Privacy Policy

1.General

Preservation of your privacy is important to the Norfolk Archives and Heritage Development Foundation (‘NORAH’) and we are committed to letting you know how we use your personal information and to making only responsible use of your data. Under data protection legislation, including the General Data Protection Regulation, we have a legal duty to protect any information we collect from you.

NORAH is a charity registered in England and Wales, registered charity number: 1167279 and is Data Controller for all of the data it collects during its day-to-day activities.

NORAH has contracted the Norfolk Record Office (‘NRO’) to process personal data on its behalf in accordance with the General Data Protection Regulation and UK data protection legislation. It will not be used by the NRO for any of their administrative purposes.

Any queries regarding NORAH’s handling of personal data, including subject access requests, should be directed to Mr Gary Tuson, Data Protection of NORAH, The Archive Centre, Martineau Lane, Norwich, NR1 2DQ, email privacy@norah-df.org.uk. NORAH’s website address is https://www.norah-df.org.uk.


2. NORAH’s Use of Companies to Deliver Services

NORAH has contracted trusted third party companies to perform services on its behalf. In some instances, these companies may act as data controllers in their own right. In each case, agreements exist between NORAH and the company to ensure personal data is processed in accordance with data protection legislation.

NORAH uses Paragon Internet Group Limited, trading as Tsohost Limited, to host its website and provide its email accounts. Paragon’s parent company is Go Daddy Operating Company. Tsohost only processes personal data in order to fulfil the service they provide to NORAH and do not carry out any other processing other than storing NORAH’s website on their secure servers, which are all based in the UK. Tsohost’s standard SSL certificates are issued by Starfield Technologies. Tsohost’s privacy policy is available at https://www.tsohost.com/legal/privacy-policy.

BT MyDonate is used by NORAH to collect donations and process Gift Aid and in doing so, they collect, store and process names, contact details and financial details regarding donations made. In some instances, they will pass personal details to other agencies, such as HM Revenue and Customs when processing Gift Aid and donors’ banks. The MyDonate service is run by British Telecommunications plc. Their privacy policy is available at https://www.btplc.com/mydonate/aboutmydonate/Privacypolicy/.

NORAH accepts payments and donations through PayPal. When processing payments, some of your data will be passed to PayPal, including information required to process or support the payment, such as the purchase/donation total and billing information. PayPal’s privacy policy can be found at https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.

NORAH accepts payments through Stripe, Inc. When processing payments, some of your data will be passed to Stripe, including information required to process or support the payment, such as the purchase/donation total and billing information. Stripe’s privacy policy can be found at https://stripe.com/gb/privacy.

NORAH uses Google Analytics to measure user interactions with its website. Details about how Google uses information from sites or applications that use its services can be found at www.google.com/policies/privacy/partners/.

NORAH uses MailChimp to distribute emails to people on its mailing list. MailChimp is an American company, and consequently, data is held on secure servers in the United States as well as secure servers in the United Kingdom. MailChimp is owned and operated by The Rocket Science Group LLC. MailChimp uses cookies to monitor recipients’ interaction with distributed emails. MailChimp’s privacy policy can be found at https://mailchimp.com/legal/privacy/. MailChimp is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

NORAH uses Akismet, part of the Automatic Group, to prevent spam comments appearing on our website. Their privacy policy can be found at https://automattic.com/privacy/.


3. NORAH’s Mailing List

NORAH maintains a mailing list for the purpose of fundraising and promoting its interests. NORAH uses the mailing list to tell people about its activities, including fundraising campaigns. NORAH will only add someone to the mailing list if that person has agreed. The personal data processed for this purpose is name, contact details and location (via a postcode). NORAH’s legal basis for adding someone to its mailing list is therefore consent. An individual can withdraw their consent at any time without detriment. NORAH will not share an individual’s details with anyone else, without first getting that individual’s permission. NORAH uses MailChimp to manage its electronic mailing list. NORAH manages its postal mailing list itself.


4. When Else Do We Collect Personal Information?

There are occasions when NORAH processes personal information. It processes information relating to its trustees and authorised officers in order to operate as a charity. The legal basis for doing so is legal obligation under charity and fiscal legislation, except in the case of a trustees’ or authorised officers’ financial information, for which the legal basis is legitimate interest. Name, contact details and financial information of trustees and authorised officers may be passed to HM Revenue and Customs and The Charity Commission of England and Wales.

Correspondence with donors as well as advisers and representatives of other organisations, which contain names and contact details, is processed on the basis of legitimate interest. Payment details of customers and donors are processed on the basis of legal obligation and in the case of donors, details may be passed to HM Revenue and Customs. Name and contact details of customers are processed on the legal basis of contract.

When you purchase from us, we’ll ask you to provide information including your name, billing address, shipping address, email address, phone number, and credit card/payment details. We will use this information about your account order; respond to requests, including refunds and complaints; process payments and prevent fraud; comply with any legal obligations we have, such as calculating taxes; improve our store offerings.


