Privacy Notice

Updated November 2022

Under the General Data Protection Regulation (GDPR), we have a legal duty to protect any personal data that we collect from you, to be explicit about what purposes we are using it for and to make it easy for you to opt out from receiving communication from us at any time. In this context, personal data refers to any information relating to an identifiable person, whether directly or indirectly.

This page explains how we protect and respect the data we collect from you.


  • Whose information do we collect?
  • What personal data do we collect about you?
  • How will we use the personal data about you?
    • COVID-9 – Test and Trace
    • Chapter Marketing/Fundraising
  • Access to your personal data and correction
  • Encryption on payment processing
  • Transferring of information out of the EEA
  • Cookies
  • Other websites
  • Changes to our privacy policy
  • How to contact us


Whose information do we collect

We collect personal information about the following categories of people:

  • Audience members;
  • Caffi Bar patrons;
  • Gallery visitors;
  • Participants in engagement activities;
  • Participants in customer surveys and feedback forms;
  • Hirers / Tenants of spaces in our building;
  • Supporters – Friends, Donors;
  • Other stakeholders.


What personal data do we collect about you?

Depending on which activity you engage with at Chapter, we may collect some or all of the following information:

  • Biographical – name, title, previous last name, date of birth or age, gender, ethnicity, faith, or information that indicates your socio-economic status;
  • Contact details – postal address, email address, phone number;
  • Access requirements;
  • Record of donations or payments (payment for tickets, food and drink and regular donations are managed through a third party – bank account details are retained only for the purposes of processing direct debits and details are held on a secure server);
  • Attendance at events, and attendance in areas across the building (Gallery, Caffi Bar, etc).
  • The use of CCTV recording equipment in and around our premises for monitoring and security purposes.

We will only collect this information when there is a legitimate reason for doing so.


How will we use the personal data about you?

We collect personal data about you to process any order you make, to enable you to use Chapter services and to let you know if there are any changes to our events or services (for instance a change in start time or very occasionally regarding a cancellation). 

Covid 19 – Test and Trace

In light of Covid 19 Chapter is also now legally obliged to collect data to support NHS Test and Trace and when you visit Chapter you will be asked to provide your name and contact details using either:

Chapter is required by law to hold records for 21 days. Records will be stored on the system relevant to your use of Chapter (via ticketing, café bar etc). This reflects the incubation period for Covid 19 (which can be up to 14 days) and an additional 7 days to allow time for testing and tracing. After 21 days, this information will be securely disposed of or deleted. This will be done in a way that does not risk unintended access (for example shredding paper documents and ensuring permanent deletion of electronic files).

If you provide your details directly to Chapter, the following will apply.


Chapter Marketing/Fundraising

We will also collect personal data about you, if you agree, so we can email you about other Chapter events and services we think may be of interest to you. We would also like to contact you from time to time regarding our fundraising activities. We will only do this if you have given your consent when asked at the initial point of contact. If you have consented to receive marketing or fundraising information, you may opt out at a later date. You will also be offered the opportunity to opt-out every time we communicate with you. If you have an online account, you can also log in at any time and update your preferences.

In relation to personal data voluntarily given through customer surveys and feedback forms, this data is used to inform future programme plans and improve services and is occasionally shared with stakeholders and is sometimes required as a condition of funders. In these instances, all data is anonymised, with no identifiable data being passed on. For the purposes of competitions, personal data is collected for that specific purpose and destroyed after completion.

If you also consent, we will use your personal data to let you know about our Fundraising activities and selected activities in which Chapter is involved. From time to time Chapter engages with third parties to deliver fundraising campaigns and to process donations e.g. Charities Aid Foundation, Facebook, Paypal etc. Chapter will always make clear if we are using a third party, at which point the privacy policy related to the third party will apply. Chapter only ever engages with companies who have robust privacy policies in place.

We will never share your personal data with external companies other than those selected to process our customers details for the purposes of ticket or product transactions (Spektrix); room hire (Artifax); café table bookings (Resdiary) and café bar transactions (Tevalis and Onvi).  We have put in place contractual arrangements with these organisations to ensure that your data is secure and protected at all times. Requests for information to be removed from these systems should be made directly to Chapter.

Suppliers who we hold contractual arrangements with include:

Supplier Function

Processing ticket and product purchases

DotDigital Combined with Spektrix to send Newsletters and keep in touch via email.
Artifax Processing room and office hires
Tevalis Processing Café Bar transactions
Onvi Processing Café Bar transactions online
Breathe  HR system recording holiday and sickness of Chapter employees
Sage  Processing of invoices
RotaReady   Rota system which records details of staff contact information and pay details
ResDiary Processing Café Bar table bookings- credit card details may be required on certain bookings












Chapter will not share your personal data for marketing purposes with external companies.

