Privacy Policy

– updated May 2018

We are committed to protecting your personal information and being transparent about what information we hold
about you. The processing of personal data is governed by legislation including the Data Protection Act 1998 (DPA)
General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR).
Using personal information allows us to develop a better understanding of our patrons and in turn to provide you
with relevant and timely information about the work that we do – both on and off stage. As a charity, it also helps us
to engage with potential donors and supporters.

Who we are
The Mill Arts Centre Trust is a Charitable Incorporated Organisation registered in England and Wales with Charity No.


Information collection
We collect various types of information and collect it in a number of ways:

  1. Information you give us
    For example when you register on our website, buy tickets or make a donation, we’ll store personal information
    you give us such as your name, email address, postal address, telephone number and card details. We will also
    store a record of your purchases and donations.
  2. Information about your interactions with us
    For example, when you visit our website, we collect information about how you interact with our content and
    ads. When we send you a mailing we store a record of this, and in the case of emails we keep a record of which
    ones you have opened and which links you have clicked on.
  3. Information from third parties
    We occasionally receive information about you from third parties. For example, we may use third party research
    companies to provide general information about you, compiled using publicly available data.
  4. Sensitive personal data
    Data Protection law recognises that certain categories of personal information are more sensitive such as health
    information, race, religious beliefs and political opinions. We do not usually collect this type of information
    about our patrons unless there is a clear reason for doing so.


Legal basis
There are three bases under which we may process your data:

  1. Contract purposes
    When you make a purchase from us or make a donation to us, you are entering into a contract with us. In order
    to perform this contract we need to process and store your data. For example we may need to contact you by
    email or telephone in the case of cancellation of a show, or in the case of problems with your payment.
  2. Legitimate business interests
    In certain situations we collect and process your personal information for purposes that are in our legitimate
    organisational interests. However we only do this if there is no overriding prejudice to you by using your
    personal information in this way. We describe below all situations where we may use this basis for processing.
  3. With your explicit consent
    For any situations where the two bases above are not appropriate, we will instead ask for your explicit consent
    before using your personal information in that specific situation.


Marketing communications
We aim to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this we use data that we have stored about you, such as what events you have booked for in the past, as well as any preferences you may have told us about.

We use our legitimate organisational interest as the legal basis for communications by post and email. In the case of postal mailings, you may object to receiving these at any time using the contact details at the end of this policy. In the case of email, we will give you an opportunity to opt out of receiving them during your first purchase with us. If you do not opt out, we will provide you with an option to unsubscribe in every email that we subsequently send you, or you can alternatively use the contact details at the end of this policy.

We may also contact you about our work by telephone however we will always get explicit consent from you before
doing this. Please bear in mind that this does not apply to telephone calls that we may need to make to you related
to your purchases (as above).


Other processing activities
In addition to marketing communications, we also process personal information in the following ways that are within
our legitimate organisational interests:

We may analyse data we hold about you to ensure that the content and timing of communications that we send you
are as relevant to you as possible.

We may analyse data we hold about you in order to identify and prevent fraud.
In order to improve our website we may analyse information about how you use it and the content and ads that you
interact with.

In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not
overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this
processing at any time. If you wish to do this, please use the contact details at the end of this policy. Please bear in
mind that if you object this may affect our ability to carry out tasks above that are for your benefit.


Third parties
There are certain circumstances under which we may disclose your personal information to third parties. These are
as follows:

To the subsidiaries described above when it is necessary for them to be able to provide you with products or services
that you’ve requested.

To our own service providers who process data on our behalf and on our instructions (for example our ticketing
system software provider). In these cases we require that these third parties comply strictly with our instructions
and with data protection laws, for example around security of personal data.

Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for
example to government bodies and law enforcement agencies).

To specific named visiting companies whose performances you have attended. In these cases we will always ask for
your explicit consent before doing so.


Cookies are small text files that are automatically placed onto your device by some websites that you visit. They are
widely used to allow a website to function (for example to keep track of your basket) as well to provide website
operators with information on how the site is being used.

We use cookies to keep track of your basket as well as to identify how the website is being used and what
improvements we can make.


Your debit and credit card information
If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out
securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). You can find more
information about this standard here.

We optionally allow you to store your card details for use in a future transaction. This is carried out in compliance
with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store
your 3 or 4 digit security code.


Maintaining your personal information
We store your personal information indefinitely such that for any subsequent purchases you make we are able to
link them back to a single unique record that we hold for you on our system. If there are aspects of your record that are inaccurate or that you would like to remove, you can usually do this by logging in to your account through our website. Alternatively please use the contact details at the end of this policy.

Any objections you make to any processing of your data will be stored against your record on our system so that we
can comply with your requests.


Security of your personal information
We will put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep
your personal information as secure as possible. We will ensure that any third parties we use for processing your
personal information do the same.

We will not transfer, process or store your data anywhere that is outside of the European Economic Area.
Your rights to your personal information

  1. Access At any point you can contact us to request details of the personal data that we hold on you including
    why we have that data, who has access to the data and where the data was obtained from. We will respond
    to access requests within 1 month.
  2. Rectification If the data we hold about you is out of date, incomplete or inaccurate, you can inform us and
    your data will be updated.
  3. Erasure If you feel that we should no longer be using your personal data or that we are unlawfully using your
    personal data, you can request that we erase the personal data that we hold, or do so by logging in to your
    account through our website.
  4. Object to Data Processing You have the right to request that we stop processing your personal data or ask
    us to restrict processing. Upon receiving your request we will contact you and let you know if we are able to
    comply depending on the basis under which we are processing your data.
  5. Consent You can withdraw your consent to the processing of your data at any time for any processing of
    data to which consent was obtained.
  6. Complaint You have the right to lodge a complaint with the Information Commissioner’s Office on 0303 123
    1113 or via email or in writing to the Information Commissioner’s
    Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Please use the contact details at the end of this policy if you would like to exercise any of these rights.


Contact details and further information
Please get in touch with us if you have any questions about any aspect of this privacy policy, and in particular if you
would like to object to any processing of your personal information that we carry out for our legitimate
organisational interests.

The Mill Arts Centre Trust, Spiceball Park, Banbury , Oxfordshire OX16 5QE