Privacy Policy

1. Introduction

Your privacy is important to us. As a data controller, DCDR will not store or process more data about you than we have to, and it will always be processed lawfully and securely.

This policy explains what data we process about you, how we process it, and our legal justifications for processing it. It also tells you how to exercise your data rights, such as your right to have the information that we hold about you deleted or amended. We will not process your data in a way that is inconsistent with this policy, unless we agree otherwise with you in accordance with the law. Any information that is processed by DCDR will only be accessible to authorised personnel. We are registered with the UK Information Commissioner’s Office (ICO), who regulate our data processing.

Any reference to “DCDR” refers to the Downpatrick and County Down Railway Society Limited, a registered company and charity trading at The Railway Station, Market Street, Downpatrick, County Down, Northern Ireland, BT30 6LZ. You can contact us by post at this address, by phone at 00 44 28 4461 5779, or by email at info@downrail.co.uk.

DCDR is registered in Northern Ireland as a limited company, registration number NI018685, and as a charity, Northern Ireland Charity Commission number 101640.

2. Data Protection Principles

When processing personal data, we will comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and any other applicable laws. This means that we adhere to the following data protection principles:

  • We will process data lawfully, fairly, and in a transparent manner
  • We will only collect data for specific, explicit, and legitimate purposes
  • The data that we collect will be adequate, relevant, and limited to the purposes for which it was collected
  • The data we hold about you will be accurate and up to date
  • The data we hold about you will be kept for no longer than is necessary for the purpose(s) for which it was collected
  • The data we hold about you will be kept safe and secure, using appropriate technical or organisational measures to protect its integrity and confidentiality
  • We will be responsible and accountable regarding the processing of your personal data

3. Lawful bases for processing

We must have a legal justification for processing personal data. These justifications are:

  1. Consent: an individual has clearly given consent for us to use their information for a specific purpose. To be valid:
    • Consent must be freely given (e.g., it isn’t a good lawful basis if there’s an imbalance of power)
    • Consent must be recorded
    • Individuals must be able to withdraw their consent at any time
  2. Contract: the processing is necessary for a contract with another party, or because they have asked for specific steps to be taken before entering into a contract
  3. Legal obligation: the processing is necessary to comply with the law (not including contractual obligations)
  4. Vital interests: the processing is necessary to protect someone’s life
  5. Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the person’s information which overrides those legitimate interests
  7. Additional recognised legitimate interests established by law:
    • Safeguarding vulnerable people
    • Responding to emergencies
    • Preventing or investigating crime
    • National security, public safety and defence
    • Sharing personal information with an organisation that needs it for their public task or function at their request

4. Our Data Processing Activities 

Ticket sales and providing our services

We operate an online ticket sales facility for most of our events throughout the year. This enables you to buy tickets and pay for them online.

We work with a third party ticket processor, Digitickets, to manage our ticketing systems, with all transactions being secure, and personal data stored in a secure location.

To make a purchase, standard information requested by Digitickets will include:

  • Your name
  • Your home address
  • Your email address
  • Your phone number (if you wish to share this)
  • The date and time you will be attending our event
  • The number of people covered by your ticket
  • The types of tickets you are purchasing (for example, whether they’re for adults, children, or senior citizens)

We use this information to facilitate online sales and your visit to our railway.

This information is held securely by Digitickets and may be accessed by authorised DCDR personnel to deal with any queries you may have about your purchase. This can include if you lose your ticket reference or confirmation email, or if you wish to modify your booking before you travel. Other authorised DCDR personnel, such as Duty Managers and Platform Staff, will also be able to access your name and booking details so that they can welcome you to our railway.

Financial transactions for our ticket sales are carried out using our payment partner, Stripe. DCDR does not have access to your credit or debit card information. Your financial information will be retained securely by Stripe for legitimate record keeping, processing of refunds, fraud tracking, and other purposes.

We also process health data to allow us to accommodate people with mobility, dietary, and carer needs. We rely on your explicit consent to process this information, alongside our contractual obligation to provide the requested service. This information is subject to additional protection due to its sensitive nature. You can find more about accessibility at our railway by clicking here, and about our carers policy by clicking here.

Our lawful bases for collecting or using personal information to provide our services are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Marketing and service updates

We operate a mailing list that enables you to receive occasional emails about events that we are running, appeals for help and donations, and other related communications.

