Privacy Policy

Last updated: 23 April 2026

Who we are

The New Hunting Ban (“we”, “us”, “our”) is the controller of personal data collected through thenewhuntingban.com and related campaign communications, unless this policy says otherwise.

Our contact details are:

The New Hunting Ban
5th Floor, 167–169 Great Portland Street
London W1W 5PF
Telephone: +44 07877 471109
Email: info@thenewhuntingban.com

This policy explains how we collect, use, store, share and protect personal data when you visit our website, contact us, sign up to our mailing list, apply to join our Change Network, respond to a consultation, use campaign tools, or otherwise interact with us. We provide this information when personal data is collected so that our processing is lawful, fair and transparent. 

The personal data we collect

We may collect and use the following categories of personal data:

  • identity and contact details, such as your name, postal address, email address, phone number and organisation;

  • correspondence and form data, such as messages you send us, application content, consultation responses, event registrations and campaign-action content;

  • supporter and marketing data, such as mailing-list sign-up details, consent records, preferences, unsubscribe history, suppression-list status and records of how you engaged with our campaign;

  • technical and online data, such as IP address, browser type, device information, referral source, approximate location, page views, timestamps, server logs and cookie or similar-technology preferences;

  • payment and donation data, if we later enable donations, such as donor details, receipt information, payment metadata and Gift Aid declarations, while payment card details should be collected directly by the payment processor rather than stored by us;

  • account and community data, if we later enable user accounts or comments, such as login credentials, password hashes, user preferences, moderation records and public-submission content.

We also ask you not to send us special category data or criminal-offence data unless we specifically request it or it is clearly necessary for your interaction with us. If such data is provided, we will only process it where we have both a valid Article 6 lawful basis and an appropriate additional condition where required. Free-text consultation and contact forms should be reviewed carefully for this reason. 

How we use personal data

We use personal data to operate and secure our website, respond to enquiries, administer our mailing list, review Change Network applications, manage consultations and campaign actions, keep records of consent and objections, comply with legal obligations, maintain suppression lists, prevent misuse, and where appropriate establish, exercise or defend legal claims.

The lawful basis depends on the purpose. For ordinary enquiries, supporter administration, applications, website security and postal campaign updates, the recommended basis is generally legitimate interests, provided we have carried out and documented an appropriate balancing test. For email or text campaigning, fundraising or newsletter messages to individuals, the recommended basis is consent because PECR requires it in most cases and ICO guidance says legitimate interests cannot be used to legitimise electronic marketing where PECR requires consent. For accounting, tax, fraud prevention, complaints and regulatory matters, legal obligation and legitimate interests may also apply. Schedule 1 below gives an operational table you can use in your privacy notice and record of processing activities. 

Direct marketing and your mailing-list subscription

We will not send campaign or fundraising emails or texts to individuals unless they have actively opted in for that channel. Our consent request will be clear, concise, separate from general terms, and unticked by default. We keep records of who consented, when, how, and what they were told at the time. You can withdraw consent at any time. Each marketing email will identify us and include a valid unsubscribe mechanism. 

If you unsubscribe or object to direct marketing, we will stop sending those messages and will keep a minimal suppression-list record so that we do not contact you again by mistake. We keep only the minimum information needed for that purpose and clearly mark it so that it is not used for any other direct-marketing purpose. 

If we use our email platform’s open-tracking, click-tracking or similar email analytics, we will explain that clearly in the mailing-list notice and will only enable those features where we are satisfied that the configuration is lawful, proportionate and transparent. ICO guidance treats tracking pixels separately from the email-marketing rules and links them to PECR’s storage/access rules where they store or access information on the recipient’s device. 

Cookies and similar technologies

We use strictly necessary cookies and similar technologies where needed to run the website, remember essential settings, protect forms, maintain security and prevent abuse. We will ask for consent before placing or enabling non-essential analytics, advertising, social-media, embedded-media or similar tracking technologies. Those non-essential technologies will be off by default until you choose to enable them. We will make it as easy to reject non-essential technologies as it is to accept them, provide clear information about the purposes and third parties involved, and offer a persistent way to change your choice later. 

