1. Who we are and how to contact us?

We are Crystal Palace Community Trust, a company registered in England with company number 05090173 and a registered charity with charity number 1107343. You can contact us in writing at Crystal Palace Community Trust, Anerley Town Hall Anerley Road, Penge SE20 8BD, or by email at info@cpct.org.uk.

Any changes you make to your communication preferences will be processed by us with receipt of your instruction; however, you may still receive non-essential communications in the intervening time between the submission of your change and when we process that change.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance by following our Complaints Procedure.

  1. Definitions

In this Privacy Policy:

“Member” means a young person who is a member of Crystal Palace Community Trust or applies to be a member. “Membership” shall be construed accordingly.

“Personal data” means any personal data relating to an identified or identifiable natural person.

“Process” or “Processing” means anything that we do with your data, including collecting, sharing, storing, using, and/or deleting personal data.

“Services” means the Sports and Art activities and other services provided for Members at Crystal Palace Community Trust, the services provided concerning your Membership; and

“You” refers to an individual who visits our website; a Member and/or the parent/guardian of a Member; a supporter; funder; or a member of staff or volunteer of Crystal Palace Community Trust, in respect of whom we process personal data.

  1. Why do we process your data?

Privacy is very important to us. We will only use your data in a way that is fair to you and in a clear, honest, and transparent way. We will only collect your data where we must do so and if it is relevant to our dealings with you.

Essential uses:

We may need to process personal data about you for many essential purposes. We could give lots of examples, but we have set out below a list of the main reasons that we may need to collect and use your data. We may not use your data for all of these purposes; it will depend on the nature of your relationship with us, and how you interact with Crystal Palace Community Trust.

Delivery of core charitable services:

Delivery of our core charitable activities may require us to record your contact details, eligibility for our charitable services, records of financial transactions, and other communications with you.

Communication about, and administration of, your Membership:

Where you are a Member (or the parent/guardian of a Member) we at Crystal Place Community Trust use your data to send you essential information about your Membership and/or the Services and to help us effectively carry out our charitable activities. For example, we may need to use your data to keep you updated about your Membership, to send you information generally relevant to the Services (including informing you about developments or changes to the Services), and to identify any misuse or abuse of our Services.

Due diligence on donations:

Our trustees must ensure that there is no reputational or financial risk to accepting a donation or other kind of support. Where you are a supporter or potential supporter, we may therefore use publicly available sources to carry out due diligence on you to ensure that we are fundraising within the law. For more information on the circumstances this may apply in and the type of information required please visit https://www.gov.uk/government/publications/charities-due-diligence-checks-and-monitoring-end-use-of-funds. If we cannot process your data for these purposes, then we may be unable to accept your donation or other support.


We may collect data to research our supporter base. This is to improve our communications and ensure that we understand how best to interact with our valued supporters. Information we gather from individuals as part of this process is only used for our internal research purposes.


In some circumstances, we may combine the personal data a supporter gives to us with information available in the public domain to create a profile of a supporter’s interests and preferences where they are relevant to that individual’s engagement with Crystal Palace Community Trust. Information collected for these purposes may include information about your corporate directorships, shareholdings, published biographical information, employment, philanthropic interests and networks, charitable giving, and relevant media coverage. We do this to help us understand how our supporters can support our work sooner, and more cost-effectively. The use of publicly available sources helps us determine what support we should ask you for and helps us engage you in activities that are relevant to your areas of interest and influence.

Management of volunteers:

If you are one of our valued volunteers, we may need to use your data to manage your volunteering activities, deliver training, involve, and update you on our projects and campaigns, and ensure your safety. This may include sending you newsletters or information about our fundraising appeals so that you are best equipped to perform your role and advise the public about our work. If we cannot process your data for these purposes, then we may be unable to involve you in our volunteering activities.

Staff administration:

Crystal Palace Community Trust employs staff who are crucial to both delivering our projects and raising the funds to provide our charitable services as well as providing a range of professional and technical support. We process the personal data of our staff for recruitment, staff administration, remuneration, pensions, and performance management purposes.

