FOR Cardiff PRIVACY POLICY

FOR CARDIFF PRIVACY POLICY

This privacy policy explains how we, FOR Cardiff, collect and use your personal data. We are committed to protecting your privacy and handling your personal information in an open and transparent manner, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.Who we are

We are FOR Cardiff, a Business Improvement District (BID) that works to make Cardiff a better place for businesses, residents, and visitors.

Data controller: Cardiff BID Ltd (known as FOR Cardiff)
Contact details: info@forcardiff.com

2. The types of personal data we collect about you

Personal data means any information about an individual from which that person can be identified.

We may collect, use, store, and transfer different kinds of personal data about you. This includes:

Identity data: Name, job title, and business/employer name. This also includes your image, audio, and likeness (as captured in photographs or on recordings we make at our events).
Contact data: Postal address, email address, and telephone number.
Technical data: Internet Protocol (IP) address, browser type and version, operating system and platform, and information about how you use our website.
Usage data: Information about your preferences, interests, and how you interact with our website, events, and services.
Marketing and communications data: your preferences for receiving marketing communications from us and your communication preferences.

Certain personal data we collect is treated as a special category to which additional protections apply under data protection law, We only collect details about your health in relation to dietary requirements and access requirements.

We do not collect any information about criminal convictions and offences.

3. How we collect your personal data

We use different methods to collect data from and about you, including through:

Direct interactions: you may give us your personal data when you:

Book or attend one of our events.
Sign up for our newsletters or other communications.
Give us feedback.
Enter competitions or respond to surveys.
Contact us directly via email, phone or a submission form.

Automated technologies: As you interact with our website, we may automatically collect technical and usage data through cookies and similar technologies.

Third parties: We may receive data about you from third parties, such as analytics providers and event management partners, including Google analytics and Eventbrite.

4. Lawful basis for processing

We rely on the following legal bases for processing your personal data under UK GDPR:

Legitimate interests: Where the processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, to provide you with relevant information as a BID member.
Consent: Where you have given us clear consent for us to process your personal data for a specific purpose, such as signing up for a newsletter.
Contract: Where the processing is necessary for a contract we are about to enter into or have entered into with you.
Legal obligation: Where the processing is necessary to comply with a legal or regulatory obligation. This includes fulfilling statutory duties under the BID ballot process. Company information may also be used where necessary in cases of non-payment of the BID levy, including when legal action through the courts is required.

5. How we use your data

We will only use your personal data when the law allows us to.

Purpose/Use

Legal basis

Provide services: To register you for events, send you business security alerts, and manage your membership.

(a) Necessary for our legitimate interests (to manage your membership)

Send communications: To send you our newsletters and other communications you have signed up for.

(a) Consent

Non-marketing communications: to send you communications not related to marketing, including about changes to our terms or policies or other important notices, and dealing with your requests, complaints, and queries.

(a) To comply with our legal and regulatory obligations

(b) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)

Improve our services: To analyse website usage, understand user behaviour, and improve our website and services.

(a) Necessary for our legitimate interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business, and to inform our marketing strategy)

Marketing: to inform you about our events, promotions, and services that may be of interest to you.

(a) Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business).

Promote Cardiff: To use photos and videos from events for promotional purposes.

(a) Consent (if a minor at family events hosted by us)

(b) Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business).

Legal rights: Enforcing legal rights or defend or undertake legal proceedings

(a) To comply with our legal and regulatory obligations

(b) Necessary for our legitimate interests, i.e. to protect our business, interests and rights

Surveys/competitions: to enable you to partake in a prize draw, competition or complete a survey

(a) Necessary for our legitimate interests (to study how customers use our services/take part in campaigns, to develop them and to grow our business)

Event management: to enable you to attend our events

(a) Necessary for our legitimate interests (to provide access to the event venue and to ensure dietary requirements are followed)

Direct Marketing

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving the marketing.

We may also analyse your Identity, Contact, Technical, and Usage Data to form a view which products, services and offers may be of interest to you so that we can then send you relevant marketing communications.

Opting out of marketing

You may request to stop receiving marketing communications from us at any time by emailing info@forcardiff.com or by using the unsubscribe option provided in our emails.

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.

6. Who we share your data with

We routinely share your personal data with trusted third parties, including:

Service providers: Partners who help us operate our events and website:

Our website developer/service provider
Venues that host events

Creatives: those who help promote our events and website:

Event managers
Photographers
Designers
Agency partners

We occasionally also share personal data with:

Professional advisors: professional advisors (such as lawyers and other advisors).
Law enforcement/Authorities: to comply with our legal and regulatory obligations and where we consider it reasonable to report such issues.
Other parties: to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We will not sell your personal data.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way.

We may transfer your personal data to service providers (such as Dropbox, our web hosting provider, and Eventbrite) that carry out certain functions on our behalf. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.

Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

We will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data, or
We may use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK. To obtain a copy of these contractual safeguards, please contact us.

8. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

9. Your data protection rights

Under UK data protection law, you have the following rights:

Right of Access: You have the right to ask us for copies of your personal information.
Right to Rectification: You have the right to ask us to correct information you think is inaccurate or incomplete.
Right to Erasure: You have the right to ask us to erase your personal information in certain circumstances. Please note that this right of erasure is not available in all circumstances, for example where we need to retain the personal data for legal compliance purposes. If this is the case, we will let you know.
Right to Restriction of Processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
Right to Object to Processing: You have the right to object to the processing of your personal data in certain circumstances. If so, we shall stop processing your personal data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests.
Right to Data Portability: You have the right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations.

To exercise any of these rights, please contact us at info@forcardiff.com.

You may also find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under UK GDPR.

10. No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

11. What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

12. Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13. Contact details

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us at info@forcardiff.com.

14. Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. You can contact us on info@forcardiff.com

ICO contact details:

Website: ico.org.uk
Helpline: 0303 123 1113

15. Changes to this privacy notice

We may update this privacy notice from time to time. Any changes will be posted on this page. We encourage you to review this notice periodically to stay informed about how we are protecting your personal data.

16. Third party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Last reviewed: November 2025

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

MEMBERS LOG IN