EQUISS Privacy Policy
Last updated: 02/07/2026
1. Introduction
EQUISS CIC values your privacy and is committed to protecting your personal information. We are an independent organisation working to support people across the equestrian world, including those at risk of harm or abuse, and to improve safeguarding, accountability and standards across the sector.
EQUISS CIC is a not-for-profit Community Interest Company registered in England and Wales. Company No. 16627362.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, EQUISS CIC is the Data Controller responsible for the personal information we collect and process.
This Privacy Policy explains how we collect, use, disclose, store and protect your personal data when you engage with us, including through our website, services, support line, advocacy work, events or other interactions.
We recognise that some people who engage with EQUISS may be sharing sensitive or personal experiences. We take this responsibility seriously and aim to ensure your information is handled in a safe, respectful and transparent way.
For the purposes of the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), EQUISS CIC is the data controller of the personal information we process.
2. What is “personal information”?
“Personal information” (or “personal data”) is any information that identifies you, or by which you can be identified directly or indirectly.
This may include your name, contact details such as email address, postal address and telephone number, your IP address, job title, company affiliation, service usage information, or any other data which can identify you or your device.
We may also, in certain circumstances, process “special category” information (sensitive personal data). Due to the nature of our work, this may include information relating to health, experiences of harm or abuse, racial or ethnic origin, religion or belief, sexual orientation or other information that requires additional protection.
3. Special category (sensitive) data
Some categories of personal information are more sensitive. These are known as special category data and can include information about a person’s health or wellbeing, experiences of harm or abuse, racial or ethnic origin, sexual orientation, gender identity, religion or belief, or other personal characteristics.
Due to the nature of our work, you may choose to share this type of information with us when accessing our support, advocacy or services. You are not required to provide more information than you feel comfortable sharing. We are not looking to collect sensitive personal information beyond what is necessary, and in many cases you can access our support without identifying yourself.
If you provide any special category data to us, we will only use this information for the purposes outlined in this policy, including providing support, fulfilling our safeguarding responsibilities, and improving our services.
Where we process this type of data, we ensure that it is protected through appropriate technical and organisational measures, including secure systems, restricted access and clear internal processes. This information is only accessed by those who need it to carry out their role.
All special category data is processed in accordance with our obligations under UK data protection law, including the additional safeguards required for handling sensitive personal information.
4. How we collect and use your personal information
How we collect and use your personal data depends on how you interact with us. The sections below explain how your datais used in different situations.
5. If you are browsing our website
Purpose:To provide a better user experience, monitor website performance and improve our services
Type of data used: IP address, browser type and version, device information, usage data
Legalbasis: Consent (for non-essential cookies) ; Legitimate interests (for essential functionality)
How long we keep your data: In line with our Cookies Policy
6. If you contact the EQUISS support line or request support
Purpose:
- To provide support, respond to your enquiry, understand your needs and improve our services
- To monitor demand and usage of the service
- To maintain appropriate safeguarding records where necessary
Type of data used:
- Name (or name you choose to give)
- General location (e.g. region)
- Information about your situation or experiences
- Optional demographic information
- Technical data such as call duration or system information
Legal basis:
- Legitimate interests (providing support and improving services)
- Vital interests (where necessary to protect you or another person from serious harm)
- Explicit consent (whereappropriate)
How long we keep your data:
- Identifiable information retained only as long as necessary for support and safeguarding purposes (up to 12 months, depending on the nature of the interaction)
- Anonymised data retained for longer periods (up to 5 years) to support insight, service improvement and campaigning
- Technical data retained for a limited period (6 weeks) for system management and troubleshooting
Additional information:
Information may be recorded within our secure case management system, IIZUKA, to manage interactions and ensure continuity of support.
We do not require you to identify yourself to access support. The amount of information recorded will depend on what you choose to share.
We may collect limited technical data (such as call duration or system data) to enable the service to operate effectively.
We may collect limited technical data (such as call duration or system data) to enable the service to operate effectively.
We will usually seek your consent before sharing information with another organisation. However, there may be circumstances where we need to share information without your consent where we believe this is necessary to protect a child, vulnerable adult or another person from serious harm, where required by law, or where safeguarding concerns outweigh an individual's right to confidentiality.
Where possible, we will explain this to you and discuss any proposed information sharing.
7. If you receive advocacy or casework support
Purpose:
- To provide advocacy and casework support
- To support you through reporting processes and engagement with relevant organisation
- To ensure safe and consistent handling of safeguarding concerns
Type of data used:
- Contact details (if provided)
- Information about your situation or experiences
- Records of communications and actions taken
- Any information necessary to support your case
Legal basis:
- Legitimate interests (providing advocacy support)
- Vital interests (where there is a risk of serious harm)
- Substantial public interest (safeguarding individuals at risk)
- Explicit consent (where required)
This may include situations where processing is necessary to protect you or another person from serious harm, or where safeguarding concerns mean information must be recorded and acted upon.
Howlong we keep your data: Retained in line with safeguarding, legal and operational requirements (for the duration of the case and for a defined period afterwards in accordance with safeguarding and legal obligations)
Additional information:
Information is managed within secure systems including IIZUKA to ensure safe and accountable case management.
Case records may be retained for extended periods where necessary to meet safeguarding, legal, regulatory or operational requirements. Retention periods are determined in accordance with our internal data retention schedule.