The information we require for this is:

  • Your email address, otherwise we cannot send the email to you
  • Your name, so we can identify you in communications

You will also specifically have to tell us that you consent to us sending you marketing communications. This authorisation will be recorded via the signup form. You can remove yourself from the mailing list at any time by contacting info@downrail.co.uk or by clicking the “unsubscribe” link at the bottom of our marketing emails.

Mailing lists are managed by a third party partner, MailChimp.com, who store your information securely in line with UK and EU law. Only authorised personnel are permitted to send emails to you and access the marketing information we store.

We also collect or use the following personal information for other marketing purposes or service updates:

  • Names and contact details
  • Marketing preferences
  • Recorded images, such as photos or videos
  • Purchase history
  • Donation history
  • Website and app user journey information
  • Records of consent, where appropriate

Our lawful bases for collecting or using personal information for service updates or marketing purposes are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are raising awareness about the railway so we can bring in revenue through ticket sales and donations, and keeping customers updated about our services.

CCTV and the prevention and detection of crime

We have high-definition CCTV cameras installed across our property, as indicated by signage along our perimeter. This means that we record, store, view, and share audiovisual recordings of our property (including both public and staff-only areas) and adjacent areas (such as the car park in front of our station building).

We use information that we gather from our CCTV system for the purposes of:

  • Detecting, investigating, and preventing crime
  • Identifying, apprehending, and prosecuting offenders or suspected offenders
  • Deterring persons who may have criminal intent
  • Investigating complaints or health and safety incidents
  • Defending against legal claims or exercising our legal rights 

We also collect and use witness statements, contact details, and information relating to health and safety for these purposes.

Our lawful bases for collecting or using personal information for the prevention, detection, investigation, and prosecution of crime are:

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are protecting our property, ensuring the safety of people on our premises, exercising our legal rights, and deterring, apprehending, and prosecuting criminals.

Donations, funding, organising fundraising activities, and finances

As a charity, DCDR relies on sales, donations, and funding to pay for our operations, vehicle restorations, and museum. We will therefore collect some personal information from you when you make certain payments to us. Any information provided for this purpose will only be accessed by authorised DCDR personnel.

If you make a donation or membership payment by cheque, we will securely store it on site and then cash it based on the information written on it. This can include:

  • Your name and signature
  • Your banking institution
  • Your cheque number, sort code, and account number
  • The amount of money that you want to donate
  • Your home address, if you decide to share it with us

Any donations or membership payments made via www.downrail.co.uk will be handled by our payment partner, PayPal. These financial transactions are carried out by PayPal. DCDR does not have access to your credit, debit card or bank account information via your PayPal payments, but we will be able to see:

  • Your name and PayPal ID, which may include your email address
  • The amount of money that you’ve donated
  • Your Gift Aid status
  • Your home address, if you decide to share it with us
  • Your phone number, if you decide to share it with us

Most users will already have a PayPal account, and will have agreed to the use of their personal and financial information by PayPal. If you sign up for a new PayPal account while making a DCDR donation, you are entering into an agreement with PayPal to securely store and protect your personal data, not DCDR. Your agreement with DCDR is limited to the current PayPal transaction.

In relation to payments made by you, we process the above information in addition to:

  • Your donation history
  • Gifts in wills
  • Bank details that you provide to us
  • Any other information that we need to process in order to facilitate funding and to organise fundraising activities

Our lawful bases for collecting or using personal information to receive donations or funding and organise fundraising activities are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Gift Aid

Current UK taxpayers can boost the value of their donations to us by 25% by filling in a Gift Aid donation form. As a UK-registered charity, we can claim this 25% from the tax that you pay for the current tax year. By submitting a Gift Aid form, we will process your:

  • Name
  • Status as a UK taxpayer
  • Home address
  • Email address, if you decide to provide it

We will share this information with His Majesty’s Revenue and Customs (HMRC) so that we can claim the Gift Aid that you have given your consent for us to collect. We may contact you if we have any issues with collecting Gift Aid from your donation. We will not use this information for any other purpose.

Our lawful bases for collecting or using personal information to receive donations or funding and organise fundraising activities are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Membership details

As an essential part of running the membership of DCDR, a database of active members is maintained. When a new member submits a completed membership form, we collect and store their:

  • Name
  • Email address
  • Home address
  • Membership category (for example, whether they’re an adult or a concession member)
  • Membership number (which we generate)

We use this information to provide benefits to our members, such as exclusive offers and updates about our railway.

