Members Privacy Policy

Last Updated: November 2025
Organisation: Red House Farm Allotment Society (RHFAS)
Website: https://stage.rhfas.co.uk
Status: Not-for-profit members’ organisation
Supervisory Authority: UK Information Commissioner’s Office (ICO)


1. Who We Are

Red House Farm Allotment Society (RHFAS) is a volunteer-run, not-for-profit association responsible for managing allotment plots, memberships, and community activities for our members.

We are the data controller for any personal information processed through this website or as part of your membership.

For any privacy enquiries, please contact:
📧 [email protected]


2. What Personal Data We Collect

We only collect the information necessary to manage your membership, your plot, and your participation in society activities.

2.1 Information You Provide Directly

  • Name
  • Address
  • Email address
  • Phone number
  • Emergency contact (optional)
  • Plot number(s)
  • Membership and rent information
  • Communications sent to the committee
  • Any information you enter on forms (e.g., risk reports, expense claims)

2.2 Website Interaction Data

We collect limited technical data for security and performance:

  • IP address
  • Browser user-agent
  • Login activity
  • Cookies (see section 4)
  • Anti-spam identifiers

2.3 Uploaded Media

If you upload photos, please avoid including location data (EXIF). Visitors may be able to extract this information.

2.4 Comments and Forms

When you leave comments or submit a form:

  • We collect the information submitted in the form
  • We store metadata (time, IP address) to prevent abuse
  • A hashed version of your email may be checked by Gravatar
    (see https://automattic.com/privacy/)

3. How We Use Your Personal Data

We process your data only when necessary for:

3.1 Society Administration

  • Managing your membership
  • Allocating and administering plots
  • Communicating important notices
  • Managing rent and membership renewals
  • Sending AGM updates and required information

3.2 Safety and Compliance

  • Responding to incidents on site
  • Managing risk assessments
  • Fulfilling legal obligations (e.g., RIDDOR if applicable)

3.3 Website Operation

  • Secure login and authentication
  • Spam protection
  • System administration and debugging
  • Access control for member-only pages

3.4 Legitimate Interests

We may process limited data to:

  • Maintain site security
  • Improve convenience for members
  • Deliver required society services

We do not use your data for marketing or for any commercial purposes.

We never sell your data.


4. Cookies

We use essential cookies to operate the website. These include:

4.1 Login Cookies

Set when you log in to keep your session active.

4.2 Preference Cookies

Store your display and accessibility preferences.

4.3 Comment Convenience Cookies

If you leave a comment, you may opt in to store your name and email.

No advertising, profiling, or tracking cookies are used.


5. Legal Basis for Processing (UK GDPR Article 6)

We process your data under the following legal bases:

  • Membership contract – to provide the services and obligations of being a member.
  • Legal obligation – where required (e.g., accident reporting, charity records).
  • Legitimate interest – site safety, fraud prevention, secure operation.
  • Consent – for optional communications or features (you may withdraw at any time).

6. How Long We Keep Your Data

  • Membership data: kept for the duration of your membership.
  • Financial records: retained for 7 years (legal requirement).
  • Incident or risk reports: kept as long as required for safety or compliance.
  • Website comments: stored indefinitely unless you request removal.
  • Photos uploaded by members: retained until deleted by the uploader or admin.

When you leave the society, we archive essential information but delete optional profile data.


7. Who We Share Your Data With

We only share data when strictly necessary:

Internal

  • Committee members (e.g., Treasurer, Membership Secretary)
  • Safety officers (risk/incident management)

External (Limited and Controlled)

  • Anti-spam services (e.g., Akismet or similar)
  • Email sending providers (e.g., WordPress mailer)
  • Payment processors if you choose to pay online (Stripe, Square)
    ⚠️ We never store card or bank details on our website.

When Required by Law

We may disclose information when legally obligated (e.g., insurance, authorities).

We never share, sell, rent, or trade member data for commercial purposes.


8. Your Rights Under UK GDPR

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion (right to be forgotten)
  • Restrict processing in certain situations
  • Request portability of your data
  • Object to certain types of processing
  • Withdraw consent where processing is based on consent

To exercise these rights, email:
📧 [email protected]

If you are unhappy with our response, you may complain to the ICO:
https://ico.org.uk/


9. Where Your Data Is Stored and Sent

  • Data is stored securely on UK/EU-based servers.
  • Access is restricted to authorised committee members.
  • Visitor comments may be checked through automated spam detection services.

We do not transfer personal data outside the UK unless adequate safeguards exist.


10. How We Protect Your Data

We use multiple layers of security including:

  • Encrypted website (HTTPS)
  • Access limited to authorised committee members
  • Secure passwords and multi-layer authentication
  • Encrypted backups
  • No storage of payment card details
  • Regular security updates and monitoring

11. Account Deletion

If you no longer wish to be a member, you may request account deletion.
Essential information required for legal or financial records may be retained securely for statutory periods.


12. Changes to This Policy

We may update this policy when required for compliance or operational reasons. Any substantial changes will be communicated to members.