General Data Protection Regulation (GDPR)

Same Roots Collective is committed to protecting and respecting your privacy. This Privacy Notice explains how we collect, use, and protect your personal data, and your rights under data protection law.

This notice is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Definitions

Data Controller

The organisation that determines how and why personal data is processed.

Data Processor

A third party that processes personal data on behalf of the Data Controller.

Data Subject

The individual to whom the personal data relates.

Personal Data

Any information relating to an identifiable individual, either directly or indirectly (e.g. name, email address, IP address).

Special Category Personal Data

Sensitive data such as health information, religious or philosophical beliefs, racial or ethnic origin, genetic or biometric data.

Processing

Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Who We Are

Same Roots Collective is the Data Controller for the purposes of this Privacy Notice.

This means we decide how your personal data is processed and for what purposes.

Data protection contact:

For any questions, concerns, or requests relating to your personal data, please contact:

info@samerootscollective.org.uk

Purpose of Processing Personal Data

We process personal data for the following purposes:

To send our email newsletter and occasional informational emails about our activities, events, and community work

To manage swimming pool bookings

To communicate with participants regarding their bookings

To process payments via Stripe

To maintain website functionality and security

Categories of Personal Data We Process

We process the following categories of personal data:

First and last name of the primary swimmer

Email address

Telephone number

Number of people attending a session

Booking date and time

Whether the participant agreed to our terms and conditions

Payment information is processed securely by Stripe; we do not store card details on our systems.

We collect this data when you:

Subscribe via our website or sign-up form

Book a swimming pool session

Provide consent directly to receive communications from us

We do not collect or process special category personal data for swimming pool bookings or mailing list purposes.

Lawful Basis for Processing

Under Article 6 of UK GDPR, our lawful bases for processing personal data are:

Consent — for marketing communications

Contract — where processing is necessary to fulfil a booking or provide services

Legal Obligation — where required for financial record keeping

Legitimate Interests — for the administration and security of our services

You may withdraw your consent at any time by using the unsubscribe link in our emails or by contacting us directly.

Sharing Your Personal Data

Your personal data is treated as strictly confidential and is not shared with third parties except where necessary to deliver our communications or services.

We use Mailchimp as our email distribution platform. Mailchimp acts as a Data Processor on our behalf and processes your data in accordance with their privacy and security policies. Data may be processed outside the UK, with appropriate safeguards in place.

We use Acuity Scheduling (a Squarespace company) to manage swimming pool bookings. Acuity acts as a Data Processor on our behalf and processes personal data in accordance with their privacy and security policies. Data may be stored or processed outside the UK, with appropriate safeguards in place.

Payments are processed securely via Stripe. We do not store full debit or credit card details. Stripe acts as an independent Data Controller for payment processing and may process personal data in accordance with their privacy policy. Data may be transferred outside the UK where appropriate safeguards are in place.

How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes outlined in this notice:

Mailing list data is retained until you unsubscribe

Booking and financial records are retained for up to six years in accordance with UK legal and tax requirements

Cookies and Website Data

Our website is hosted on Squarespace, which uses essential cookies to ensure the proper functioning and security of the website.

We may also use analytics cookies to understand how visitors use our website. Where required, we obtain consent before placing non-essential cookies. You can manage your cookie preferences via our cookie consent banner.

Your Rights Under Data Protection Law

Under UK GDPR, you have the right to:

Request access to the personal data we hold about you

Request correction of inaccurate or incomplete data

Request erasure of your personal data where it is no longer necessary

Withdraw consent at any time (where consent is the lawful basis)

Request restriction of processing in certain circumstances

Request data portability where applicable

Object to processing in certain circumstances, including direct marketing

To exercise any of these rights, please contact us using the details above.

Automated Decision-Making

We do not use automated decision-making or profiling in relation to your personal data.

Further Processing

If we wish to use your personal data for a purpose not covered by this Privacy Notice, we will provide you with an updated notice before any new processing begins.

Changes to This Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be posted on this page and, where appropriate, communicated to you by email.

How to Make a Complaint

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the issue.

You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues:

Website: ico.org.uk

Telephone: 0303 123 1113

Address: Information Commissioner’s Office,

Wycliffe House, Water Lane, Wilmslow,

Cheshire, SK9 5AF, England

Last reviewed: 14/02/2026
Next review: 14/02/2027



Safeguarding Policy

Same Roots Collective is committed to safeguarding and promoting the welfare of children, young people and vulnerable adults. We believe that everyone has the right to be safe, protected, and treated with dignity and respect.

1. Our Commitment

We recognise our responsibility to:

  • Protect children, young people and vulnerable adults who engage with our charity

  • Prevent harm, abuse and neglect

  • Respond appropriately to safeguarding concerns

  • Comply with relevant safeguarding legislation and guidance

2. Scope

This policy applies to:

  • Trustees

  • Employees

  • Volunteers

  • Contractors and partners

  • Anyone acting on behalf of Same Roots Collective

3. Definitions

  • Children and young people: anyone under the age of 18

  • Vulnerable adults: adults who may be unable to protect themselves from harm or exploitation due to age, disability, illness, or circumstance

4. Safeguarding Principles

We follow these key principles:

  • The welfare of the individual is paramount

  • Safeguarding is everyone’s responsibility

  • We take a proportionate, risk-based approach

  • We work in partnership with statutory agencies where required

5. Recognising and Reporting Concerns

All safeguarding concerns must be taken seriously.

If you are worried about someone’s safety:

  • Report concerns as soon as possible

  • Do not investigate or promise confidentiality

  • Record factual information only

6. Safeguarding Lead

Our designated Safeguarding Lead is:

Name: Dr Charlotte Naylor Davis
Role: Member of the Board of Trustees
Email: drcharlottend@gmail.com

In an emergency, contact the police or emergency services immediately.

If a safeguarding concern involves the Safeguarding Lead, the person concerned should report the matter to:

Somerset Safeguarding Adults Board

adults@somerset.gov.uk

03001 232 224

or, Somerset Safeguarding Children Partnership

childrens@somerset.gov.uk

03001 232 224

7. Safer Recruitment and Conduct

We are committed to:

  • Safer recruitment practices

  • Appropriate DBS checks where required

  • Clear codes of conduct for staff and volunteers

  • Ongoing safeguarding awareness

8. Review

This policy will be reviewed annually, or sooner if there are changes in legislation or guidance.

Last reviewed: 14/02/2026
Next review: 14/02/2027