Our lawful basis for collecting or using personal information for these purposes is legitimate interests. This means that we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are to incentivise people to become and remain members of our company.

Recruitment of volunteers and paid staff

If you are an existing DCDR member and you express an interest in volunteering at our railway, we will send you an online form which asks you about:

  • Your age
  • Details of any criminal convictions – in particular, any unspent convictions, or spent convictions that could impact your ability to work around children or vulnerable adults
  • Health conditions, including medical conditions, disabilities, medical requirements, and medical history
  • Your phone number
  • The name and contact details of your emergency contact
  • General background information, including education, skills, and work history, where relevant

We will process this data, in addition to the membership data we already have about you, to facilitate your work on our railway as far as practicable.

We will require additional information from volunteers who want to work in certain roles, including Access NI criminal background checks and specific health information such as test results and medical certificates. Health and criminal background information are subject to additional protection due to their sensitive nature.

In addition, we collect or use the following personal information for the purposes of recruiting new members of paid staff:

  • Contact details (e.g. name, address, telephone number or personal email address)
  • Date of birth
  • Employment history (e.g. job application, employment references or secondary employment)
  • Education history (e.g. qualifications)
  • Details of any criminal convictions (e.g. Access NI checks)
  • Security clearance details (e.g. basic checks and higher security clearance)

Our lawful bases for collecting or using personal information for recruitment purposes are:

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are ensuring that our staff and volunteers are sufficiently skilled and are capable of working at our railway.

Queries, complaints, and claims

If you have a complaint or query, you can give us a call, send us a letter, or email us via the contact details at the top of this page.

We collect or use the following personal information for dealing with queries, complaints or claims:

  • Names and contact details
  • Payment details
  • Purchase or service history
  • Video recordings of public areas
  • Audio recordings of public areas
  • Witness statements and contact details
  • Customer or client accounts and records
  • Information relating to health and safety (including incident investigation details and reports and accident book records)
  • Correspondence

Our lawful basis for collecting or using personal information for these purposes is legitimate interests. This means that we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are providing information to customers and potential customers, receiving feedback so we can improve our services, and defending our business against legal claims.

Research and archiving

As a museum, we collect or use the following personal information for research or archiving purposes:

  • Names and contact details
  • Addresses
  • Audio and visual recordings
  • Photographs 
  • Records of consent, where appropriate

Our lawful basis for collecting or using personal information for research or archiving purposes is consent. This means that we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Complying with legal requirements

We collect or use the following personal information to comply with legal requirements:

  • Name
  • Contact information
  • Health and safety information
  • Safeguarding information
  • Criminal offence data
  • Any other personal information required to comply with legal obligations

We will also collect or use health and criminal offence data. This information is subject to additional protection due to its sensitive nature.

We have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Doing business with other organisations

When we’re doing business or dealing with other organisations, such as companies, public authorities, societies, or agencies, we collect or use the following personal information:

  • Name
  • Role and organisation
  • Contact information
  • Health and safety information
  • Bank details, if appropriate 
  • Any other personal information required to comply with legal obligations
  • Any other information that we process in the course of doing business with you

Our lawful bases for collecting or using personal information for these purposes are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are ensuring that we can maximise the potential of our railway by cooperating and working with other organisations.

Our website – analytics and server access logs

We collect general usage statistics for our www.downrail.co.uk website, to enable us to analyse how it is used. This includes information such as your country, language, which web browser you use, what sort of device you use, and screen resolution. This information can help us decide overall trends in usage of our website, and decide which browsers or devices we should design it for.

In common with almost all other websites in the world, www.downrail.co.uk records server access logs when people access our website. This includes general information, as above, and also the IP address you use to access our website or other services. Server logs are not publicly accessible and will not be disclosed to anyone outside our organisation, except when required by law.

Our lawful basis for collecting or using personal information for these purposes is legitimate interests. This means that we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are tracking how our website is used and improving our services, and preventing fraud and misuse of our website.

5. Where we get personal information from

We do not buy personal information from third parties. We get personal information from:

  • Individuals who provide it directly to us
  • Regulatory authorities
  • Family members or carers
  • Schools, colleges, universities or other education organisations (for students who want to carry out work experience with us)
  • CCTV footage or other recordings
  • Councils and other public sector organisations

6. Data retention

How long we store personal information depends on the type of data, what it is being used for, and any legal retention requirements. We will only use and store your information for as long as it is required for the purposes it was collected for, or for as long as we are required by law to do so.

