We follow Market Research Society (MRS) best practice and their Code of Conduct, and we are registered with the Information Commissioners Office (ICO).
As a general principle, we will only gather, process and/or store data that is necessary and we do so in compliance with the General Data Protection Regulation (GDPR) that takes effect on 25thMay 2018.
This policy affects your use of our website. It also provides information on other ways in which we may collect data through other areas of our work, which may not be relevant to you if you are only visiting the website. The differences are made clear in this document.
Your use of our website is contingent on your understanding and acceptance of this policy and we deem you to have understood and accepted this if you access our website.
If you do not accept and agree with this policy then you may not use our website and if you have accessed this policy online via our website then you must leave our website immediately.
We always try to communicate using plain English, but there are some terms that require definition in order for you to understand this document, as follows:
- “aggregate data” is the collation of a large set of individual responses into one or more summaries, and where we use that term in this policy this means that it would not be possible to identify an individual from that data;
- a “data controller” determines the purposes and means of processing personal data;
- a “data processor” is responsible for processing personal data on behalf of a controller;
- a “data subject” is a living individual to whom data relates;
- “personal data” is defined by the UK Information Commissioner’s Office (ICO) as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier” – the ICO further clarifies that this relates to ‘living individuals’;
- “raw data” when used in this policy means a full set of data that is searchable by individual entries, in other words someone viewing the file could see each individual response and therefore it is possible to see the information that any one individual has provided;
- “We/Us/Our/The company” means Urban Foundry Ltd., a limited company registered in England under company number 6992527, whose registered office is 2 Princess Way, Swansea SA1 3LW; and
- “Our/This Site” means: urbanfoundry.co.uk
At times, we will be a data controller, and at other times we will be a data processor.
The overriding principles are that the gathering, processing and storing of data has a legal basis and that it is fair. Part of the process of making it fair is to be open and honest about the data we collect. The nature of our work means that it is difficult to keep a document transparent whilst also covering every eventuality, so we have tried to balance these in this document. However, if at any time you are concerned or wish to know more about how we collect, process and store data then you can contact us via our website and we will do our best to help.
Before gathering, processing and storing any information, we have an internal test where all those gathering data, whether on staff or from a third party that we contract, can clearly articulate why we need to gather that personal data and what our legal basis for doing so is. We also determine in advance the length of time for which we will need to retain that data.
At the outset, prior to collecting data, we also consider any risks posed to the individual, for us and our clients and balance the need to gather data against risks. Our researchers are all highly experienced and trained in research ethics.
Once we have determined that we do need to gather, process and store personal data, then we will always be clear about:
- who we are and how we can be contacted (in using Our Site we work on the basis that this is already clear, in all other instances we will clearly identify ourselves and what we do in advance);
- who we are collecting the data for;
- who else we may share the data with (if anyone); and
- what data we are collecting (including whether it is anonymous) and how we will do it.
Sometimes we will be gathering data for ourselves, sometimes we will have been commissioned to gather it for a third party. On occasions where we gather data for a third party we will determine with the third party in advance whether they require access to ‘raw data’ sets – often, the third party will only require ‘aggregate data’, in which case they cannot access any personal data. In other instances, the client will require access to the raw data set and in these instances we are a data processor and they are a data controller.
This policy applies to your use of Our Site and other ways in which we gather, process and store data. Our Site may contain links to other websites – please note that We have no control over how your data is collected, stored, or used by other websites and We advise you to check the privacy policies of any such websites before providing any data to them.
As a data subject, you have the following rights under the GDPR, which this Policy and Our use of personal data have been designed to uphold:
- the right to be informed about Our collection and use of personal data;
- the right of access to the personal data We hold about you;
- the right to rectification of any personal data We hold about you is inaccurate or incomplete;
- the right to erasure (often called the ‘right to be forgotten’) – i.e. the right to ask Us to delete any personal data We hold about you – please note that this right is not absolute and only applies in certain circumstances, we give a summary of this below;
- the right to restrict (i.e. prevent) the processing of your personal data in certain circumstances (see below);
- the right to data portability (obtaining a copy of your personal data to re-use with another service or organisation) in certain circumstances (see below);
- the right to object to Us using your personal data for particular purposes (this too is summarised below) in certain circumstances (see below); and
- rights with respect to automated decision making and profiling.
If you have any cause for complaint about Our use of your personal data, please contact Us using the details provided below and We will do Our best to solve the problem for you. If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.
