Privacy Policy

This privacy policy sets out how Sistren Legal Collective CIC (Sistren) uses your personal data including through your use of our website and social media channels. We are committed to protecting your privacy. We will only collect your personal data on lawful grounds.  

Important information and who we are:

Controller 

Sistren is the controller and responsible for your personal data. We are a Community Interest Company (company number 16262011). For information on the services we provide, please refer to our website.  

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please reach out to us using the contact us form on our website. 

The types of personal data we collect about you:

Personal data means any information about an individual from which that person can be identified. We will not intentionally collect or keep information about you unless we need it.   

We may collect, use, store and transfer different kinds of personal data about you which may include: including: 

  • Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender. 
  • Contact Data includes postal address, email address and telephone numbers. 
  • Financial Data includes bank account and payment card details. 
  • Transaction Data includes details about payments to and from you and other details of  services you may have availed from us. 
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.  
  • Profile Data includes your username and password, any requests for support made by you, your interests, preferences, feedback and survey responses (collected with your consent and anonymised by a third party if appropriate under certain circumstances).   
  • Usage Data includes information about how you interact with and use our website, toolkits,  resources including blogs and services.  
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences. We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ Usage Data to calculate how many individuals are accessing our online blogs and toolkits to monitor usage and to improve our services. 

How is your personal data collected? 

We use different methods to collect data from and about you including through: 

Your interactions with us  

This is the primary source of how we have access to your data. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: 

  • contact us using our website; 
  • correspond with us over email for  services or support; or 
  • give us feedback when requested.  

Automated technologies or interactions  

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.  

  • Third parties or publicly available sources 

We may receive personal data about you from various third parties including for example: 

  • Identity and Contact Data from publicly available sources such as Companies House based inside the UK or search engines such as Google based outside the UK; or 
  • Identity and Contact Data from partners in Sistren’s networks in the context of the types of services that we typically provide.  

Legal basis 

The law requires Sistren to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases: 

  • Performance of a collaborator agreement or a contract with you: Where we need to perform our duties as per the terms of a collaborator agreement or any other form of a contract or agreement (whether current or prospective) with you. 
  • Legitimate interests: Sistren may use your personal data where it is necessary to conduct our business and pursue our legitimate interests (for example to prevent money laundering), and to enable us to provide you with services rooted in care, solidarity and mutual learning. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 
  • Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to, for example to establish the identity of our clients or the people we work with. We will identify the relevant legal obligation when we rely on this legal basis. 
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example, if you sign-up to join a workshop or training session.  

Purposes for which we will use your personal data  

We have set out below a description of the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. 

  • To set up a call with you or your organisation for support or an initial consultation, we may use identity and contact data. 
    This processing is necessary to take steps prior to entering into a contract or collaborator agreement, and for our legitimate interests in recording and managing new enquiries and responding effectively. 
  • To provide information and/or services or support, we may use identity data, contact data, information relating to your enquiry, project, or organisation, and any correspondence or documents you share with us. 
    This processing is necessary for the performance of a contract or collaborator agreement with you, for our legitimate interests in ensuring quality, accountability, and continuity of support, and to comply with our legal and professional obligations (including record-keeping and professional conduct requirements). 
  • To organise and deliver workshops, events, and training sessions, we may use identity data, contact data, profile data, organisation or employer details, and attendance or participation information. 
    This processing is necessary for the performance of a contract or collaborator agreement with you, and for our legitimate interests in facilitating events, providing responsive support, and maintaining accurate attendance records. Where we collect optional feedback after events, this is based on your consent. In cases where you are attending one of our in-person events, we may also collect information about you or your needs (for example, information on your dietary requirements or any accessibility needs). We will not retain such information for longer than we need to. 
  • To manage payments and financial contributions for legal support or workshops, we may use identity data, contact data, financial data, and transaction data. 
    This processing is necessary for the performance of a contract or collaborator agreement with you, for our legitimate interests in managing our finances responsibly, and to comply with our legal and regulatory obligations such as SRA regulations and accounting requirements. 
  • To send periodic email newsletters, we may use identity and contact data. 
    This processing is carried out on the basis of your consent, which you can withdraw at any time. 
  • To send occasional updates, resources, or invitations to relevant events, we may use identity data, profile data and contact data. 
    This processing is based on your consent, or where appropriate, our legitimate interests in keeping community partners and collaborators informed in ways that are expected and relevant. 
  • To analyse anonymous or optional survey responses to develop open-source toolkits for the communities we serve, we may use survey response data, and where provided, optional identity or contact data. 
    This processing is based on your consent to participate in surveys and our legitimate interests in improving our legal resources, tools, and community impact. Survey responses are analysed in an anonymised or aggregated form wherever possible. 
  • To manage our internal operations and relationships with collaborators and community partners, we may use basic identity data, contact data and transaction data. 
    This processing is necessary for our legitimate interests in maintaining accurate records, strengthening relationships, and improving the overall experience of working with Sistren. 
  • To operate, maintain, and improve our website and digital platforms, we may use technical data (such as IP address, browser type, and pages visited). 
    This processing is necessary for our legitimate interests in understanding how our website is used, improving its functionality and accessibility, and ensuring information is presented clearly for community members. 
  • To comply with legal, regulatory, and professional obligations, including record-keeping, safeguarding, financial accountability, and responding to lawful requests from regulators or authorities, we may use basic data, identity data, contact data, transaction data, and compliance-related information. 
    This processing is necessary to comply with legal obligations to which we are subject. 
  • To consider individuals for employment, consultancy, or contractor opportunities and to manage onboarding, we may use job applicant data and relevant compliance information. 
    This processing is necessary for recruitment, onboarding, and to comply with employment and equality law obligations. 

