top of page

Privacy Notice

1. Introduction

Oxford Climate Alumni Network (OxCAN) is committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (GDPR), the Data Protection Act (DPA), and the Data Use and Access Act (DUAA). This Privacy Notice explains how we collect, use, share, and protect your personal information, as well as your rights in relation to that data.

 

2. The Data We Collect

We may collect the following categories of personal data:

  • Identity data: name, title, date of birth, or gender.

  • Contact data: postal address, email address, or telephone number.

  • Donation data: payment history, bank or card details (where collected securely), and Gift Aid status.

  • Volunteer data: application details, references, and background/DBS check information (if applicable).

  • Communications data: records of correspondence and preferences regarding our contact or newsletters.

  • Technical data: IP address, browser/device identifiers, and website usage data (via cookies and analytics).

 

Cookies:

We use cookies and analytics to improve our website and user experience. We will give you clear information about cookies and obtain consent when required - noting that under DUAA, some storage/access technologies may be used without explicit consent in certain lower-risk cases.

We collect some data when you visit our website and consent to the electronic cookies we use. These data are anonymous. If you consent to our electronic ‘cookies’ when you visit our website, we will collect some information, e.g., on the pages you’ve visited, how you interacted with our pages and content, and whether you browsed our website on a computer or mobile device. We will generally use such data for the purposes of ‘analytics’, i.e., to understand how people use our website.

 

Third-party cookies:

Our site contains links to and from various third-party websites. If you follow a link to any of these websites, please note that they have their own privacy policies, for which OxCAN is not responsible. Before you submit any personal data to third-party websites, please consult their own privacy policies.

 

Other anonymous data:

We may also run online anonymous surveys that include questions on sensitive personal data, such as ethnic origin or gender orientation. We will clearly stipulate how we will protect your identity in such cases.
 

Non-anonymous data:

Sometimes we will need to collect data that identify you. For example, when you apply to join OxCAN, subscribe to our newsletter, or join the OxCAN members directory, we will ask you to provide us with details such as your full name, course details, and contact details. We will use these data to communicate with you or inform you about events and OxCAN news. If you join the OxCAN members directory, we will also make the data you’ve agreed to share with us for that purpose available to other OxCAN members. 

  • We will always explain transparently which data we collect and for which purposes.

  • We will make clear whether we associate your email address with the collection of data and always give you the option to consent or decline to be identified.

  • When we use third parties to process your data (e.g., to invite you to an online event), we will state clearly who these third parties are and refer you to their privacy policy.

  • Currently we use Mailchimp to store and process members’ data. When you subscribe to OxCAN, you acknowledge that your information will be transferred to Mailchimp for processing. You can learn more about Mailchimp’s privacy practices here.

 

3. How We Collect Data

We collect your data via:

  • Direct interactions (e.g., donation forms, volunteer applications, or events).

  • Indirect interactions (e.g., when you join one of our events through the website of a third party, respond to our surveys, or join our campaigns).

  • Online forms or correspondence by email or post.

  • Automated methods (e.g., website analytics or cookies).

  • Publicly-available sources (e.g., Companies House or Charity Commission of England and Wales), where permitted.

 

4. How We Use Your Data and Legal Basis

Under GDPR and DPA (as amended by DUAA), we rely on one or more of the following lawful bases:

  • Consent: where you have given consent (e.g., to receive our newsletter).

  • Contractual necessity: to fulfil our obligations when you donate or volunteer.

  • Legal obligation: to comply with legal duties (e.g., Gift Aid record-keeping).

  • Legitimate interests: for our administration, fundraising, volunteer management, and supporter communications - subject to balancing your rights.

  • Recognised legitimate interests: under DUAA, we may rely on a new ground for processing where it is ‘necessary for the purposes of a recognised legitimate interest’ (e.g., direct marketing, internal administrative transfers, network security) without needing a full balancing test. 

 

We will only use your data for the purposes for which it was collected (or compatible uses), as described below:

  • Administering donations and claiming Gift Aid.

  • Managing volunteer recruitment, training, deployment, and safeguarding.

  • Communicating with you about our mission, activities, fundraising, and events (where you have opted in or we otherwise have a lawful basis).