This policy is designed to give a summary of your rights but it is not a legal document or legal interpretation. If you want to obtain further information about your rights, you can contact the Information Commissioner’s Office (ICO) or your local Citizens Advice Bureau.
Personal data that we collect, process and store
Whenever we gather data about you directly using our website we will always make this clear at the time and you will have to take an action to submit the data by ticking a box or filling in a form and clicking on something to submit that information.
The type of information that we may ask for from time to time may include:
- your name;
- business/company name;
- job title/profession;
- contact information such as email addresses, telephone numbers, postal addresses and postcode;
- demographic information such gender, ethnicity, religious beliefs, preferences, and interests;
- your engagement or non-engagement with certain activities/institutions/organisations;
- IP address;
- web browser type and version;
- operating system;
- financial information;
- a list of URLs starting with a referring site, your activity on Our Site, and the site you exit to; and/or
- your opinions.
The list above is not exhaustive.
We will only collect, process and store personal data for the reasons for which it is first collected, which we will state clearly at the time it is gathered (this includes use of this Site).
Frequently, when we undertake surveys, we do not require personal identifiers such as name, address, postcode and the like and data may be anonymized and used in aggregate – this means that we are interested in the overall opinions of a group of people. Where we do this, your data is anonymous and we construct such surveys so that it is not possible to identify an individual from their responses (this includes setting any e-surveys not to collect IP addresses).
If we conduct an anonymous survey but it could still be possible to identify an individual from their responses then it is treated as if you have supplied us with personal data.
We will only hold data that we gather for as long as is necessary and only for the reasons it was first collected.
We will comply with the GDPR requirements to safeguard your rights at all times.
The following table summarises the various forms of lawful basis for gathering data and your rights to erasure, portability and to object for each (table adapted from ICO guidance):
|Right to erasure||Right to portability||Right to object|
|*but with the right to withdraw consent|
The ICO defines and exemplifies each of the above as follows:
“(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)”
Whenever we gather, process or store personal data it will have a clear legal basis as shown in the list above. The principal reasons for us gathering, processing and storing personal data and their lawful basis are as follows:
- where it is for gathering opinion (e.g. as a community engagement process or research) or for our own or other’s marketing (including photography where the individual is clearly the subject of the photograph and is not someone that are in a contractual relationship with), then our lawful basis will be consent and we will ask you if you (or a legal guardian/carer for children and vulnerable adults) wish to provide this data (you have the right to withdraw your consent to Us using your personal data at any time, and to request that We delete it);
- where we have entered into a contract with you either because you are receiving a product/service from us (this includes intern placements via universities, schools or other referring agencies where we are required to share data between us and the referring agency) or where we are receiving a product/service from you, then our legal basis will be contract – this includes photography that features staff/volunteers of an organisation with whom we have a contractual basis where the individuals are over 18 and are not a vulnerable adult (but we will always be sensitive to any requests not to take photographs of certain individuals);
- where we may run activities that require us to gather data to comply with regulation imposed by law, for example for licensing of certain activities, or for record keeping that are legally obliged to conduct such as maintaining accounts, then our legal basis will be legal obligation;
- where we gather information for health and safety or other general safeguarding purposes (for example a list of names of the people in a building or at an event we run at any one time), then our legal basis is vital interests;
- occasionally we may be commissioned by a public body to gather data that will assist them in fulfilling non-statutory roles that are in the public interest – usually consent will still be the lawful basis for gathering personal data in these circumstances but occasionally it may be public task, and where it is we will make this clear; and/or
- there is certain personal data that we deem to be in our legitimate interest to gather, such as: analytics for use of Our Site; data from past clients and/or key individuals in formal roles (e.g. employees of public bodies and limited companies) that have participated in/collaborated with us in past commissions – we use these for marketing and communications purposes; and photography at events that we may run or participate in. If an individual is clearly the subject of the photograph then this will fall under consent, but where images are taken of crowds, where a person’s features may be visible but where they are not clearly the subject of the photograph (e.g. long shots of crowds) then our lawful basis is our legitimate interest. We will, wherever possible, post information at venues and locations to make it clear that photographs may be taken and we will respect any requests from individuals not to have the photograph taken. In all instances, we will always pay care and attention to safeguarding of children and vulnerable adults.
