Privacy Policy
Last updated: 25 February 2026
Data protection contact: secretary@stirlingarchaeologysociety.org.uk
1. Who We Are
The Stirling Field & Archaeological Society ("the Society", "we", "us", "our") is a Scottish registered charity (SC026822) regulated by the Office of the Scottish Charity Regulator (OSCR). Our registered address is 8 Berkeley Street, Stirling, Stirlingshire, FK7 9AQ.
We are the data controller for any personal data you provide to us or that we collect through our website, our email communications, our events, and our membership processes.
Data protection contact: secretary@stirlingarchaeologysociety.org.uk
2. What This Policy Covers
This privacy policy explains how we collect, use, store, and protect your personal data when you:
- Visit our website
- Join the Society as a member
- Subscribe to our newsletter
- Register for or attend our events
- Submit a contact enquiry or volunteer expression of interest
- Donate to the Society or the 150th Anniversary Founders' Circle
- Access the members-only area of our website
- Interact with us by email, post, or in person
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
3. What Personal Data We Collect
The types of personal data we collect depend on how you interact with us.
3.1 Website Visitors
- IP address (anonymised by Google Analytics)
- Browser type and version
- Operating system
- Pages visited, time spent on pages, and referring website
- We use Google Analytics 4 with IP anonymisation enabled. No advertising features are active.
- See the Cookies section for details on cookies we use.
3.2 Newsletter Subscribers
- Email address
- Name (if provided)
- Sign-up source (e.g. homepage, event page, blog, QR code, membership form)
- Whether you are a current member
- Date of subscription
- GDPR consent confirmation
3.3 Members
- Full name
- Email address
- Phone number
- Postal address
- Membership type (standard, taster, honorary)
- Membership start and expiry dates
- Payment information: we do not store your card details. Payments are processed securely by Stripe. We store only the Stripe customer reference.
- Referral source (if you were referred by another member)
- Newsletter and GDPR consent preferences
- Any notes relevant to your membership (e.g. accessibility requirements)
3.4 Event Attendees
- Name and email address (where registration is required)
- Dietary requirements or accessibility needs (where relevant)
- Photographs taken at events (see Photography at Events)
3.5 Contact Enquiries and Volunteer Expressions of Interest
- Name
- Email address
- Phone number (volunteers only, if provided)
- Message content or areas of interest
- Skills and availability (volunteers only)
3.6 Donors
- Name
- Email address
- Donation amount
- Whether you wish to be recognised in the Founders' Circle
- Gift Aid declaration (if applicable)
- Payment information: processed securely by Stripe. We do not store card details.
4. How We Use Your Personal Data
We use your data only for the purposes set out below. We never sell, rent, or share your personal data with third parties for marketing purposes.
| Purpose | Data Used | Legal Basis (UK GDPR) |
|---|---|---|
| Processing your membership application and managing your account | Name, email, address, phone, payment reference, membership dates | Contract (Art. 6(1)(b)) — necessary to fulfil your membership |
| Sending you the Society newsletter | Email, name | Consent (Art. 6(1)(a)) — you can unsubscribe at any time |
| Sending membership renewal reminders | Email, name, expiry date | Legitimate interest (Art. 6(1)(f)) — ensuring continuity of your membership |
| Processing event registrations | Name, email | Legitimate interest (Art. 6(1)(f)) — managing our charitable events programme |
| Following up with non-member event attendees | Email, name | Legitimate interest (Art. 6(1)(f)) — furthering our charitable purposes. You can opt out. |
| Responding to your contact enquiry | Name, email, message content | Legitimate interest (Art. 6(1)(f)) — responding to correspondence |
| Processing donations and Gift Aid | Name, email, address, donation amount | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for Gift Aid |
| Managing volunteer expressions of interest | Name, email, skills, availability | Consent (Art. 6(1)(a)) |
| Recognising donors in the Founders' Circle | Name | Consent (Art. 6(1)(a)) — only with your explicit permission |
| Website analytics and performance monitoring | Anonymised IP, browser data, page views | Legitimate interest (Art. 6(1)(f)) — improving our website |
| Providing access to the members-only area | Email (login credential), membership status | Contract (Art. 6(1)(b)) — delivering membership benefits |
| Tracking referrals for the member referral programme | Your referral code and the name of the person you referred | Legitimate interest (Art. 6(1)(f)) — growing our membership |
| Fulfilling our obligations as a registered charity | Trustee records, financial records, OSCR correspondence | Legal obligation (Art. 6(1)(c)) — Charities and Trustee Investment (Scotland) Act 2005 |
5. Who We Share Your Data With
We share your personal data only with the following service providers, and only to the extent necessary. We do not sell or rent your data to anyone.
| Service Provider | Purpose | Data Shared | Safeguards |
|---|---|---|---|
| Stripe | Membership payments and donations | Name, email, payment card details (entered directly into Stripe's secure form) | PCI DSS Level 1 certified. Standard Contractual Clauses. |
| Mailchimp or MailerLite | Newsletter and welcome emails | Email address, name, member status | Standard Contractual Clauses and EU-US Data Privacy Framework |
| Google Workspace | Society email, documents, calendar | Email correspondence, committee documents | EU data centres. Google Data Processing Amendment. |
| Heroku / Salesforce | Website hosting | All data submitted through the website | Salesforce Standard Contractual Clauses |
| Amazon Web Services | Media storage and content delivery | Uploaded files (images, documents) | eu-west-2 (London). AWS Data Processing Addendum. |
| Eventbrite | Event registration (where used) | Name, email | Standard Contractual Clauses |
| Google Analytics | Website usage analytics | Anonymised IP, browser data, page views | IP anonymisation enabled. No advertising use. |
| Sentry | Website error monitoring | Technical error data only | Sentry Data Processing Agreement |
| OSCR | Charity regulatory compliance | Trustee names, annual returns, financial reports | Legal obligation — Charities and Trustee Investment (Scotland) Act 2005 |
We require all third-party service providers to respect the security of your personal data and to treat it in accordance with the law.