  • Ensuring our website and services are secure, up-to-date, and relevant.

  • Fulfilling our legal and regulatory obligations (e.g., to the Charity Commission of England and Wales or HMRC).

 

Who uses your data: 

The OxCAN Executive Committee is the ‘data controller’ of the information you provide. The data you have agreed for us to store in the OxCAN members directory will be accessible to OxCAN subscribers who have permission to search our members directory. Occasionally, the OxCAN Executive Committee may also process members’ data, e.g., for analytics purposes.

 

5. Changes under DUAA You Should Note

With the introduction of DUAA:

  • The lawful basis of ‘recognised legitimate interests’ is now explicitly provided for.

  • Further processing (i.e., reuse) of personal data is clarified, including better rules on when additional uses are compatible with original purposes.

  • Subject Access Requests (SARs) obligations: controllers can now apply a ‘reasonable and proportionate’ search standard when responding to requests.

  • Automated decision-making (ADM) rules are relaxed: organisations may, in wider circumstances, rely on automated decisions (with appropriate safeguards) under the UK GDPR as amended.

  • International data transfers: the legislation refers to ‘relevant international law’ as a potential lawful basis for certain processing.

  • A ‘soft opt-in’ for charities: DUAA allows charities to send electronic mail marketing to people whose personal information was collected when they support, or express an interest in, the charity’s work, unless they object. The DUAA provision is not retroactive.

 

6. Data Sharing

We do not sell your personal data. We may share data with trusted third-party service providers (such as payment processors, IT providers, or auditors), under contract and only where necessary. We may also share data if required by law or to protect vital interests. Under DUAA, some of the new processing possibilities and reuse of data for broader legitimate interests may become relevant, but any sharing will still respect your rights and our safeguards.

 

7. Data Retention

  • We keep personal data only as long as necessary: for legal, accounting, or operational purposes (e.g., Gift Aid records must be retained for six years after the end of the accounting period). We periodically review our retention periods and ensure data is securely destroyed or anonymised when no longer required.

  • We will store your data on OxCAN’s secure servers. In some cases, when we use a third party, we will transfer your data to that third party’s servers. However, we will always ensure that such third parties comply fully with UK law, and provide transparent information on how they store and process data. Currently, we use Mailchimp to store some of your data. You can find Mailchimp’s privacy policy with regard to GDPR here and with regard to UK law here.

  • We will take every possible measure to ensure that your data is secure. However, please be aware that it is not possible to guarantee that the transmission of information over the internet is 100% secure.

 

8. Your Rights

Under GDPR and the DPA 2018 you have the following rights (where applicable):

  • Access: you can request a copy of the personal data we hold about you (a Subject Access Request).

  • Correction: you can ask us to rectify inaccurate or incomplete data.

  • Erasure (‘right to be forgotten’): in certain circumstances, you can ask us to erase your personal data.

  • Restriction of processing: you can ask us to restrict how we process your data in specific situations.

  • Object: you can object to our processing of your personal data, e.g., for direct marketing.

  • Data portability: you may request that we provide your data to you or a new controller in a structured, machine-readable format, where applicable.

  • Withdraw consent: if processing is based on consent, you may withdraw it at any time.

  • Complaint: You can lodge a complaint with the Information Commissioner’s Office (ICO) about our processing of your data.

  • Under DUAA, we must provide clear complaint-handling mechanisms (e.g., an electronic form) if you believe we have breached data-protection legislation.

 

Where a data security complaint is raised, we have a duty to respond to you in 30 days. If we are unable to comply with a request you make, you have the right to discontinue using our website, services, and directory.

 

9. International Transfers

If we transfer your personal data outside the UK, we will ensure appropriate safeguards are in place (e.g., adequacy decisions or standard contractual clauses) and that the transfer complies with UK law (as amended by DUAA).
 

10. Changes to This Notice

We may update this Privacy Notice from time to time (for example, as new DUAA provisions commence). The revised version will be published on our website and will indicate the effective date.

 

11. Contact

If you have any questions about our handling of your personal data or wish to exercise your rights, please contact info@oxfordclimatealumni.org

 

​

​

Approved by the Trustees of the Oxford Climate Alumni Network on Thursday 11th December 2025.

bottom of page