Privacy Policy
Controller: East Sussex, Brighton & Hove Registered Care Association (“ESPIC”)
Legal entity: Registered Care Association Ltd (ESPIC)
Registered office: Oakdown House, Burwash Common, Etchingham, TN19 7JR
Privacy queries: administrator@espic.co.uk
Company number: 09476471 (Companies House, UK)
Introduction
As part of the services we offer, we process personal data about our website visitors, members/applicants, and staff/contractors. “Processing” includes collecting, recording, organising, storing, sharing or deleting data.
We are committed to being transparent about why we need your personal data and what we do with it. This notice explains what we collect, our lawful bases, who we share it with, how long we keep it, your rights, and how to contact us.
Scope
This notice covers:
- Use of our website (including contact forms, cookies and analytics, member login areas).
- Membership applications/renewals and management (including Gold Membership via our membership system).
- Staff and contractors engaged by ESPIC.
What data we collect
1) Website visitors
- Technical data: IP address, device/browser, pages viewed, timestamps, referral sources, error logs.
- Cookies & similar technologies: essential cookies for site operation; optional analytics/marketing cookies (only with consent). See our Cookie Notice for details and choices.
- Contact/enquiry forms: name, email, phone, organisation, message content.
- Accounts / members area: username, email, login history, roles/permissions.
2) Members & applicants (including Gold Membership)
- Organisation & contact details: organisation name (as listed on CQC), service address(es), phone, email, registration/service types, Local Authority, other services operated, any notes you provide.
- Applicant/signatory details: first name, last name, role/job title, declarations/confirmations, date.
- Account & subscription data: chosen plan/tier, subscription status, invoices/receipts, renewal history, access to Gold Members area.
- Payment data: payment status, transaction IDs, timestamps, amounts. (Processed by our payment provider; we do not store card numbers.)
- Preferences/consents (optional): newsletters/updates; permission to share details with patrons/sponsors; directory listing preference.
3) Staff & contractors
- Basic details and contact information: name, address, date of birth, National Insurance number, next of kin.
- Financial details: bank/payment details, insurance, pension and tax details.
- Employment/engagement records: contracts, training records, performance information.
- Criminal records (where roles require it): unspent convictions/DBS results as permitted by law.
- Special category data (only if necessary and lawful): e.g., sick pay/maternity information; demographic data only with explicit consent.
Where the data comes from
- You / your organisation (forms, emails, phone, website, events).
- Public sources (e.g., CQC register) to verify organisational details.
- Our systems and services (website logs, membership system).
- Payment provider (transaction confirmations).
Why we process your data (lawful bases)
We process personal data under one or more of the following lawful bases:
- Contract – to process membership applications/renewals, provide member services, manage accounts, issue invoices/receipts, and administer access to the Gold Members area.
- Legitimate interests – website security/diagnostics; responding to enquiries; maintaining accurate records; governance/audit; preventing fraud and abuse; improving our services.
- Legal obligation – accounting/tax records; safeguarding disclosures; responding to lawful requests from authorities.
- Consent – sending newsletters/updates; sharing your contact details with patrons/sponsors; placing non-essential cookies/analytics. You can withdraw consent at any time.
For staff/contractors we also process data where necessary to comply with employment law and, where applicable, to perform tasks in the public interest. Criminal records checks are conducted only where legally justified (Data Protection Act 2018; Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975).
We do not intentionally collect special category data through membership forms. If you include such information in free-text fields, we will handle it appropriately and avoid retaining it unless necessary.
Data processing consent
In certain cases we rely on your explicit consent to process your personal data. This includes:
- Sending marketing communications
- Sharing your contact details with patrons/sponsors
- Placing non-essential cookies
- Administering membership applications through our website
Consent is collected through clear opt-in mechanisms (e.g., tick-boxes on registration forms). You can withdraw consent at any time by contacting administrator@espic.co.uk.
Who we share data with
We only share data when necessary for the purposes above:
- Service providers (processors): secure website hosting/IT support; WordPress plugins and membership software (e.g., MemberPress); forms and email tools (e.g., Ninja Forms, MailPoet); analytics providers (if enabled); secure document/email services.
- Payment provider: e.g., Stripe/PayPal — for processing payments. We receive transaction confirmations but not full card details.
- Patrons/sponsors: only if you have given explicit consent for us to share your contact details for relevant offers or information.
- Public bodies/law enforcement: where required by law (e.g., safeguarding, court orders, tax authorities).
We do not sell your personal data.
International transfers
Some providers may process data outside the UK. Where transfers occur, we ensure appropriate safeguards are in place (e.g., UK adequacy regulations, International Data Transfer Agreement/Standard Contractual Clauses).
How long we keep your data (retention)
- Website enquiries: typically up to 12 months after last contact (unless needed longer to handle a query/claim).
- Membership/account & billing records: for the duration of membership and up to six (6) years after it ends (to meet accounting, tax and legal requirements).
- Marketing/consent preferences: until you withdraw consent or your account is deleted.
- Staff/contractor records: retained in line with statutory/employment guidelines and our internal retention schedule.
- Server logs/security data: retained for a limited period for security, diagnostics and abuse prevention.
Security
We use secure hosting, TLS encryption in transit, access controls, least-privilege permissions, staff/admin training and regular updates/patching. Access to data is limited to those who need it to perform their role.
Your rights
You have the right to:
- Access your data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your data where it is no longer required and no legal basis requires retention.
- Restrict or object to certain processing (including where based on legitimate interests).
- Data portability (where processing is based on consent or contract and carried out by automated means).
- Withdraw consent (for marketing, sponsor-sharing, and non-essential cookies) at any time.
We may need to verify your identity before responding. We aim to respond within one month. To exercise your rights, contact: administrator@espic.co.uk.
If you are unhappy with how we handle your data, you can complain to the UK regulator:
Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF • www.ico.org.uk
Children
Our site and membership services are directed at organisations and adults. If you believe a child has provided us with personal data without appropriate consent, please contact us so we can delete it.
Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
Updates to this notice
We may update this notice from time to time. The latest version will always be available on our website. Significant changes will be highlighted on this page.
Last updated: September 2025
