Privacy and Data Protection

Our Data Protection Policy

We value the trust you place in us by giving us your personal information. We will always use your personal information in a way that is fair and worthy of that trust. That means letting you know what information we collect and why, how we use it and who to contact if you have any concerns. We will also do everything we can to protect the data we hold about you.

General principles

We adhere strictly to the Principles of Data Protection, as set out in the General Data Protection Regulation (GDPR). This includes the obtaining, holding, using or disclosing of such data and covers computerised records, as well as manual filing systems and card indexes.

We will hold the minimum personal data necessary. All such data is confidential and will be treated with due care.

We have proper safeguards to protect all personal data we hold. It will be kept safe from unauthorised access, accidental loss or destruction.

All data we hold about you will be obtained for a specified and lawful purpose, and processed fairly and lawfully in accordance with your rights.

We will hold your data for up to two years for financial, legal and regulatory compliance.

We will not transfer your data to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

How we collect data and what information we collect

We will collect data through forms, and indirectly through platforms such as, but not limited to, Facebook, Twitter and LinkedIn, as well as through third parties such as, but not limited to, CACI, Experian and approved data warehouses.

The data we collect includes:

First and Surname

Date of Birth

Email address

Address including postcode

Phone and mobile number

Social identifiers

Preference data – provided by you at the point of sign up

Cookie and behavioural data – based on web and email activity

Marketing opt-in data

Email communications responses

History – full audit trail of data usage for compliance requirements

If we hold data, or are asked to process data for, a child under 13, we will hold additional data, including but not limited to:

Parent or guardian name and contact information

Parental or guardian consent for marketing communications

We also collect information about how you use our website and mobile apps to improve SEO, PPC, online advertising, email marketing, web analytics or other digital services.

Your consent

We use a valid opt-In consent as grounds for processing your data, given at the point of collection. You can unsubscribe at any time via an email or by contacting us at

How we use your personal information

We may use your personal information for:

  • email communication with valid consent, for example updates on events and promotions
  • promotion of 'More Nottingham'
  • profiling to improve our communication
  • research and statistical analysis to inform the BID strategy and update levy payers.

Your data will be shared with approved third parties in order to provide these services. For an up-to-date list of these third parties, please email

Your right to be informed

We will email you to inform you that we hold information about you, with a link to our Data Protection Policy. We will inform you of any update to this policy via email.

How we store your data

We will only store data on our approved secure environments, which are GDPR compliant, including:

CRM Platform

Email service provider

Email software

Data stored on local PCs and other devices will be protected with a strong password and encrypted.

Data will be removed from local PCs and other devices, and any memory sticks or cloud storage platforms, as soon as it is no longer required.

All hard copies will be kept in a locked cabinet or drawer and put away when not in use.

How to access your data

You have the right to request access to the data we hold on you.

Please provide two forms of identification from the following to prove the data relates to you:


Driving licence

Birth certificate

Utility bill (from last 3 months)

Current vehicle registration document

Bank statement (from last 3 months)

Within one month of receiving your request, we will contact you with details of how you can access your data.

Please contact

Correcting your data

If you notice any errors in the information we hold about you, you have the right to request that your record is updated. We will respond within one month.

Please contact

If you object to us holding your data or want to restrict its usage

You have the right to opt out of all data usage or to restrict what we can do with your data. We will respond within one month.

Please contact

Having your data erased

You have the right to request all information about you is erased from our systems.

Although we respect your wish to remove all data we hold, there is a level of data we may need to retain for legal, accounting and compliance reasons. We will review your request and tell you what data we can remove. We will do our best to respond within one month.

Please contact

Transferring your personal information

When transferring your personal information, either internally or externally to clients or partners, we will ensure that the recipient is authorised to receive the data.

  • If we are transferring the data via email, we will take the following steps:
  • If possible, we will de-personalise the information before transfer. This may not be possible with some items of data.
  • The data will be encrypted and protected with a strong password.
  • The password will be sent separately from the email, either by telephone or instant messaging platform.
  • The email will be deleted from the inbox/sent items folder and the deleted items folder as soon as the dataset has been exported.
  • We will log the date, time, recipient, filename, format, method of transfer and classification of the data in the transference log. We will also obtain a read receipt.

Operational procedures to protect your personal information

To ensure our employees are aware and comply with data policies we have:

  • presented and communicated our policies to all employees
  • updated the company handbook
  • developed an induction procedure for all new employees
  • updated employee contracts so any action leading to a breach of data policy will be considered 'gross misconduct'.

Reporting a potential data breach

If we suspect a data breach of any kind, we will report it to the Information Commissioner’s Office immediately.

If you suspect a data breach, which you believe may have involved us and the information we hold on you, please email with the subject 'Data Breach' and we will respond within 72 hours.

Data accountability

Our appointed Data Controller (the individual within our organisation who ensures our data policies and processes are followed and enforced) is:

Lee Walker, BID Manager

If any issue is not resolved by the above individual, please contact:

Neil Fincham, Director

The GDPR in the UK is governed by the ICO –

Stay in touch

Sign up for the latest events & offers