Cookie & Privacy Policy

Privacy and Cookies Policy

Last updated: 01/06/2026

1. Who we are and how to contact us

This policy explains how Rye Museum Association (“RMA”, “we”, “us”, “our”) collects and uses your personal information. RMA operates Rye Castle Museum & Prison (RCM Ypres Tower) and RCM East Street Museum in Rye, East Sussex, and is the data controller responsible for your information.

Registered charity number: 1057421
Company registered in England and Wales (limited by guarantee): 03226143
Registered office: Rye Museum Association, 3 East Street, Rye, East Sussex, TN31 7JY
Email: info@ryemuseum.co.uk · Telephone: 01797 226728

If you have any questions about this policy or about how we use your information, please contact our nominated person for data protection by email at info@ryemuseum.co.uk or by post at the address above.

2. About this policy

This policy applies to people who visit www.ryemuseum.co.uk & www.ryecastle.co.uk, subscribe to one of our newsletters, become members, book event tickets, make donations, volunteer with us, or otherwise contact us. It covers the personal information we collect, why we use it, who we share it with, how long we keep it, and your rights. It also explains our use of cookies (section 6) and our newsletters and marketing (section 5).

3. The information we collect

Information you give us — for example when you join as a member, book an event ticket, make a donation or Gift Aid declaration, sign up to our newsletter, make a group or school booking, volunteer or enquire about volunteering, enter a competition, or contact us with a question or feedback. This typically includes your name, email address, postal address, and telephone number, and the details of your booking, membership, or donation.

Information we collect automatically — when you use the Website we may collect technical and usage information such as your IP address, browser and device type, the pages you visit, and how you arrived at the site. We collect this through cookies and analytics, as explained in section 6, and wherever possible we use it in an aggregated or anonymous form.

Information from third parties — when you book a ticket or membership through our Tickettailor box office, or pay through a payment provider, we receive the details we need to fulfil and administer your order (but not your full card details).

Sensitive information — we do not usually collect “special category” data (such as health information). Where we do need it — for example to make reasonable adjustments for an accessibility requirement — we will collect only what is necessary and rely on an appropriate lawful basis, and we will explain this at the time.

4. How we use your information, and our lawful bases

We use your information for the purposes below. Under UK GDPR we must have a lawful basis for each use:

Administering memberships, event tickets, and other orders you place with us — performance of a contract.
Processing donations and Gift Aid — legitimate interests in funding the charity, and legal obligation for the Gift Aid and financial records we must keep.
Sending you our newsletters and other email marketing — consent, or (for the members’ newsletter) as part of your membership (see section 5).
Responding to your enquiries and providing information you ask for — legitimate interests, or steps taken at your request before entering a contract.
Sending postal updates, news, and fundraising appeals to our supporters — legitimate interests, and you can ask us to stop at any time.
Keeping the Website safe and improving it, including analytics — consent for non-essential cookies, and otherwise our legitimate interests.
Supporting and managing volunteers — legitimate interests or contract.
Internal administration, record-keeping, and handling complaints — legitimate interests.
Meeting our legal and regulatory duties (for example accounting, safeguarding, and responding to lawful requests from authorities) — legal obligation.

Where we rely on consent, you can withdraw it at any time; where we rely on legitimate interests, you have the right to object (see section 11).

5. Our newsletters and marketing

We send two separate email newsletters:

General newsletter (open to everyone): a newsletter for non-members, supporters, and anyone interested in the museum. It is managed and sent through our RyeCastle.co.uk website and carries museum news, events, and exhibitions.
Members’ newsletter (active members only): a newsletter sent to current, paid-up members of the Rye Museum Association as a benefit of membership, with members’ news and updates. It is managed and sent using Mailchimp (a service provided by Intuit Inc.).

We add you to the general newsletter when you sign up; members receive the members’ newsletter as part of their active membership. We aim to email no more often than is useful and as described in the membership terms, and the tools we use may record whether messages are opened and which links are clicked so that we can improve future editions.

You can unsubscribe from either newsletter at any time using the unsubscribe link included in every email we send, or by emailing info@ryemuseum.co.uk. Unsubscribing from the members’ newsletter does not affect your membership (you will still be emailed about your active membership or when it’s due for renewal, however you will not be informed of events etc), and unsubscribing does not affect anything we sent beforehand. If you would prefer not to be contacted for marketing by any method, just let us know.

6. Cookies and similar technologies

Cookies are small text files placed on your device when you visit a website. They let a site recognise your device, remember your choices, and understand how the site is used.