8. If you engage withour training or events
Purpose:
- To manage bookings and participation
- To deliver training or events
- To communicate relevant information
Type of data used: Name; Contact details; Organisation and job title
Legal basis: Performance of a contract; Legitimate interests
How long we keep your data: Retained only for as long as necessary to deliver the training or event, and meet legal or regulatory requirements
9. If you receive marketing communications
Purpose: To send updates about our work, services and activities
Type of data used: Name; Email address; Communication preferences
Legal basis: Consent; Legitimate interests (where appropriate)
How long we keep your data: Until you unsubscribe or withdraw consent
10.If you make a donation or financial contribution
Purpose:
- To process your donation
- To manage financial records and compliance
Type of data used: Name; Contact details; Payment information
Legal basis: Legitimate interests; Legal obligation
How long we keep your data: In line with financial and regulatory requirements (typically up to 6 years)
Additional information:
Donations made through our website are processed securely by Stripe, our third-party payment processor. Your payment card details are entered directly into Stripe's secure payment system and are not stored or accessible by EQUISS.
Stripe processes payment information on our behalf in accordance with its own Privacy Policy. As a global provider, Stripe may process or store personal data outside the UK. Where this happens, appropriate safeguards are in place to protect your information, as explained in the Data transfers outside the UK section of this Privacy Policy.
You can find more information about how Stripe processes personal data in the Stripe Privacy Policy: https://stripe.com/gb/privacy
11. Legal basis for processing
We will only process your personal data where we have a lawful basis to do so under UK GDPR. These include performance of a contract, legitimate interests, legal obligation, consent and vital interests.
Where we process special category data, we will also rely on additional conditions such as explicit consent, safeguarding and substantial public interest, or vital interests where appropriate.
12. Sharing your information
We may share your personal data with employees, agents, contractors and service providers where necessary to deliver our services.
This includes trusted third-party providers such as IT systems, hosting providers, customer relationship management systems, email communications, telephone services, secure payment processors (including Stripe), and case management platforms, including IIZUKA, which process personal data on our behalf under appropriate contractual safeguards.
We use a number of trusted third-party service providers to support our operations, including providers of website hosting, customer relationship management systems, email communications, telephone services, case management systems, cloud storage and IT support.
All service providers processing personal information on our behalf are required to do so under appropriate contractual and security arrangements.
We may also share information with regulatory, governmental or law enforcement authorities where required by law or where necessary to protect our rights, property, safety or the safety ofothers.
In some circumstances, particularly where there is a risk of serious harm, or where a child or vulnerable person may be at risk, we may need to share information without your consent.
This may include sharing information with safeguarding authorities, regulatory bodies or law enforcement agencies, such as the police.
Where possible, we will explain this to you. However, there may be situations where we are not able to inform you in advance or at the time the information is shared.
We do not sell your personal data.
13. Data retention and storage
We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and in accordance with applicable laws.
When determining retention periods, we consider the nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, and our legal and safeguarding responsibilities.
Where possible, we minimise the amount of identifiable data retained and may retain anonymised data for longer periods to support insight, service improvement and campaigning.
14. Data minimisation and anonymity
We are committed to collecting only the information we need and allowing individuals to access support without identifying themselves where possible.
We may use anonymised data to understand patterns, improve services and inform our work. This data does not identify you.
15. Children and young people
We recognise that some individuals who engage with our services may be under the age of 18, or that information shared with us may relate to children and young people.
We take additional care when handling information relating to children and young people and process this information in accordance with safeguarding requirements and applicable data protection legislation.
Where appropriate, we will consider the age, understanding and best interests of the child when processing personal information.
16. Keeping your information safe
We take the security of your information seriously and have implemented appropriate technical and organisational measures to protect it.
This includes secure systems, restricted access to data, and staff training in confidentiality and safeguarding.
Only those who need access to your information to perform their role will be able to access it.
17. Data transfers outside UK
Where your data is transferred outside of the UK, we make sure that your data is given the same level of protection, either because that country has a comparable data protection standard (Adequacy), or by using another safeguard such as an enhanced contractual agreement. If you want additional information about the mechanisms relied on when transferring your data to another country, please contact us.
Some of our service providers, including Stripe, may process personal data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy regulations or approved contractual safeguards, to protect your personal information.
18. Your rights
Under UK data protection law you have the following rights in relation to your personal data:
The right to request access to the personal data we hold about you (“Right of Access”).
The right to request correction of inaccurate or incomplete personal data (“Right to Rectification”).
The right to request deletion of your personal data (“Right to Erasure”) when we no longer have a lawful basis for retaining it.
The right to restrict or object to certain processing of your personal data (“Right to Restrict/Objection”).
The right to data portability, meaning you can request a copy of your personal data in a structured, commonly-used, machine-readable format, and transfer it to another organisation, where applicable.
The right to withdraw consent at any time where the processing is based on consent (this will not affect processing that took place before you withdrew consent).
The right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO) if you believe our processing of your personal data infringes the law.
To exercise any of these rights, please contact us. We may ask you to verify your identity and provide additional information to locate the correct records.
19. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will indicate when the policy was most recently revised. We encourage you to check back periodically. Where required by law or our internal governance, we will notify you of significant changes.
20. Contact us
If you have any questions, comments or concerns about our privacy practices or this policy, please contact us via Data Protection Officer: DPO@equiss.org.uk
Address: EQUISS CIC, C/O Keysoe International, Church Road, Keysoe, Bedford, Bedfordshire, United Kingdom, MK442JP
You also have a right to contact the UK Information Commissioner’s Office at www.ico.org.uk or call 0303 123 1113. Our ICO registration number is ZC060828