Optional uses:

We may also process personal data about you for other optional purposes. We have set out a list of examples below. This usage of your data is on an opt-in basis. If you have opted in, you can choose to opt out of your data being used for any of these purposes by contacting us at 02086765666 or info@cpct.org.uk.

Fundraising, campaigning, and marketing:

We have a range of fundraising and marketing activities that are designed to raise income or promote the aims and objectives of the charity. Where you have opted-in to receive such communications, we may use your data to contact you about projects, campaigns, competitions, commercial trading activities, sponsorships, events, or volunteering opportunities, which we think you may be interested in. If you confirm that you are interested in supporting Crystal Place Community Trust projects, we will share your information with our internal network. We may also ask if you are able and prepared to Gift Aid any of your donations.

Analysis, targeting, and segmentation:

To fund our charitable work by giving young people somewhere safe and inspiring to go in their leisure time, we must communicate our aims and objectives and ask people for financial support. Efficiency is very important to us, as we value every single donation. Therefore, we only want to send communications that are genuinely interesting and relevant to you. We will make use of the information you have given us and your interactions with our Services, to help us predict your interests and tailor and personalize our communications in the future. This may also involve the use of focus groups to understand our supporters better.

  1. Lawfulness of our Processing

It’s lawful for us to process personal data where the following conditions apply:


This applies where you have given your consent to the processing of your data for one or more specific purposes.

For example, we will always ask for your consent to contact you for direct marketing by email or SMS text message. Also, should we ever ask you to provide any special categories of personal data (or “sensitive personal data”) about yourself (for example, information about any health condition that may be relevant if you are participating in our activities) we will always seek your explicit consent to process this data. We will always ask for your consent to process your data as stated above at the time that we collect the relevant personal data.

Where we are relying on consent to process your data and you are aged under 16, we will ask your parent or guardian to give their consent to such processing.

Where you (or your parent or guardian, as applicable) have given us consent to use your data in any way, you (or your parent or guardian, as applicable) have a right to withdraw that consent at any time by contacting us on 02086765666 or info@cpct.org.uk In some cases, withdrawing your consent may impact our ability to provide the Services to you.

Contractual Necessity:

This will apply where you are a Member, our staff, and/or in some cases a volunteer and the processing of your data is necessary for the performance of our contract with you or to take steps at your request before entering a contract with us. Where you are a Member, we process personal data about you to make the Services available to you. We cannot provide the Services without access to this personal data.

Legal Obligation:

This will apply where the processing is necessary for us to comply with a legal obligation that applies to us. This might include, for example, where we have a legal obligation concerning a safeguarding issue or with our statutory reporting requirements.

Your Vital Interests:

This will apply where the processing of your data is necessary to protect your vital interests. For example, this would apply if you were ill, and we needed to share your data with the emergency services.

Legitimate Interests:

This will apply where the processing of your data is necessary for the legitimate interests of Crystal Palace Community Trust (or a third party), provided that such processing is fair and balanced and does not have a disproportionate impact on your rights to data privacy. We have set out below a list of the legitimate interests that we may rely upon.

  1. What are our legitimate interests?

We may rely on the following legitimate interests to process your data:


