When we hold or use your personal information as a data controller (see below for a description of what this is) below sets out the information we hold about you (such as your contact details, address, etc.), how your personal information may be used and the reasons for these uses, together with details of your rights.
THE DIFFERENCE BETWEEN DATA CONTROLLERS/PROCESSORSA data controller is the organisation who controls how personal information is processed and used. A data processor is an organisation who processes and uses personal information in accordance with the instructions of a third party, i.e. the data controller. This distinction is important.
In most cases, we will not be a data controller of your personal information. In any case, where we are not a data controller, this means that you cannot exercise these rights against us directly (i.e. where we only act as a data processor), but you can do so against the data controller (i.e. the organisation who controls how we process the personal information). In these cases, we will endeavour to inform you who is the data controller of your personal information so that you can direct any such requests to them.
1. What data do we collect and from wherea. We may collect, store and use the following kinds of personal information either directly or in conjunction with and on behalf of our clients or via the contact form on our website (www.tahdah.me)
This data includes the following:
- Full name
- Your email address
- Date of birth
- Postcode and address
- Emergency Contact details
b. We also collect information that you voluntarily provide to us when you contact us with queries, complaints, comments or praise.
c. Information relating to any financial transactions carried out between you and us on or in relation to this system, including information relating to additional services you may purchase.
d. Information that you provide to us for the purpose of subscribing to our services, email notifications and/or newsletters, provided that you have indicated that you are happy to be contacted for these purposes.
e. Any other information that you choose to send to us including download, uploads and communication via your account control panel on the system.
2. Under 16’sUnder the General Data Protection Regulation (GDPR), the lawful basis we rely on for processing child information as per Article 6 and Article 9 is for the basis of: Registering for courses/workshops or awards.
The accounts for those aged under 16 can optionally be accessed by parents or legal guardians by using our parental account feature. The information that we will process will be limited and will include:
Date of birth
This will have been obtained either via the parent/guardian or entered into the system by the provider of the course the child is registering on. For Parents/guardians of a child under 16 we may process limited personal data about you so that you can give consent for your child to access relevant workshops/ courses/awards. We may also use your contact details to communicate with you either directly or on behalf of a client about the child account or use of services.
a. develop and maintain an accurate record of individuals, companies, charities or organisations;
b. enable your use of the services available on the system; c. supply to you services purchased via the system;
d. send reminders and receipts to you, and collect payments from you;
e. send you general (non-marketing) commercial communications;
f. send you email notifications which you have specifically requested;
g. send you our newsletter, periodic emails about new features, solicit your feedback, or just keep you up to date with what is going on with our product together with other marketing communications relating to our business or the businesses of carefully-selected third parties which we think may be of interest to you, by post or, where you have specifically agreed to this.
h. provide third parties with anonymised statistical information – but this information will not be used to identify any individual user;
i. deal with enquiries and complaints made by or about you relating to the system;
j. keep the system secure and prevent fraud;
k. verify compliance with the terms and conditions governing the use of the system under the terms of our disclaimer in our terms and conditions.
Your privacy settings can be used to limit the publication of your information on the system. You can adjust your privacy settings at https://cms.tahdah.me/manage. We will not, without your express consent, provide your personal information to any third parties for the purpose of direct marketing.
4. Financial TransactionsAll of our system's financial transactions are handled through our payment services providers, Stripe and GoCardLess. You can review their privacy policies here:
We will share information with Stripe and GoCardLess only to the extent necessary for the purposes of processing payments you make via our website, refunding such payments and dealing with complaints and queries relating to such payments and refunds. Organisations or Boards will be able to view and manage payments you make to them. They will not be able to view payments made to other organisations. They will however be able to view a payment made to an Organisation or Board in respect of their financial transaction. TVL will be able to see all transactions made to all Organisations or Boards.
a. to the extent that we are required to do so by law;
b. in connection with any ongoing or prospective legal proceedings;
c. in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
d. to the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling; and
6. Data PortabilityThe data connected to your profile is unique, there is no way to transfer it to another system. However, we do plan to give you the ability to download certain data as CSV files in the future which will be password protected.
The data controller for your data will be Organisation or Board and the data processor will be TVL.
