Who we are
Our website address is: https://quayclimbingcentre.co.uk.
Privacy and Fair Processing Policy Notice
1. Key principles of our approach
The Quay Climbing Centre Limited (‘The Quay’) is committed to protecting your privacy. Everyone working for the Quay Climbing Centre Ltd has a legal duty to keep information about you secure and confidential.
This notice contains important information about your rights to privacy, our data processing practices and your rights and options regarding ways in which your data is used and collected. Please read it carefully to understand how we use your personal information.
At all times we aim to respect any personal information you share with us, or that we receive from others, and keep it safe.
The provision of your personal information to us is voluntary. However, without providing us with your personal information your use of services or your interaction with us may be impaired. For example you may be unable to register with us to climb in the centre or to make an online booking for one of our activities.
2. General Data Protection Regulations (‘GDPR’)
The General Data Protection Regulations (GDPR) law came into effect on 25th May 2018, replacing the Data Protection Act. The new rules mean that we, like other businesses in the UK, will be making sure we are even clearer about how we handle your data.
This Privacy and Fair Processing Notice provides you with all the information you need to know about the information we collect from you, how we use it, how we store it and how we keep it secure.
This notice applies to all customers of The Quay and individuals engaged in the provision of activities at the centre.
All references to we, our or us in this privacy notice are to The Quay Climbing Centre Limited (‘The Quay’), registered company number 07532722.
3. The Quay Climbing Centre Limited – About Us
Opened in 2011, the Quay Climbing Centre is a multi-use climbing facility which offers top rope climbing, lead climbing and bouldering to independent users and attendees of clubs and courses, as well as Clip ‘n Climb sessions which run by the hour. As part of these services we offer birthday parties, events and sub-let a space for physiotherapy, yoga and other holistic treatments.
Our customers access and use our facilities in a variety of ways including, but not limited to: participation in a Clip ‘n Climb session; participation in an individual or group climbing session led by one of our instructors; participation in a group session led by appropriately qualified third party instructors; participation in a course delivered by our instructors; participation in youth climbing clubs or squads and climbing independently following suitable induction and safety checks.
In order to provide our services in a safe and efficient manner we need to collect certain information from customers including contact and payment information, information about their climbing experience and fitness to participate in the activities we offer, and information that may provide access to marketing or product promotions by ourselves and our sponsors.
Our employees support our products and services in a variety of roles including but not limited to: the provision of instruction in climbing techniques, the supervision of group sessions, the oversight of safety in the climbing arena, the oversight of Clip ‘n Climb sessions, the provision of administrative and reception facilities and the provision of catering services in our café and birthday party spaces.
4. We collect personal information about you:
a. When you give it to us directly
For example, personal information that you submit through our website or directly at the centre by making a booking to use our facilities, registering as a member or centre users, joining one of our youth clubs or squads or signing up for email marketing or communications; or personal information that you give to us when you communicate with us by email, phone or letter
b. When we obtain it indirectly
For example, your personal information may be shared with us by third parties including, for example, The Association of British Climbing Walls (Britain) Limited (‘ABC’), an organisation established to promote safe management practices in climbing walls of which we are a member; The Association of British Climbing Walls (Britain) Training Trust (‘ABCTT’) who administer NICAS and NIBAS climbing schemes for young climbers or analytics providers and search information . To the extend we have not done so already, we will notify you when we receive personal information about your from them and tell you how and why we intend to use that personal information.
c. When it is available publicly
Your personal information may be available to us from external publicly available sources
d. When you visit our websites (including but not limited to www.quayclimbingcentre.co.uk, www.clipnclimbexeter.co.uk and www.deepwatersoloexeter.co.uk) the web server automatically collects the following types of personal information:
i. Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms
ii. Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including the date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from pages
5. What personal information do we use?
We may collect, store and otherwise process the following kinds of personal information:
a. Your name and contact details, including postal address, telephone number, email address and, where applicable, social media identity
b. Your date of birth and gender
c. Your financial information, such as bank details and/or credit/debit card details, account holder name, sort code and account number
d. Information about your computer/mobile devise and your visits to us and use of our websites such as your IP address and geographic locations
e. Personal descriptions and photographs, including photographs taken to identify you on our registered customer database, Rock Gym Pro, which are used to identify you as part of our customer check in process
f. Information about next of kin or emergency contacts that we may need to communicate with in the event of an emergency or incident relating to you or your party whilst using the centre facilities. This information includes name, contact telephone number and relationship of the contact to you as the customer
g. Details of your qualifications and experience, in particular if you are a third party instructor or bringing groups to the centre
h. Medical information where you feel it is appropriate to inform us of a medical condition that we may need to be aware of to keep you safe whilst using the centre facilities.