  • Delivery of our charitable purposes as set out in our charitable objects, including providing information about your Membership to our suppliers, funders, and/or sponsors as required for the development, coordination, and support of Crystal Palace Community Trust.
  • Reporting criminal acts and compliance with the legal instructions of law enforcement agencies.
  • Internal and external audits for financial or regulatory compliance purposes; and/or
  • Statutory reporting.
  • Publicity and income generation:
  • Direct marketing by post and other forms of marketing, publicity, or advertisement which are not directed at an individual.
  • Personalization to tailor and enhance the supporter experience in our communications.
  • Analysis, targeting, and segmentation to develop a fundraising strategy and improve communication efficiency.
  • Processing for research purposes; and
  • Profiling, including the use of publicly available information.
  • Operational management:
  • Employee and volunteer recording and monitoring for recruitment, safety, performance management, or workforce planning purposes.
  • Provision and administration of staff benefits such as pensions.
  • Physical security, IT and network security.
  • Maintenance of suppression lists; and
  • Processing for historical, research, or statistical purposes.
  • Financial management and control:
  • Processing of financial transactions and maintaining financial controls.
  • Prevention of fraud, misuse of services, or money laundering; and
  • Enforcement of legal claims.
  • Purely administrative purposes, which may include (without limitation):
  • Responding to any solicited inquiry from any of our stakeholders.
  • Delivery of requested products, resources, or information packs.
  • Administration of direct debits and other existing financial transactions.
  • Administration of Gift Aid.
  • Provision of ‘thank you’ communications and receipts; and
  • Maintenance of ‘do not contact’ suppression lists.
  • When we use your data for our legitimate interests (as set out above), we will always consider if it is fair and balanced to do so and whether it would be within your reasonable expectations that we would use your data in this way.
  • We will balance your rights and our legitimate interests to ensure that how we use your data never goes beyond what you would expect and is not unduly intrusive or unfair.
  1. Personal data that we collect.

Who do we collect it about? We may collect and use various personal data about Members, Members’ parents and/or guardians, enquirers, employees, volunteers, suppliers, customers, supporters and/or funders, participants at events, job applicants, and other professional contacts as required to carry out the operation of the charity.

What do we collect? We may collect and use some or all the following types of personal data, which may include information that you provide to us at Crystal Place Community Trust, information that we collect about you, for example, concerning your use of the website and/or the Services, and information that we collect from third parties:

  • Title.
  • Full name.
  • Contact information (address, telephone number, email address, etc.).
  • Contact names and contact information of your emergency contact, spouse/partner, assistant, and/or referee.
  • Images (print and digital photographs, moving images, CCTV recordings).
  • Personal and demographic information (date of birth, age, gender, nationality, etc.).
  • Professional information (organization, title, board memberships, connections, employment records, etc.).
  • Support services (Looked After Children, support/ key workers, etc.).
  • Safeguarding records (concerns, disclosures, meetings, etc.).
  • Identification numbers.
  • Financial information.
  • Information relating to a Member’s use of their Membership and activities at Crystal Palace Community Trust.
  • Concerning your visits to our website, we may collect the following information:
  1. Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.
  1. Information about your visit to the website, including the full Uniform Resource Locators (URL), clickstream to, through, and from our website (including date and time), pages you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page.
  • Special Categories of Personal Data relating to you that we may process may include (without limitation):
  • Racial or ethnic origin.
  • Religious or other beliefs of a similar nature.
  • Physical or mental health or condition.
  • Sexual health.
  • The commission or alleged commission by you of any offence; and/or
  • Any proceedings for any offence committed or alleged to have been committed by you, the disposal of such proceedings, or the sentence of any court in such proceedings.
  1. Who do we share information with?

Personal data:

We may share your personal information with our funders and/or sponsors and within Crystal Place Community Trust, where it is necessary for the provision of the Services or the delivery of our core charitable services or where you have asked us about a Crystal Palace Community Trust project.

We may also share your data with statutory and regulatory bodies (for example, the Charity Commission, Companies House, Health and Safety Executive, and Information Commissioner’s Office) where there is a legal requirement to do so. This might include, for example, registration and maintenance of statutory information.

We may also pass personal data to various third parties who provide various goods and/or services to us, or on our behalf, which we require to provide you with the Services. In all of these situations, we ensure that we always have a written contractual agreement in place that will ensure that those organizations can only use the personal data provided for the specific purposes we direct them to do and that they have in place strict security requirements to protect your data.

The table below sets out a non-exhaustive list of examples of some of the third-party data processors that we share personal data with as of the date of this Privacy Policy. These third-party data processors may change from time to time. You can request a copy of the current register of third-party processors that we share personal data with by contacting us at 02086765666 or info@cpct.org.uk.

