PRIVACY & DATA PROTECTION POLICY

1) WHO ARE WE?

Headlong is a charity and is funded by Arts Council England as well as various trusts, foundations and individual donors and supporters. Our registered charity number in England and Wales is 267965 and we are also registered as a company in England and Wales under registration number 1171757.

Headlong treats the handling of personal data seriously. As such we have created a Privacy & Data Protection Policy, to ensure everyone in our workplace knows how to handle the personal data we receive from individuals and details how Headlong will treat personal data after it has been collected by us.

Information about individuals is held by Headlong with the right of subject access, allowing any individual access to the information held about them.

Please get in touch with us if you have any questions about any aspect of this privacy policy, and in particular if you wish to exercise any of the rights detailed in section 7.

Contact us at:

Headlong Theatre
17 Risborough Street
London
SE1 0HG

info@headlong.co.uk

2) DATA WE MAY COLLECT
 

You will be asked for personal information when you register, make an enquiry, make a donation or order products and services from us, apply for or accept a job or opportunity or participate in an outreach programme or workshop.

When you buy from us

We will retain your name, date of birth, contact details and contact preferences when you make a purchase from our box office or otherwise buy products from us. We will keep a record of your bank or credit card details used to make the purchase, but only temporarily and solely to process your transaction.

When you make a donation or otherwise provide us with your information

We will record details when you sign up to our mailing list or make a donation. Where you make a donation, we will keep a record of the details of the gift (amount, date, purpose) and your Gift Aid status. We may also ask you to provide details about your current interests and activities, and the details of your family and spouse/partner details where appropriate.

We are committed to fundraising best practice and abide by the Fundraising Regulator’s key principles and behaviours of a fundraising organisation: to be legal, open, honest and respectful. We undertake to comply with relevant law and regulations, including the Proceeds of Crime Act, Data Protection, Tax and Gift Aid legislation and Charity Commission guidance.

When you use our website

We log your Internet Protocol (IP) address, in order to receive and send information from and to you over the internet. Our website also uses cookies to enable online transactions, understand how people use our website and inform our digital advertising. For more information on cookies, please see section 6.

Information from third parties

We occasionally receive information about you from third parties. As we sell tickets through the venues that we tour to, who may be based both inside or outside of the EU, we may receive third party information from them about you, including your name, email address, postal address and booking information. We will only ever receive information about you with your consent or in the performance of a contract, with your knowledge, and we ensure that a data agreement is in place. If you book tickets through a partner venue you should check their Privacy Policy when you provide your information to understand fully how they will process and safeguard your data. If you wish to withdraw your consent for us to contact you, you can contact us using the information in section 1.

We may also receive personal data from our website developer, IT support provider and payment service provider who are based inside the EU.

If you are a job applicant we may contact your recruiter, current and former employers and/or referees, who may be based inside or outside the EU, to provide information about you and your application.

Depending on your settings or the privacy policies for social media services like Facebook, Instagram or Twitter, you may give us permission to access information from those accounts or services, such as your behaviour on these services and across our site. The majority of this behaviour is anonymised. For more information on how to control your privacy settings for these services, go to the following links:

Facebook - Privacy Policy
Twitter - Privacy Policy
YouTube - Privacy Policy
Vimeo – Privacy Policy

Special categories of personal data

Special categories data is personal data that is more sensitive and therefore needs more protection, such as information about health and biometric data, race, religious or philiosophical beliefs, sex life, sexual orientation, trade union membership and political opinions. We will only process this type of data:

• In limited circumstances, with your explicit written consent
• where we need to carry out our legal obligations or exercise rights in connection with employment 
• where it is needed for reasons of substantial public interest, such as for equal opportunities monitoring
• where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent
• where you have already made the information public
• when required by our Arts Council England NPO funding. The information provided in this instance will always be anonymised. This initiative builds an aggregate picture of local and national audiences across all Arts Council England National Portfolio Organisations.Their tools allow us to understand how our audience in a local and national context and helps us to identify new audience opportunities

If you are an applicant or an employee, we will collect special categories of information about your race, ethnicity, religious or philosophical beliefs and sexual orientation for the purpose of our diversity and equal opportunities records (on the basis that it is needed for reasons of substantial public interest, for equal opportunities monitoring).