Marketing  

We rarely send any form of direct marketing materials. However, you may receive marketing communications from us if you have requested information from us on our  services and you have not opted out of receiving the marketing. We will get your express consent before we share your personal data with any third party for their own direct marketing purposes. 

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which services, resources and events may be of interest to you so that we can then send you relevant marketing communications.  
 
You can ask us to not send you any marketing communications at any time by writing to us through the contact us form on our website.  
 
If you opt out of receiving marketing communications, you may still receive service-related communications that are essential for administrative or legal support purposes for example, sharing any Companies House updates with you which may affect you as the Director of a non-profit organisation. 

Disclosures of your personal data 

Sistren will only share your personal data with third parties where you have given your express consent; disclosure is required by law; disclosure is necessary to assert, exercise or defend legal claims; sharing is legally permissible and necessary for the performance or settlement of a contractual relationship with you; or disclosure follows from our legitimate interests based on the data collection purposes listed above.  

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Sistren does not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. 

International transfers: 

We do not transfer your personal data outside the UK. 

Data security:

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where Sistren is legally required to do so. 

Data retention:

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. 

In determining appropriate retention periods, we take into account the nature, sensitivity, and volume of the data, the risk of harm from unauthorised use or disclosure, the purposes of processing, and applicable legal requirements. 

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research, for improving our services, developing internal templates or developing external resources in which case we may use this information indefinitely without further notice to you.  

Cookies:

Cookies are small text files that are placed on your device (such as a computer, smartphone, or tablet) when you visit a website. Our website is built using WordPress and currently only uses essential cookies that are strictly necessary for the website to function properly. These cookies enable core functionality such as page navigation, basic security, and, for site administrators only, login and administration features. We do not knowingly use analytics, advertising, marketing, or social media tracking cookies. For general site visitors, WordPress does not create persistent user profiles and pages are served without identifying individual users. The website server may temporarily process limited technical information, such as IP addresses, browser type, device information, and the time and pages requested, for purposes including website security, error logging, and spam prevention. This information is processed in a technical and transient manner and is not used to identify individuals.  

Your legal rights:

You have a number of rights under data protection laws in relation to your personal data.  

You have the right to: 

  • Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. 
  • Request erasure of your personal data in certain circumstances (commonly known as the “right to be forgotten)”. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. 
  • Object any time to the processing of your personal data for direct marketing purposes. 
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent. 
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios: 
  • If you want us to establish the data’s accuracy; 
  • Where our use of the data is unlawful but you do not want us to erase it; 
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or 
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 

If you wish to exercise any of the rights set out above, please reach out to us using the contact us form on our website.  

No fee usually required 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 

What we may need from you 

Sistren may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. 

Time limit to respond 

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.  

Contact Details:

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please reach out to us using the contact us form on our website.  

Complaints 

You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues arising from this policy (www.ico.org.uk). However, before doing so please make sure you have first made your complaint to us or asked us for clarification on any data protection issues. You can submit a complaint to us using the contact us form on our website.  

Changes to the privacy policy and our duty to inform you of changes:

We will review our privacy policy annually. However, we may also review it any time in case there are significant changes to the applicable laws. 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new email address. 

Third-party links    

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.