At the Grassmarket Community Project we respect the privacy of our members, volunteers and wider network of supporters.  

We are passionate about providing sanctuary and a safe environment to vulnerable people in Edinburgh and the Lothians. Through mentoring, social enterprise, training and education we help individuals develop their full potential.  

We only collect information we consider necessary to help us achieve our charitable purposes and ensure the success of our social enterprises that support these. In particular, we do not share or sell information to any other organisations for marketing purposes.  

What personal data we collect and why we collect it


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

How we protect your data

We store your data with your permission in a secure cloud based database salesforce. This is password protected as well as mandatory periodic password changes and 2 stage pin authentication. 

Member and Volunteers 

If you are interested in becoming a member of our community, or volunteering with us, you will need to complete a registration form. This includes an explanation of the purposes for which we require your information and asks for confirmation of your understanding and consent. You can find this form on the  page on our website. Your confidentiality is extremely important to us at the Grassmarket Community Project and we consider this necessary to develop trusting and supportive relationships. If you have any questions about how we will use your information please let us know. You can contact us by calling 0131 225 3626 or by emailing [email protected]. 

Our wider network 

We cannot achieve our charitable purposes without our wider network of friends and supporters. This includes funders, donors, customers, suppliers, referral agencies, general friends and other interested parties. We occasionally contact our friends and supporters for legitimate community interests including fundraising initiatives, marketing for our social enterprises, event listings, community related news and furthering our charitable aims.  

We grow this network through our own efforts which include networking at events and occasional targeted research into individuals and organisations who we believe may wish to support us in some way. We do not buy data from other organisations for this purpose. Our privacy notices is made available to professional contacts we would like to invite to join our network. We will seek consent from individuals acting in their personal capacity for these purposes.  

If you do not wish to be included in our network any more, you can unsubscribe using the option included in that communication or email  [email protected] and ask to be removed.

Data Policy

Policy Statement 

The Grassmarket Community Project (GCP) respects the privacy of members, volunteers and its wider network of supporters. We only collect data necessary to help achieve our charitable purposes and ensure the success of the social enterprises that support these.  

  1. Scope 

This policy applies to all staff and volunteers collecting and/or processing data relating to individuals as part of their GCP duties. This applies to processing of data for members, volunteers and our wider network. [Staff data is primarily used to fulfill employment contracts. [If you have any questions please speak to our CEO.] 

2. Context

Data Protection legislation is in place in the UK and the EU, with which the GCP adheres. GCP policy has been developed in line with its understanding of guidance developed by the Information Commissioner’s Office (ICO) for organisations in the UK.  

3. Definitions 

Data Controller 

Jonny Kinross, CEO 

Data Processors 

All staff and volunteers collecting and processing data 

Board Contact  

Richard Frazer, Chair

Personal Data/Info 

Any information that relates to an individual 

Business Contact 

An organization or individual in their business capacity e.g.  [email protected] or [email protected]. Email is a useful example. The distinction applies for all info e.g. tel etc. 

Private Contact 

An individual in their private capacity e.g. [email protected], unless you know they use this address for their business, in which case they are a business contact 

 4. General Policy 

The privacy notice on the website ( and registration form are the primary statements outlining the basis on which we collect and process personal data. Individuals should be comfortable with our general data policy in order to become a member or volunteer of the GCP, this is necessary to facilitate their membership and the wider community overall. Individuals can unsubscribe from Mailchimp and Voodoo group texting and remain Members (they may need to call or come in to the Grassmarket Centre to find out what is going on). Personal data is only be kept as long as it is required. 

 5. Primary personal data collected and held 


Data Forms & Systems 

Processing Notes – also see Appendix One re: Salesforce “Data Policy” Field 

Members & Volunteers (including Peer Mentors and Facilitators) 

Registration (referral) Forms 





PVG Form 





  • Posted into locked post box in café or put into registration form drawer in admin office 
  • Data entered onto new record on Salesforce, copy form scanned and attached Salesforce record 
  • original Shredded and securely disposed of 


  • Posted into locked post box in café or retained discreetly in staff office until given to CEO to send to PVG body 
  • Result retained by CEO in locked filing cabinet 


  • Restricted access: staff and volunteers given passwords only 
  • Data Policy field: leave blank until data section on registration form or equivalent completed, then mark as “consent 

Wider network 













Other systems 

All of our business contacts and private contacts  should be on Salesforce, including funders, donors, customers, agencies, friends, supporters & wider network – unless they have asked not to be added or to be deleted. 

