Westcountry Rivers Trust Privacy Notice

Last updated: 19th February 2026

1. Introduction

Westcountry Rivers Trust (“WRT”, “we”, “us”, “our”) is committed to protecting your personal information and being transparent about how we collect, use, and store it.

This Privacy Notice explains:

• what personal data we collect and why;
• the lawful bases we rely on;
• how long we keep it;
• who we share it with; and
• your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions, please contact us:
Email: [email protected] | Tel: +44 (0)1579 372 142
Address: Rain-Charm House, Kyl Cober Parc, Stoke Climsland, Cornwall PL17 8PH

2. Who We Are

Westcountry Rivers Trust is a registered charity (No. 1135007) and company limited by guarantee (No. 03847430).

Our mission is to restore and protect the rivers, streams, and wetlands of the West Country for people, wildlife, and future generations.

For data protection purposes, WRT is the Data Controller for the personal data we collect.

3. What Information We Collect

We collect different types of personal data depending on your relationship with us:

Category	Examples / Notes
Contact details	Name, postal address, phone number, email address
Engagement data	Event or training bookings, volunteering activities, surveys or consultations, donations, newsletter subscriptions, participation in citizen science projects (e.g. water sampling, habitat surveys), public enquiries, or feedback forms
Professional data	Employer, role, partner organisation, contractor or consultant details, affiliation with community groups or networks
Technical data	IP address, browser type, device information, cookie identifiers, website analytics, interaction with social media posts or digital campaigns
Images and media	Photos, video, or audio recordings taken at WRT events, training sessions, project sites, or fieldwork (with appropriate notice or consent)
Sensitive data (where applicable)	Health or access needs for event participation, allergy information for fieldwork, equality or diversity monitoring (processed with explicit consent)
Diversity data	Anonymised equality monitoring information (e.g. age range, gender, ethnicity, disability status) used to promote inclusion and report under legitimate interest or legal obligation
Landowner and Farmer data	Name, address, contact details, land location details, survey history, participation in environmental schemes, correspondence relating to land management activities

We collect information directly from you and occasionally from third-party sources (such as funding partners, event platforms, or publicly available data).

Staff data is processed under a separate Employee Privacy Statement.

4. Fish Pass App and Platform

WRT is the developer and operator of the Fish Pass app and platform, which allows users to find, book and manage fishing opportunities, log catches, and purchase fishing tokens.

When you use the Fish Pass app or website, the following personal information may be collected and processed:

• contact details (name, email address, phone number);
• account information and booking history;
• payment and transaction details (handled securely by payment processors such as Stripe or PayPal);
• user-generated content such as photos, catch logs, or location data; and
• technical data such as device identifiers or app usage statistics.

WRT acts as the Data Controller for information collected through the Fish Pass app.

Our app development partner and hosting providers act as Data Processors, processing your data under strict contractual terms to ensure it is secure and only used for its intended purpose.

5. How and Why We Use Your Data

We only process your personal data where we have a lawful basis.

Purpose	Lawful Basis	Example
Managing events, volunteering, or programme participation	Contract (Art.6(1)(b)) / Legitimate Interest (Art.6(1)(f))	Processing bookings, sending event or volunteering updates
Administering Fish Pass accounts and bookings	Contract / Legitimate interest	Providing app functionality and customer support
Sending newsletters, updates, or fundraising information	Consent (Art.6(1)(a))	You opt in via our website or email form
Administering donations and Gift Aid	Legal obligation (Art.6(1)(c)) / Contract	HMRC compliance, processing donations
Recording stakeholder or partner engagement	Legitimate interest	Partnership reporting, Catchment Partnership activities, project monitoring
Responding to enquiries or feedback	Legitimate interest	Customer service
Safeguarding or incident management	Legal obligation (Art.6(1)(c)) / Public task (Art.6(1)(e))	Health and safety or child protection
Website analytics and cookies	Consent (non-essential cookies) / Legitimate Interest (essential analytics, security)	Google Analytics and website performance monitoring
Use of staff photos and professional profiles	Legitimate Interest (with opt-out available)	Staff profiles on WRT website or promotional materials
Long-term environmental monitoring and landowner re-engagement	Legitimate Interest (Art.6(1)(f))	Contacting landowners about future surveys, catchment initiatives, or follow-up environmental projects

We may use photographs or recordings taken at our events, activities or project sites to report on our work, promote our activities, or support fundraising and communications. Where individuals are clearly identifiable, we do this under Legitimate Interest with appropriate notice and opt-out options, or with consent where required (for example, for children, vulnerable individuals, or close-up images).

We do not sell your personal information and will only use it for the purpose it was collected, or a compatible purpose.

WRT may use staff photos/profiles for professional or promotional purposes under Legitimate Interest.

6. When We Collect Data

You may provide data when you:

• register for or use the Fish Pass app;
• subscribe to a newsletter or mailing list;
• book an event or volunteering opportunity;
• make a donation or purchase;
• complete surveys or forms;
• visit our website or social media channels; or
• contact us directly.

We may also collect limited technical data automatically (for example, through cookies or analytics).

