Home Privacy and Data Policy

Privacy and Data Policy

Updated May 2026

1. Who We Are

The Holburne Museum Trust (“we”, “us”, “our”) is a registered charity and the Data Controller responsible for your personal data.

Registered address:

The Holburne Museum
Great Pulteney Street
Bath, BA2 4DB

Registered Charity number:310288

Email: enquiries@holburne.org
Telephone: 01225 388569

We are registered with the Information Commissioner’s Office (ICO).


2. The Personal Data We Collect

Depending on how you interact with us, we may collect:

Identity Data
Name, title, date of birth (if required for concessions), membership number.

Contact Data
Postal address, email address, telephone number.

Financial Data
Payment card details (processed securely via our ticketing/payment provider), transaction history.

Membership Data
Membership status, renewal dates, donation history, event attendance.

Marketing Data
Your preferences for receiving communications from us.

Technical Data
IP address, browser type, pages visited (via cookies and analytics tools).


3. How We Collect Your Data

We collect data when you:

  • Purchase tickets (via Digitickets)
  • Purchase or renew membership (via Beacon CRM)
  • Sign up to our newsletter (via Mailchimp)
  • Make a donation (via Beacon)
  • Contact us by email, phone, or webform
  • Visit our website (via cookies)


4. Our Lawful Bases for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract – to process ticket purchases, memberships, and event bookings.
  • Legal obligation – for financial records and charity compliance.
  • Legitimate interests – to administer memberships and improve our services.
  • Consent – for email marketing and certain cookies.
  • Vital interests – where necessary for safeguarding.


5. Our Systems and Processors

We use trusted third-party processors to operate our services:

  • Membership Management: Beacon CRM
    Purpose: Membership administration, supporter records, donation tracking
    Location of processing: UK
  • Ticketing: Digitickets
    Purpose: Ticket sales, event bookings, payment processing
    Location: UK
  • Email Marketing: Mailchimp
    Purpose: Newsletter distribution and marketing communications
    Location: United States
  • Payment processing: Stripe
    Purpose: Payment processing
    Location: US

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA)
  • Standard Contractual Clauses (SCCs)
  • UK adequacy regulations (where applicable)

We have Data Processing Agreements in place with all processors.


6. Data Retention

We retain personal data only as long as necessary:

  • Ticket purchase records: 7 years (financial compliance)
  • Membership records: Duration of membership + 6 years
  • Marketing data: Until consent is withdrawn or 3 years of inactivity
  • Enquiry data: 2 years after last contact


7. Marketing Communications

If you subscribe to our newsletter, we process your data based on your consent.

You can:

  • Unsubscribe at any time using the link in our emails
  • Contact us to withdraw consent

We do not sell your data.


8. Sharing Your Data

We may share personal data with:

  • Service providers listed above
  • Professional advisers (legal, accounting)
  • Regulatory bodies where required by law

We do not sell or trade personal data.


9. International Transfers

Some of our service providers (e.g. Mailchimp) are based outside the UK. Where personal data is transferred internationally, we ensure lawful safeguards are in place.


10. Safeguarding and Children’s Data

The Holburne is committed to safeguarding and promoting the welfare of children and young people.

School and Organised Group Visits

When schools or organised groups book visits, we typically collect personal data from the school or group organiser, rather than directly from children. This may include:

  • Teacher or group leader name
  • Contact details (email, phone number)
  • School name and address
  • Number and age range of pupils
  • Access, medical, or additional needs information where necessary to support individuals during the visit

We process this information to:

  • Administer and deliver educational visits
  • Ensure appropriate staffing and supervision
  • Make reasonable adjustments for access or medical needs
  • Maintain health and safety and safeguarding standards

Our lawful basis for processing this data is:

  • Contract – to deliver the booked visit
  • Legal obligation – to meet safeguarding and health & safety requirements
  • Vital interests – where necessary to protect a child’s safety
  • Legitimate interests – to ensure safe and effective educational delivery

Photography and Filming

We do not knowingly photograph or film children without appropriate consent.

Where photography or filming takes place during a school visit:

  • Consent will be obtained from the school or directly from parents/guardians, as appropriate
  • Images will only be used for the purposes specified at the time of consent and will never include children or young people’s names
  • Consent can be withdrawn at any time

Safeguarding Records

In the unlikely event that a safeguarding concern arises, we may record relevant information in line with our Safeguarding Policy. Such records:

  • Are stored securely
  • Are only accessible to authorised personnel
  • May be shared with appropriate authorities where required by law

Safeguarding records are retained in accordance with our safeguarding retention schedule and legal obligations.

Data Relating to Children

Our website and membership systems are not intended for use by children under 13 without parental or school involvement. We do not knowingly collect personal data directly from children online.

If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information.

11. Your Rights

Under UK GDPR, you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data (where applicable)
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent

To exercise your rights, contact: enquiries@holburne.org


12. Complaints

If you are not satisfied, you may complain to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.org.uk


13. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Secure hosting
  • Access controls
  • Encryption
  • Regular security reviews


14. Cookies

Our website uses cookies. Please see our separate Cookie Policy for full details.


15. Updates

We may update this policy from time to time. The latest version will always appear on our website.