For more information on how long we store your personal information, or the criteria we use to determine this, please contact us using the details provided above. 

7. Sharing your Personal Information

DCDR will not sell your personal information to anyone. DCDR can use or disclose your personal data and other information:

  • With our third party suppliers and service providers
  • With emergency services
  • With organisations we need to share information with for safeguarding reasons
  • In response to legal requests from law enforcement agencies, regulatory bodies, or authorised government agencies
  • With external auditors or inspectors
  • In response to court orders, warrants, or legal processes
  • To otherwise establish or exercise our legal rights or defend against legal claims 
  • If you violate or breach an agreement with us
  • With any other organisation that we’re legally obligated to share personal information with.

Our third party suppliers and service providers include:

  • Google – we use Google Workspace, including Google Docs, Google Sheets, Google Forms, Google Meet, Google Chat, and Gmail, to process communications and documents and to collect information
  • Digitickets – to facilitate online bookings
  • PayPal – to process payments
  • Stripe – to process payments
  • MailChimp – to host our mailing list
  • Shopify – to host our online shop
  • Dojo – to accept card payments
  • SumUp – to accept card payments
  • Square – to accept card payments

Third party companies working with DCDR do not have the right to share or otherwise profit from your personal information. Financial details (credit and debit card details and bank details) processed by our third party service providers are not stored by us and are not accessible by DCDR personnel. Such information must be retained by these processors for fraud prevention and other legitimate purposes, and is stored in an appropriate secure manner.

8. Storing your data

All personal data that we process is stored in a secure manner. This includes emails you send us, donation details, ticket sales and your details held on our mailing lists.

Any personal information that we store is only accessible by authorised personnel at DCDR. Where relevant, our security measures include:

  • Encryption
  • Access controls 
  • Two-factor authentication
  • Physical security

We also maintain a record of processing activities (RoPA) to keep track of how and why we store and use personal data.

9. International data transfers

We have volunteers who live in the Republic of Ireland, and our web services may be hosted throughout the European Union and the United States of America. This means that we transfer personal data outside of the UK. When doing so, we comply with the UK GDPR, making sure that appropriate safeguards are in place:

  • Data transfers to the European Union have been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations)
  • Our data transfers to the United States of America are subject to data transfer agreements to ensure that your personal information benefits from a high level of protection when transferred outside the UK

For further information, please contact us using the details provided at the top of this page.

10. Your data rights

According to UK data protection law, you have certain rights over what we can do with your data, subject to certain circumstances and exceptions – you can find out more information on the ICO’s website. Your rights are:

  • The right to be informed – you have a right to be told how we collect and use your data, such as purposes for processing, retention periods, and who your data is shared with
  • The right to access – you have a right to access and receive a copy of the personal data we hold about you, as well as supplementary information
  • The right to rectification – you have a right to have inaccurate or incomplete information corrected or completed in our records
  • The right to erasure (or the “right to be forgotten”) – you have a right to have all personal information we hold about you erased
  • The right to restrict processing – you have a right to limit the way we process your data
  • The right to data portability – you have a right to obtain and reuse the personal data we hold about you for your own purposes
  • The right to object – you have a right to stop us from processing your data, in certain circumstances

We will respond to your rights requests within one calendar month. If your request is complex, or if you make more than one request, we may take up to three calendar months to respond.

We can refuse requests that are manifestly unfounded or excessive.

11. Links to third party websites

DCDR is not responsible for content on any third party websites that we link to. As soon as you leave the www.downrail.co.uk domain, your relationship is between you and the third party website, not DCDR.

12. Cookies And Tracking Technologies

Visit our Cookie Information page to learn about our use of cookies and to change your preferences.

13. Questions about this policy

If you have any questions or concerns about this privacy policy, or if you would like to exercise your data subject rights, please contact us at info@downrail.co.uk.

14. How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy policy.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office (ICO).

The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
England, UK
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

1. Introduction

Your privacy is important to us. DCDR will never store more data about you than we have to in order to permit use of our web-based services.

This policy explains what data we store about you, what we use it for, how it is stored and how we use it. It also tells you how to contact us to query the data we store about you, and how to have your personal data removed or updated.

It is essential for us to store some data about users of our web-based services to provide basic functionality.

