Privacy Policy

CASS is committed to protecting your privacy. We want to be transparent when it comes to data, this page shows you what data we collect from you and how we use it. If you have any questions or concerns please email us at

This document shows CASS (‘we’) as the data controller and also explains any third parties we use for administration purposes. 

We collect data from you when you:
+ Purchase something from us. This could be an entrance ticket, an item from our shop or a sculpture.
+ Support us by making a donation or becoming a member.
+ Sign up to our e-newsletter mailing list.
+ Give your consent for filming/photography onsite or at an event.
+ Complete a form for our records e.g. for use of the mobility scooter, group/school bookings or registering interest for volunteering.
+ Use our website and other online platforms. Examples of these are, Facebook, Instagram, Twitter.
+ Complete a feedback form or survey or if you contact us directly to give feedback via email, telephone or in person.
+ Attend one of our events or workshops.
+ Interact with links on our digital communications.  

Different kinds of data we collect

Personal data is any data that can identify you. Some or all of these are collected when you interact with us as detailed above.  

Personal data includes but is not limited to: contact details, date of birth, contact preferences, details of past communications, images of you, details of transactions, IP addresses.

Sensitive data is more specific and is only asked for in certain circumstances.

Sensitive data includes but is not limited to: medical information and next of kin, direct debit information, ethnicity, gender.

How this data is processed and why


We are required to process your details whenever you make a
transaction with us. Only trained CASS staff complete these transactions and
do not have access to full payment details.

If making a payment to us onsite via credit or debit card to buy entrance tickets or shop items your payment details will be processed via iZettle. For their privacy policy click here.

Online entrance and events tickets are sold via Blackboard Merchant Services. For their privacy policy click here.

Contact details

We store members’ details so we can log repeat visits and send updates, event information and offers. It also helps us to understand who our members are and where they come from. Only select front of house staff and volunteers have access to this information.  Membership details are stored on our till system which is hosted by Vend. For their privacy policy click here

Select members of the CASS team have access to our central database. This is used for mailing, events bookings and recording details where required. It is hosted by Blackbaud for eTapestry. For their privacy policy click here. 


Only trained front of house staff have access to Audience Finder Surveys and the host website. Surveys about your visit are inputted into the Audience Finder website controlled by The Audience Agency so we can compare our audience profile and experience with other organisations nationally. We use this data to improve the quality of your visit and create a more accessible offering. Surveys are conducted anonymously and reports do not identify individuals. For the Audience Finder privacy policy click here


We have various ways to sign up for our e-newsletter. Contact details are inputted by select CASS staff and volunteers to our central database which is hosted by Blackbaud. For their privacy policy click here. 

Online (IP and cookies)

Our website utilizes Google Analytics to track how visitors land on our website. It also shows varying degrees of information about you i.e. IP address, age, location, page visit. The level of detail available to us is dependent on your privacy settings within Google. We use this information to help improve the customer experience and for marketing purposes.   To read more about Google Analytics and their privacy policy click here.


We report on sales and tickets sold to CASS so we can analyze this data. However, this data is aggregated and is not identifiable by the individual. All information is stored on CASS’ private server only accessible by CASS staff.

Marketing and your preferences

We contact our customer base with marketing materials, based on their communication preferences.

Our marketing strategy is based on segmentation provided by the Audience Agency in response to surveys. We occasionally use other information like previous bookings, purchases and location to send relevant events and offers to you.

If you would like to update your preferences you can do so by emailing

If you wish to opt-out of receiving all correspondence from us, our emails contain a clear unsubscribe link within the footer.

If you have agreed to sharing data with third parties via social media, this data may influence our digital advertising. For example if you have expressed an interest in Arts and Culture on Facebook and we create a specific campaign to be shown to people on Facebook with this selected interest, Facebook may link you to our advert. Advertising you receive like this is linked to your privacy settings for each individual online platform. Please edit your privacy preferences on the online platform (e.g. Facebook) if you do not want your data to be shared with us or to stop seeing advertising from us.

Storage of data

All our data is stored with your privacy in mind. If we believe there has been a serious breach of data we will notify the Comissioners Officer within 72 hours of becoming aware of this.

For all external companies who process and store data on behalf of CASS we have entered into agreements with these organisations whereby they cannot sell, share or use your data for any other purpose other than those agreed with CASS. We ensure that suppliers who handle financial data on behalf of CASS are PCI DSS compliant.

All staff are trained to handle data respectfully and with security at the forefront of their mind. We ensure only staff required to view each type of data have access to do so. Special category data is only accessible to a small selection of staff for whom it is required.

We digitize paper files onto our private server and destroy paper files wherever possible. Those that have to be kept as physical copies are stored securely.

Your data will only be shared if we have your consent to do so however if we are asked to share information with the police, regulatory bodies or legal advisors we are required to do this by law.

Retention periods
Each piece of data has its own retention period based on the uses of that data.

For digitized records we regularly review information we have stored.

Our central database only holds contacts from the last three years.

Membership records are only kept while the membership is valid or until cancelled.

School and group booking details are kept for the year the booking was made. After this, personal data is removed and only basic non-personal details stored.

Surveys are destroyed once uploaded onto systems (Audience Finder). The system then aggregates the data meaning no individual can be identified.

Comment cards and suggestions are digitally stored for 1 year. Then the personal information is removed and the unidentifiable data is aggregated and used within plans.

We retain accounting and HR records as required by law.


If you are employed by CASS or apply to volunteer with us we collect personal and sensitive data as part of our duty as an employer and to ensure your safety when onsite.

Your rights

If you would like to amend your data, ask us to stop using processing your data (unless we are required to do so by law), or erase your data please contact us at

If you would like to request a copy of the information we hold about you please
email Requests will require time to process therefore please allow 30 days for your information to be supplied. If the request cannot be completed within this time you will be notified by a member of CASS staff.