Privacy Notice

Last updated: October 2025
Next Review: October 2026

At Bradford Producing Hub (BPH), we gather information from our website visitors and audiences (including but not limited to: our mailing list, event attendees, training participants and beneficiaries) for various purposes. This Privacy Notice explains what information we collect, how we use it, and how we keep it safe. It also explains what rights you have regarding your personal information, and how you can exercise those rights.

We appreciate the trust you place in us when sharing your personal information. We will treat it with respect and store it securely.

We will use any personal information you provide for the purposes of providing our services, such as: administering events, training and development programmes, grants and donations; communicating sector news and opportunities; and for the continued improvement and development of our work.

We will never sell your personal information, and will only ever share it with organisations we work with where necessary to deliver our services. We will ensure the information is stored securely and that it is not stored for longer than necessary.

Please note, we have separate Privacy Notices and a Data Protection (Employment) Policy which cover employment with us (including employee recruitment and service provider engagement). If you work with us or are applying for a role with us and would like to know more about how your data is handled, please contact hello@bdproducinghub.co.uk to request a copy.

Accessibility

We are committed to making this Privacy Notice accessible. If you require it in an alternative format (such as large print, Easy Read, or audio), please contact us and we will provide it on request.

Who we are

Bradford Producing Hub (BPH) is an arts development organisation in Bradford, United Kingdom. We are a company limited by guarantee (No. 14734568) and a registered charity (No. 1212627).

Our registered address (for mail only) is:
Bradford Producing Hub, Assembly Bradford, 20 North Parade, Bradford, BD1 3HT.

If you have questions about how we process personal data, or would like to exercise your data subject rights, please contact us by email at hello@bdproducinghub.co.uk or at the above address.

The type of personal data we process

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

The personal information we collect may include personal details such as your name, postal address, email address, telephone number, date of birth, financial information, interests and preferences.

The methods in which we actively collect data include, but are not limited to: booking, sign-up, and application and information forms; surveys; and when processing payments to you, or payments or donations from you.

Special category data

We occasionally process special category data (e.g. relating to protected characteristics or health) about our audiences and participants. Specific situations where this may happen include:

• Health and access information provided during sign-up or application processes. We use this information so that we can adequately meet your needs at our events and training sessions.
• Demographic information provided during applications to our training and development programmes. We occasionally use this information to apply positive action during our selection processes to ensure diversity in our cohorts. Anonymised demographics data is also used for monitoring and reporting purposes.
  
  

Where we collect information relating to health, access needs, or protected characteristics, we do so only where necessary and with your explicit consent. For equality and monitoring purposes, we may also process demographic data under the ‘substantial public interest’ condition in the UK General Data Protection Regulation (UK GDPR). Monitoring data is anonymised after collection and may be kept indefinitely in anonymised form for reporting and research.

Photography and filming

We often take photographs and record video or audio at our events, workshops, and activities. These may be used by BPH and our relevant partners to:

• Share news and celebrate our events (e.g. on our website, social media, newsletters, or printed materials);
• Report to our funders and partners;
• Promote future activities run by BPH.

Our lawful basis for using photography and filming is our legitimate interest in documenting and promoting our charitable activities, balanced with individuals’ rights.

We make attendees aware of photography and filming through signage at events, and we will respect anyone who does not wish to be photographed or filmed. If you prefer not to appear in photographs or recordings, please let a member of staff know at the event, and we will do our best to accommodate this.

If at any time you would like an image of yourself removed from our website, social media, or promotional materials, please contact us at hello@bdproducinghub.co.uk and we will take appropriate action.

General communication

As Bradford’s main arts development organisation, we also have a legitimate interest in sector overview for the fulfilment of our aims. To this end, we may occasionally contact people whom we believe to be involved in delivering arts and culture activity across the Bradford District and the wider area. These people or organisations may be contacted, but their information will not be added to a marketing list or a regular mailing list without their express permission.

Why we process this information

Under UK GDPR, we rely on different lawful bases depending on the activity:

Activity	Lawful basis
Event bookings/sign-ups	Consent (when you choose to register)
Training/development programme applications	Consent (for equality monitoring) and Contract (to assess and deliver programmes)
Grant/bursary applications & payments	Contract (to process and pay awards) and Consent (for monitoring data)
Newsletter/e-news subscriptions	Consent (when you opt-in)
Partner projects/collaborations	A mixture of Consent, Contract and Legitimate Interest, depending on the nature of the project
Sector outreach	Legitimate Interest, where we contact people involved in the arts and culture sector to support our charitable aims

We use the personal information you have consented to give us to:

• provide you with information and/or a service that you have requested;
• administer our events, grants, and training and development programmes;
• help us meet your needs at our events;
• help us respect your choices and preferences;
• share news and interesting opportunities in Bradford’s arts and culture sector via newsletters you have opted in to receive.

