Our Privacy Policy

This privacy policy explains how Everybody’s Cycling CBS (“we”, “us”, “our”) collects, uses and protects your personal data.

We are committed to respecting your privacy and protecting your personal information in line with UK data protection law, including the UK GDPR and Data Protection Act 2018.

This policy was last updated: June 2026

 

Our contact details

Everybody’s Cycling CBS is the data controller and can be contacted via:

25 Skeldergate, York YO1 6DH

hello@everybodyscycling.org.uk

01904 951900

 

What information we collect about you

We may collect and process the following personal data:

  • your name, title, gender, and date of birth
  • contact details (postal address, email address, telephone number)
  • social media account details
  • family or household details where relevant
  • relationships to donors, trustees, staff or partners
  • current interests and activities

We may also collect special category data, including:

  • information about your disability, mobility or support needs

We only collect this where necessary to provide appropriate services and support, and with your explicit consent or another lawful basis.

 

Information collected through our website

We use cookies to improve how our website works. These may include:

  • Essential cookies – required for basic site functionality
  • Analytics cookies – to help us understand how people use our website
  • Third-party cookies – set by services such as Google Analytics

Where required, we will ask for your consent before placing non-essential cookies on your device. You can control cookies through your browser or our cookie settings (where available).

We use Google Analytics to collect information such as how users access and use our website. This information is generally anonymised and used only to improve our services.

 

Information about your interactions with us

We may also hold information about your interactions with us, including:

  • enquiries, purchases, or service use
  • event or programme registrations and attendance
  • communication preferences
  • donations, Gift Aid declarations or Direct Debit details
  • correspondence with you
  • employment or professional information where relevant
  • feedback and survey responses

 

How we get your personal information

We collect most personal data directly from you, for example when you:

  • contact us or make an enquiry
  • register for a programme or event
  • sign up to receive communications
  • make a donation
  • invest in our community share offer
  • complete a survey
  • work with us as a partner or supplier
  • become a member

 

How we use your personal information

We use your data to:

  • provide and manage our services and activities
  • respond to enquiries and manage relationships
  • process transactions and donations
  • administer member/shareholder records and communications
  • send relevant updates and communications
  • improve our services through feedback and research
  • meet legal and regulatory obligations
  • carry out internal analysis and reporting

We may analyse communications (e.g. email open rates) to improve effectiveness. This is usually done in an aggregated and anonymised way.

 

Sharing your information

We may share your personal data with trusted service providers who support us in delivering our services. This may include providers of:

  • cloud-based storage and collaboration tools (such as Microsoft 365)
  • customer relationship management (CRM) systems
  • providers who support the administration of shareholdings and investment (such as Ethex)
  • finance and accounting software
  • payroll and HR systems
  • email communication and marketing platforms
  • subcontractors delivering services on our behalf
  • funders or partner organisations (usually in anonymised or aggregated form)

Some of these providers may be based outside the UK or European Economic Area (EEA) or may process data internationally. Where this occurs, we ensure appropriate safeguards are in place to protect your personal data.

 

Lawful bases for processing

We rely on the following lawful bases:

  • Consent – where you have given clear permission
  • Contract – where processing is necessary to provide a service
  • Legal obligation – where we must comply with the law
  • Legitimate interests – where processing is necessary for our legitimate organisational interests (such as improving services, ensuring security, or maintaining relationships), provided your rights are not overridden

You can withdraw consent at any time using our contact details.

 

How we store and retain your information

We have appropriate security measures in place to prevent your personal data from being lost, misused, or accessed without authorisation.
Access to personal data is restricted to those who need it for their role and is managed through secure access controls.

We use secure, cloud-based systems (including Microsoft 365) to store and manage data, which provide appropriate technical and organisational security measures.

We only retain personal data for as long as necessary to fulfil the purposes it was collected for, including to meet legal, accounting, or reporting requirements.

Retention periods are reviewed regularly. When data is no longer needed, it is securely deleted or anonymised.

 

International data transfers

We primarily store personal data within the UK or European Economic Area (EEA). However, we use trusted service providers (such as Microsoft 365) who may process or access personal data outside the UK/EEA as part of their global operations. Where this occurs, we ensure that appropriate safeguards are in place, such as standard contractual clauses or other lawful transfer mechanisms, to protect your personal data. We rely on established providers with strong data protection and security standards.

 

Automated decision-making

We do not carry out automated decision-making or profiling that has legal or similarly significant effects on individuals.

 

Your data protection rights

Under UK data protection law, you have rights including:

  • the right to access your personal data
  • the right to correct inaccurate or incomplete data
  • the right to request erasure of your data
  • the right to restrict processing
  • the right to data portability

You do not usually have to pay a fee to exercise your rights. We will respond within one month.

 

How to complain

If you have concerns about how we use your data, please contact us using the details above. We aim to respond to complaints within 30 days.

You also have the right to complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
ico.org.uk
Helpline: 0303 123 1113