Our web-based services are:

  • The public website, www.downrail.co.uk
  • Our mailing lists, where a User can agree to be sent periodic emails about events and appeals we are running
  • Our online ticketing systems, where a user can purchase tickets to visit DCDR
  • Payment partners, specifically Stripe.com and PayPal, who carry out financial transactions on our behalf (for ticket sales, membership payments and donations)

Any references to “DCDR” refer to the Downpatrick & County Down Railway, a registered company and charity trading at The Railway Station, Market Street, Downpatrick, County Down, BT30 6LZ.

DCDR is registered in Northern Ireland as a Limited Company, Registration No. N.I. 18685, and as a charity, No. NI 101640.

2. What information we collect

Anonymous information

We collect general usage statistics for the www.downrail.co.uk website, to enable us to analyse overall usage of our website. This does not comprise any personally identifiable data about users. It includes information such as your country, language, which web browser you use, what sort of computer or device you use, and screen resolution.

This information can help us decide overall trends in usage of our website, and decide which browsers or devices we should design for.

Web site logs

In common with almost all other websites in the world, www.downrail.co.uk records server access logs when people access our website.

This may include general information, as per the Anonymous Information above, and also the IP address you use to access our website or other services. This information is required to prevent fraud and misuse of our web services, and is considered a legitimate interest of us as a Data Controller.

Server logs are not publicly accessible and will not be disclosed, ever, except on demand by law enforcement agencies or other authorised bodies.

When we require Personally Identifiable Information:

Most users of www.downrail.co.uk will not disclose any personal information to us. You will only ever be required to disclose some information to us if:

  • You want to sign up to our mailing list (in which case it is legitimate to require your email address and name to be shared)
  • You purchase tickets from our online ticket office
  • You make a donation via our website
  • You apply for membership and pay online
  • You send us a message via the contact form

In these cases, this information is deemed essential for us to do business with you in the specific area listed. Without this information we cannot enter into any relationship or offer the stated service to you.

Collection of data from children

We do not knowingly collect any personal data from or about children. We define a child as anyone aged under 18 for this purpose.

If you are responsible for a child and believe they have supplied any Personally Identifiable Information (via the means identified above, or any other means), then you may contact us at info@downrail.co.uk, explain the concerns to us fully, and we will remove the data immediately. See also “My right to be forgotten” later in this policy.

3. How do you use my information?

Mailing lists

We operate a mailing list that enables you to receive occasional information about events that we are running and appeals for help, donations and other related communications.

The information we require for this is:

  • Your email address, otherwise we cannot send the email to you
  • Your name, so we can identify you in communications

You will also specifically have to tell us that you agree to us sending you marketing communications. This authorisation will be recorded via the signup form. You can remove yourself from the mailing list at any time.

Mailing Lists are managed by a third party partner, MailChimp.com, who store your information securely. Only authorised personnel are permitted to access the limited information we store and send you emails.

Ticket sales

We operate an online ticket sales facility for most of our events throughout the year. This enables you to buy tickets and pay for them online.

We work with a third party ticket processor, www.digitickets.co.uk, to manage our ticketing systems, with all transactions being secure, and Personally Identifiable Information stored in a secure location.

To make a purchase, standard information requested by www.digitickets.co.uk will include:

  • Your name
  • Your address
  • Your email address
  • Your phone number (if you wish to share this)
  • The date and time of your ticket
  • The number of people covered by your ticket
  • The types of ticket you are purchasing

This information is held securely by www.digitickets.co.uk and may be legitimately accessed by authorised DCDR personnel in conjunction with any queries you may have about your purchase. For example, you may lose your ticket reference or confirmation email, or wish to modify your booking before you travel.

Financial transactions are carried out using our payment partner, Stripe.com. DCDR will never have access to your credit or debit card information.

Your financial information will be retained securely by Stripe.com, for legitimate record keeping, processing of refunds, fraud tracking, and other purposes.

This process is deemed essential for the legitimate business of ticket sales, as without this the ticket purchase process would not be possible.

Donations and Membership payments

As a charity, DCDR relies on donations and membership subscriptions to carry out our activities in the area of heritage railways.

Any donations or membership payments made via www.downrail.co.uk will be handled by our payment partner, PayPal.

Most users of PayPal will already have an account with PayPal, and will have agreed to the use of their personal and financial information by PayPal.