When you first visit the Website you will see a cookie banner that lets you accept or reject cookies that are not essential. Strictly necessary cookies are always on because the site cannot work properly without them, but you can choose whether to allow the others, and you can change your choice at any time using the cookie settings link on the Website. You can also block or delete cookies through your browser settings, though some features may then not work; general guidance is available at www.allaboutcookies.org.

The cookies we use fall into these categories:

Strictly necessary — needed for the site to function and to remember your cookie choices.
Functional / preferences — remember choices you make to improve your experience.
Performance / analytics — we use Google Analytics to collect information about how visitors use the site (such as which pages are most visited) so that we can improve it. This is set only with your consent. You can opt out of Google Analytics across all sites using Google’s browser add-on.
Third-party / embedded content — some pages include content served by others, such as Vimeo video, our Tickettailor box office, and social media. These providers may set their cookies, which are governed by their policies; we do not control them.

Cookie / provider Type Purpose Duration
[name] Strictly necessary [purpose] 6m
Google Analytics (_ga, etc.) Analytics Measure site usage 6m
[Vimeo / Tickettailor / social] Third-party Display 6m

Cookie / provider	Type	Purpose	Duration
[name]	Strictly necessary	[purpose]	6m
Google Analytics (_ga, etc.)	Analytics	Measure site usage	6m
[Vimeo / Tickettailor / social]	Third-party	Display	6m

7. Who we share your information with

We never sell your personal information. We share it only as follows, and only as far as needed:

Service providers acting on our behalf, under contracts that require them to protect your data and use it only on our instructions — including FES Enterprises (website and marketing support), Mailchimp (our members’ newsletter), the platform behind our RyeCastle.co.uk website (our general newsletter), Tickettailor (ticketing and membership bookings), our payment provider(s), our website host, and Google (analytics).
HMRC, where needed to claim Gift Aid on eligible donations.
Professional advisers (such as auditors and legal advisers) where necessary.
Authorities or other third parties where we are required to do so by law, or to prevent or detect crime.

8. Transfers outside the UK

Some of our providers — for example Mailchimp and Google — are based in or store data in the United States. Where your information is transferred outside the UK, we make sure an appropriate safeguard is in place, such as the UK’s “data bridge” extension to the EU–US Data Privacy Framework, or the International Data Transfer Agreement / standard contractual clauses approved for use in the UK.

9. How we keep your information secure

We take appropriate technical and organisational measures to keep your information secure and to prevent unauthorised access, loss, or misuse. Card payments are handled securely by our payment and ticketing providers in line with the Payment Card Industry Data Security Standard, and we do not store your full card details. Please remember that email is not always secure; please do not send us financial details such as card numbers by email.

10. How long we keep your information

We keep your information only for as long as we need it for the purposes set out in this policy, in line with our records-retention schedule, and then securely delete or anonymise it. As a general guide: records relating to Gift Aid, donations, and our accounts are kept for around six years to meet tax and audit requirements; membership and supporter records are kept for the duration of your relationship with us and a reasonable period afterwards; and we keep your details for marketing until you unsubscribe or ask us to stop. (Committee: confirm against your actual retention schedule.)

11. Your rights

Under UK data protection law you have the right to:

ask for a copy of the information we hold about you (a subject access request);
ask us to correct information that is inaccurate or incomplete;
ask us to delete your information in certain circumstances;
ask us to restrict or object to how we use it, including an absolute right to object to direct marketing;
ask us to transfer certain information to another organisation; and
withdraw any consent you have given, at any time.

To exercise any of these rights, please email info@ryemuseum.co.uk or write to us at the registered office. We may need to confirm your identity first. We will respond within one month, and there is normally no charge.

If you are unhappy with how we have handled your information, you can complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk or on 0303 123 1113. We would, however, appreciate the chance to put things right first.

12. Children’s privacy

We are committed to protecting the privacy of young people who attend our events or take part in our school and education activities. Where we collect and use the personal data of a child, we will obtain the consent of a parent or guardian.

13. Links to other websites

The Website links to and embeds content from other sites, including our RyeCastle.co.uk website (where you can sign up to our general newsletter), our Tickettailor box office, Vimeo, and social media. This policy does not cover those sites, and we are not responsible for their privacy practices; please read their own policies.

14. Changes to this policy

We may update this policy from time to time. Any changes will be posted on this page, and the “last updated” date above will tell you when it was most recently revised. Please check back from time to time.

15. Contact us

For anything to do with your privacy or this policy, contact us at info@ryemuseum.co.uk, call 01797 226728, or write to Rye Museum Association, 3 East Street, Rye, East Sussex, TN31 7JY.