We use ‘Cookies’ on our website to allow us to see how our website is used and to improve our services to you. None of this information identifies you personally. For more information see below.


Access to your personal data and correction

You have the right to request a copy of the personal data that we hold about you. If you would like a copy of the personal data that we hold on you, please email or write to us at the following address, c/o Data Manager, Chapter, Market Road, Cardiff CF5 1QE.  

We want to make sure that your personal data is accurate and up to date. You may ask us to correct or remove data you think is inaccurate by contacting us on the address above, by calling our Box Office on 029 2030 4400, or by emailing


Encryption on payment processing

Your payment details are processed by Secure Sockets Layer (SSL). SSL is a security protocol used by Web browsers and Web servers to help users protect their data during transfer. An SSL Certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain, the server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognises and trusts the issuer of the SSL Certificate. This process is known as the ‘SSL handshake’ and it can begin a secure session that protects message privacy and message integrity.


Transferring of information out of the EEA

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted during transit using TLS 1.2 encryption. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site. You are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the internet and the transmission of information via the internet are not fully secure. Although we will use reasonable endeavours to protect your personal data and prevent unauthorised access to it by storing it on a secure server which is password protected and hidden behind a firewall from the outside world, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

Messages delivered to us via our Ticketing system will be stored within the European Economic Area on our email provider’s servers.

Our third-party email or provider is Microsoft Office 365. Their privacy policy is available here:



Cookies are small text files stored by your Web Browser (e.g. Internet Explorer, Chrome, Safari, Firefox) on your computer, tablet or mobile phone to enable functionality on a website (for example storing user preferences).

For further information, visit or

How does the Chapter website use Cookies?

The Chapter website uses a Cookie to record whether a user's browser is enabled to use JavaScript, a common website tool for providing interactivity such as the animation of page elements e.g. fading them in and out. The Cookie is a simple yes/no flag, and contains no personal data. Our website also uses Google Analytics. Google Analytics is a tool that allows the behaviour of users on a website to be analysed, to help a website owner to provide the best user experience. Google Analytics generates Cookies that identify whether you've visited the website before, which pages you visit, etc. These Cookies cannot be used to identify individuals; they are used for statistical purposes only and the data never shows any confidential information. The data itself is only visible to the website owner, the website provider 21st Century Web Design and the relevant team at Google.

This website includes functionality to interact with social media websites such as Facebook, Twitter, Disqus and uses Share This services that allow interaction with a wide range of third party social media websites.  You should be aware that those sites may also set Cookies while you're using this website, again to improve functionality. Chapter is not responsible for these third party Cookies and you have the option not to enable them although this may affect functionality.  For more details please consult the privacy policies of the various services in question.

This website includes video/audio content from You Tube or Vimeo you should be aware that those sites may set Cookies while you're using this website, again to improve functionality. Chapter is not responsible for these third party Cookies and you have the option not to enable them although this may affect functionality.  For more details please consult the privacy policies of the various services in question.

In direct relation to Chapter’s own website, you can restrict or block the Cookies used by the website through your browser settings but this will impact your user experience. The Help function within your browser should tell you how.

Spektrix Ticket Sales

We use a mixture of essential and non-essential Cookies as part of the booking process in order to ensure you have the best possible experience.

Essential Cookies

In order to keep track of your order it is essential that we store a ‘Session Cookie’ on your computer. This Cookie will last for 24 hours.

A Session Cookie is erased when the user closes the Web browser. The Session Cookie is stored in temporary memory and is not retained after the browser is closed. Session Cookies do not collect information from the user’s computer. 

Non-essential Cookies

We use a few Non-essential Cookies to customise your booking experience and help make it easier and more enjoyable for you. These extra Cookies are used to store things like your login details so you will be automatically logged in each time you visit our site.

Before storing any of these Cookies for the first time, we will alert you and ask your permission before proceeding. If you do not wish to store these Cookies you will not be able to use that particular feature, but the rest of the site will continue to work correctly.

Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.



Chapter operates CCTV camera surveillance throughout the building and on the perimeter of the premises. The system is in place for the purposes of reducing the threat of crime generally, protecting Chapter’s premises and helping to ensure the safety of Chapter’s staff and visitors. The images are stored securely and monitored in a controlled space. Images may be shared with our insurance company and relevant authorities.


Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last updated on 23 September 2020.


How to contact us

Please contact us if you have any questions about our privacy policy or personal data we hold about you:

by email –

by phone – 029 2030 4400

by post – c/o Chapter, Market Road, Cardiff CF5 1QE