And/or any other personal information which we obtain as per Section 6 below.
Do we process special categories of data?
The EU General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and actual or alleged criminal offences.
In certain situations, The Quay may collect and/or use these special categories of data (for example, information about disability and access requirements or medical conditions that may be relevant to your use of the facilities at the centre). We will only process these special categories of data if there is a valid reason for doing so and where the GDPR allows us to do so.
6. How and why will we use your personal information?
Your personal information, however provided to us, will be used for the purposes specified in this Notice. In particular, we may use your personal information:
a. To register you as a member of the The Quay climbing facilities, as part of the annual registration process for climbers or when you sign up to our Induction Courses or become a member of one of our youth clubs and squads
b. To allow you to make a booking to use our facilities including but not limited to bookings for Clip ‘n Climb Exeter, for instructed sessions and courses offered in the climbing wall and for group bookings onto group specific packages
c. To administer bookings for groups to bring their own instructors to the centre to use our facilities
d. To otherwise provide you with services, products or information you have requested
e. To provide further information about our work, services or activities (where necessary, only where you have provided your consent to receive such information)
f. To assist you with, and administer your registration onto, accreditation schemes such as the NICAS Scheme (administered via the ABCTT)
g. To answer your questions/requests and communicate with you in general
h. To allow you to apply for a job or volunteer with us
i. To register you for ad hoc events and competitions that we may run.
j. To manage relationships with our partners and service providers
k. To analyse and improve our work, services, activities, products or information (including our website), or for internal records
l. To keep our facilities safe and secure.
m. To manage incidents, such as accident or near miss logs and records, and to communicate with third parties as required in such situations (health and safety executive, industry regulators, emergency services)
n. To run and administer the activities offered at The Quay, including our website, and to ensure our content is offered in the most effective manner for you and the devices you use
o. To audit and/or administer our accounts
p. For the prevention of fraud or misuse of our services
q. For the establishment, defence and/or enforcement of legal claims
r. To satisfy legal obligations which are binding on us, for example in relation to regulatory government and/or law enforcement bodies with whom we may work
7. Lawful bases
The GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:
a. Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to use your personal information to send you email newsletters).
b. Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
c. Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to provide you with services in return for your organisation’s membership fee).
d. Where it is necessary to protect your vital interests (for example, in an emergency situation).
e. Where there is a legitimate interest in us doing so.
f. During the Covid-19 management phase to support PHE NHS Track and Trace processes where required to do so by Local Authorities.
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights as an individual).
In broad terms, our “legitimate interests” means the interests of running The Quay and the activities offered by The Quay as a commercial entity and ensuring the best possible user experience.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and on your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
8. Communications for marketing/promotional purposes
We may use your contact details to provide you with information about our work, events, services and/ or products which we consider may be of interest to you (for example, about services you previously used, or updates about fundraising appeals and/or volunteering opportunities via our newsletter).
Where we do this via email, SMS or telephone, we will not do so without your prior consent (unless allowed to do so via applicable law).
Where you have provided us with your consent previously but do not wish to be contacted by us about our projects and/or services in the future, please let us know by email at climb@quayclimbingcentre.co.uk. You can opt out of receiving emails from The Quay at any time by contacting us using the email address above.
9. Children’s personal information
When we process children’s personal information, where required we will not do so without their consent or, where required, the consent of a parent/ guardian. We may receive the personal information from another data controller who is required to gain this consent. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care.
10. How long do we keep your personal information?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see Section 11 below), we will remove it from our records at the relevant time.
If you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
11. Will we share your personal information?
We do not share, sell or rent your personal information to third parties for marketing purposes. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice.
