Privacy Policy

1. Introduction

Inclusive Capture ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our event management platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Account Information (Event Organisers)

When you register as an event organiser, we collect:

• Email address
• Name (optional)
• Organization name
• Password (stored in encrypted form)
• Account creation and last login timestamps

2.2 Event Information

When you create events, we collect:

• Event name, description, location, and venue
• Event dates and times
• Age ranges, target audience, and other event details
• Uploaded documents (risk assessments, information packs)

2.3 Participant Information (Schools/Teachers)

When schools register participants for events, we collect:

• School name
• Contact person name
• Contact email address
• Total number of participants
• Demographic data: disabilities, ethnicities, genders, age brackets
• Pupil premium status
• Intersectionality data
• Other needs or requirements

2.4 Technical Information

We automatically collect:

• IP address (for security and fraud prevention)
• Browser type and version
• Device information
• Usage data (pages visited, actions taken)

3. How We Use Your Information

We use your personal data to:

• Provide and maintain our event management services
• Process event registrations and participant data
• Send verification emails and account-related communications
• Generate reports and analytics for event organisers
• Enable CSV export of participant data
• Ensure platform security and prevent fraud
• Comply with legal obligations
• Improve our services and user experience (anonymised data only)

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on:

• Contract: To provide the services you request (event management, registration)
• Legitimate Interest: To improve our services, ensure security, and prevent fraud
• Consent: Where you have provided explicit consent (e.g., marketing communications, if applicable)
• Legal Obligation: To comply with applicable laws and regulations

4.1 Special Category Data

Some participant data constitutes "special category data" under UK GDPR (e.g., health data, ethnicity). We process this data as a data processor on behalf of event organisers.

Important: Event organisers are solely responsible for ensuring they have the appropriate legal basis and any required explicit consent for processing special category data. We process this data only in accordance with the organiser's instructions.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with:

• Event Organisers: Participant data is shared with the organiser of the specific event for which participants register. Event organisers act as independent data controllers in respect of this data once it is shared with them.
• Service Providers: Third-party services necessary for platform operation (hosting, email delivery, payment processing if applicable)
• Legal Requirements: When required by law, court order, or government regulation

5.1 Event Organiser Third-Party Sharing

Once participant data is shared with an event organiser, the organiser becomes the data controller. If an organiser shares your data with third parties (vendors, sponsors, partners, etc.), this is done under their responsibility and control.

Important: Inclusive Capture is not responsible for how event organisers use or share participant data after it has been provided to them. Any questions about how an organiser processes or shares your data should be directed to that organiser, who is responsible for compliance with UK GDPR.

6. Data Storage and Security

We implement appropriate technical and organisational measures to protect your personal data:

• Encrypted password storage (bcrypt hashing)
• Secure database connections (PostgreSQL with encryption)
• Regular security updates and monitoring
• Access controls and authentication requirements
• Secure file storage for uploaded documents

Data is stored on secure servers. While we take reasonable steps to protect your data, no internet transmission is 100% secure.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Account Data: Until account deletion or 7 years after last activity (for legal compliance)
• Event Data: Retained while events are active and for 7 years after event completion
• Participant Data: Retained for the duration of the event and 7 years after event completion
• Email Verification Tokens: Deleted after verification or expiry (24 hours)
• Password Reset Tokens: Deleted after use or expiry (1 hour)

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (subject to legal obligations)
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Rights Related to Automated Decision-Making:We do not use automated decision-making
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal

To exercise these rights, please contact us using the details below. We will respond within one month (or within three months for complex requests, in which case we will inform you of the delay).

Note for Participant Data: If you are a participant whose data has been registered for an event, please note that the event organiser is the data controller for your data. You should direct data subject rights requests to the relevant event organiser. However, we will assist in forwarding such requests where appropriate.

9. Children's Data

Our platform is designed for use by schools and event organisers. We do not directly collect data from children. All participant data is provided by authorised school representatives or teachers who have appropriate consent and authority to share this information.

We process children's data as a data processor on behalf of event organisers and schools. Schools and event organisers are responsible for ensuring they have appropriate parental consent or legal authority to process children's data. Parents or legal guardians have the same rights under UK GDPR as adult data subjects, and should direct any requests to the relevant event organiser or school, who are the data controllers.

10. International Data Transfers

Your data is primarily stored and processed within the UK/EEA. If data is transferred outside the UK/EEA, appropriate safeguards will be in place as required by UK GDPR.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our platform. The "Last updated" date at the top indicates when changes were last made.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Email: info@inclusivecapture.uk
Address: 39 High Street, Puddletown, Dorset, United Kingdom, DT2 8RT

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data in accordance with UK GDPR:

ICO Website: https://ico.org.uk