Policy

Privacy policy.

Last reviewed 12 May 2026. Reviewed annually by the trustees.

The short version: we collect the minimum personal information we need to run our workshops and stay in touch with people who ask us to. We don't sell it, we don't share it with third-party advertisers, and you can ask us to delete it at any time.

1. Who we are

Lockarts is a Charitable Incorporated Organisation registered in England and Wales (charity number 1163484), with its registered office at Friday Lane Cottage, Church Lane, Hitcham, Ipswich, IP7 7NN.

For the purposes of UK GDPR and the Data Protection Act 2018, Lockarts is the data controller for personal information collected through this website, our enquiry inbox, and our workshops.

2. What we collect, and why

We collect different information in different settings, and only what's necessary for the purpose at hand.

If you email or phone us

We keep your name, contact details and the substance of our correspondence so we can reply, follow up, and keep a record of what was discussed. Lawful basis: legitimate interest (responding to your enquiry).

If you book or attend a session

We hold the information you give us at booking — typically a name, contact detail, any access or health information you choose to share, and emergency contact details. For sessions involving safeguarding-sensitive groups (children, adults at risk), we record attendance and any incidents in line with our safeguarding policy. Lawful basis: contract (delivering the session you've asked to attend) and legal obligation (safeguarding duties).

If you're referred to us by a partner service

NHS, GP, school or social-prescribing partners may share contact details with your knowledge and consent so we can reach out to invite you to a session. Lawful basis: consent (yours, given to the referring service).

If you sign up to news from us

Your email address and first name, used only to send the newsletter you've asked for. Lawful basis: consent. You can unsubscribe from any email we send you.

When you visit this website

We do not use third-party analytics or advertising cookies. The only cookies set are those strictly necessary for the site to work, plus any first-party cookies set when you choose to interact (e.g. dismiss a banner). The embedded Google Map on our contact section is loaded from Google and may set cookies under their privacy notice — you can avoid this by not scrolling to the map.

3. How long we keep it

General enquiries: up to two years from last contact, then deleted.
Workshop records: for the duration of the programme plus six years (in line with our accounts and safeguarding retention requirements).
Safeguarding records: retained for as long as required by statutory guidance (typically until the subject's 25th birthday for child records, or as advised by the local safeguarding partnership for adults).
Newsletter: until you unsubscribe.

4. Who we share it with

We do not sell personal data, and we do not pass it to third parties for their own marketing. We will share information only in these circumstances:

With service providers we use to run the charity — for example our email host or accountant — who process data on our behalf under written agreements.
With safeguarding, healthcare or police services where we have a legal duty or a serious concern about someone's wellbeing, in line with our safeguarding policy.
Where you have asked us to (for example, providing a reference to a referring service).
Where required by law — for example, responding to a court order or HMRC enquiry.

5. Your rights

Under UK GDPR you have the right to:

Ask us what personal data we hold about you, and receive a copy.
Ask us to correct anything that's inaccurate.
Ask us to delete information we no longer have a lawful reason to keep.
Object to processing based on legitimate interests.
Withdraw any consent you've given us, at any time, without penalty.
Make a complaint to the Information Commissioner's Office (ico.org.uk) if you think we've handled your information badly. We'd appreciate the chance to put things right first.

6. Keeping it safe

Personal information is held on access-controlled cloud services with reputable UK / EU-based providers. Paper records (where they exist) are kept locked at our registered office. We review who has access annually and remove it when people leave their role.

7. Changes to this policy

If we change how we use personal data in any material way, we'll update this policy and note the date at the top. The board reviews this policy at least once a year.

Data questions or requests

Please email info@lockarts.org.uk with "Data request" in the subject line, or write to: Lockarts, Friday Lane Cottage, Church Lane, Hitcham, Ipswich, IP7 7NN.

We aim to respond to data-rights requests within one calendar month.