This privacy notice was last updated on 25 March 2025.

We know you care about your privacy and security, so we treat your information with the highest standards of confidentiality and security.

We are committed to protecting your privacy. We will only use the information that we hold about you lawfully, in accordance with the Data Protection Act (2018),The General Data Protection Regulation 2016/679 (GDPR), the Privacy and Electronic Communications Act (2003) and other regulatory requirements.

We will never process sensitive information about you without your explicit consent. The information we hold will be accurate and up to date. You can check the information that we hold about you at any time by contacting us at pr@cryptic.org.uk or writing to us at CCA, 350 Sauchiehall Street, Glasgow G2 3JD.

Privacy Policy

Using personal information allows us to develop a better understanding of our audiences and in turn provide you with relevant and timely information about the work that we do – both on and off stage. As a charity, it also helps us to engage with potential donors and supporters and to report back to our funders.

The purpose of this policy is to give you a clear explanation about how we collect and use the information we collect from you directly and from third parties.

This policy explains:

  • What information we may collect about you;
  • How we may use that information;
  • In what situations we may disclose your details to third parties;
  • Our use of cookies;
  • Information about how we keep your personal information secure and your rights to be able to access it.

 We may change portions of this privacy notice from time to time, so be sure to check it regularly. If we make a change that significantly affects your rights, or significantly changes how we use your personal information, we will notify you by prominently posting this on our websites and/or email within a reasonable period prior to the change becoming effective.

Who we are

We are a charity and Creative Scotland Multi Year Funded Organisation. We also receive funding from various trusts, foundations and individual donors and supporters. Our registered charity number is SCO22476 and we are also registered as a company limited by guarantee and registered in Scotland under registration number SC150281.

Cryptic is registered with the Information Commissioner’s Office in accordance with current data protection legislation: our registration number is ZA24873.

We are the data controller for the personal information you share with us and we otherwise collect in respect of you. Our Data Protection Officer is Claire Moran. You can contact her here or via our postal address. Please mark the envelope ‘Data Protection Officer’.

Our office and postal address is: Cryptic, CCA, 350 Sauchiehall Street, Glasgow, G2 3JD or you can contact us by telephone: +44 (0)141 354 0544


Information Collection

Under the GDPR there are six identified reasons for processing these are:

  • Consent: you have given clear consent for us to process your personal data for a specific purpose.
  •  Contract: the processing is necessary for a contract we have with you, or because we have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

We collect various types of personal information and in a number of ways.

We currently operate two websites www.cryptic.org.uk and www.sonic-a.co.uk (“the Websites”).

Information you give us

The law requires us to be open with you about what personal data we process, and what we do with it. We only hold personal information about you that you have shared with us, including but not exclusively, forename, surname, address, telephone number, email address, IP address, device type, lifestyle and demographic data.
Under GDPR we have 28 days in which to respond to a Subject Access Request.

We do not obtain any personal information about you simply through you browsing our websites. Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us.
  • You have asked us for information.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You have applied for a job with us.
  • You are representing your organisation.

We may also receive personal information indirectly, in the following scenarios:

  • Where you have made your contact information available on your organisation’s website and we use this to contact you and your organisation.
  • An employee of ours gives your contact details as an emergency contact or a referee.

For example, when you register on our website, subscribe to our e-mails, buy tickets,  make a donation or when you join our Cryptic Angels scheme, we will store personal information you give us such as your name, email address, postal address and telephone number. We will also store a record of your purchases and donations. All this information is stored securely in our systems.

About your communication with us

When you communicate with us, whether by phone, e-mail or via other means, for example to ask for information, we collect information relating to this communication. We use this information to answer any issues or concerns and to provide you with the information and services you require from us.

When you visit our website, we collect information about how you interact with our content and adverts. When we send you a letter or email, we store a record of this, and in the case of emails, we keep a record of which ones you have opened and which links you have clicked on.

