This privacy notice was last updated on 27 July 2023.

Cryptic is committed to protecting your personal information and being transparent about what information we hold about you.

Using personal information allows us to develop a better understanding of our audiences and in turn provide you with relevant and timely information about the work that we do – both on and off stage. As a charity, it also helps us to engage with potential donors and supporters and to report back to our funders.

The purpose of this policy is to give you a clear explanation about how we collect and use the information we collect from you directly and from third parties.

This policy explains:

  • What information we may collect about you;
  • How we may use that information;
  • In what situations we may disclose your details to third parties;
  • Our use of cookies;
  • Information about how we keep your personal information secure and your rights to be able to access it.

We may change portions of this privacy notice from time to time, so be sure to check it regularly. If we make a change that significantly affects your rights, or significantly changes how we use your personal information, we will notify you by prominently posting this on our websites and/or email within a reasonable period prior to the change becoming effective.

Who We Are

Cryptic is a charity and Creative Scotland Regularly Funded Organisation. We also receive funding from various trusts, foundations and individual donors and supporters. Our registered charity number is SCO22476 and we are also registered as a company limited by guarantee and registered in Scotland under registration number SC150281.

Cryptic is registered with the Information Commissioner’s Office in accordance with current data protection legislation: our registration number is ZA24873.

We are the data controller for the personal information you share with us and we otherwise collect in respect of you. Our Data Protection Officer is Claire Moran. You can contact her here or via our postal address. Please mark the envelope ‘Data Protection Officer’.

Our office and postal address is: Cryptic, CCA, 350 Sauchiehall Street, Glasgow, G2 3JD or you can contact us by telephone: +44 (0)141 354 0544

Information Collection

We collect various types of personal information and in a number of ways.

We currently operate two websites and (“the Websites”).


Information you give us

We do not obtain any personal information about you simply through you browsing our websites. Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us.
  • You have made an information request to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You have applied for a job with us.
  • You are representing your organisation.

We may also receive personal information indirectly, in the following scenarios:

  • Where you have made your contact information available on your organisation’s website and we use this to contact you and your organisation.
  • An employee of ours gives your contact details as an emergency contact or a referee.

For example, when you register on our website, subscribe to our e-mails, buy tickets,  make a donation or when you join our Cryptic Angels scheme, we will store personal information you give us such as your name, email address, postal address and telephone number. We will also store a record of your purchases and donations. All this information is stored securely in our systems.


When you interact with us, whether by phone, e-mail or via other means, for example to ask for information, we collect information relating to those communications. We use this information to answer any issues or concerns and to provide you with the information and services you require from us.

When you visit our website, we collect information about how you interact with our content and adverts. When we send you a mailing, we store a record of this, and in the case of emails, we keep a record of which ones you have opened and which links you have clicked on.

When you access our social media channels, including Twitter, Instagram, YouTube, Facebook and TikTok we only receive personal information that you share with us voluntarily and that is compatible with your privacy settings. To find out more about how these social media companies process your personal information, we recommend that you read their individual privacy policies.

We use social media to publish messages and updates about events and news. On occasion we may reply to comments or questions you make to us on social media platforms. You may also see adverts from us on social media that are tailored to your interests.


If you are under 18, please make sure that you obtain your parent/guardian’s permission whenever you provide personal information to us. If you don’t have their permission, you must not provide personal information to us.


We occasionally receive information about you from third parties. For example, we may use third party research companies to provide general information about you, compiled using publicly available data. We may also receive information about you from venues where you have booked a performance or event. This is for research and reporting purposes only, unless you have given your consent to receive communications from us.


Data Protection law recognises that certain categories of personal information are more sensitive such as information relating to health, race, religious beliefs and political opinions. We do not usually collect this type of information about you unless there is a clear reason for doing so. For example, we sometimes collect health information about participants in our workshops.

We will only retain your personal information for as long as necessary and to fulfil our legal obligations.  It will be kept secure using appropriate security measures to prevent unauthorised access, modification or disclosure.

Legal Basis

There are three bases under which we may process your data:


When you make a purchase from us or make a donation to us, you are entering into a contract with us. In order to perform this contract, we need to process and store your data. For example, we may need to contact you by email or telephone in the case of cancellation of a show, or in the case of problems with your payment.


In certain situations, we collect and process your personal data for purposes that are in our legitimate organisational interests. However, we only do this if there is no overriding prejudice to you by using your personal information in this way. We describe below all situations where we may use this basis for processing.


For any situations where the two bases above are not appropriate, we will instead ask for your explicit consent before using your personal information in that specific situation.

How we keep your details safe and secure

Your personal data will be held and processed on Cryptic’s systems or systems managed by suppliers on our behalf. We maintain a customer relationship management (CRM) system to hold contact details and a record of your interactions with us such as ticket purchases, donations, queries, complaints and attendance at special events. Where possible we aim to keep a single record for each customer.

