Your privacy is important to us. DCDR will never store more data about you than we have to to permit use of our web-based services.
This policy explains what data we store about you, what we use it for, how it is stored and how we use it. It also tells you how to contact us to query the data we store about you, and how to have your personal data removed or updated.
It is essential for us to store some data about users of our web-based services to provide basic functionality.
Our web-based services are:
- The public website, www.downrail.co.uk
- Our mailing lists, where a User can agree to be sent periodic emails about events and appeals we are running
- Our online ticketing systems, where a user can purchase tickets to visit DCDR
- Payment partners, specifically Stripe.com and PayPal, who carry out financial transactions on our behalf (for ticket sales, membership payments and donations)
Any references to “DCDR” refer to the Downpatrick & County Down Railway, a registered company and charity trading at The Railway Station, Market Street, Downpatrick, County Down, BT30 6LZ.
DCDR is registered in Northern Ireland as a Limited Company Registration No. N.I. 18685, and as a charity, No. NI 101640
2. What information we collect
We collect general usage statistics for the www.downrail.co.uk website, to enable us to analyse overall usage of our website. This does not comprise any personally identifiable data about users. It includes information such as your country, language, which web browser you use, what sort of computer or device you use, and screen resolution.
This information can help us decide overall trends in usage of our website, and decide which browsers or devices we should design for.
Web site logs
In common with almost all other websites in the world, www.downrail.co.uk records server access logs when people access our website.
This may include general information, as per the Anonymous Information above, and also the IP address you use to access our website or other services. This information is required to prevent fraud and misuse of our web services, and is considered a legitimate interest of us as a Data Controller.
Server logs are not publicly accessible and will not be disclosed, ever, except on demand by law enforcement agencies or other authorised bodies.
When we require Personally Identifiable Information:
Most users of www.downrail.co.uk will not disclose any personal information to us. You will only ever be required to disclose some information to us if:
- You want to sign up to our mailing list (in which case it is legitimate to require your email address and name to be shared)
- You purchase tickets from our online ticket office
- You make a donation via our website
- You apply for membership and pay online
- You send us a message via the contact form
In these cases, this information is deemed essential for us to do business with us in the specific area listed. Without this information we cannot enter into any relationship or offer the stated service to you.
Collection of data from children
We do not knowingly collect any personal data from, or about children. We define a child as anyone aged under 18 for this purpose.
If you are responsible for a child and believe they have supplied any Personally Identifiable Information (via the means identified above, or any other means), then you may contact us at firstname.lastname@example.org, explain the concerns to us fully, and we will remove the data immediately. See also “My right to be forgotten” later in this policy.
3. How do you use my information?
We operate a mailing list that enables you to receive occasional information about events that we are running and appeals for help, donations and other related communications.
The information we require for this is:
- Your email address, otherwise we cannot send the email to you
- Your name, so we can identify you in communications
You will also specifically have to tell us that you agree to us sending you marketing communications. This authorisation will be recorded via the signup form. You can remove yourself from the mailing list at any time.
Mailing Lists are managed by a third party partner, MailChimp.com, who store your information securely. Only authorised personnel are permitted to access the limited information we store and send you emails.
We operate an online ticket sales facility for most of our events throughout the year. This enables you to buy tickets and pay for them online.
We work with a third party ticket processor, www.digitickets.co.uk, to manage our ticketing systems, with all transactions being secure, and Personally Identifiable information stored in a secure location.
To make a purchase, standard information requested by www.digitickets.co.uk will include:
- Your name
- Your address
- Your email address
- Your phone number (if you wish to share this)
- The date and time of your ticket
- The number of people covered by your ticket
- The types of ticket you are purchasing
This information is held securely by www.digitickets.co.uk and may be legitimately accessed by authorised DCDR personnel in conjunction with any queries you may have about your purchase. For example, you may lose your ticket reference or confirmation email, or wish to modify your booking before you travel.
Financial transactions are carried out using our payment partner, Stripe.com. DCDR will never have access to your credit or debit card information.
Your financial information will be retained securely by Stripe.com, for legitimate record keeping, processing of refunds, fraud tracking, and other purposes.
This process is deemed essential for the legitimate business of ticket sales, as without this the ticket purchase process would not be possible.
Donations and Membership payments
As a charity, DCDR relies on donations and membership subscriptions, to carry out our activities in the area of heritage railways.
Any donations or membership payments made via www.downrail.co.uk will be handled by our payment partner, PayPal.
