Privacy & Security Policies

Our standard Privacy Policy is set out below. 

The Privacy Policy which applies to our Volunteers and Community Supporters is accessible here.

Our Recruitment and Onboarding Privacy Policy is here.


Privacy and Security Policy (Standard)


The Churches Conservation Trust (CCT) understands that your privacy is important to you and that you care about how your personal data is used and shared online.  We respect and value the privacy of everyone with whom we communicate and will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the law.

We only ask for the information we need.  We always let you decide what you are comfortable telling us, explain why we need it and treat it as confidential.  When we record and use your personal information we:

  • only access it when we have a good reason
  • only share what is necessary and relevant
  • don't sell it to anyone

About The Churches Conservation Trust

Your personal data (ie any information which identifies you, or which can be identified as relating to you personally) will be collected and used by The Churches Conservation Trust (charity number 258612, with data controller number Z6207323) and Churches Conservation Trust Enterprises Limited (CCTEL), a private limited company with registration number 812965 and data controller number ZB555390.  Both CCT and CCTEL are based at Unit G14 Vulcan Works, 34-38 Guildhall Road, Northampton, NN1 1EW.

What Information We Collect

Personal data you provide

We collect data you provide to us.  This includes information you give when joining or registering, placing an order or communicating with us. For example:

  • personal details (name, date of birth, email, address, telephone etc.) when you join as a member or supporter
  • financial information (payment information such as credit/debit card or direct debit details, and whether donations are gift-aided, and
  • details of your interests and preferences (such as campaigns, the ways you support us or types of activities you enjoy)

If you purchase CCT membership as a gift for someone, your details will be recorded (as will the recipient’s) and your relationship to that person will be recorded.

Information created by your involvement with CCT

Your activities and involvement with us will result in personal data being created.  This could include details of how you’ve helped us by volunteering or being involved with our campaigns and activities.  If you decide to donate to us then we will keep records of when and how much you give to a particular cause.

Information we generate

We conduct research and analysis on the information we hold, which could in turn generate personal data.  For example, by analysing your interests and involvement with our work we may be able to build a profile which helps us decide which of our communications are likely to interest you.

Information from third parties

We sometimes receive personal data about individuals from third parties, for example, if we are partnering with another organisation (eg you provide your information to another charity we’re collaborating with).  We may use third parties to help us conduct research and analysis on personal data (and this can result in new personal data being created).

We may collect information from social media where you have given us permission to do so, or if you post on one of our social media pages.

Occasionally, we may collect information about certain supporters (eg particularly well known or influential people) from public sources.  This could include public databases (such as Companies House), news or other media.  We don’t do this to everyone, and it is the exception not the rule.

Sensitive personal data

We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation) about supporters and members.  There are, however, some situations where this will occur (eg if you volunteer with us or if you have an accident at one of our churches).  If this does occur, we’ll take extra care to ensure your privacy rights are protected.

Accidents or incidents

If an accident or incident occurs at one of our churches, at one of our events or involving one of our staff (including volunteers) then we’ll keep a record of this (which may include personal data and sensitive personal data).


If you are a volunteer (whether specifically for the CCT, or if you are helping us for other reasons, for example you work for another organisation which is running an event with us), then we may collect extra information about you (eg references, criminal records checks, details of emergency contacts, medical conditions etc).  This information will be retained for legal reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.

What We Do With Your Information

How we handle your personal information depends on how you interact with us.  This may include:


We use personal data to communicate with people, to promote the CCT and to help with fundraising.  This includes keeping you up to date with our news, updates, campaigns and fundraising information.


We use personal data for administrative purposes (ie to conduct our charitable and conservation work).  This includes:

  • receiving and acknowledging donations (eg direct debits or gift-aid instructions) and pledges of future gifts, including legacies
  • administer membership and membership renewals
  • maintaining databases of our volunteers, members and supporters
  • performing our obligations under membership contracts
  • fulfilling orders for goods or services (whether placed online, over the phone or in person)
  • helping us respect your choices and preferences (eg if you ask not to receive marketing material, we’ll keep a record of this)

Internal research and analysis

We carry out research and analysis on our supporters, donors and volunteers to determine the success of campaigns and appeals, better understand motivation for support, responses and identify patterns and trends.  This helps inform our approach towards communication and makes the CCT a stronger and more effective organisation.  Understanding our supporters, their interests and what they care about also helps us provide a better experience (eg through more relevant communications).

Supporter research and profiling

We evaluate, categorise and profile personal data in order to tailor materials and communications (including targeted advertising) and prevent unwanted material from filling up your inbox.  This also helps us understand our supporters, improve our organisation and carry out research.

