Why do we collect information?
CPO is committed to protecting your privacy. The information collected about you is so that we can process orders effectively and provide you with a better shopping experience.
What information do we collect?
When you order online, we need to know your name, address, e-mail address, delivery address and your credit or debit card details. We may also ask for your telephone number this is to enable us to contact you if there is a problem with your order. We do not collect sensitive personal data unless as part of an anonymised customer survey which cannot be linked to other information.
We do not keep a copy of your credit/debit card details on any of our systems once your payment has been approved – this is why you will always be asked to add it at each point of sale.
How does CPO protect customer information?
When you place orders, we use a secure server. Secure server software encrypts all information you input before it is sent to us. Furthermore, as required by the 2018 General Data Protection Regulations (GDPR) and the proposed UK Data Protection Act of 2019, we follow strict security procedures in the storage and disclosure of information that you provide, to prevent unauthorised access. Our security procedures mean that we may occasionally request proof of identity before we are able to disclose sensitive information to you.
Do we share your information?
As you can see from our website we sometimes sell products from partner organisations in order to help fulfil our purpose to distribute resources and media which promote the Christian faith. If you order these third party products we will share some information with them in a secure manner so that they can ensure you are satisfied with your purchase and are able to develop their products accordingly. As we do not retain credit, debit card or financial details we cannot, and would not share this with partner organisations.
On occasion we may share delivery information with our agents for the due processing of orders and in these cases these third parties have access to information which may only be used for that purpose and must be treated in accordance with this privacy statement and the Data Protection Acts described above.
We do not sell your personal data or information to any third party organisations.
Do we disclose your information?
We may disclose your information in special cases when we have reason to believe that doing so is reasonably necessary to comply with the law, apply or enforce our terms and conditions, or to protect our rights.
What is the e-mail policy of www.cpo.org.uk?
Once you have registered with, or placed an order with www.cpo.org.uk you may occasionally receive an e-mail advising you of special offers or information that may be of interest to you unless you have chosen to opt-out at this stage. If you later choose that you would prefer not to receive these e-mails, please use the unsubscribe option or contact us at email@example.com. If you have ordered a third party product you may also receive occasional e-mails from the third party organisation offering you information or offers – you will always retain the right to opt-out or unsubscribe from these communications.
Emails received from CPO
Email messages and any associated files are confidential, intended solely for the use of the individual or entity to whom they are addressed and contain the views of the author. If you have received a CPO email in error, please reply immediately and delete it from your computer. CPO and its subsidiaries shall not be bound by anything stated in an email and shall not be liable for any losses as a result of virus transmission, although endeavours are made to protect against this. E-mails are susceptible to alteration. You should not assume that the contents originated from Christian Publishing & Outreach or that they have been accurately reproduced from their original form. Christian Publishing & Outreach Ltd accepts no responsibility for information, errors or omissions in this message, nor for its use or misuse, nor for any act committed or omitted in connection.
What about cookies?
What about links to other internet sites?
www.cpo.org.uk may be linked to other internet sites not operated by CPO and, as such, CPO cannot be responsible for the content or privacy policies of these sites. Visitors should refer to the separate policies and practices of these sites.
Terms and conditions and changes to this privacy notice
Using the CPO website is subject to this privacy notice and our terms and conditions. If you have any queries about privacy, please send a clear description through to firstname.lastname@example.org and we will do our best to respond to them.
CPO GDPR POLICY
Who are we?
Christian Publishing and Outreach (thereafter called CPO) is a registered charity in England and Wales, number 221462.
CPO is a registered company in England and Wales, registration number 588731.
CPO is registered with the Information Commissioner’s Office (ICO) as a data controller, registration number Z9128713
Where does this policy apply?
This policy applies to all the websites we operate, our use of emails and postal mailings for marketing purposes, and any other methods we use for collecting information. It covers what we collect and why, what we do with the information, what we won’t do with the information, and what rights you have.
What information do we collect and where do we collect it from?