We will not send you any unsolicited marketing/spam and will take all reasonable steps to ensure that We fully protect your rights and comply with Our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Third party links on our website or other media
With the exception of any links to data processers acting on our behalf (see below) all links on this Site to third party websites are provided solely as a convenience to you. If you use these links, you will leave Our site.
Where any third-party website links are for the purposes of our gathering data (e.g. a link to an online survey platform that we may use to help us to gather data) we will make that clear everywhere the link is posted and we will have checked that the data processor is GDPR compliant and also that they are compliant with our own high standards of privacy.
Where your data is stored
We use third party providers to host our website and to provide third party cookies (see right) and also for our online backups of our administrative files. As a result, some or all of your data when using our websites and data that we collect about you that is stored on our own systems could be stored outside of the European Economic Area (“the EEA”) (which consists of all EU member states, plus Norway, Iceland, and Liechtenstein). If We do store data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under GDPR.
We provide reasonable safeguards for use of your data – key measures are as follows:
- check that any suppliers who may process data on our behalf are compliant with GDPR;
- using SSL connections for email;
- use secure username/passwords for our electronic data storage devices;
- never store personal data on USB or similar portable drives unless there is no other option – ordinarily the only files that require us to store and transfer data on USB sticks are very large video files, in these cases it would be to transfer between machines or to a third party that has contracted the work; for the former the USB is erased after use, for the latter it is sent recorded delivery via Royal Mail or using a trustsed courier service;
- maintain an ability to remotely delete data from any laptop should it be lost or stolen; and
- storing hard copies containing personal information in our offices, transferring data to a secure digital format wherever possible and as soon as possible, and shredding hard copies once they are no longer required.Whe
A ‘first party Cookie’ is one that would be placed directly by us and used only by us – presently, this Site does not use ‘first party Cookies’ and will not place these on your computer or device because of your use of this website.
However, in using this site you may also receive certain ‘third party Cookies’ on your computer or device. ‘Third party Cookies’ are those placed by parties other than us. Third party Cookies are not essential for the functioning of this website, but do help us by helping us analyse the use of our site so that we can better understand our audience. Data is aggregated and presented to us in an anonymized format – we do not receive your personal details through any ‘Third party cookies’.
Before third party Cookies that use your personal data are placed on your computer or device, you will be shown a popup requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling Us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however, as Our Site develops certain features of Our Site may no longer function fully or as intended. You will be given the opportunity to allow only first party Cookies and block third party Cookies that use your personal data.
As Our Site evolves, certain features may be created that will depend on Cookies to function. Cookie Law deems these Cookies to be “strictly necessary”. Your consent will not be sought to place these types of Cookies, but it is still important that you are aware of them. You may still block these Cookies by changing your internet browser’s settings, but please be aware that Our Site may not work properly if you do so. We will always take care to ensure that your privacy is not at risk by allowing them.
The following third party Cookies may be placed on your computer or device because of using Our Site:
- Google Analytics
Our Site uses analytics services provided by Google Analytics. Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling Us to better understand how Our Site is used. This, in turn, enables Us to improve Our Site and the products/services offered through it. You do not have to allow Us to use these Cookies, however Our use of them does not pose any risk to your privacy or your safe use of Our Site, and it does enable Us to continually improve Our Site, making it a better and more useful experience for you.
Note that as Our Site evolves, the third-party cookies that we use may change, so you should regularly check this policy for updates.
In addition to any controls that We provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third party Cookies. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.
You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, any login and personalisation settings that we may add from time to time.
It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.
Sharing your data
We will only share your data under the following circumstances:
- with other projects that are directly affiliated with us that we administer, which presently include:
- Uplands Market Ltd. (which also runs the Marina Market); and
- Canolfan Ltd. which is an independent not for profit vehicle that we have set up to operate several sub-projects.
- where the reason for gathering the data is our role as a data processor for a third-party client e.g. survey data that we may gather (in these instances we will have made it clear to you who we are gathering the data for and what it’s purpose is in advance);
- where the use of our websites involves data gathered by a third-party cookie provider (see below);
- where we are legally obliged to disclose the data; and/or
- (only in exceptional circumstances) where we deem that the safeguarding of an individual overrides their right to privacy.
In all instances We will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.
We may compile statistics about the use of Our Site including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with other data and used to identify you. We may from time to time share such data with third parties such as prospective investors, affiliates, partners, and advertisers. Data will only be shared and used within the bounds of the law.
