Privacy Policy for Cornish Mining & Mineralogy Records

Effective Date: 1st October 2023
Last Updated: 1st October 2023

Welcome to CornishMiningRecords.com (the "Site"), the definitive online repository for Cornish mining and mineralogy records. We are committed to protecting and respecting your privacy. This Privacy Policy (the "Policy") explains in detail how Cornish Mining & Mineralogy Records ("we", "us", "our") collects, uses, stores, shares, and protects your personal data when you use our website and related services (collectively, the "Services").

This Policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please do not use our Services.

1. Data Controller

The data controller responsible for your personal data is Cornish Mining & Mineralogy Records. For any questions regarding this Policy or our data practices, you can contact us at:

2. The Data We Collect About You

We collect and process different types of personal data, which we have grouped as follows. Personal data, or personal information, means any information about an individual from which that person can be identified.

2.1. Data You Provide Voluntarily

• Identity & Contact Data: Includes your name, title, email address, postal address, telephone number, and professional affiliation (e.g., university, historical society) when you create a research account, subscribe to our newsletter, make an enquiry, or purchase a document reproduction service.
• Account & Profile Data: Username, password, security questions, research interests, saved searches, and bookmarks within our archival system.
• Financial & Transaction Data: If you make a purchase, we collect billing address, payment card details (processed securely by our third-party payment processor; we do not store full card numbers), and details of the documents or services you have purchased.
• Communication Data: Includes any correspondence when you contact us via email, contact forms, or post.
• User Contributions: Any data you voluntarily submit for publication or correction on the Site, such as transcriptions, family history links, photographs of artefacts, or scholarly notes. Please be aware that such contributions may be made publicly accessible and are subject to our Terms of Use.

2.2. Data Collected Automatically

• Technical & Usage Data: Includes your Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this Site. We also collect information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through, and from our Site (including date and time), pages you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
• Cookies & Similar Technologies: Our Site uses cookies and similar tracking technologies to distinguish you from other users, improve user experience, and analyse Site traffic. For detailed information on the cookies we use and their purposes, please see our Cookie Policy.

2.3. Data from Third Parties or Public Sources

• Technical Data: From analytics providers such as Google Analytics (based outside the UK).
• Contact & Transaction Data: From providers of technical, payment, and delivery services (e.g., Stripe, PayPal).
• Publicly Available Historical Data: As a historical archive, we process data contained in public records, published genealogies, historical journals, and other archival sources. This may include names, dates, occupations, and locations of historical individuals. This processing is carried out for archiving purposes in the public interest, scientific, and historical research purposes under Article 89 of the UK GDPR.

3. How We Use Your Personal Data (Purposes & Legal Bases)

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances and for the following lawful bases:

3.1. Performance of a Contract

To provide our Services to you, including:

• Registering and managing your research account.
• Processing and fulfilling orders for document reproductions or other services.
• Providing customer support and responding to your enquiries.

Legal Basis: Necessary for the performance of a contract with you.

3.2. Legitimate Interests

To operate and improve our Services, and to ensure security, including:

• Administering and protecting our business and this Site (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data).
• Using data analytics to improve our Site, Services, marketing, and user relationships.
• Preventing fraud and ensuring network and information security.
• Managing our archival operations, historical research, and public engagement.
• Facilitating the publication of user contributions (e.g., transcriptions) to further historical research.

Legal Basis: Necessary for our legitimate interests (to run our archive, ensure security, study how users interact with our Services, develop them, grow our organisation, and inform our outreach strategy).

3.3. Legal Obligation

To comply with our legal and regulatory obligations, such as retaining financial records for HMRC or responding to lawful requests from courts or law enforcement agencies.
Legal Basis: Necessary to comply with a legal obligation.

3.4. Consent

For specific, optional purposes where we have asked for and you have given clear consent:

• Sending you our newsletter, research updates, and promotional communications via email (you can withdraw consent at any time by clicking 'unsubscribe').
• Placing non-essential cookies on your device (managed via our Cookie Preferences).

Legal Basis: Your consent.