When you access our social media channels, including Twitter, Instagram, YouTube, Facebook and TikTok we only receive personal information that you share with us voluntarily and that is compatible with your privacy settings. To find out more about how these social media companies process your personal information, we recommend that you read their individual privacy policies.

We use social media to publish messages and updates about events and news. On occasion we may reply to comments or questions you make to us on social media platforms. You may also see adverts from us on social media that are tailored to your interests.

Under 18s

If you are under 18, please make sure that you obtain your parent/guardian’s permission whenever you provide personal information to us. If you don’t have their permission, you must not provide personal information to us.

Information from third parties 

We occasionally receive information about you from third parties. For example, we may use third party research companies to provide general information about you, compiled using publicly available data. We may also receive information about you from venues where you have booked a performance or event. This is for research and reporting purposes only, unless you have given your consent to receive communication from us.

Special categories of Personal Data 

Data Protection law recognises that certain categories of personal information are more sensitive such as information relating to health, race, religious beliefs and political opinions. We do not usually collect this type of information about you unless there is a clear reason for doing so. For example, we sometimes collect health information about participants in our workshops.

We will only retain your personal information for as long as necessary and to fulfil our legal obligations.  It will be kept secure using appropriate security measures to prevent unauthorised access, modification or disclosure.

How we keep your details safe and secure

Your personal data is personal to you and it should stay safe and private. We know this is crucial in maintaining your trust in us. We protect your details in many ways. These include staff training, investing in technology and following strict handling and storage procedures.

​The personal data processed is limited to information that is relevant and necessary.  We take all appropriate steps to keep your data secure. We always follow data protection law and aim to apply best practice for information security.

​Our technology and information security systems are there to protect your personal data. We apply up to date data encryption tools and have specific policies in place, with dedicated staff training materials and contracts to ensure personal data is fully protected. This aims to prevent your data being lost, damaged or destroyed, or its unauthorised or unlawful use.

We train our staff to take care of your personal data and give them detailed guidance on security requirements. So, if you contact us, we’ll always ask you to identify yourself before we share any of your data with you.

Your personal data will be held and processed on our systems or systems managed by suppliers on our behalf. We maintain a customer relationship management (CRM) system to hold contact details and a record of your interactions with us such as ticket purchases, donations, queries, complaints and attendance at special events. Where possible we aim to keep a single record for each customer.

Your data is always held securely. Access to your information is strictly controlled. The CRM system can only be accessed by people who need it to do their job. Certain data, for example,  some sensitive information, is additionally controlled and is only made visible to members of staff who have a reason to use it.

We will only ever share your data in other circumstances if we have your explicit and informed consent, such as where we are under a duty to disclose your personal information to comply with any legal obligation (for example to government bodies and law enforcement agencies). Your personal information may also be processed if it is necessary to defend a legal claim. We will not delete personal information if relevant to an investigation or a dispute and it will continue to be stored until those issues are fully resolved.

Finally, your personal data may be shared if it is anonymised and aggregated, as in such circumstances the information will cease to be personal data.

We aim to be clear and transparent when we collect your data and not to do anything you wouldn’t reasonably expect.

If you make a purchase, sign up for an event or give a donation we usually collect your name, contact details and your bank or credit card information (if making a transaction).

We use this data to provide you with information about the events, services or information you asked for, ensure we know how you prefer to be contacted, understand how we can improve our communications or events, administer your donation or to process Gift Aid.

When you subscribe to our mailing list on our website, you can choose whether you would like to receive direct marketing communication and details of how you can support our work by email or post. We will include opt-out instructions in any communications you receive from us.

Marketing

We classify our audience into groups and segments based upon their booking history and ticket purchases, attendance over time and information that is provided when you create an account, such as your postcode.

We use analytics to better understand our development as an organisation. We use anonymised data for this analytical research. We consider the growth and sales rate of our tickets and combine this with other relevant data such as interactions with our website and social media.

We may also undertake in-depth audience research by email, online and/or in person after each event. You are under no obligation to participate. Full details of the process are provided when we ask you to participate.

