Privacy Policy
At Broken Spoke Bike Co-op our vision is to build a collaborative, inclusive, and sustainable cycling and fixing community rooted in Oxford. We see protecting people’s data and empowering them to understand how it is used as part of this!
So we do our best to be GDPR compliant and work with your data sparingly and minimally, as well as doing everything we can to make you are aware of how we gather your data, what we need it for, and what we do with it.
Broken Spoke may work with a variety of information on you, depending upon how you work with us. This friendly notice describes to you how it may be used, and what the consequences may be for you!
WHO WE COLLECT DATA FROM AND WHY
If you are a Supporter, we may have information on you such as your name, e-mail address and address.
We will use this to manage our relationship with you and keep in touch. We may also have other information about you, such as details of the donations you give us, or attendance at events.
We will only keep in touch with you if we have your consent to do so (or if you have attended an event, workshop, or bought something from us and what we’re getting in touch with is related to that - called ‘soft opt-in’), or for administering our relationship with you.
If you are a Customer, we will generally not store your personal data as it relates to your purchases; we may store transaction records or other details (e.g. address and name) if you make a transfer by BACS, rather than via cash or card.
If you make a payment via card, your personal data is not shared with us by our payment provider (iZettle) — you can check out their website to understand how they may use the data collected from you via their payment process.
Anyone using our workshop spaces, courses, or premises: Rarely we might store data on you if you leave us your details (e.g. you order a part), or if you have an accident in our workshop or during cycle training. We might also work with data about you to safeguard users, staff, and volunteers or if there are legal obligations to do so.
If you are a staff member, or volunteer, we will have information on you which you have given to us, and which we use to help manage Broken Spoke.
This will include your name and contact details, and may also include a variety of other things - like your address, your emergency contact details, details of your hours and interests, and what you work on.
In very rare cases we may have information on you which we do not collect from you - this is only likely to be the case in the event that we are going through a mediation, grievance, complaint, or similar process.
We store most of this information for the legal reasons of “Legitimate Interest” - to allow us to keep Broken Spoke running, to promote what we do, and administer activities we run (like events, workshops, and courses), and rarely for legal reasons or to meet regulatory obligations (e.g. Health & Safety Law).
HOW INFORMATION WILL BE USED
All information you give us will be stored securely - on paper, or on electronic systems.
If we no longer need your information we will delete/destroy it in accordance with our data destruction procedures unless we have a legal obligation to retain personal information for a certain period.
WHO INFORMATION WILL BE SHARED WITH
In some cases it may be stored with third party providers such as Google, Dropbox, Xero, Mailchimp, or another IT provider, or shared with a professional service provider (like an accountant or other professional advisor).
Where you make purchases, our payment provider (currently iZettle, Stripe, and Paypal) may also be responsible for your data - and you should check out their privacy policy to understand how they may use your data.
For managing volunteering, we are just starting to work with a third party called Power To Change by using software, Twine, they have developed to support community businesses to track volunteer contributions. Power To Change will also be a Controller for your data, as part of their mission is to enable communities to learn from their data and to work together, so comparable data is anonymised and fed into insight and benchmarking blogs so Twine users can learn from each other. They have a separate privacy policy which you can read on their website (particularly see point 5b for details about Twine).
Rarely, if we had serious concerns about safeguarding, or to prevent crime, dishonesty, or to protect staff, volunteers, or those we work with (or if required by law) we may transfer information to a third party including police forces, a regulator, or other government body.
If outside the European Economic Area (EEA), we will put in place “adequate” protection for your data - such as EU Model Clause Contracts - for instance, our Data Processing Agreement (DPA) DPA with google.
HELP I AM WORRIED
If you have any further questions or comments concerning your privacy, wish to access your personal data held about you, delete, or update information we hold about you, please contact the team at info@bsbcoop.org
You also have the right to see, update, restrict, object to the use of, or withdraw your data at any time and at no cost. If you wish to exercise any of these rights, please get in touch!
You have the right to lodge a complaint in relation to the processing of your data with the Information Commissioner’s Office, the public body responsible for information rights. More information can be found on their website at https://ico.org.uk, or you can write to them at:
Information Commissioner's Office Wycliffe House, Water Lane Wilmslow, Cheshire , SK9 5AF