3.5. Public Interest / Archiving in the Public Interest

For the processing of special category data (where applicable) and personal data contained in historical archives for:

• Scientific, historical, and genealogical research.
• Archiving purposes in the public interest.

Legal Basis: Necessary for archiving purposes in the public interest, scientific or historical research purposes, with appropriate safeguards in accordance with Article 89(1) of the UK GDPR and Schedule 1, Part 6 of the Data Protection Act 2018.

4. How We Share Your Personal Data

We may share your personal data with the following categories of third parties under strict confidentiality agreements and only for the purposes described in this Policy:

• Service Providers: Trusted third parties who provide essential services, such as IT and system administration, hosting, payment processing, email delivery, and analytics.
• Professional Advisers: Including lawyers, bankers, auditors, and insurers where necessary for our professional services.
• Authorities: HM Revenue & Customs, regulators, law enforcement, or other authorities if required by law or to protect our rights.
• Academic & Heritage Partners: In an anonymised or aggregated form for statistical research, or, with your explicit consent, for specific collaborative research projects.
• Public Forum: User Contributions you voluntarily submit for publication (e.g., a transcription) will be shared publicly on the Site alongside your chosen display name.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

5. International Transfers

We primarily store and process data within the United Kingdom (UK) and the European Economic Area (EEA). Some of our external third-party service providers (e.g., cloud hosting, analytics) may be based outside the UK, so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

• Transferring to countries deemed to provide an adequate level of protection for personal data.
• Using specific contracts approved for use in the UK which give personal data the same protection it has in the UK (e.g., UK International Data Transfer Agreement).

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

6. Data Security

We have implemented appropriate technical and organisational security measures designed to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These include encryption, access controls, secure servers, and regular security reviews.

We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, and the purposes for which we process it.

Retention Periods:

• Account Data: Retained for as long as your account is active, plus a period of 3 years of inactivity before anonymisation or deletion.
• Transaction & Financial Data: Retained for 7 years after the end of the financial year of the transaction for tax and accounting purposes.
• Communication Data: Retained for 3 years from the date of last communication.
• Newsletter/Marketing Data: Retained until you withdraw your consent or opt-out.
• Historical & Archival Data: Personal data contained in historical records and user contributions intended for the permanent archive may be retained indefinitely for archiving purposes in the public interest, subject to appropriate safeguards.

In some circumstances you can ask us to delete your data: see Your Legal Rights below.

8. Your Legal Rights

Under data protection laws, you have rights in relation to your personal data. To exercise any of these rights, please contact us using the details in Section 1.

• The right to be informed: About how we use your personal data (this Privacy Policy).
• The right of access: To receive a copy of the personal data we hold about you (a "data subject access request").
• The right to rectification: To request correction of inaccurate or incomplete data.
• The right to erasure ("the right to be forgotten"): To request deletion of your personal data where there is no compelling reason for its continued processing. Note: This right is not absolute and may not apply to data held for historical research or archiving purposes.
• The right to restrict processing: To request a temporary halt on processing your data in certain circumstances.
• The right to data portability: To receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• The right to object: To object to processing based on legitimate interests or for direct marketing. You have an absolute right to object to direct marketing.
• Rights in relation to automated decision making and profiling: We do not engage in solely automated decision-making that produces legal effects concerning you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may need to request specific information from you to help us confirm your identity. We try to respond to all legitimate requests within one month.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO.

9. Third-Party Links

This Site may include links to third-party websites, plug-ins, and applications (e.g., links to museum partners, academic journals). Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Site, we encourage you to read the privacy policy of every website you visit.

10. Children's Data

Our Services are not intended for children under the age of 16, and we do not knowingly collect data relating to children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us. If we learn we have collected personal data from a child without verification of parental consent, we will delete that information.

11. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. The updated version will be indicated by an updated "Last Updated" date at the top of this page. We will notify you of any material changes via email or a prominent notice on our Site. We encourage you to review this Policy periodically.

12. Contact Us

If you have any questions, comments, or requests regarding this Privacy Policy or our privacy practices, please contact our Data Protection contact using the details provided in Section 1.