Who we share your information with

Working with partners

For some events and programmes, BPH acts as the sole data controller. For others, we may be a joint controller with partners (where we jointly decide how data is used), or a data processor for a partner (where they set the rules). Where this applies, we will make this clear to attendees and will direct you to our partners’ own privacy notices where relevant.

Occasionally, we will share information with partner organisations (e.g. if you register to attend an event or apply for a training and development programme which is being jointly organised, or is part of a partnership project by us and another organisation); or where disclosure is required by law.

We will only share personal information with subcontractors or suppliers as is necessary to provide our services (examples include our website developers Out of Place Studio, MailChimp for CRM and e-newsletter management, Typeform and Google Forms for applications, sign-ups, evaluation and feedback, Ticket Tailor for event ticket management, or Ticket Tailor or Square for donations and payments). Please note that this list is illustrative and we may change providers of these services at any time.

We will never sell your personal information.

How we protect and store your information

We use a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, use of, or disclosure of, your personal information.

Electronic data and databases are stored on secure computer systems, and we control who has access to information (using both physical and electronic means).

Our security measures include:

• Password-protected and encrypted systems;
• Two-factor authentication where available;
• Strict limits on which staff can access personal data;
• Regular reviews of security practices.

We also have a Data Breach Response Procedure, so that if a breach does occur, we can act quickly and transparently.

International transfers of data

Some of our service providers (for example, Mailchimp, Google, Typeform, Ticket Tailor) are based outside the UK. Where this is the case, we ensure appropriate safeguards are in place to protect your personal data. These may include:

• Adequacy regulations issued by the UK government; or
• Standard Contractual Clauses approved for use under UK GDPR.

This means your data will continue to be protected to UK GDPR standards, even when processed internationally.

How long we keep your information

We only keep personal data for as long as it is needed. In some cases, we keep the names of people who have engaged with us indefinitely, so that we can track our beneficiaries over time and understand who we have supported. All other personal details are deleted once they are no longer required. Our retention periods are set out below:

 

Type of data	Retention period	What happens after
Event sign-up/attendee data	Full data kept for six years; names retained indefinitely.	All other personal data securely deleted; only names kept for historical/event reference and to track beneficiaries.
Applications (grant & development programmes – successful & unsuccessful)	Full data kept for six years; names retained indefinitely.	All other personal data securely deleted; only names kept for records of applicants and to track beneficiaries.
Application forms & CVs (for employed roles & freelance opportunities – successful & unsuccessful)*	One year after notifying candidates of the outcome of the recruitment exercise.	Securely deleted or destroyed after this period.
Equality & monitoring data	Indefinitely (anonymised)	Retained only in anonymised form for reporting and research.
Mailing list subscribers	Until you unsubscribe or are removed as inactive	Securely deleted from the system.
Financial data in relation to grants/bursaries/expense claims (including related agreements)	Six years from the end of the accounting period they relate to	Securely deleted or destroyed after the statutory period.
Donations & Gift Aid records	Six years from the end of the accounting period they relate to as required by HMRC	Securely deleted or destroyed after the statutory period.

*For more information on employment records and retention periods, please see our separate Privacy Notices and Data Protection (Employment) Policy which cover employment with us (including employee recruitment and service provider engagement).

Cookies and tracking

Cookie consent

Our website uses a cookie consent banner that allows you to choose which cookies you accept. Non-essential cookies (such as analytics or remarketing) will only run if you opt in. You can also change your cookie preferences at any time via our website.

The information below explains which cookies are being used and why on our website:

Google Analytics cookies	We use Google Analytics on our website to anonymously provide information on browsing habits. This helps us to see the most popular content and whether visitors are having regular difficulty finding particular content. Information on how Google Analytics cookies are used can be found here.
Google Maps cookies	Our interactive maps use the Google Maps service. Google may set cookies to store preferences. Google’s privacy policy can provide more information on how Google uses cookies.
Google Translate	Google may place cookies to store your translation options if selected. Google’s privacy policy can provide more information on how Google uses cookies.
Google reCAPTCHA	Google may place cookies to protect our website from spam and abuse when you use any of our web forms. Google’s privacy policy can provide more information on how Google uses cookies.
YouTube	Videos on our website are stored on YouTube using the privacy-enhanced mode. YouTube may save cookies to your computer; however, they will not store personally-identifiable information. To find out more, please visit YouTube’s embedding videos information page.

