoymised data.
Users are given the option to opt out of these non-essential cookies when they enter our website.
More information about cookies can be found here: https://allaboutcookies.org/
Basis for processing this data under GDPR:
-
To fulfil a legitimate business need