We will only ever collect the information we need - including data to help improve our services, or which you agree we can collect.
Personal data is any information that can be used to identify you. For example, it can include information such as your name, email address, postal address, telephone number, mobile telephone number, bank account details, credit/debit card details, and whether you are a taxpayer so that we can claim Gift Aid on any donations you may make. It also includes Internet Protocol (IP) addresses (the location of the computer on the internet), details of pages visited on our websites and files downloaded.
We collect information in the following ways:
We collect this information in connection with specific activities, for example, when you use our websites or printed forms or telephone our offices to:
Purchase goods or services
Purchase a subscription
Register for an event
Create an account on any of our websites
Engage with us on social media
Sign up for our email newsletter
Complete a survey, questionnaire or feedback form
Give a donation
Or in any other way provide us with information
You don’t have to disclose any of this information to browse our websites. However, if you choose to withhold requested information, we may not be able to provide you with certain services.
Information that we collect from your use of our websites
Information from third parties
We may receive information about you from third parties, for example from a friend who wants to send you a gift subscription.
We may receive updated delivery and address information from our delivery agents so that we can correct our records and deliver your next purchase or communication more easily. If we receive information about you from third parties, we will provide you with details of whom we received it. We will do this as soon as practically possible.
Information from public sources
We may combine information you provide to us with information available from public sources or records in order to gain a better understanding of our supporters and those who engage with us. Such information may be found in places such as Companies House, The Charity Commission and information that has been published online and in print.
Sensitive/special categories of data
GDPR law recognises that certain categories of personal information are more sensitive. This is known as sensitive personal data or special categories of data and covers health information, race and ethnicity, religious or philosophical beliefs and political opinions amongst other things.
We do not collect sensitive personal information about you unless there is a clear reason for doing so, such as involvement in an event where we need this information to ensure safeguarding, to carry out appropriate checks on volunteers, or care for participants. For some events we will collect health information so that leaders on our events have the relevant information to care for participants.
When we collect this information, we will make it clear to you what we are collecting and why and what are our legitimate interests or other legal grounds for processing this information.
We use Google Analytics and other services to collect information about how our websites are used. These help us to know how often users visit our websites, what pages they visit when they do so, and how they use our content online.
How do we use personal data?
We may use the personal data that you provide in the following ways:
- to process and send you your goods and any other resources you have ordered from CPO
- to process any donation(s) we may receive from you, to claim Gift Aid on these donations and to update you on how your donations are being used
- to process event bookings
- to set up direct debits, standing orders and one-off credit/debit card payments
- to provide you with information that you have requested about our work or our activities
- to provide you with information about other resources, events or programmes we offer that are similar to those you have already purchased or enquired about and to which you have not objected to receiving
- to communicate with supporters
- to record the contact that we have with you
- to provide you with information about CPO and how you can support our work as a charity (where you have consented to receiving this information as applicable)
- to invite you to participate in surveys or research
- for administration purposes, e.g. we may contact you about a donation you have made or where you have expressed an interest or registered for an event
- for internal record keeping, such as the management of feedback or complaints
- to notify you about changes to our services
- to analyse and improve the services we offer
- to analyse the use of our websites and ensure their content is presented in the most effective manner for you and your device (see also our cookies policy)
- to further our legitimate charitable aims such as sending you information about how donations are being used
You can choose at any time which marketing materials you want to receive from CPO. If there is something you would prefer not to receive, please email, phone or write.
Links to other websites
Our website contains links to other websites belonging to third parties and we sometimes choose to participate in social networking websites including, but not limited to, YouTube, Facebook, Twitter, Pinterest and Instagram.
Do we sell or share personal information?
We never sell or share your personal information with other organisations to use for their own purposes.
However, if we run an event in collaboration with another named organisation, your details may need to be shared with them and those who provide services to help us deliver the event. We will make it clear what will happen to your data when you register.