When We Use Your Information Without Permission

In most cases, we will get your permission to collect, use, store and share your information.  Occasionally we might use or share your information without your permission.  If we do, we will always make sure there's a legal basis for it.  This could include situations where we have to use or share your information:

  • to comply with the law, called 'legal obligation'
  • to carry out our aims and goals as an organisation, called 'legitimate interests'
  • to carry out a contract we have with you, for example, if you're an employee we might need to store your bank details so we can pay you

Contacting Us About Your Data

You can contact us at any time and ask:

What information we have stored about you

You have the right to request, at any time, the information we hold about you.  Depending on the nature of the request, we may seek a form of identification to verify the identity of the person making the request.  The information will be supplied within 30 calendar days of the request or the verification, whichever is the later.

To change or update your details

If you believe the information we hold about you is incorrect or incomplete, you have the right to ask us to correct it.  We must respond within one month of the request being received.  You also have the right to ask CCT to stop processing your personal data.  In this situation, we can continue to store the data to ensure the request can be respected in the future, but all processing must cease, unless there is a legal purpose. 

To delete your details from our records

You have a right to have your personal data erased and for processing by CCT to stop:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When you withdraw consent
  • When you object to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (ie in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation

The CCT can refuse to comply with a request for erasure where the personal data is processed for legal reasons or other scenarios that may be in the public interest as specified by the ICO. 

You can contact us to make a request by telephoning us on 0845 303 2760 or by sending an email to [email protected]

Sharing Information With Others


The CCT sometimes uses external companies to process personal data on the CCT’s behalf, for example to produce direct marketing materials.  In these circumstances, the CCT is the Data Controller and these suppliers are Data Processors.

The security practices of supplier companies are checked before the CCT appoints them and then on a regular basis.  The CCT puts contracts in place that set out the organisation’s expectations and requirements, especially regarding how suppliers store and process the personal data provided by the CCT.

Third party marketing

We will only use personal information within the organisation for the purposes for which it was obtained.  We will never sell your personal data, and will only ever share it with organisations we work with where necessary and if its privacy and security are guaranteed.

We will not, under any circumstances, share personal data with any third party organisations for their use or sell it to them for their own marketing purposes, and individuals will not receive marketing communications from any other companies, charities or other organisations as a result of providing their details to us.

Legal requests

We will comply with legal requests where disclosure is required or permitted by law and a written request is received, for example, to government bodies for tax purposes or law enforcement agencies for the prevention and detection of crime.

Processing within the EU

Our operations are based in the UK and we store our data within the European Union.  Some organisations which provide services to us may transfer personal data outside of the EEA, but we’ll only allow them to do if your data is adequately protected.  For example, some of our systems use Microsoft products.  As a US company, it may be that using their products result in personal data being transferred to, or being accessible from, the US.  We will allow this, however, as we are certain personal data will still be adequately protected.

How Long Is Personal Information Kept?

We will hold personal information on our systems for as long as it is necessary for us to carry out the relevant activity requested by the individual and as in line with the consent given.  The personal information of individuals who are no longer involved with us will be held for no longer than seven financial years.  This period meets our statutory obligation to retain information for Gift Aid and other tax purposes.

If someone asks us to cease contact with them, we will keep a record of the request, along with your personal details to enable us to comply with the request over time, but this period will be no longer than the seven financial years stated above.

Data Security

We ensure that there are appropriate controls in place to protect the personal details provided to us.  Online forms are encrypted and our databases are held on secure servers which are only accessible by approved staff, contractors and suppliers.  Paper-based information is stored securely as required by GDPR. 

We are Cyber Essentials accredited which provides additional confirmation of the security of our information systems.

Our staff receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data.

Links To Other Websites

Our website may contain hyperlinks to websites owned and operated by other organisations.  These websites have their own Privacy Policies, including policies on their use of cookies.  These individual policies will govern the use of any personal information submitted or collected by cookies when individuals visit these websites.  We cannot accept any responsibility or liability for the privacy practices of third-party websites and the use of such websites is at individuals’ own risk.

Changes To Our Privacy Policy

We may update this privacy policy from time to time; the latest version will always be available at

If You Want To Make A Complaint

If you're not happy with how we have handled your data, you can make a complaint.  You can complain to the CCT directly by contacting our data protection officer using the details below.

If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK.  Details of how to do this can be found at


If you have any questions about this policy or how we use your personal data, please contact our data protection officer by email at [email protected], by telephone on 0207 841 0400 or in writing to The Churches Conservation Trust, Unit 14 - c/o Vulcan Works, 34-38 Guildhall Road, Northampton, NN1 1EW.