Most users of PayPal will already have an account with PayPal, and will have agreed to the use of their personal and financial information by PayPal.
- If you sign up for a new PayPal account during a DCDR donation, you are entering into an agreement with PayPal to securely store and protect your personal data, not DCDR. Your agreement with DCDR is limited to the current PayPal transaction, and we accept no liability for PayPal’s continued use of your data.
These financial transactions are carried out by PayPal. DCDR will never have access to your credit, debit card or bank account information.
As with any PayPal transaction with any retailer or individual, DCDR will have access to the following Personally Identifiable Data for you:
- Your name
- Your postal address, if you decide to share it with us
- Your email address
- Your phone number, if you decide to share it with us
This information is legitimately required to contact you regarding your donation, and is only available to specific authorised DCDR personnel.
As an essential part of running the membership of DCDR, a database of active members is maintained. This is considered a legitimate requirement of doing business with you as a member, and it is unreasonable to expect us not to hold this information about you.
We store membership information in a secure online system, with access restricted to authorised DCDR personnel only.
Membership information stored is:
- Your name
- Your postal address (so we can send your membership card, newsletters and important communications)
- Your email address
- Your phone number
- Your membership type and expiry date
- Any notes that are relevant to your membership of DCDR
Contact Form messages
If you wish to get in touch with us via our website, then you can use either a direct email to email@example.com, or use the Contact Form webpage.
The contact form will ask for:
- Your name
- Your email address
- Your phone number (optional)
- Your message to us
Your communication is directly transferred to a secure email system, and an alert is sent to authorised DCDR personnel, who will deal with your query.
4. Sharing of your Personal Information
DCDR does not sell or share your personal information with anyone. It is only used for the purposes of doing business between you and DCDR.
Third party mailing list, ticketing and payment partners, a necessary feature of digital communication and payments, similarly do not share your information with any other parties.
5. Hosting and storage of your data
All data we store about you is stored in a secure manner. This includes emails you send us, donation details, ticket sales and your details held on our mailing lists.
Any personal information we store is only accessible by authorised personnel at DCDR.
Financial information (credit and debit card details and bank details) is NOT stored by us and is not accessible by DCDR personnel. Such information must be retained by payment processors for fraud prevention and other legitimate purposes, and is stored in an appropriate secure manner.
Web services provided by DCDR may be hosted outside the UK. Our web hosting and data management partners may host data in secure locations in the EU or USA. Third party companies working with DCDR do not have the right to share or otherwise profit from your personal information.
6. Your rights
At any time, you have the right to ask us to show you what data we hold about you. We will respond to this request in a reasonable timeframe, either supplying you with the information or directing you to a third party (such as a payment provider). We may seek proof of identity before disclosing any information.
You also have the right to ask us to remove (i.e. stop processing) or update any information we hold about you. Again, we will respond to this request in a reasonable timeframe, and will, if possible, remove or update the information. We may direct you to a third party if the information is actually held by them (e.g. it’s your own PayPal account, and not DCDR-managed data).
Your right to erasure of data is not absolute. Details can be read at the ICO website, here.
You will accept that if we cannot store specific information about you, then we are unable to provide you with the specified service. For example, if you wish us to remove your information from the membership database, you cannot reasonably expect to remain a member of DCDR.
Any such requests should be made to: firstname.lastname@example.org
Examples of cases where we would direct you to a third party would include payment gateways such as PayPal, where your agreement is with them and not with DCDR.
7. Complying with Legal Process
DCDR reserves the right to use or disclose your Personally Identifiable Information and other information in response to legal requests from law enforcement agencies, authorised government agencies, or following court orders, warrants, or legal process, or to otherwise establish or exercise our legal rights or defend against legal claims or in the event you violate or breach an agreement with us.
We may use and disclose your Personally Identifiable Information if we believe you will harm the property or rights of DCDR and any of its members, volunteers or property.
8. Links to third party websites
DCDR is not responsible for content on any third party websites that we link to. As soon as you leave the www.downrail.co.ukdomain, your relationship is between yourself and the third party website, not DCDR.
9. Cookies And Tracking Technologies
For end users of the website, cookies from Google Analytics may be stored on your device. This is used solely to record anonymous, aggregated statistics about usage of our website, to help us analyse how people use our website.
Cookies will be used by third parties such as mailing lists, ticketing providers and payment vendors as part of the management of the transaction with you.
10. Questions about this policy
11. Document History
Last Updated: 9th May 2018 (first release)