.png)
PRIVACY POLICY.
Introduction
Climate Action for Associations Limited (CAFA) respects and is committed to protecting your privacy. We aim to maintain consistently high standards in our use and storage of your personal data, and endeavour to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant legislation.
To reflect changes in privacy laws, this updated Privacy Policy aims to clearly inform you of how we use your personal data, how we ensure it is kept secure and your choices about its use. We hope this can help you to make informed decisions when using our website or other services we provide.
In this Privacy Policy, references to "we", "us" and "our" refer to CAFA. Personal data, as defined by the UK GDPR, means any information which relates to a living individual who can be identified, either directly or indirectly, from this information. For example, your name, email address, postal address, telephone number and other personal details.
From time to time we will update this Privacy Policy, so we encourage you to refer back to this page regularly. In addition to this Privacy Policy, each service offered by us may have additional privacy provisions that are specific to the particular service. You will always be informed of these supplemental provisions at the time you provide your personal data.
Using Links to External Sites
Please remember that when you use a link to go from our website to another website, our Privacy Policy no longer applies. Your browsing and interaction on any other website, or your dealings with any other third party service provider, is subject to that website's or third party service provider's own rules and policies.
We do not monitor, control, or endorse the information collection or privacy practices of any third parties. This Privacy Policy applies solely to information collected by us through our website or services and does not apply to these third party websites and third party service providers.
Our Contact Details
If you have any questions about this Privacy Policy you can contact us in the following ways:
-
Write to us: Data Protection Officer, Climate Action for Associations Limited, 6th Floor, Charles House, 108-110 Finchley Road, London NW3 5JJ. Registered in England and Wales under the company number 13206511.
-
Email us: dataprotection@cafacollective.org
Collection of Your Personal Data
We collect personal data from you when you enquire about or request a product or service directly from us. The information we routinely collect will include your contact details (e.g. name and email address).
When You Visit Our Website
When you visit our website for the first time, you will receive a notice informing you that we use cookies. Some personal data (for example a unique identifier, your IP address and geographical location) will be collected through our and our technology partners' use of cookies and similar technologies.
We may also research publicly available sources (e.g. websites and LinkedIn) and use external suppliers to identify business contacts who are likely to be interested in CAFA relevant offers. We will only collect the minimal amount of information required for this purpose (e.g. name, job title, company and contact details) and when we contact you we will endeavour to ensure we provide you with a way to object to us continuing to retain your personal data.
Data Collection Through CAFA Tools and Applications
Certain CAFA tools and applications collect information provided by users in the course of using them. This may include responses to surveys, assessments, and other interactive tools available through our platforms.
Information collected through these tools may be stored and processed across a range of platforms that support the development and operation of our services, including database infrastructure and development platforms. By using any CAFA tool or application, you acknowledge that information you provide may be stored or processed on these platforms.
CAFA ensures that all third-party platforms used meet appropriate data protection and security standards in line with UK GDPR requirements. Where any such platform is based outside the UK or European Economic Area (EEA), we will take all reasonable steps to ensure your data is handled securely and in accordance with applicable data protection law.
The Lawful Bases We Rely On
Under the UK GDPR there are six lawful bases under which organisations can collect, use and store personal data. We have identified four which we rely upon for our business activities:
-
Contractual – in many circumstances we rely on the lawful basis of "performance of a contract". This enables us to respond to you when you express an interest in CAFA and/or CAFA solutions and to fulfil any requests.
-
Consent – in some circumstances we rely on your specific consent, whereby you actively agree and "opt-in". We will always make it clear how you can withdraw your consent at any time.
-
Legal Obligation – there will be circumstances under which we are legally obliged to hold your personal data or required to disclose it to a third party by law.
-
Legitimate Interests – for some of our activities we rely on our legitimate business interests to collect and use your personal data. In such cases, we have balanced our interests with yours and do not believe these activities will have a negative impact on your privacy rights and freedoms. We specifically rely on legitimate interests to:
-
Manage specific topics and aspects of our digital and live events.
-
Send you marketing and communications related to relevant and selected solutions, innovations, products and services.
-
Ask you to respond to surveys and polls.
-
Connect you with like-minded CAFA members to encourage learning.
-
Promote selected partners.
-
You can always object to our marketing messages. If you wish to object to our reliance on legitimate interests for any other purpose, please use our contact details above.
