CAST Privacy Policy

Policy overview

This policy relates to the following websites, owned and/or operated by the Centre for the Acceleration of Social Technology (CAST):

This policy also applies to their programmes, which are owned and managed by CAST, whose registered address is 8 The Briars, Waterlooville, PO7 7YH. Registered company number 9544506 and charity number 1161998.

CAST is a charity which helps people use digital for social good. In order to do this, we often partner with external service providers and organisations (also referred to as “CAST partners”, “partners” or “partnering organisations”). We enter into legal agreements such as service contracts and data sharing agreements with our partners to ensure we can share relevant information with them and deliver better services to our users.

This privacy policy explains the personal data we collect, who we may share it with and your rights as a data subject.

Processing your data

Personal data that we collect

Contact data

Analytics and tracking data

Marketing and communications data

Marketing and website cookies

A “cookie” is a file stored on your computer’s web browser. The main purpose of a cookie is to track usage, tailor web pages and remember login information.

Cookies don’t give us access to your computer, and the information we collect through cookies doesn’t include personal information.

How we use cookies

We use cookies to track how and when you access this site. This helps us to analyse the performance of this site.

Controlling cookies

You can accept or decline the use of cookies through functionality built into your web browser. If you want to learn more about cookies, or how to control or delete them, please visit for detailed guidance.

We process information relating to:

Unless we obtain your permission, information that is identifiable as relating to you (i.e. it has not been edited to make it anonymous) is not sold to other organisations for commercial or other purposes. We may share data with our partners who sign data protection or data sharing agreements with us in order to deliver, monitor, evaluate and report the outcomes of our services (such as Design Hops). More information on this is available under “Transferring information to third parties”.

Why do we collect and process your personal information?

We will only collect and process your personal information in accordance with data protection laws. Our legal bases for processing your personal information are as follows:


We will usually only collect and process your personal information if you have given your consent for us to do so, for example, we will only send you certain marketing emails and process any information about you if we have your consent.

Legitimate Interests

 We may use and process some of your personal information where we have sensible and legitimate business grounds for doing so. Under European privacy laws there is a concept of “legitimate interests” as a justification for processing your personal information.

Legitimate interest could exist for example where there is a relevant and appropriate relationship between you and CAST in situations such as where you are our supplier, client or benefiting from one of our services. Similarly, it may arise in the event that we have awarded funding to you or your organisation and need to process your personal data in the public interest or for the prevention of crime.

CAST’s legitimate interest may also include processing your personal data to authenticate you and give you access to our online services.

You have a right to object to our use of your personal information for these legitimate interests including where we may use your personal information to create a profile to inform customer demographics. If you raise an objection, we will stop processing your personal information unless very exceptional circumstances apply, in which case we will let you know why we are continuing to process your personal information.

Performance of a contract

The processing may be necessary for a contract that we hold with you. For example, if we are awarding a grant to you there may be data that is required such as bank details in order to enter into that contract. We may require you to share data with us as part of the contracting terms. 

This may also include processing your personal data through third-party websites or hosting platforms to deliver services to you (e.g. Design Hops), in which case you would be notified of such processing.

How we store your data

CAST and our partners use third-party vendors and hosting partners to provide services such as training, newsletter signup and mailing lists. Data is transferred to or mirrored on servers within the United Kingdom, the European Economic Area (EEA) and outside the EEA in certain instances (for example, when using the third-party online learning platform Thinkific, website design platforms Tilda and Webflow). CAST authorised partners and service providers reserve the right to transfer or mirror data to servers outside the EEA.

CAST collaborators will apply all reasonable measures to ensure that data held on our servers is secure but cannot guarantee that security measures will not be breached.

How we manage your data

As a Data Controller, CAST decides how and why the data we collect is used. We also work with our data to achieve the goals of Catalyst. When working with collaborators in the Catalyst network, we use data sharing agreements that set clear expectations on how and when collaborators can use our data.

Any third party vendors that we use to process your data must be GDPR compliant and CAST will hold a Data Protection Agreement with those third parties.

Transferring information to third parties

To meet our obligations and provide you with our services, we may need to process your personal data via third parties. Personal data will only be transferred to, or processed by, third-party companies where such companies are necessary for the fulfilment of services you have consented to, our contractual obligations or a legitimate interest.

We will not transfer personal data to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognised by the EU as having an adequate level of Data Security, or is made with the consent of the Data Subject, or is made to satisfy the legitimate Interest of CAST in regard to its contractual arrangements with our partnering organisations.

If it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of service, or as otherwise required by law.

If we transfer information about you as a result of CAST (or other partnering organisations) being acquired by or merged with another organisation.In this event, the partnering organisation will notify you before information about you is transferred and becomes subject to a different privacy policy.

COVID-19 Emergency response and data usage

In light of the changing needs of the charity sector due to COVID-19, we are working with a growing network of collaborators who are able to support charitable organisations. 

We will be collecting and sharing data across our collaborator network in order to identify charities’ needs, collect and share contact details with partners who can respond to those needs, analyse those needs and publish our aggregate findings for the benefit of the wider community.

Your rights

If we hold your personal data you have rights under the General Data Protection Regulation and the Data Protection Act 1998 and 2018.

You have the right to request we remove all identifiable information we store on you. Including the removal of any email subscriptions. To do so, please email

The data we hold on you will be removed from our systems after a year from our last interaction with the data subject, unless we need to keep the information for legal or auditing purposes.

If you believe that your personal data has been compromised, you have a right to complain to the Information Commissioner’s Office (ICO).


Data Controller

(Article 4 of the GDPR): this means the person or company that determines the purposes and the means of processing personal data.

Data Processor

(Article 4 of the GDPR): means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Data Subject Rights

(Chapter 3 of the GDPR) each Data Subject has eight rights. These are:

Resolving complaints

If you have concerns about the way CAST is handling your User Personal Information, please let us know immediately. You may contact us by emailing us directly at with the subject line “Privacy Concern”. We will respond within 30 days at the latest.

You may also contact our Data Protection Officer directly. Our Data Protection Officer is Gilly Clyde-Smith (

Changes to this policy

CAST may periodically update this policy. We will notify you about significant changes in the way we treat personal information by placing a prominent notice on this site.


Any questions about this Privacy Policy should be sent to

This policy was last reviewed on 10 July 2020.