7. Security of your personal informationWe will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will store all the personal information you provide on secure (password and firewall-protected) servers. All electronic transactions entered via our system will be protected by encryption technology. You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. You are responsible for keeping your password and other login details confidential. We will not ask you for your password (except when you log in to the system). Our system utilises two-factor authentication and we would encourage all users to use this functionality for added security.
8. How long do we keep your personal informationUsers' personal data - We will keep your personal information for as long as necessary to provide you with a service in line with our legitimate interests. Details will be retained for a minimum of 40 years so that TVL, Organisations or Boards are able to comply with legal requests including investigations in respect of insurance claims or by the police or other authorities in the future, however, you have the right to withdraw consent for specific organisations to access your updated information.
9. Your rightsa. All data held about you is viewable in your personal account, so there should be no need to contact us to request your personal data, however you may request us to provide you with any personal information we hold about you. However, where the request is manifestly unfounded, unnecessary or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We can also charge a reasonable fee if an individual requests further copies of their data following a request.
b. the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).
We may withhold such personal information to the extent permitted by law. You may instruct us not to process your personal information for marketing purposes, by sending an email to us at firstname.lastname@example.org. In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt-out of the use of your personal information for marketing purposes. Right to erasure
TVL and our customers affirm that they have a legitimate interest to access the information you are supplying as part of specific system activity. This activity forms part of the records of the relevant organisation therefore once you complete your activity there is no right to remove any of the above information unless you cancel within the specified time limit as indicated at the time of the transaction.
10. Third party websitesTahdah Verified Ltd employs third party suppliers to provide services. These suppliers may process personal information on our behalf as data processors and are subject to written contractual conditions to only process that personal information under our instructions and protect it. In the event that we share personal information with external third parties, we only share such information strictly required for specific purposes and take reasonable steps to ensure recipients shall only process the disclosed personal information in accordance with those purposes.
- Stripe Ltd: process credit and debit card payments on our behalf. We pass them your name, email address and postcode in order to perform fraud checks when making payments and they keep a record of this against all payments.
- GoCardless Ltd: process direct debits on our behalf. We pass them your name, email address and postcode and they may also collect additional information from you including bank details in order to process direct debit payments. They do not report your bank details back to us.
- Twilio Ltd: provide SMS services to us for the purpose of sending two-factor access codes, we will only provide them with your mobile number in order to send you an access code and only if you opt into two-factor authentication by SMS.
- Zendesk: provide our support desk services. If you send us a contact only the information you enter into the contact form will be sent to Zendesk.
1. Verification services. These services will already have a record of your personal details. When you connect your tahdah account to these services we exchange basic information about you sufficient only to establish a link, and in general these services do not record any further information. At the time of writing these services are :
a. Azolve Ltd – We use this to verify your membership of organisations that use their software to manage membership. Currently, we use this to verify membership of Mountaineering Scotland and Cycling Ireland
b. Mountaineering Ireland – to verify membership of Mountaineering Ireland
c. British Mountaineering Council – to verify membership of the BMC
2. Account linking. These services let you link elements of your account to tahdah for your own convenience. These links are initiated by you. We do not send any data to these services. We use a process called OAUTH to allow their API to communicate securely with us to share information from those services that we can use to improve your experience of tahdah. You are not required to use our services. At the time of writing the services, we link to are.
a. Facebook – you can link to Facebook for the purposes of creating a single login to your tahdah account. You can unlink this at any time. Facebook do not share any additional information with us
b. Twitter – As with Facebook
c. Google Health – You can run one-off imports of data from your Google Health account. We do not provide google with any additional information about you
d. Fitbit, Runkeeper, MapMyFitness and Strava all work the same as Google Health.
3. Cross-site login. These services allow you to log in to other websites using your tahdah login. When you do this we share a list of your active qualifications, award registrations and memberships as well as a marker if you are a director or work for any provider. These websites use this information to show you restricted content and training material. At the time of writing the websites that use this service are:
a. Mountain Training, including MTA and AMI
b. NICAS / ABC Training Trust
11. Updating informationFor your convenience updates to your personal details including address changes and name changes are held in a central record and controlled by you. If you do not wish updates to be shared with an Organisation you are no longer actively associated with you can apply to disconnect.
For further information on GDPR - click here
TahDah is fully registered with the Information Commissioners' Office (ICO). We abide by all of their guidelines and endeavour to safeguard our customer's data in any way we can.
The ICO's mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
To view our ICO registration certificate - click here