How We Use Your Personal Data
We will use your personal data for the purposes of fulfilling a product or service you have requested, which includes:
-
Responding to your enquiries about our products and services.
-
Provision and delivery of a product or service.
Marketing Communications
When we collect your personal data, we will include a specific notice to inform you and give you choices about future direct marketing communications from us.
We will only send you direct marketing communications when you have either:
-
Provided your consent (e.g. ticked a box or clicked a button to submit a form).
-
Where we believe we can demonstrate a legitimate business interest and have balanced this with your interests and privacy.
It is always your choice and you can stop receiving direct communications from us at any time. We will provide a clear and easy way to do this.
For electronic marketing communications we adhere to the rules of the Privacy and Electronic Communications Regulations (PECR).
Personalised Marketing Content
We want to ensure our communications are of interest to you. We therefore use the information we know about you to tailor messages to be as relevant to you as possible. We will use publicly available sources to try and do this. You have the right to object, but once you do, this will mean we will be unable to send you marketing communications in future.
Access Your Personal Data
You can request a copy of the personal data we may hold relating to you, and the purposes for which we are using it, at any time. This is known as a Subject Access Request.
In responding to such a request we may ask for proof of your identity, to ensure we do not inadvertently send your personal data to another person. We will endeavour to respond to any such requests as soon as possible, and within one calendar month as required by law. Please use our contact details above.
Amend Your Personal Data
If you discover or believe the personal data we hold for you is out of date or incorrect please let us know and we will rectify this as soon as possible. Please use our contact details above.
Delete Your Personal Data
If you wish for your personal data to be deleted we will assess any such request on a case-by-case basis. We will respond to you as soon as possible, and within one calendar month of receiving your request as required by law. Please use our contact details above.
Your Rights
Under the UK GDPR you have a number of rights in relation to your personal data, including the right to access, rectify, or erase your data, the right to restrict or object to processing, and the right to data portability. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk if you believe your data has been handled unlawfully.
Keeping Your Data Secure
Ensuring your personal data is kept secure is of the highest importance to us. We hold your personal data on our secure systems, primarily based within the UK and the European Economic Area (EEA).
Your personal data may be transferred to a country outside the EEA. This may be required for the purposes of our staff based outside the EEA or where a supplier of a service is based outside the EEA, including where we use database, development or AI platforms to support our tools and applications. We will take all reasonable steps necessary to ensure your personal data is treated securely and in line with this Privacy Policy.
We are committed to protecting the security of the personal data we hold. We deploy appropriate technical and organisational measures to ensure your personal data is kept securely and to prevent any unauthorised access.
We hold personal data for a variety of different purposes and the length of time we keep your information will vary depending on the products and services we are providing to you. We will only keep your personal data for a reasonable period of time, based on the purpose for which we are using it.
If you discover a potential security vulnerability, we would ask you to please report it to us responsibly by emailing us directly. This provides us with an opportunity to work with you to quickly address and resolve any issue. Publicly disclosing a potential vulnerability could put the wider community at risk, so we encourage you to come to us first.
Cookie Notice
The aim of our Cookie Notice is to provide you with a summary of the tracking technologies we use and how you can control what is set and when. We keep our Cookie Notice under regular review to best reflect the technology we use on our sites.
Flash Cookies: A local shared object, sometimes called a "Flash cookie," is a data file that can be created on your computer by the website you visit. They are most often used to enhance your web-browsing experience.
Log Files: We use log files to record events that occur on our website. This may include, though not exclusively, the type, content or time of transaction made via your device. These audit trails allow us to analyse activities on our websites.
Your Cookie Control Options
When you use our website for the first time you will be notified about our use of cookies via a banner notice. You can choose to disable your web browser's ability to accept cookies. Please note that if you choose to do this, you may not be able to access or take advantage of many features of the service and some parts of the website may not work properly.
You can control how cookies are set within your browser settings. Each browser is different so check the 'Help' menu of your particular browser to learn how to change your cookie preferences.
Our Main Technology Partners
We work directly with a number of technology partners to maintain and enhance our website, including Google Analytics, to provide insight into how visitors find and use our web pages so that we can evaluate and develop them.
External Web Services
We use a number of web services to display external content. These could set cookies or track your activity. CAFA takes no responsibility for external content providers' data protection practices. For full information you should read the privacy policies of those sites.
Last updated: May 2026