Where we use a consent mechanism, we will keep records of the preference expressed and we will refresh consent where appropriate, including where our purposes materially change. ICO guidance gives a general recommendation to refresh storage/access consent every six months. Our template cookie table appears in Schedule 2 below; it must be updated after a live cookie scan and vendor review. 

Who we share personal data with

We may share personal data with carefully selected processors and service providers who help us run the website and campaign, such as:

  • Squarespace

  • MailChimp

  • Survey Monkey

  • Meta

  • Apple

We require processors to act only on documented instructions, keep data secure, and use appropriate contracts. If a processor appoints a sub-processor, the processor must have appropriate authority and flow down equivalent protections. We do not sell personal data and we do not share it with other organisations for their own independent marketing. 

If you use a tool on our site to contact an MP, public body or another external recipient, the recipient will usually become an independent controller of the personal data contained in the message you ask us to create or send. We will explain that at the point of use where such tools are active. 

International transfers

Some of our processors may store or access personal data outside the UK or EEA. Where that happens, we will only transfer personal data using a lawful transfer mechanism, such as adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU standard contractual clauses, together with any transfer risk assessment or supplementary measures that are needed. The EEA is currently recognised as adequate for UK transfer purposes, and the UK continues to benefit from EU adequacy for incoming EU/EEA flows, but you should still document the mechanism used by each processor. 

How long we keep personal data

We keep personal data only for as long as necessary for the purpose for which it was collected, plus any longer period required for legal, tax, accounting, audit, complaint handling or dispute purposes. The UK GDPR does not set fixed retention periods in most cases; instead, we must justify them. We therefore apply the retention criteria and periods in the retention schedule later in this report and in our internal record of processing activities. Where possible, we anonymise or aggregate information rather than keeping it in identifiable form. 

Security

We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures should include role-based access control, strong passwords, multi-factor authentication for administrator accounts, secure hosting, HTTPS, patching and updates, backups, supplier due diligence, breach-response procedures and staff confidentiality controls. If a personal data breach occurs and it is notifiable, it must be reported to the ICO without undue delay and, where feasible, within 72 hours. 

Your rights

Subject to the law, you may have the right to ask us for access to your personal data, correction of inaccurate data, erasure, restriction, portability, or to object to processing. Where we rely on consent, you can withdraw it at any time. Where we use personal data for direct marketing, you have the right to object at any time, and we must stop that processing for direct-marketing purposes. We may ask for information to verify your identity before responding. We will normally respond within one month, although the law allows limited extensions in some cases. 

Children’s privacy

Our website and mailing list are not directed at children under 13. We do not knowingly rely on a child’s own consent for mailing-list marketing below the age at which a child can consent for an online service in the UK. If we discover that we have collected personal data from a child in a way that is not lawful, we will delete or otherwise appropriately deal with that data. If we later create content or services specifically for children or young people, we will provide age-appropriate privacy information and review whether additional safeguards or notices are required. 

Automated decision-making and profiling

We do not intend to make decisions about you based solely on automated processing where those decisions produce legal effects or similarly significant effects. We may, however, use limited profiling or segmentation to make communications more relevant, for example by using broad location data, campaign interests, previous actions taken, or supporter preferences. If we introduce more sophisticated profiling, audience matching, supporter scoring, fundraising propensity models or similar tools, we will update this policy, identify the lawful basis, record the activity in our ROPA and carry out a DPIA where the activity is likely to be high risk. 

Complaints

If you have a concern about how we handle personal data, please contact us first at info@thenewhuntingban.com so that we can try to resolve it. You also have the right to complain to the Information Commissioner's Office, which is the UK supervisory authority for data protection. The ICO provides an online complaints route and helpline support, and it generally suggests that people raise complaints within three months of their last meaningful contact with the organisation. 

Changes to this policy

We may update this policy from time to time. Where changes are material, we will make reasonable efforts to bring them to your attention, for example through the website, a just-in-time notice, or an email where appropriate.