Recipient Purpose

  • Cloud-based database systems storing data.
  • Database system and application developers and consultants Development of data storing systems including migration of data from one system to another.
  • Website developers Development of website and linked functionality such as online payment systems
  • Website analytics

(Google Analytics)

  • Analysis of website activity
  • Social media analytics Analysis of social media activity
  • Wi-Fi tracking system provider

(Wi-Fi System)

  • Analysis of centre usage using location tracking and targeting delivery and communications based on this usage.
  • Marketing, communication, and PR consultants Marketing, communication, and PR support
  • Consultants and evaluators Assessment of the impact of charitable services, projects, needs assessments, or research reports.
  • Recruitment services with applicant recommendation or tracking systems Targeted recruitment of staff.
  • DBS checking service.
  1. Where do we store your data?

We have in place appropriate technical and security measures to prevent unauthorized or unlawful access to or accidental loss of or destruction or damage to your information. We store your details on a secure server. We use firewalls on our servers.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

We may transfer or store your data outside the European Economic Area (“EEA”) for example a third-party e-mail service based in the US, Mail Chimp.

Where third-party data processors transfer data outside the EEA, we ensure a similar degree of protection is afforded to your data by ensuring at least one of the following safeguards is implemented:

We will allow the transfer of your data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or

We may allow the transfer of personal data to third-party providers in the USA if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the USA.

In respect of the transfer of personal data to other countries outside the EEA, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

Please contact us at 02086765666 or info@cpct.org.uk if you want further information on the specific mechanism used if your data is transferred out of the EEA.

  1. Your rights - You have the following rights in respect of your data:
  2. A right to request from us access to your data.
  3. A right to request rectification of your data.
  4. A right to request the erasure of your data.
  5. A right to ask us to restrict the processing of your data and a right to object to our processing of your data.
  6. A right to ask us for a copy of any personal data that we hold in respect of you; and
  7. A right to complain about how we treat your data with the Information Commissioner’s Office.
  8. Please contact info@cpct.org.uk for further information about any of your rights.
  9. Please note if you ask us to erase your data and/or restrict the processing of your data, we may not be able to provide you with the Services.
  1. How long do we keep personal data?
  • We will only keep personal data for as long as we are either required to by law or as is relevant for the purposes for which it was collected in line with our Data Retention policy, a copy of which is available on request by contacting us on 02086765666 or info@cpct.org.uk

After this point, the data will either be deleted or rendered anonymous.

Retention of data will normally be in line with statutory requirements, except where legitimate interest or best practice recommendations relevant to the ongoing provision of the charitable services dictate alternative periods, for example where an insurance company requires the retention of Member information for 50 years in the event of an abuse claim.

We will keep a record of your name and email address on our ‘do not contact’ suppression list if you request that we not send you direct marketing.

  1. Cookies

By visiting www.cpct.org.uk (“our website”) you are accepting and consenting to the practices described in this Privacy Policy.

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and allows us to improve our website. For further information about the cookies that we use and what to do if you don’t want to receive cookies, please see our Cookie Policy.

  1. External Links

Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

  1. Social Media Platforms (e.g., Facebook or Twitter)

Any communication through external social media platforms that we participate in is subject to the terms and conditions as well as the privacy policies held with each social media platform, respectively.

Users are advised to use social media platforms wisely and communicate/engage with them with due care and caution regarding their privacy and personal details. We will never ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact us by telephone or email.

Our website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.

  1. Shortened Links in Social Media

We may share links to relevant web pages through our social media platform accounts. By default, some social media platforms shorten lengthy URLs (web addresses), this is an example: http://bitly.ws/JoNh. Users are advised to take caution and good judgment before clicking any shortened URLs published on social media platforms by us. Despite the best efforts to ensure only genuine URLs are published, many social media platforms are prone to spam and hacking and therefore we cannot be held liable for any damages or implications caused by visiting any shortened links.

  1. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time and any amended Privacy Policy will be posted on our website. The Privacy Policy current at that time shall apply to all information that we hold about you.

  1. Version

This Privacy Policy is version 1 and was most recently updated in June 2023.