Westcountry Rivers Trust Privacy Notice

Last updated: 10 October 2025

 

1. Introduction

Westcountry Rivers Trust (“WRT”, “we”, “us”, “our”) is committed to protecting your personal information and being transparent about how we collect, use, and store it.

This Privacy Notice explains:

• what personal data we collect and why;
• the lawful bases we rely on;
• how long we keep it;
• who we share it with; and
• your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions, please contact us:
Email: [email protected] | Tel: +44 (0)1579 372 142
Address: Rain-Charm House, Kyl Cober Parc, Stoke Climsland, Cornwall PL17 8PH

2. Who We Are

Westcountry Rivers Trust is a registered charity (No. 1135007) and company limited by guarantee (No. 03847430).

Our mission is to restore and protect the rivers, streams, and wetlands of the West Country for people, wildlife, and future generations.

For data protection purposes, WRT is the Data Controller for the personal data we collect.

3. What Information We Collect

We collect different types of personal data depending on your relationship with us:

Category	Examples / Notes
Contact details	Name, postal address, phone number, email address
Engagement data	Event or training bookings, volunteering activities, surveys or consultations, donations, newsletter subscriptions, participation in citizen science projects (e.g. water sampling, habitat surveys), public enquiries, or feedback forms
Professional data	Employer, role, partner organisation, contractor or consultant details, affiliation with community groups or networks
Technical data	IP address, browser type, device information, cookie identifiers, website analytics, interaction with social media posts or digital campaigns
Images and media	Photos, video, or audio recordings taken at WRT events, training sessions, project sites, or fieldwork (with appropriate notice or consent)
Sensitive data (where applicable)	Health or access needs for event participation, allergy information for fieldwork, equality or diversity monitoring (processed with explicit consent)
Diversity data	Anonymised equality monitoring information (e.g. age range, gender, ethnicity, disability status) used to promote inclusion and report under legitimate interest or legal obligation

We collect information directly from you and occasionally from third-party sources (such as funding partners, event platforms, or publicly available data).

Staff data is processed under a separate Employee Privacy Statement.

4. Fish Pass App and Platform

WRT is the developer and operator of the Fish Pass app and platform, which allows users to find, book and manage fishing opportunities, log catches, and purchase fishing tokens.

When you use the Fish Pass app or website, the following personal information may be collected and processed:

• contact details (name, email address, phone number);
• account information and booking history;
• payment and transaction details (handled securely by payment processors such as Stripe or PayPal);
• user-generated content such as photos, catch logs, or location data; and
• technical data such as device identifiers or app usage statistics.

WRT acts as the Data Controller for information collected through the Fish Pass app.

Our app development partner and hosting providers act as Data Processors, processing your data under strict contractual terms to ensure it is secure and only used for its intended purpose.

5. How and Why We Use Your Data

We only process your personal data where we have a lawful basis.

Purpose	Lawful Basis	Example
Managing events, volunteering, or programme participation	Contract (Art.6(1)(b)) / Legitimate Interest (Art.6(1)(f))	Processing bookings, sending event or volunteering updates
Administering Fish Pass accounts and bookings	Contract / Legitimate interest	Providing app functionality and customer support
Sending newsletters, updates, or fundraising information	Consent (Art.6(1)(a))	You opt in via our website or email form
Administering donations and Gift Aid	Legal obligation (Art.6(1)(c)) / Contract	HMRC compliance, processing donations
Recording stakeholder or partner engagement	Legitimate interest	Partnership reporting, Catchment Partnership activities, project monitoring
Responding to enquiries or feedback	Legitimate interest	Customer service
Safeguarding or incident management	Legal obligation (Art.6(1)(c)) / Public task (Art.6(1)(e))	Health and safety or child protection
Website analytics and cookies	Consent (non-essential cookies) / Legitimate Interest (essential analytics, security)	Google Analytics and website performance monitoring
Use of staff photos and professional profiles	Legitimate Interest (with opt-out available)	Staff profiles on WRT website or promotional materials

We do not sell your personal information and will only use it for the purpose it was collected, or a compatible purpose.

WRT may use staff photos/profiles for professional or promotional purposes under Legitimate Interest.

6. When We Collect Data

You may provide data when you:

• register for or use the Fish Pass app;
• subscribe to a newsletter or mailing list;
• book an event or volunteering opportunity;
• make a donation or purchase;
• complete surveys or forms;
• visit our website or social media channels; or
• contact us directly.

We may also collect limited technical data automatically (for example, through cookies or analytics).

7. Sharing Your Information

We sometimes share data with trusted third parties who help us deliver our services, such as:

• Mailing and marketing services (e.g. Mailchimp, Eventbrite);
• Payment processors (e.g. Stripe, PayPal);
• IT and hosting providers (e.g. Microsoft 365, Google Workspace, Therapy Box for Fish Pass);
• Funders or statutory authorities (for reporting or compliance).

All third parties are bound by contract to keep your data secure and act only on our instructions.
We never sell your personal data.