7. Sharing Your Information

We sometimes share data with trusted third parties who help us deliver our services, such as:

• Mailing and marketing services (e.g. Mailchimp, Eventbrite);
• Payment processors (e.g. Stripe, PayPal);
• IT and hosting providers (e.g. Microsoft 365, Google Workspace, Therapy Box for Fish Pass);
• Funders or statutory authorities (for reporting or compliance).

All third parties are bound by contract to keep your data secure and act only on our instructions.
We never sell your personal data.

8. International Data Transfers

Where data is transferred outside the UK (for example, to cloud service providers in the US), we ensure appropriate safeguards are in place — such as the UK Extension to the EU-US Data Privacy Framework or Standard Contractual Clauses — to keep your data protected.

9. Data Retention

We retain personal data only for as long as necessary for the purposes collected, or as required by law.

Donor and financial records (including Gift Aid)	6–7 years after the relevant financial year	HMRC requirements, Charities Act, audit and legal defence
Fish Pass bookings and transaction data	7 years	Financial compliance and audit requirements
Fish Pass anonymised or aggregated usage data	Up to 6 years	Evaluation, environmental reporting, project monitoring
Project and beneficiary data (including landowners, farmers, and funded project participants)	Retained for the duration of catchment engagement and environmental monitoring activity. Where no active relationship exists, records are subject to periodic review.	Long-term environmental monitoring, baseline comparison, funder audit requirements, contractual obligations, and legitimate interest in future re-engagement
Professional contacts and partnership engagement records	Retained while the professional relationship remains active, reviewed periodically	Legitimate interest in partnership working and catchment coordination
Mailing list subscriptions (consent-based)	Until consent is withdrawn or 2 years of inactivity	UK GDPR and PECR compliance
Suppression (opt-out) lists	Retained permanently	To ensure individuals who opt out are not contacted again
Safeguarding records – children	Retained until the individual’s 25th birthday (or longer in serious cases)	Statutory safeguarding duties
Safeguarding records – adults	7 years after case closure (longer in serious cases)	Statutory safeguarding duties and public protection
Serious safeguarding cases	Retained permanently	Public protection and legal obligations
Unsuccessful job applicants	6 months after recruitment decision (unless consent for longer retention is provided)	ICO and ACAS best practice; defence of legal claims
Employee and contractor records	6 years after employment ends (longer where legally required)	Employment law and limitation periods
Right to Work checks	2 years after employment ends	Home Office requirements
Payroll and pension records	6–7 years after employment ends	HMRC requirements
Health and safety records	3 years (40 years for COSHH health surveillance records)	Workplace safety legislation
Accident or incident records	3 years after settlement or closure	Insurance and legal defence
Photos, video and media (consent-based)	Until consent is withdrawn or the material is no longer required	UK GDPR consent requirements
Drone and land imagery (with landowner consent)	Retained while relevant to environmental monitoring or project reporting, and reviewed periodically	Landowner permission, environmental monitoring, funder reporting

At the end of these periods, data is securely deleted or anonymised. Where we rely on Legitimate Interests as our lawful basis, we carry out an assessment to ensure our interests are balanced against your rights and freedoms. You may object to this processing at any time (see “Your Rights” below).

We take reasonable steps to ensure personal data we hold is accurate and up to date, particularly where we maintain long-term engagement records. We may periodically review and update contact details where appropriate.

10. How We Protect Your Data

We use technical and organisational measures to protect your information, including:

• password protection and access controls;
• encryption and secure (SSL) data transmission;
• staff data protection training;
• regular monitoring and review of data security.

• We maintain a Data Breach Response Procedure and conduct Data Protection Impact Assessments (DPIAs) where required.

Although we take all reasonable precautions, data transmitted over the internet can never be guaranteed as completely secure.

11. Cookies and Website Analytics

Cookies are small text files stored on your device to help websites function properly.

We use essential cookies for site operation and optional analytics cookies (such as Google Analytics) to help improve performance and understand visitor behaviour.

You can accept or reject non-essential cookies when you visit our site, and can change your preferences in your browser at any time.

12. Your Rights

Under UK GDPR you have the following rights:

• To be informed about how we use your data;
• Access – to request a copy of your personal data (Subject Access Request);
• Rectification – to correct inaccurate or incomplete data;
• Erasure – to request deletion (“right to be forgotten”);
• Restriction – to limit processing;
• Data portability – to obtain and reuse your data;
• Objection – to processing for legitimate interests or marketing;
• Rights related to automated decision-making and profiling.

To exercise these rights, contact:
[email protected]

We will respond within one month of verifying your identity.

If you are unhappy with how we handle your data, you can contact the Information Commissioner’s Office (ICO):
www.ico.org.uk/concerns | Tel: 0303 123 1113

13. Children and Vulnerable People

When we work with children, young people or vulnerable adults, we collect only the minimum necessary information and obtain consent from a parent, guardian, or authorised representative as required by law.

14. Changes to This Notice

We may update this notice periodically to reflect changes in law or our operations.
Please check this page for the most recent version — the date at the top shows when it was last updated.

Contact Us

Data Protection Officer

Westcountry Rivers Trust
Rain-Charm House, Kyl Cober Parc, Stoke Climsland, Cornwall PL17 8PH
[email protected] | +44 (0)1579 372 142