5. How Long Do We Keep Personal Data For?

NORAH retains records containing personal information for various durations. Records relating to the successful appointment of trustees are retained for six years after an individual stops acting as a trustee. Trustee declarations are kept for four years after the year when that individual stops acting as a trustee. Personal information relating to unsuccessful applicants for the post of trustee are retained for one year after their application.

Finance records are kept for seven years.

Administrative records are kept for four years after the year in which they were received or created, including enquiries received by NORAH. The exception to this is invitation lists for events which are retained for three months after the event.

Records retained for the legal purpose of contract are retained for a maximum of six months after the end of the customer relationship. Evidence of an individual’s consent to join NORAH’s mailing list is destroyed when they are removed from the mailing list.

Under Article 89 of the GDPR and the provisions of the Data Protection Act 2018, NORAH will retain the register of trustees and trustee meeting minutes on a permanent basis for archiving purposes in the public interest.


6. Security

We take all reasonable precautions to prevent the loss, misuse or alteration of information you give us. Any physical records which contain personal information are kept in a secure office environment and then in locked cabinets. Any electronic records which are kept by NORAH, are kept on secure servers based in the United Kingdom on systems provided to it by Norfolk County Council. All officers acting on behalf of NORAH receive training in data protection procedures every three years.


7. Website

NORAH uses Secure Socket Layer (SSL) encryption technology whenever personal information is entered on the NORAH website, such as booking a talk. Where NORAH uses other companies, via its website, including MailChimp, PayPal, Stripe and BT MyDonate, these companies use encryption technology to protect personal data.

When visitors leave comments on NORAH’s website, we collect the shown in the comments form and also the visitor’s IP address and browser user agent string to help spam detection. If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

NORAH uses Akismet to prevent spam comments appearing on our website. Akismet collects the commentator’s IP address, user agent, referrer and site URL, along with other information provided by the commentator such as their name, username, email address and the comment itself.


8. Cookies

NORAH uses cookies on its website. A cookie is a text file sent to your browser and stored there. This enables the web server to recognise your computer when you revisit our website. We use cookies for things like collecting website usage data (via Google Analytics) which helps us to display more relevant content.

Cookies on Our Website

Our website content management system, WordPress, uses cookies for various purposes including authentication when users log on to the site or when someone leaves a comment.

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

NORAH uses an application called WooCommerce to sell products on its website. This uses three cookies; woocommerce_cart_hash; woocommerce_items_in_cart; and wp_woocommerce_session_. The first two, contain information about the cart as a whole and helps WooCommerce know when the cart data changes. The final cookie contains a unique code for each customer so that it knows where to find the cart data in the database for each customer. No personal information is stored within these cookies.

Cookies in Email Marketing

MailChimp, which we use to deliver email marketing, uses cookies in order to help us send relevant content. MailChimp automatically places single pixel gifs, also known as web beacons, in every email sent by NORAH. These are tiny graphic files that contain unique identifiers that enable MailChimp and NORAH to recognize when our subscribers have opened an email or clicked certain links. These technologies record each subscribers email address, IP address, date, and time associated with each open and click for a campaign. MailChimp uses this data to create reports for NORAH about how an email campaign performed and what actions subscribers took. Further details about MailChimp’s use of cookies can be found at https://mailchimp.com/legal/cookies/#Cookies_served_through_our_Websites.

Cookies in Embedded Content

NORAH attempts to not use embedded content (e.g. videos, images, articles, etc.) in articles on its website. However, if it does, embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Cookies in Analytic Software

NORAH uses Google Analytics to analyse visits to our website. Google Analytics may use a set of cookies to collect information and report website usage statistics without personally identifying individual visitors to Google. The main cookie used by Google Analytics is the ‘_ga’ cookie which lasts for two years and is used to distinguish users. More information about Google Analytics’ use of cookies can be found at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=en.

Most browsers allow you to refuse to accept cookies. More information about cookies, including how to block them or delete them, can be found at AboutCookies.org.


9. What Rights You Have Over Your Data

You have certain rights in relation to the personal information NORAH holds about you. Some of these only apply in certain circumstances. To exercise your rights, please contact NORAH’s data protection officer. If NORAH has any legal reasons to refuse your request, we will let you know if that is the case.

You have the right to access personal data we hold about you.

You have the right to request that inaccurate personal data we hold about you is rectified, or completed if it is incomplete.

In some instances, you can request that information we hold about you is deleted. Trustees, donors and those making enquiries can request NORAH to delete administrative paperwork where the legal basis of processing is legitimate interest. NORAH will delete any individual’s personal data from its mailing lists upon request.

Trustees, donors and those making enquiries can request NORAH to restrict processing to storage of administrative paperwork where the legal basis of processing is legitimate interest.

In some circumstances, individuals may obtain and reuse personal data which NORAH holds, for their own purpose. This relates to information provided purchasing items or services from NORAH, or when the legal basis for NORAH holding that information is consent, such as information on NORAH’s mailing list.

In some circumstances, you have the right to object to our processing of data about you and we will consider your request. You have an absolute right to object to your personal data being included in our mailing list.


10. Version Control

This document was revised on 25 January 2019 (version 4.0).