This privacy policy explains how Colchester Archaeological Trust uses and protects information that you provide when using this website.
CAT (Colchester Archaeological Trust) is a company registered in England & Wales (1578133) and a registered charity (283354). CAT is also a registered organisation with the Chartered Institute for Archaeologists.
CAT is the data controller, based at: Roman Circus House, Roman Circus Walk, Colchester, Essex CO2 7GZ
Colchester Archaeological Trust always seeks to be transparent about its collection and use of data, to stay in line with data protection requirements.
This policy is in effect from 10 April 2023, but will be updated when required.
If you have any questions about this Privacy Notice, please contact jc@catuk.org or write to us at Roman Circus House, Roman Circus Walk, Colchester, Essex CO2 7GZ.
What data will we collect?
Colchester Archaeological Trust does not ask you to enter any personal data as part of your interaction with our general website.
When you place an order through our website, including purchasing tickets for the Roman Circus Visitor Centre or items through our shop, CAT requires some personal data from you. This includes: your name, billing address, delivery address, email address, telephone number and product selections. This information is necessary for CAT to fulfil your order and contact you about it.
Customers’ details will be processed by third parties, such as our website provider WordPress, WooCommerce and Stripe which process payments.
Your rights
As a ‘data subject’ you have a number of rights. You can:
- access and obtain a copy of your data on request
- require CAT to delete your data
- require CAT to change incorrect or incomplete data.
To exercise any of these rights, or to raise a complaint, please contact jc@catuk.org
Online Shop Privacy Policy
Colchester Archaeological Trust Limited
Company Registration No: 1578133, Charity No: 283354
Version Date: 7 May 2025
1. Introduction
Colchester Archaeological Trust Limited (“we”, “our”, or “us”) is committed to protecting your personal data and respecting your privacy.
We are the Data Controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This means we are responsible for how your personal information is collected, used, and stored. We are committed to processing personal data lawfully, fairly, and transparently, in accordance with these regulations.
This Privacy Policy explains what data we collect, how and why we use it, your rights, and how we keep it secure.
2. Personal Data We Collect
We collect and process the following categories of personal data:
– Identity Data: name, title
– Contact Data: billing address, delivery address, email address, telephone number
– Transaction Data: records of purchases and order history
– Technical Data: IP address, browser type and version, time zone setting, operating system, and platform
– Usage Data: information about how you use our website
– Communication Data: correspondence, queries, and feedback
We do not collect or process sensitive personal data (e.g., health, ethnicity, political opinions) via our website. We do not knowingly collect personal data from children under 13. If we discover we have done so, we will delete it promptly.
3. How We Collect Your Data
We collect your data in the following ways:
– Direct interactions: You provide data by placing an order, filling in forms, subscribing to updates, or contacting us.
– Automated technologies: As you browse our website, cookies and analytics tools collect usage and technical data.
– Third-party sources: Payment processors and delivery services may share limited data with us to fulfil your order.
4. How We Use Your Data and Our Legal Basis
We use your personal data for the following lawful purposes under Article 6 of the UK GDPR:
– To process and deliver orders – Contractual necessity
– To contact you regarding your purchase – Contractual necessity
– To manage returns, cancellations, and queries – Legitimate interests
– To improve our website and services – Legitimate interests
– To comply with legal and regulatory obligations – Legal obligation
We do not use your data for unsolicited marketing or sell it to third parties.
5. Sharing Your Data
We only share your personal data where strictly necessary and always under a lawful basis:
– Delivery providers: to ship your order
– Payment processors (e.g., Stripe, PayPal): to securely process transactions
– IT and website support providers: to maintain system functionality
All third-party providers are bound by legally enforceable Data Processing Agreements (DPAs) in accordance with UK GDPR Article 28. They are contractually required to safeguard your data and only process it on our instructions.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
– Order and transaction records: 6 years, for financial and legal compliance
– Communications and enquiries: up to 2 years
– Website analytics data: up to 14 months, in anonymised form
We review our retention policies regularly. When retention is no longer required, we delete or anonymise your data securely.
7. Cookies
Our website uses cookies to enhance your browsing experience and collect anonymised analytics data. Cookies are small text files stored on your device.
You can manage or disable cookies via your browser settings. For more information, please refer to our Cookie Policy.
Cookies used may include:
– Essential cookies: for site functionality
– Analytics cookies: to monitor website use
– Performance cookies: to improve speed and usability
We comply with the Privacy and Electronic Communications Regulations (PECR) and request consent where required.
8. Your Rights
Under the UK GDPR, you have the following rights:
– Access – request a copy of your personal data
– Rectification – correct inaccurate or incomplete data
– Erasure – request deletion where lawful
– Restriction – limit how we use your data in certain cases
– Objection – to certain types of processing (e.g., direct marketing)
– Portability – request to move your data to another provider
– Withdraw consent – where processing is based on consent
– Not to be subject to automated decision-making, including profiling
To exercise any of these rights, contact us at info@catuk.org. We will respond within one calendar month.
If you are dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk
9. Data Security
We have implemented appropriate technical and organisational security measures to prevent your data from being lost, misused, accessed, or disclosed unlawfully. These include:
– SSL encryption on all transactions
– Restricted access to administrative areas
– Regular system monitoring and data backups
In the event of a personal data breach, we will notify the ICO within 72 hours where required, and inform affected individuals in accordance with Article 33 of the UK GDPR.
10. International Data Transfers
We do not knowingly transfer your data outside the UK or the European Economic Area (EEA). If such transfers become necessary, we will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
11. Changes to This Policy
We may update this Privacy Policy from time to time. The most current version will always be posted on our website, with the revision date clearly marked. If we make material changes, we will notify users via the website or by email if appropriate.
12. Contact Us
If you have questions about this Privacy Policy or how we process your personal data, you may contact us at:
Colchester Archaeological Trust Limited
Roman Circus House, Roman Circus Walk, Colchester, Essex, CO2 7GZ
Email: info@catuk.org
Phone: 01206 501785
Website: www.thecolchesterarchaeologist.co.uk
© 2025 Colchester Archaeological Trust Limited. All rights reserved.