Through surveys, with your explicit consent, we may collect special categories of information such as your race, ethnicity, religious or philiosophical beliefs, and sexual orientation. This allows us to understand how our audience in a local and national context and helps us to identify new audience opportunities.

When you provide us information in relation to an event that you are attending with us, we may ask you about your access requirements and dietary preferences.

3) WHAT WE USE YOUR DATA FOR

Depending on the preferences you have indicated and your relationship with Headlong Theatre we will use the personal information you have provided in the following instances:

To carry out our business and to provide a service or carry out a contract with you:

• To fulfil ticket and donation requests
• To invite you to events or book corporate workshops as per your sponsorship benefits
• Process payments
• Provide the best possible customer services and to help us with internal administration
• Contact you with important information relating to your booking or purchase, such as confirming your order, reminding you of an upcoming performance you’ve booked for or letting you know about cast changes or information that may affect your visit

Where we have your consent to:

• Capture access requirements in order to ensure you have an enjoyable experience attending our productions
• Capture personally identifiable information through our post show surveys
• Take pictures of you as a participant on a project
• Share your details with other arts organisations who have co-produced work you may have seen at or in collaboration with Headlong. These organisations should contact you to let you know how they collected your data and to check that you’re happy to hear from them. You will always be able to opt out of their communications by contacting them directly

Where we have a legal obligation to:

• Detect and reduce fraud and credit risk

Where we have legitimate interest to:

• Send you updates via email about what’s on, ticket or membership offers, and news
• Email you about a specific topic you’ve requested to hear more on such as specific productions, our community work or opportunities to support our work
• Learn about your interests and preferences so that we can contact you with information that is relevant to you
• Help us target our marketing and development communications and adverts so that they’re more relevant to you
• Send relevant invitations to events, press night or other fundraising opportunities via post or phone if we believe this would be of interest
• Use your pseudonymised details to show you advertising on such Social Media platforms as Facebook and Instagram or via other third party advertising that may appear on other websites you use. The information shared with these platforms is pseudonymised to protect your personal data
• Classify our audience into groups or segments, using booking and publicly available information. These segments help us to understand our audience better and ensure we’re sending relevant messages to each group. We may use third party processors to help achieve this. We also submit these anonymously as part of reporting to fundraising and public funding bodies (such as Arts Council England)
• Participate in the Audience Finder initiative or other initiatives as required by our Arts Council England NPO funding. This initiative builds an aggregate picture of local and national audiences across all Arts Council England National Portfolio Organisations. Their tools allow us to understand how our audience in a local and national context and helps us to identify new audience opportunities
• Measure and understand how our audiences respond to a variety of marketing activity so we can ensure our activity is well targeted, relevant and effective
• Analyse and continually improve the services we offer including our artistic output, our website and our other products
• Ensure we are maximising our ticket sales wherever possible
• Enable us to fundraise effectively because we are a charity

Building an understanding of audiences, members and supporters and improving communications

We use various techniques including market research and audience profiling techniques to help us understand our audiences, customers, donors and potential supporters. This includes gathering information from you as well as publicly available resources to give an insight into your interests and inclination to attend Headlong events or support Headlong.

We do this because it allows us to understand our audience members and the people who support us, and helps us to send appropriate communications and make appropriate requests to those who may be able and interested in attending or giving more than they already do.

When building a profile we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences in order to contact you with the most relevant communications.

Opting into and out of marketing and other fundraising communications

With your consent, we will contact you to let you know about upcoming events, updates on our plans and progress we are making, and to ask you to make a donation or give other types of support. Occasionally, we may include information from our partner organisations or organisations who support us in these communications.

We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our forms have clear marketing and we include information on how to opt out when we send you marketing. If you don’t want to hear from us, that’s fine. Just let us know when you provide us with your information or change your preferences at any time by contacting info@headlong.co.uk.

4) WHO WE MIGHT SHARE YOUR PERSONAL DATA WITH

Your personal information might be passed to a third party if they need it to fulfil your order(s) for our services, to execute the communications we send to you, to process a donation, or where you have otherwise consented to being contacted by selected third parties, such as artistic partners and associates. We do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal information they have collected or have access to.