  • Ensure appropriate privacy notice included in communication with all new contacts.  
  • Data Policy field:  
  • Business contact  – privacy notice made available. 
  • Private contacts  can only be included in marketing with their consent – issue an appropriate private notice and leave this field blank, if consent is then received change to “consent”. 

These are only used as necessary. E.g. Event Pro for customers, Xero for receipt of payments etc. Other than Salesforce, only essential data for the purposes of a specific system should be held on that system. Only systems approved by the Data Controller should be in use.  

 6.  Personal data processing and activities 

Passwords – passwords are generally never shared with anyone. The only exceptions are:  

  • Administration assistant providing password to reception volunteer for data input. The volunteer should not share that password with anyone.  
  • When specifically requested by our IT providers for essential IT maintenance work on your individual account.  
  • When authorised by the Data Controller.  

7. Paper records, scans, server files and emails 

Personal information is only kept in a format other than Salesforce or appropriate password protected system, for example paper, word-file, excel, emails etc., when necessary for facilitation and support of an individual or activity within our community.  

Paper records containing personal information are kept in an enclosed folder or cabinet in a staff office (which is locked when no staff are present) when these are not in use. These are not left on desks, or elsewhere e.g. the photocopier, unattended. If any such papers are to be taken outside the Grassmarket Community Project for any purpose, the Data Controller’s consent must be obtained first. When paper files are scanned, the scanned version is deleted once this has been filed in the appropriate place on Salesforce, private server folder or emailed as required. When papers are no longer required these should be shredded and securely disposed of in a paper bin.  

Electronic files containing personal information are kept in an appropriate “private” folder (with restricted access) on the S drive of the GCP secure server. These are not left open on a screen unattended. If any are to be downloaded from GCP servers (e.g. on to a memo stick or disk or emailed externally) for any purpose, the Data Controller’s consent is obtained first.  

Personal information in emails is minimised and only shared with other GCP staff, the individuals themselves or third parties where we have the individual’s consent or we are required by law. Staff do not use their personal email account to share or give this for the purpose of receiving any GCP personal information.  

Any personal information included in the above is only retained as long as required. Staff are responsible for ensuring any data they have stored is deleted once its purpose has been served. In particular, staff carry out regular review of their email, desks, filing cabinets and folders on the GCP server.  

Photographers – are respectful of individuals, letting people know they are taking photos and the purpose, and giving individuals the opportunity to remove themselves from the area being photographed. Staff and volunteers organizing and facilitating photographers will ensure the photographer is aware of this. 

Social media – if any additional personal information is attached to a photo, e.g. an individual’s name or the position they hold at the GCP, the individual’s permission is sought for this. 

Emergency contact details – these are only be available to staff present at, or on call to support, any group or activity outside of the Grassmarket Centre. These are securely disposed of after the group or activity. 

Marketing – Marketing includes raising our profile e.g. with referral agencies, fundraising initiatives, marketing social enterprises, informing individuals of training opportunities, providing community news etc. Any communications must include a clear unsubscribe/opt-out option: 

  • Mailchimp – has an automatic unsubscribe option 
  • Voodoo – used for member and volunteer (and staff) comms; the author will manually include the unsubscribe wording provided on the voodoo site in their text 
  • Other – staff will include unsubscribe options if any other systems is used in future 

Benefit support – any personal information stored on paper during sessions is scanned and emailed to the benefit support email ([email protected]) then shredded and securely disposed of after the session. Any personal information shared otherwise is done by sending emails from and to the benefit support email account (advice.b through the secure GCP OWA application). 

8. Monitoring and Resources 

Breaches – if you are aware or suspect any GCP personal information has been collected or processed in some way that does not adhere to this policy, raise this immediately with the Data Controller, our CEO. Breaches and suspected breaches will be reported to the Board Contact for Data and appropriate action taken. This will include staff disciplinary action when necessary.  

Requests for deletion or information should be passed to the Administration team (Jonny or Hazel) who will arrange for appropriate action. 

Regular review – the Data Controller will instigate regular review of data held on databases and in particular Salesforce, synchronizing this with Mailchimp and voodoo (or any such systems that may replace these). 

Complaints  can be handled in line with the general complaints policy in the first instance. Those to whom that process escalates complaints will take into account any additional data protection related aspects and requirements. 


Information Commissioner’s Office (ICO)

We are registered with the UK’s independent authority, the Information Commissioner’s Office (ICO), which is set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

You can access information on your rights, make a complaint or report a suspected breach by GCP or any other organisation via their site.

Organisation name: Grassmarket Community Project
Registration Reference: ZA493100

You can contact the ICO by post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone. 0303 123 1113 or via their website for information about what personal data and privacy