These parties include but are not limited to:
a. The ABCTT and the ABC
b. Local and national government agencies;
c. Funding bodies such as Sport England;
d. Awarding bodies such as Mountain Training;
e. Other members of the ABC
f. Healthcare professionals;
g. Partner bodies such as the British Mountaineering Council
h. Providers of kit and equipment
i. Suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as website hosts or cloud storage providers;
j. Professional service providers such as accountants and lawyers;
k. Parties assisting us with research to monitor the impact/effectiveness of our services; and
l. Regulatory authorities, such as tax authorities;
In particular, we reserve the right to disclose your personal information to third parties:
· In the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
· If substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
· If we are under any legal or regulatory duty to do so; and/or
· To protect the rights, property or safety of The Quay, its personnel, users, visitors or others.
12. Security/ storage of and access to your personal information
The Quay is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information. Your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers which have features to prevent unauthorised access.
We always ensure that we have the necessary controls in place to protect the personal data you provide us with.
We carry out regular audits of who has access to data so that we can ensure that your information is only accessed by trained staff. The Quay makes every effort to maintain customer confidentiality in all aspects of our business including but not limited to: when you secure an online payment; when you provide personal data as part of the registration process for membership, courses or clubs and when you complete forms related to activities at the centre such as booking forms, employment forms and club membership forms.
a. Your credit and debit card information
The Quay makes every effort to maintain customer confidentiality when securing an online payment. This includes ensuring the security of your credit card details and other personal information. We don’t store your card details on any system used by The Quay, including our Rock Gym Pro database which processes customer information and bookings. All of your personal information is encrypted as it travels over the internet. When you make a booking, you enter a secure internet site. When you make a payment you enter your card details directly into our payment provider’s secure web page. To protect you against credit card fraud (where someone has discovered your credit card details but do not have your card), you will be asked to enter the unique security code printed on the back of your payment card.
When we process memberships and payments via our Rock Gym Pro Customer database (‘RGP’) uses the Stripe system to process payments. This ensures that the Customer Database, RGP, has no visibility over credit or debit card numbers and any data entered into the system is in fact entered directly into the web portal of the payment processer, currently Stripe.
When capturing a credit card for an EFT member, the same process happens and RGP receives an alias from Stripe which is then stored in the database. The aliases that RGP does store are generated by Stripe and they allow RGP to instruct Stripe to charge specific customers. For data exchange between RGP and Stripe, Stripe supports several cryptographic protocols, but RGP only connects via TLS 1.2 and not the older protocols (like HTTPS or TLS 1.1).
13. International Data Transfers
Given that we are a UK-based organisation and our members are based in the UK and Republic of Ireland, we will normally only transfer your personal information within the European Economic Area (“EEA”), where all countries have the same level of data protection law as under the GDPR. However, because we use agencies and/or suppliers to process personal information on our behalf, it is possible that personal information we collect from you will be transferred to and stored in a location outside the EEA), for example the United States.
Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice. If you have any questions about the transfer of your personal information, please contact us using the details below.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
14. Exercising your Rights
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. You also have the following rights:
a. Right of access
You can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
b. Right of erasure
At your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.
c. Right of rectification
If you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
d. Right to restrict processing
You have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
e. Right to object
You have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests basis (see paragraph 7), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
f. Right to data portability
To the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
g. Rights related to automated decision-making
You have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by EU or Member State law to which The Quay is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in paragraph 17 below.
We encourage you to raise any concerns or complaints you have about our data processing by contacting us using the details provided in paragraph 17 below. You are further entitled to make a complaint to the Information Commissioner’s Office – www.ico.org.uk. For further information on how to exercise this right, please contact us using the details below.
15. Changes to this Notice
We may update this Notice from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website. This Notice (v1) was last updated on 23rd May 2018.
16. Links and third parties
We link our website directly to other sites. This Notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
17. How to contact us
Please let us know if you have any questions or concerns about this Notice or about the way in which The Quay processes your personal information by contacting us at the channels below. Please direct communications to Alison Smith, Data Protection Manager: Alison@quayclimbingcentre.co.uk; telephone 01392 426 850 or write to us at The Quay Climbing Centre, Haven Road, Exeter, EX2 8AX.
Website Privacy Statement
What personal data we collect and why we collect it
Comments
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Contact forms
Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.