Your rights

We want to ensure you remain in control of your personal data, and so we want to make sure you understand your legal rights under data protection law. These are:

• the right to confirmation as to whether we have your personal data and, if we do, to ask for copies of the personal information we hold (this is known as a subject access request);
• the right to ask us to erase your personal data (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
• the right to ask us to correct personal data you think is inaccurate;
• the right to object to your personal data being used for direct marketing purposes.

If you would like to exercise any of your rights, please email hello@bdproducinghub.co.uk or write to us at Bradford Producing Hub, Assembly Bradford, 20 North Parade, Bradford, BD1 3HT, and we will respond within one month.

Making a complaint

You can make a complaint to Bradford Producing Hub about an issue concerning your data protection and privacy rights by emailing us at hello@bdproducinghub.co.uk or writing to us at Bradford Producing Hub, Assembly Bradford, 20 North Parade, Bradford, BD1 3HT.

If you are unhappy with our response or if you need advice, you can contact the Information Commissioner’s Office (ICO), which regulates and enforces data protection law in the UK. Details of how to do this can be found at https://ico.org.uk/your-data-matters/raising-concerns/ or you can contact the ICO directly at https://ico.org.uk/make-a-complaint or by phoning 0303 123 1113.

Copyright

All images on bdproducinghub.co.uk are copyright Bradford Producing Hub, unless otherwise stated. Where images have been provided by or are copyrighted to other individuals or organisations, this should be clearly stated on the website. Artists’ copyright lasts throughout their lifetimes and for 70 years from the date of death. When displaying artwork images, we have made every effort not to infringe copyright and only to display works in copyright if we have permission from artists or their estates. If we have made a mistake, please tell us and we will remove the image(s) from the site immediately.

Changes to our Privacy Notice

We will update this Privacy Notice from time to time to ensure that it accurately reflects how and why we process your personal information. The current version of our Privacy Notice will always be posted on our website.

Bradford Producing Hub – Data Breach Response Procedure

1. Purpose

This procedure explains how Bradford Producing Hub (BPH) will respond if personal data is accidentally or unlawfully accessed, lost, altered, disclosed, or destroyed. It ensures we act quickly to protect individuals, limit risks, and meet our legal obligations under the UK General Data Protection Regulation (UK GDPR).

2. What is a Data Breach?

A data breach is any incident that affects the confidentiality, integrity, or availability of personal data. Examples include:

• Sending personal data to the wrong person;
• Loss or theft of devices containing personal data;
• Accidental deletion of important personal records;
• Unauthorised access (e.g. hacking, phishing, compromised passwords);
• Publishing or sharing personal information without permission.

3. Roles and Responsibilities

All staff and contractors must immediately report any suspected breach to the Executive Director (Data Protection Lead).

• Executive Director: responsible for investigating the breach, coordinating the response, deciding whether to report it to the Information Commissioner’s Office (ICO) and keeping trustees informed.

4. Immediate Response Steps

When a breach is discovered:

1. Contain – stop the breach where possible (e.g. recall email, secure accounts, recover lost device).
2. Report – notify the Executive Director immediately via email or phone.
3. Record – log the incident in the Data Breach Register (see section 7).

4. Assess the Breach

The Executive Director will:

• Identify what data is involved (names, contact details, bank data, special category data, etc.).
• Assess how many people are affected.
• Consider potential harm (identity theft, financial loss, distress, reputational damage).
• Decide whether the breach is reportable to the ICO.

6. Notification Obligations

• To the ICO: If the breach is likely to result in a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours of becoming aware.
• To affected individuals: If the breach is likely to result in a high risk (e.g. financial data or sensitive personal data exposed), individuals must also be informed promptly, in clear language, including steps they can take to protect themselves.

7. Recording and Review

• All breaches (whether reportable or not) must be recorded in the Data Breach Register, including:
• Date/time of breach discovery;
• Nature of breach;
• Data involved;
• Containment and recovery actions taken;
• Risk assessment;
• Decision on whether ICO/individuals were notified.
• After each breach, the Executive Director will review what went wrong and put steps in place to reduce the chance of recurrence (e.g. staff training, process updates, technical fixes).

8. Staff Awareness and Training

• All staff, contractors, and freelancers handling personal data will be trained on how to recognise and report breaches.
• This procedure will be reviewed annually and after any serious breach.