  • If you sign up for a new PayPal account during a DCDR donation, you are entering into an agreement with PayPal to securely store and protect your personal data, not DCDR. Your agreement with DCDR is limited to the current PayPal transaction, and we accept no liability for PayPal’s continued use of your data.

These financial transactions are carried out by PayPal. DCDR will never have access to your credit, debit card or bank account information.

As with any PayPal transaction with any retailer or individual, DCDR will have access to the following Personally Identifiable Data for you:

  • Your name
  • Your postal address, if you decide to share it with us
  • Your email address
  • Your phone number, if you decide to share it with us

This information is legitimately required to contact you regarding your donation, and is only available to specific authorised DCDR personnel.

Membership details

As an essential part of running the membership of DCDR, a database of active members is maintained. This is considered a legitimate requirement of doing business with you as a member, and it is unreasonable to expect us not to hold this information about you.

We store membership information in a secure online system, with access restricted to authorised DCDR personnel only.

Membership information stored is:

  • Your name
  • Your postal address (so we can send your membership card, newsletters and important communications)
  • Your email address
  • Your phone number
  • Your membership type and expiry date
  • Any notes that are relevant to your membership of DCDR

Contact Form messages

If you wish to get in touch with us via our website, then you can use either a direct email to info@downrail.co.uk, or use the Contact Form webpage.

The contact form will ask for:

  • Your name
  • Your email address
  • Your phone number (optional)
  • Your message to us

Your communication is directly transferred to a secure email system, and an alert is sent to authorised DCDR personnel, who will deal with your query.

4. Sharing of your Personal Information

DCDR does not sell or share your personal information with anyone. It is only used for the purposes of doing business between you and DCDR.

Third party mailing list, ticketing and payment partners, a necessary feature of digital communication and payments, similarly do not share your information with any other parties.

5. Hosting and storage of your data

All data we store about you is stored in a secure manner. This includes emails you send us, donation details, ticket sales and your details held on our mailing lists.

Any personal information we store is only accessible by authorised personnel at DCDR.

Financial information (credit and debit card details and bank details) is NOT stored by us and is not accessible by DCDR personnel. Such information must be retained by payment processors for fraud prevention and other legitimate purposes, and is stored in an appropriate secure manner.

Web services provided by DCDR may be hosted outside the UK. Our web hosting and data management partners may host data in secure locations in the EU or USA. Third party companies working with DCDR do not have the right to share or otherwise profit from your personal information.

6. Your rights

At any time, you have the right to ask us to show you what data we hold about you. We will respond to this request in a reasonable timeframe, either supplying you with the information or directing you to a third party (such as a payment provider). We may seek proof of identity before disclosing any information.

You also have the right to ask us to remove (i.e. stop processing) or update any information we hold about you. Again, we will respond to this request in a reasonable timeframe, and will, if possible, remove or update the information. We may direct you to a third party if the information is actually held by them (e.g. it’s your own PayPal account, and not DCDR-managed data).

Your right to erasure of data is not absolute. Details can be read at the ICO website.

You will accept that if we cannot store specific information about you, then we are unable to provide you with the specified service. For example, if you wish us to remove your information from the membership database, you cannot reasonably expect to remain a member of DCDR.

Any such requests should be made to: info@downrail.co.uk

Examples of cases where we would direct you to a third party would include payment gateways such as PayPal, where your agreement is with them and not with DCDR.

7. Complying with Legal Process

DCDR reserves the right to use or disclose your Personally Identifiable Information and other information in response to legal requests from law enforcement agencies, authorised government agencies, or following court orders, warrants, or legal process, or to otherwise establish or exercise our legal rights or defend against legal claims or in the event you violate or breach an agreement with us.

We may use and disclose your Personally Identifiable Information if we believe you will harm the property or rights of DCDR and any of its members, volunteers or property.

8. Links to third party websites

DCDR is not responsible for content on any third party websites that we link to. As soon as you leave the www.downrail.co.uk domain, your relationship is between yourself and the third party website, not DCDR.

9. Cookies And Tracking Technologies

Visit the Cookie Information page to learn about our use of Cookies and to change your preferences.

10. Questions about this policy

If you have any questions or concerns about this Privacy Policy, please contact us at: info@downrail.co.uk

11. Document History

First added: 9th May 2018

Updated: 18th February 2020 (added link to enable users to revoke downrail.co.uk cookie consent more easily)

Updated: 22nd August 2020 (Cookies Information moved to a standalone webpage)