6. How Long We Keep Your Data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Membership records | Duration of membership plus 2 years after expiry | Managing renewals and historical records |
| Newsletter subscriber data | Until you unsubscribe | You can unsubscribe at any time |
| Event registration data | 12 months after the event | Follow-up communications and activity reporting |
| Contact enquiries | 12 months after resolution | Record of correspondence |
| Volunteer expressions of interest | 24 months, or until you ask us to remove your data | Contacting you about future opportunities |
| Donation records | 7 years from the date of donation | HMRC requirement for Gift Aid and charity accounting |
| Financial records | 7 years from end of financial year | HMRC and OSCR requirements |
| Trustee records | Duration of trusteeship plus 7 years | OSCR compliance and institutional records |
| Website analytics | 26 months | Understanding long-term website usage trends |
| Governance documents | Permanently | Institutional memory (personal data minimised) |
At the end of the relevant retention period, we securely delete or anonymise your personal data.
7. How We Protect Your Data
7.1 Technical Measures
- All data in transit is encrypted using HTTPS (TLS 1.2+)
- Passwords are stored using Django's PBKDF2 hashing algorithm and are never stored in plain text
- Payment card data is handled entirely by Stripe and never touches our servers
- Private administrative documents are stored in a separate, encrypted S3 bucket with no public access
- Access to private documents is controlled via time-limited signed URLs
- Database backups are encrypted at rest
- Our website is hosted on Heroku with automatic security patching
7.2 Organisational Measures
- Access to personal data is restricted to committee members and trustees who need it to carry out their roles
- Committee members and trustees are briefed on data protection responsibilities
- We use role-based access controls: Members, Committee, and Trustees groups have different levels of access
- We review data access permissions annually
- We maintain a record of processing activities as required by UK GDPR
7.3 Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also contact you directly.
8. Photography at Events
- We may take photographs at Society events for use on our website, newsletter, social media, and in the digital archive.
- We will announce at the start of events where photography is planned.
- If you do not wish to be photographed, please inform the event organiser at the start of the event.
- We will not publish photographs that identify children without the consent of a parent or guardian.
- If you appear in a photograph on our website and would like it removed, please contact us at secretary@stirlingarchaeologysociety.org.uk.
Historical photographs in the digital archive may depict individuals. Where possible, we include contextual information. If you believe a photograph in our archive raises a privacy concern, please contact us.
9. Cookies
Our website uses a minimal number of cookies.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| csrftoken | Protects against cross-site request forgery on forms | 1 year | Strictly necessary |
| sessionid | Maintains your login session in the members-only area | 30 days | Strictly necessary |
| messages | Displays temporary notification messages | Session | Strictly necessary |
| _ga, _gid | Google Analytics (anonymised usage data) | Up to 2 years | Analytics (opt-out available) |
We do not use advertising, tracking, or third-party marketing cookies. You can disable cookies in your browser settings. To opt out of Google Analytics, install the Google Analytics Opt-out Browser Add-on.
10. Your Rights
Under UK GDPR, you have the following rights. Contact us at secretary@stirlingarchaeologysociety.org.uk to exercise any of them.
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data.
- Right to erasure — You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restrict processing — You can ask us to suspend processing of your data in certain circumstances.
- Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
- Right to object — You can object to processing based on legitimate interest. We will stop unless we have compelling legitimate grounds.
- Right to withdraw consent — Where we rely on consent (e.g. newsletter), you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
We will respond within one calendar month. There is no fee.
11. Children's Privacy
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will delete it.
12. Newsletter and Email Communications
When you subscribe to our newsletter or join as a member, we may send you emails about Society news, events, and activities. You can manage your preferences as follows:
- Every newsletter email includes an unsubscribe link at the bottom.
- Members can update their newsletter preferences through the members-only area of the website.
- You can also email us at secretary@stirlingarchaeologysociety.org.uk to update your preferences.
- Unsubscribing from the newsletter does not affect your membership status.
- We may still send you essential membership communications (e.g. renewal reminders, AGM notices) even if you unsubscribe from the newsletter, as these are necessary for the performance of your membership contract.
13. International Data Transfers
Some of our third-party service providers are based outside the United Kingdom. Where we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
- EU-US Data Privacy Framework (where applicable)
- Adequacy decisions by the UK government
- Vendor-specific data processing agreements
Details of the safeguards for each service provider are set out in the Who We Share Your Data With section above.
14. Links to Third-Party Websites
Our website may contain links to third-party websites (e.g. Eventbrite, Stripe, OSCR, Historic Environment Scotland). We are not responsible for the privacy practices or content of these external sites. We encourage you to read the privacy policy of any website you visit.
15. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the services we use. Any changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify members by email.
16. Complaints
If you are unhappy with how we have handled your personal data, we would appreciate the chance to resolve your concern. Please contact us at secretary@stirlingarchaeologysociety.org.uk in the first instance.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
As a Scottish registered charity, we are also regulated by the Office of the Scottish Charity Regulator (OSCR). You can contact OSCR at oscr.org.uk.
17. Contact Us
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
- Email: secretary@stirlingarchaeologysociety.org.uk
- Post: Stirling Field & Archaeological Society, 8 Berkeley Street, Stirling, Stirlingshire, FK7 9AQ
- OSCR registration: SC026822
Stirling Field & Archaeological Society
Preserving Stirling's Heritage Since 1878
Scottish Charity No. SC026822