APES CIC Associate Members Portal — Privacy Policy

Version: 1.0

Effective date: 13 September 2025

Controller: Association of Protecting Exotic Species CIC ("APES CIC"), Company No. 16253848

Applies to: https://www.apesmembers.me.uk (the "Portal") and associated member communications.

1) Who we are and how to contact us

Association of Protecting Exotic Species CIC (APES CIC) is the controller of your personal data in relation to the Portal.

Registered office: Cross House, Unit 7, Sutton Road, St Helens, WA9 3YH, United Kingdom

Member support: accounts@apescoms.org.uk | 0300 302 0998

Privacy contact (Data Protection Lead): legal.apes@apescoms.org.uk

If you have questions about this policy or how we handle your data, please contact our Privacy Team at the above email.

2) Scope

This Privacy Policy explains how we collect, use, share and protect personal data processed via the Portal and related member support channels. It applies to UK‑resident individuals aged 18+ who apply for or hold Associate Membership and access member‑only content and features.

3) Personal data we collect

We only collect data that is necessary for running the Portal and managing membership. The data we process may include:

• Identity data — name, username, date/year of birth (for 18+ eligibility), residency confirmation (UK), membership ID.
• Contact data — email address, phone number, postal address (if provided), communication preferences.
• Membership data — membership status, join/renewal dates, fee payment status, role/permissions, consent records.
• Payment data — payment method, transaction ID, billing address, amount and date. Card details are handled by our payment processor; APES CIC does not store full card numbers.
• UGC and moderation data — posts, comments, messages, uploaded files, reports you submit, and moderation actions relating to community safety.
• Technical/usage data — IP address, device and browser information, login timestamps, pages viewed, referral URLs, error logs and security events.
• Communications — support emails, tickets and call notes.

Special category data: We do not intentionally collect special category data (e.g., health) via the Portal. Please avoid posting such information. If you voluntarily include it in UGC, we will process it only as necessary for moderation/community safety and then seek to minimise or remove it.

4) How we collect data

• Directly from you — when you create an account, verify eligibility, pay fees, post content, or contact support.
• Automatically — through cookies and similar technologies for security, functionality and (if enabled) analytics.
• From service providers — e.g., payment confirmations and fraud‑prevention signals from our processors.

5) Why we use your data (purposes and legal bases)

We use your data only where we have a lawful basis under UK GDPR:

• Create and manage your account; provide the Portal services — Contract (Terms & Conditions).
• Verify eligibility (18+, UK residency) — Legitimate interests (community integrity and compliance).
• Process membership payments and renewals — Contract; Legal obligation (financial records).
• Moderate community content and ensure safety — Legitimate interests (member safety; platform integrity).
• Security and fraud prevention (e.g., access logs, incident response) — Legitimate interests; may also be Legal obligation.
• Member communications (service messages, renewal reminders) — Contract / Legitimate interests.
• Voluntary marketing updates (if you opt in) — Consent. You may withdraw consent at any time.
• Analytics to improve the Portal — Consent where required for non‑essential cookies; otherwise Legitimate interests for privacy‑preserving, aggregated metrics.
• Legal and regulatory compliance; defending legal claims — Legal obligation / Legitimate interests.

6) Cookies and similar technologies

We use cookies to operate and secure the Portal and (optionally) to understand usage. Categories may include:

• Strictly necessary (e.g., session, authentication, CSRF).
• Functionality (e.g., preferences).
• Analytics (e.g., aggregated page usage). Used only with your consent where required.

You can manage non‑essential cookies via our banner or your browser settings. Blocking some cookies may affect Portal functionality. For the current list of cookies and providers, see our in‑Portal cookie notice or banner (if enabled).

7) Sharing your data

We do not sell your personal data. We may share it with:

• Service providers (processors) — hosting, security, payment processing, email/SMS delivery, analytics, customer support tools. They may process data only on our instructions and must protect it appropriately.
• Professional advisers — legal, accounting, insurance and compliance support.
• Authorities — law enforcement, regulators or courts where required by law or to protect rights, members or the public.
• Corporate transition — if we restructure our activities, data may transfer to the successor entity subject to this Policy.

8) International transfers

Some providers may process data outside the UK. Where this occurs, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or UK‑addendum to EU SCCs, plus risk assessments and technical/organisational measures. Contact us for copies of relevant safeguards where legally permissible.

9) Retention periods

We keep data only as long as necessary for the purposes above:

• Account and membership records: for the life of your membership and up to 6 years after, for audit, tax and legal purposes.
• Payment/finance records: 6 years from the end of the financial year of the transaction.
• UGC and moderation logs: retained while visible in the Portal or for up to 24 months after closure/removal (longer if required by law or to resolve disputes).
• Security logs: typically 12 months (shorter/longer where required for investigations).
• Support tickets/emails: 3 years from closure unless needed longer for compliance.
• Backups: encrypted backups are cycled on fixed schedules; residual data may persist temporarily per those schedules.

When data is no longer needed, we delete or anonymise it in a secure manner.

10) Security

We apply appropriate technical and organisational measures including encryption in transit, restricted access on a need‑to‑know basis, multi‑factor authentication for administrators, logging and monitoring, and staff training. No system is perfectly secure; please keep your login credentials secret and contact us promptly if you suspect misuse.

11) Your rights

Under UK data protection law, you have rights to:

• Access your personal data and receive a copy;
• Rectify inaccurate or incomplete data;
• Erase data in certain circumstances;
• Restrict or object to processing (particularly where based on legitimate interests or for direct marketing);
• Portability of data you provided, where processing is by automated means and based on consent or contract;
• Withdraw consent at any time (this does not affect prior lawful processing);
• Complain to the Information Commissioner’s Office (ICO).

To exercise rights, contact legal.apes@apescoms.org.uk. We may need to verify your identity. We aim to respond within one month. For the ICO: www.ico.org.uk, 0303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

12) Children

The Portal is for persons aged 18+ and UK residents only. We do not knowingly collect data from children. If you believe a child has provided data, please contact us so we can delete it.

13) Automated decision‑making

We do not use solely automated decision‑making that produces legal or similarly significant effects about you.

14) Third‑party links

The Portal may contain links to third‑party websites or services. Those sites have their own privacy policies; we are not responsible for their practices.

15) Changes to this policy

We may update this Policy to reflect changes in law or our practices. We will post the updated version on the Portal with a new "Effective date" and, where appropriate, notify members via the Portal or email. Please check back regularly.

16) Contact us

For privacy questions or requests:

• Email (Privacy): legal.apes@apescoms.org.uk
• Member support: accounts@apescoms.org.uk | 0300 302 0998
• Post: APES CIC, Cross House, Unit 7, Sutton Road, St Helens, WA9 3YH, United Kingdom