8. International Data Transfers

Where data is transferred outside the UK (for example, to cloud service providers in the US), we ensure appropriate safeguards are in place — such as the UK Extension to the EU-US Data Privacy Framework or Standard Contractual Clauses — to keep your data protected.

9. Data Retention

We retain personal data only for as long as necessary for the purposes collected, or as required by law.

Data Type	Typical Retention Period	Legal / Practical Justification
Event, volunteer, or project records	3 years	Programme evaluation and re-engagement
Donor / financial records	6 years	HMRC and Charities Act requirements
Fish Pass bookings and transaction data	6 years	Financial and audit compliance
Safeguarding records	25 years (children) / 10 years (adults)	Legal safeguarding duties
Mailing list consent	Until withdrawn or 2 years after last engagement	PECR / GDPR consent standards
Job applicant data (unsuccessful)	6 months – 1 year	ICO and ACAS best practice
Event registrations, training, volunteering enquiries	Up to 2 years after last engagement	To administer events, respond to enquiries, and manage volunteering activity
Volunteer records	6 months – 2 years after last volunteering activity (longer if required for safeguarding or incident review)	Duty of care, programme management, insurance and risk management
Project and beneficiary data (e.g., landowners, farmers, funded project participants)	Typically 6 years after project closure (longer where required by funders or contracts)	Funder audit requirements, contractual obligations, regulatory reporting
Financial and donor records	6–7 years	HMRC and Charities Act requirements
Gift Aid declarations	6 years after the end of the relevant tax year	HMRC requirements
Legacy pledges and stewardship records	Until withdrawn or up to 4 years after notification of death	Charitable stewardship and legal administration
Legacy administration records (actual gifts)	2 years after the estate is finalised	Audit and legal defence
Fish Pass bookings and transaction data	7 years	Financial and audit compliance
Fish Pass anonymised/aggregated usage data	6 years	Evaluation and project reporting
Safeguarding records – children	Retained until the individual’s 25th birthday	Statutory safeguarding duties
Safeguarding records – adults	7 years after death	Statutory safeguarding duties
Serious safeguarding cases	Retained permanently	Public protection and legal obligations
Mailing list subscriptions (consent-based)	Until consent withdrawn or 2 years of inactivity	GDPR/PECR requirements
Professional/academic contacts (Legitimate Interest)	Retained while the professional relationship remains active (reviewed annually)	Legitimate interest in partnership working
Suppression (opt-out) lists	Retained permanently	Ensures we do not contact people who have opted out
Unsuccessful job applicants	Usually 6 months after the recruitment decision	ICO/ACAS best practice; defence of legal claims
Employee and contractor records	6 years after employment ends	Employment law and limitation periods
Right to Work checks	2 years after employment ends	Home Office requirements
Payroll and pension records	6–7 years after employment ends	HMRC requirements
Health and safety records (general)	3 years	H&S compliance
Accident/incident records	3 years after settlement	Insurance and legal defence
Health surveillance (COSHH)	40 years	Workplace safety legislation
Photos, videos and media consent	Until consent is withdrawn or images are no longer required	GDPR consent requirements
Drone and land imagery (with landowner consent)	Until consent withdrawn or imagery is no longer required	Landowner permission and project reporting

At the end of these periods, data is securely deleted or anonymised.

10. How We Protect Your Data

We use technical and organisational measures to protect your information, including:

• password protection and access controls;
• encryption and secure (SSL) data transmission;
• staff data protection training;
• regular monitoring and review of data security.

• We maintain a Data Breach Response Procedure and conduct Data Protection Impact Assessments (DPIAs) where required.

Although we take all reasonable precautions, data transmitted over the internet can never be guaranteed as completely secure.

11. Cookies and Website Analytics

Cookies are small text files stored on your device to help websites function properly.

We use essential cookies for site operation and optional analytics cookies (such as Google Analytics) to help improve performance and understand visitor behaviour.

You can accept or reject non-essential cookies when you visit our site, and can change your preferences in your browser at any time.

12. Your Rights

Under UK GDPR you have the following rights:

• To be informed about how we use your data;
• Access – to request a copy of your personal data (Subject Access Request);
• Rectification – to correct inaccurate or incomplete data;
• Erasure – to request deletion (“right to be forgotten”);
• Restriction – to limit processing;
• Data portability – to obtain and reuse your data;
• Objection – to processing for legitimate interests or marketing;
• Rights related to automated decision-making and profiling.

To exercise these rights, contact:
[email protected]

We will respond within one month of verifying your identity.

If you are unhappy with how we handle your data, you can contact the Information Commissioner’s Office (ICO):
www.ico.org.uk/concerns | Tel: 0303 123 1113

13. Children and Vulnerable People

When we work with children, young people or vulnerable adults, we collect only the minimum necessary information and obtain consent from a parent, guardian, or authorised representative as required by law.

14. Changes to This Notice

We may update this notice periodically to reflect changes in law or our operations.
Please check this page for the most recent version — the date at the top shows when it was last updated.

Contact Us

Data Protection Officer

Westcountry Rivers Trust
Rain-Charm House, Kyl Cober Parc, Stoke Climsland, Cornwall PL17 8PH
[email protected] | +44 (0)1579 372 142