Third party data processors
We use several third-party suppliers as data processors – we have satisfied ourselves that to the best of our ability to check they are all compliant with this policy and in line with GDPR requirements. Their privacy policies can be found on their respective websites:
- Dropbox for online backup and filesharing within the company;
- Eventbrite for e-ticket sales;
- Fasthosts for our website and email;
- Google for Google Analytics for analysing visitor statistics to our website and Google Maps for the location map on our website;
- iZettle for certain financial transactions;
- Lloyds Bank plc for financial transactions;
- Paypal for certain financial transactions;
- MailChimp for marketing; and
- SurveyMonkey for online research.
We use social media to market our work and our projects. The data from social media channels never enters our systems, but we will from time to time upload photographs to social media channels on our pages/twitter fees, so you should satisfy yourself of their privacy policies and how you can manage your own data on their sites. We currently use the following social media channels:
This list will change from time to time – we will always ensure that any third party processors are in line with GDPR requirements and we will update this list as soon as possible if we add further third party data processors.
What happens if we cease to operate or the business changes ownership
In the event that the company were to merge and a new company number created, then you will be contacted about any data we hold about you and how this may or may not be transferred to the new entity.
Should the business cease to trade then all data will be securely deleted/destroyed once all legal obligations for the wind up of the business are met and we will retain a reserve sufficient to cover the costs of doing this.
We aim to make this website accessible and easy to use for everyone, no matter what browser you use, regardless of your level of ability, or if you have a disability.
While embracing new technologies, we also aim to:
- ensure that users with a disability can gain access with their assistive software or computer settings; and
- ensure users are pointed to the right direction to get information on how to customise their computers.
The site’s layout takes into account users who are blind or visually impaired and is compatible with popular screen reading software.
Our website accessibility is guided by the Worldwide Web Consortium’s (W3C) Web Content Accessibility Guidelines 1.0 (or as updated) and we strive to meet the AA standard wherever possible.
Maintaining an accessible site is an ongoing process and we are continually working to offer a user friendly experience. Where the highest standards of accessibility cannot be met we will aim to provide the information in an accessible format on request.
If you experience any problems with the site or if you have any comments, please email us.
Changing text size
The website is designed to let you change the text size and other display settings through standard browser settings. You can get information on how to do this by clicking here (external link).
Certain information on this site requires that you have the right software to view it. Below we have signposted you to some freely available viewers and readers. Please note that these links are placed here for your convenience, we do not endorse any of these products and others may be available. Any links are to external websites and visiting those sites and/or downloading materials from them or any other action off this site is wholly your responsibility.
Readers and viewers allow you to read file-types associated with commercial programmes without having the program installed on your computer. Readers and viewers can be large files but usually only need to be downloaded once. We have not linked to the following, but you may wish to search for one or more of these using your browser or search engine:
- Word Reader for Linux
- Adobe Acrobat Reader
- Adobe Flash Player
- Microsoft Word Viewer
- Microsoft Excel Viewer
- Microsoft PowerPoint 2007 Viewer
If you are using a screen reader or similar assistive technology to read our site, you may wish to use Adobe’s online conversion tool to create html versions of pdf documents. You can access it at the following URL:
http://www.adobe.com/products/acrobat/access_onlinetools.html (external link)
How you can access the data we hold about you
Under GDPR legislation you have the right to request a copy of any personal data we hold that relates to you and in the areas identified above, to request that we delete that data. We will respond to your request promptly and there will be no cost to you of making or our responding to reasonable requests but it is important that you are clear what you are requesting.
Please use the Contact Details page of the website to get in touch with us.
If you wish to make a request for information about the data we hold about you then it is important that this request is made clear when you contact us.
Disputes, modification and review
Any dispute arising between a customer and Urban Foundry Ltd. will be settled by the Law in England and Wales and with the exclusive jurisdiction of the courts of England and Wales.
Urban Foundry Ltd. strives, to the fullest extent possible, to provide accurate and updated content on this website. Unfortunately, there may occasionally be price changes, unavailable services and other unintentional errors on our site.
We reserve the right not to be liable for any errors or changes and neither Urban Foundry Ltd., nor any employee or representative of the company will be liable for damages arising from the use of this website or the products/services sold here as a result of any such unintentional errors.
Changes to this policy
We regularly review all our policies and this policy may be updated from time to time to reflect changes in law and/or the evolving nature of how we conduct our business.
This policy was last updated on 24thMay 2018.