Examples of the data we share and who we share it with include:

• Name on card, credit card number, billing address, CVV, amount of transaction and order number with Sagepay in order to process credit card transactions
• Name and email address with dotmailer in order to produce e-marketing campaigns and pre & post show emails
• Service providers who aggregate data in order for us to do benchmark reporting across the industry, specifically: The Audience Agency for the purposes of the Audience Finder initiative. For more information on the data they collect, head to their Privacy Policy: https://audiencefinder.org/audience-finder-privacy-notice/
• Named third party organisations if you ticked the relevant opt-in box when you purchased tickets. In these instances, we may supply your personal information to that specific organisation only. We will only supply full name, email address and postal address in these data shares and only with your consent
• Other organisations such as competition organisers if you choose to take part in such activities that need administration by third parties and you choose to opt in for contact from those organisations. We will only supply full name and email address in these data shares and only with your consent
• Any answers you give in one of our post-show surveys via Survey Monkey. For more information on how Survey Monkey protects your data, refer to their privacy policy https://www.surveymonkey.co.uk/mp/legal/privacy-basics/
• Third party advertisers (such as Facebook or Google) to help us identify customers similar to our audience or to serve adverts they deem relevant to you on third party websites. The information shared with these advertisers is pseudonymised to protect your personal data
• Our ticketing system provider Spektrix who provide support should our ticketing system require maintenance
• Where required to do so (for example, if required to do so by the ‘know your donor’ principles under charity law or a court order), or when requested by the police or a regulatory or government authority investigating illegal activities

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following transfer solutions are implemented:

(a) We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;

(b) Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, European Commission: Model contracts for the transfer of personal data to third countries; and

Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

5) HOW WE PROTECT YOUR DATA

We ensure that there are appropriate technical controls in place to protect your personal details. The personal information that you provide will be held securely and will not be used for any other purpose than as provided for in this policy. We ensure that there are appropriate technical controls in place to protect your personal information; for example, any information which we transfer is encrypted and password protected, and all of our staff receive data protection and security training. We also ensure that any physical copies of personal data are protected, and our premises are kept safe with multi-lock security. We archive our email and paper correspondence regularly and destroy information older than 7 years.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

How do we keep your information up to date?

We endeavour to keep your personal information accurate and up to date. If you become aware of errors or inaccuracies, please email info@headlong.co.uk or update the information we hold about you by using the "My Account" section of our website.

We use publicly available sources to keep your records up to date; for example information provided to us by other organisations as described in this policy.

We would really appreciate it if you could let us know if your contact details change.

Credit and Debit Card Information

If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).

We optionally allow you to store your card details for use in a future transaction. This is carried out in compliance with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store your 3 or 4 digit security code.

6) COOKIES

Cookies are small text files that are automatically placed onto your device by some websites that you visit. They are widely used to allow a website to function (for example to keep track of your basket) as well to provide website operators with information on how the site is being used.

We use cookies to keep track of your basket as well as to identify how the website is being used and what improvements we can make.

Find out more information on what cookies we use here.

Links

Our website contains links to other third party websites. We are not responsible for the privacy practices of these websites and you should read their own privacy policies for more information.

7) WHAT ARE YOUR RIGHTS?

You can request full details of personal information we hold about you under the Data Protection Act 1998, or after 25 May 2018, The General Data Protection Regulation, by contacting the Data Team. Please send a description of the information you would like to see, together with proof of your identity to info@headlong.co.uk

At any time you have the right to ask the Headlong to amend or to stop how it uses your personal information including for marketing purposes. You can do this by signing in to the website and accessing your account details or if you don’t have an account or if you prefer to, you can contact us by phoning, emailing or writing using our contact details in section 1. You have the right to get information held about you by us corrected. If you have any concern about the accuracy of your personal data, please let us know using the above contact details.

You have the right to lodge a complaint with the supervisory authority, The Information Commissioner’s Office – www.ico.org.uk

More information about Data Subject Rights can be found here.

8) CHANGES TO THIS POLICY

Our privacy policy may change at any time, so you may wish to check it each time you visit our website. Any changes will apply from the time that they are posted to this page. If we make any significant changes in the way we treat your personal information we will make this clear on our website or by contacting you directly.