Sensitive/special categories of data
If you provide us with sensitive/special categories of personal data including, but not limited to, your racial or ethnic origin, political opinions, religious or philosophical beliefs or your physical or mental health, we will only use this for the specific purpose for which you gave permission and where it is within our legitimate interests to process or where we have other legal grounds to do so.
What is our legal basis for processing data?
GDPR allows various legal basis for processing data. They are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they
have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your
official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
We use a legitimate interest basis for processing data relating to purchase of goods, services, subscriptions and other resources you have ordered and events you have booked.
This includes sending you information about related resources and events that you might be interested in, given your previous purchases, if you have not objected to being sent this further information at the time at which we collected your data, or at any later stage.
We rely on legitimate interests for a variety of purposes. Legitimate interest is about balancing the interests of CPO and your rights, freedom and having due regard to your reasonable expectations about the use of your data. These purposes include:
- mailing CPO News your magazine subscription
- mailing other information about CPO
- thanking you for your donation (either by mail or telephone)
We also rely on the legitimate interest to share with you the fundraising needs of the charity and to ask for your support, given your engagement with CPO’s resources, events and programmes, provided that we have also previously obtained any additional consents required to send this information to you in particular formats. For example, we will not send fundraising information or requests to you by email or other electronic means or via automated telephone calls where you have not opted in to these beforehand. You can let us know at any time if you would prefer not to receive these communications.
Every email newsletter you receive provides a clear opportunity for you to opt out of/unsubscribe from future email newsletters.
We use the contract legal basis for processing data that is necessary to comply with a contract. For example, CPO may enter into a contact with a data controller and that forms the legal basis for processing data, or taking specific tasks before entering into a contract.
We use compliance with a legal obligation as the basis for processing any legally required activities such as Gift Aid returns to HMRC.
Who has access to your personal information for processing data and how do we keep it safe?
We maintain a high level of security in relation to the collection, storage and disclosure of your information. This is very important to us and we take all necessary steps to ensure that any information we hold about you is safe.
Storing your information
We place great importance on the security of all personal data associated with our customers, subscribers and supporters.
Information is stored by CPO on secure servers at our offices, off-site and in the cloud. We may also store information in paper files.
We have security measures in place to attempt to protect against the loss, misuse and alteration of personal data under our control. For example, only authorised personnel are able to access personal information, we ensure access to information is password protected or secured via locked filing cabinets and we encrypt financial information you input before it is sent to us.
While we cannot ensure or guarantee that loss, misuse or alteration of data will not occur while it is under our control, we use our best efforts to try to prevent this.
Any sensitive or special categories of data you may provide to us are only shared on an absolute need to know basis, and are deleted after each relevant event unless we need to keep that information for a longer period e.g. for safeguarding reasons.
We enforce strict procedures and security features to protect your information and prevent unauthorised access, although we cannot completely guarantee the security of any information you transmit to us.
Where you or we have provided a password enabling you to access parts of our websites or use our services, it is your responsibility to keep this password confidential. Please don’t share your password with anyone. If you think anyone else has gained access to your password, please let us know as soon as possible.
Transferring your information outside of Europe
Although most of the information we store and process stays within the UK, some information may be transferred to countries outside the UK or the European Union (EU).
By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EU.
Payment by credit or debit card
If you use your credit or debit card to buy, subscribe or donate to CPO, or pay online or over the phone, we will ensure that this is done securely and in accordance with the (PCI DSS) Payment Card Industry Data Security Standard. Only those staff authorised to process payments will be able to see your card details. Once your transaction is completed, we do not store your full credit or debit card details.
All transactions online are processed by Barclaycard or iZettle.
We hold bank account details for the purpose of collecting direct debits in accordance with direct debit mandate rules.
Sharing your information
CPO does not sell or share any information about you to other organisations. CPO may disclose your personal information only in the following circumstances:
To third parties who provide a service to us and are our data processors. We employ other companies and individuals to perform functions on our behalf. Examples include delivering packages, sending postal mail and email, removing repetitive information from customer lists, analysing data, providing marketing assistance, processing credit card payments, and providing computer support. These data processors have access to personal information needed to perform their functions, but may not use it for other purposes. We require these third parties to comply strictly with our instructions and data protection laws and will make sure that appropriate controls are in place.
Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies), or in order to enforce or apply our rights (including in relation to our website or other applicable terms and conditions) or to protect CPO (for example, in cases of suspected fraud or defamation).
Where we use our wholly owned subsidiary, Heritage Studios, to provide services, which has an identical GDPR policy under the same management.
How long do we keep your data for?
- We will hold your personal information on our systems for as long as is needed to fulfil the function for which we hold the data or as long as is required by law for the relevant activity. For example, HMRC requires us to keep a record of donations, Gift Aid and financial transactions for seven years.
- If you request that we stop sending you marketing or fundraising information, we will keep a record of your contact details and appropriate information to enable us to comply with your request to not to be contacted by us.
- Where your information is no longer required we will ensure that it is disposed of in a secure manner.
- Information will only be kept as long as is necessary for the purposes for which you provided it or we obtained it and will be minimised to ensure we only keep what is necessary.
What are your rights?
We’d like to keep all who engage with CPO up to date with our news. We will not use your information for marketing or fundraising purposes if you have asked us not to or we do not have your permission to use it for these purposes. (In certain circumstances we must obtain your permission before we contact you for marketing or fundraising purposes.) However, we will retain your basic details on a suppression list to help ensure that we do not continue to contact you.
If you are registered to receive one of our email newsletters, every email communication provides a clear opportunity for you to opt out of/unsubscribe from future email communications.
The General Data Protection Regulation give you certain rights over your data and how we use it.
The lawful basis for processing, affects which rights are available to individuals. This can be summarised as follows:
You have the right to:
- request a copy of the information we hold about you and details of what we do with that information (known as a subject access request)
- update or amend the information we hold about you if it is wrong
- change your communication preferences at any time
- withdraw your consent to use of your personal information where we are relying on consent as the legal ground for processing it
- ask us to remove your personal information from our records
- ask us to restrict the processing of your personal information
- obtain a portable copy of certain personal information where this is processed automatically
- object to the processing of your information for marketing purposes or profiling
- raise a concern or complaint about the way in which your information is being used
- ask us to explain any automated processing or profiling we carry out and the impact of this on you
If you wish to exercise any of these rights, please contact us. If we are not sure who you are, we may ask for reasonable proof of your identity before providing you with information or carrying out any of the above actions.
Complaints, compliments or comments
If you are unhappy with our work or something that we have done or failed to do, we want to know about it. We also welcome your views on what we do well. Your comments enable us as an organisation to learn and continuously improve our services.
If you wish to raise a data protection concern or complaint with a supervisory body, you can address a complaint to the Information Commissioner’s Office.
We keep this policy under regular review. If we make any significant changes in the way we treat your personal information, we will make this clear on our websites or by contacting you directly.
You do not have to agree to any changes if these are not compatible with the initial purposes for which you provided or we collected your data.
In a nutshell
We collect information that is personal data. Personal data is information that can be used to help identify an individual, such as name, address, phone number, email address, IP addresses or website pages accessed.
We collect information about everyone who engages with CPO. This could be customers, partners, businesses, magazine subscribers, those who participate in our programme of events, donors, freelancers, illustrators, employees or trustees.
We collect information to provide goods and services, to provide information, to resource our activities and fulfil our charitable objectives and for administration. This information may also be used for research, analysis and for the prevention or detection of crime.
We only collect the information that we need or that you agree we can collect.
We do our best to keep personal information secure whenever we collect personal data online.
We never sell your data and we will never share it with another company or charity for their own purposes.
We only share data where we are required by law or with carefully selected service providers who carry out work for us. We recognise the importance of ensuring that all our service providers treat your data as carefully as we would, use it only as instructed, and allow us to check that they do this.
This policy replaces all previous versions and is correct as of 17th April 2018.