Fundraising

As a charity, we undertake research to support our fundraising and income generation activities to ensure our fundraising campaigns, events and fundraising communications are targeted in the most effective way.  This also includes:

  • evaluating the effectiveness of these campaigns and making changes where required;
  • deciding whether certain individuals may be interested in supporting us;
  • ensuring we conduct campaigns and fundraising activity in compliance with the law and industry codes of practice; and ensuring that we have reasonable knowledge of prospective donors to minimise the risk of reputational damage.

We may also undertake an analysis of our audience by attendance, donations, postcode and other information contained on our own database to contact individuals who might be interested in supporting our fundraising campaigns (which could include donations and individual giving schemes).  The analysis activity where our audience is segmented is not targeted at specifically identifiable individuals in the first instance and communications sent to individuals is done so in accordance with their consent or our legitimate interests.

We may carry out research on our own database such as connections to ticket buying and history of giving and we may seek additional information from third party sources.

We endeavour to make sure that any research and data collection we do is only sourced from publicly available sources where an individual would, in our view, have a reasonable expectation that their information may be freely read by the public or the individual has freely made information available in respect of their business and philanthropic interests.

We carefully balance our legitimate interests against your interests as an individual. You can exercise your rights over your personal information at any time.

We will always keep your rights and interests at the forefront to ensure they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please contact our Data Protection Officer, Claire Moran.

We do not sell or share personal details with other organisations for the purposes of direct marketing.   We will only share personal details for the purposes of marketing if you have given your explicit consent for us to do this. If you have opted out of marketing communications, we may still get in touch with you. For example, we may email you to give you important information about the events you’ve booked or to tell you about any changes.

We use data processors who are third parties who provide services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

You do have the opportunity to opt out, at any time, from any communications you receive from us.
Your personal information will be held, at all times, within the EEA.

Your Rights
You have certain rights in relation to your personal information. These rights and the ways in which you can use them are set out below in more detail. Some of these rights will only apply in certain circumstances. If you would like to exercise, or discuss, any of these rights, please contact us using the contact details below.

Access: you have the right to ask us if we are using or storing your personal information. You can also ask us for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.

You can use a SAR to find out:

  • What personal information we hold about you;
  • how we are using it;
  • who we are sharing it with; and where we got your data from.

Correction: You have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Erasure: you may sometimes hear this called the ‘right to be forgotten’. The right only applies in the following circumstances:

  • We no longer need your data for the original reason we collected or used it for.
  • You initially allowed to us using your data, but have now withdrawn your consent.
  • You have objected to the use of your data, and your interests outweigh our interests.
  • You have objected to the use of your data for direct marketing purposes.

Restriction: you are entitled to ask us to suspend the processing of certain of your personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Transfer: You have the right to receive your personal data in a way that is accessible and machine-readable. You also have the right to ask us to transfer your data to another organisation. We must do this if the transfer is “technically feasible”. This only applies to information that is stored electronically and that you have provided directly to us.  This may include website or search usage history or traffic and location data.

Objection: you have the right to object to us processing (using) your personal data at any time. You can object where we use your data:

  • for a task carried out in the public interest;
  • for the exercise of official authority;
  • for our legitimate interests;
  • for scientific or historical research, or statistical purposes; or
  • for direct marketing purposes.

Automated Decisions: you may object to any automated decision making and profiling.

More information regarding your legal rights in respect of personal information can be found here. You also have a right to lodge a complaint in the Member State in the European Union where you are habitually resident, where we are based, or where an alleged infringement of Data Protection law has taken place.

In the UK you can make a complaint to the Information Commissioner’s Office (Tel: +44 (0)303 123 1113 or online).

To make a request, please send us a description of the information you would like to access or the rights you would like to exercise. The request should be sent to our Data Protection Controller, Claire Moran.

How to contact us
If you have any questions or comments please contact us using the following details:
Via email: pr@cryptic.org.uk
In writing: Cryptic, CCA, 350 Sauchiehall Street, Glasgow G2 3JD
Via telephone: 0141 354 0544