Your data is always held securely. Access to your information is strictly controlled. The CRM system can only be accessed by people who need it to do their job. Certain data, for example,  some sensitive information, is additionally controlled and is only made visible to members of staff who have a reason to use it.

We will only ever share your data in other circumstances if we have your explicit and informed consent, such as where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies). Your personal information may also be processed if it is necessary in the defence of a legal claim. We will not delete personal information if relevant to an investigation or a dispute and it will continue to be stored until those issues are fully resolved.

Finally, your personal data may be shared if it is anonymised and aggregated, as in such circumstances the information will cease to be personal data.

What we use your personal information for

We aim to be clear and transparent when we collect your data and not to do anything you wouldn’t reasonably expect.

If you make a purchase, sign up for an event or give a donation we usually collect your name, contact details and your bank or credit card information (if making a transaction).

We use this data to provide you with information about the events, services or information you asked for, ensure we know how you prefer to be contacted, understand how we can improve our communications or events, administer your donation or to process Gift Aid.

When you subscribe to our mailing list on our website, you can choose whether you would like to receive direct marketing communication and details of how you can support our work by email or post. We will include opt-out instructions in any communications you receive from us.


We classify our audience into groups and segments on the basis of their booking history and ticket purchases, attendance over time and information that is provided when you create an account, such as your postcode.

We use analytics to better understand our development as an organisation. We use anonymised data for this analytical research. We consider the growth and sales rate of our tickets and combine this with other relevant data such as interaction with our website and social media.

We may also undertake in-depth audience research by email, online and/or in person after each event. You are under no obligation to participate. Full details of the process are provided when we ask you to participate.


As a charity, we undertake research to support our fundraising and income generation activities to ensure our fundraising campaigns, events and fundraising communications are targeted in the most effective way.  This also includes:

  • evaluating the effectiveness of these campaigns and making changes where required;
  • determining whether certain individuals may be interested in supporting us;
  • ensuring we conduct campaigns and fundraising activity in compliance with law and industry codes of practice; and ensuring that we have reasonable knowledge of prospective donors to minimise the risk of reputational damage.

We may also undertake analysis of our audience by attendance, donations, postcode and other information contained on our own database to contact individuals who might be interested in supporting our fundraising campaigns (which could include donations and individual giving schemes) but only to the extent permitted by data protection legislation. The analysis activity where our audience is segmented is not targeted at specifically identifiable individuals in the first instance and communications sent to individuals thereafter are done so in accordance with their consent or our legitimate interests.

We may carry out research on information in our own database such as connections to ticket buying and history of giving and we may seek additional information from third party sources.

We endeavour to make sure that any research and data collection we do is only sourced from publicly available sources where an individual would, in our view, have a reasonable expectation that their information may be freely read by the public or the individual has freely made information available in respect of their business and philanthropic interests.

We carefully balance our legitimate interests against your interests as an individual. You can exercise your rights over your personal information at any time.

We will always keep your rights and interests at the forefront to ensure they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please contact our Data Protection Officer, Claire Moran.

We do not sell or share personal details with other organisations for the purposes of direct marketing.   We will only share personal details for the purposes of marketing if you have given your explicit consent for us to do this. If you have opted out of marketing communications, we may still get in touch with you. For example, we may email you to give you important information about the events you’ve booked or to tell you about any changes.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

You do have the opportunity to opt out, at any time, from any communications you receive from us.

Your personal information will be held, at all times, within the EEA.

Your Rights

You have certain rights in relation to your personal information. The availability of these rights and the ways in which you can use them are set out below in more detail.

Some of these rights will only apply in certain circumstances. If you would like to exercise, or discuss, any of these rights, please contact us using the details above.

Access: you have the right to ask us whether or not we are using or storing your personal information. You can also ask us for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.

You can use a SAR to find out:

  • What personal information we hold about you;
  • how we are using it;
  • who we are sharing it with; and where we got your data from.

Correction: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

you may sometimes hear this called the ‘right to be forgotten’. The right only applies in the following circumstances:

  • We no longer need your data for the original reason we collected or used it for.
  • You initially allowed to us using your data, but have now withdrawn your consent.
  • You have objected to the use of your data, and your interests outweigh our interests.
  • You have objected to the use of your data for direct marketing purposes.

Restriction: you are entitled to ask us to suspend the processing of certain of your personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Transfer: You have the right to receive your personal data in a way that is accessible and machine-readable. You also have the right to ask us to transfer your data to another organisation. We must do this if the transfer is “technically feasible”. This only applies to information that is stored electronically and that you have provided directly to us.  This may include website or search usage history or traffic and location data.

Objection: you have the right to object to us processing (using) your personal data at any time. You can object where we are using your data:

  • for a task carried out in the public interest;
  • for the exercise of official authority;
  • for their legitimate interests;
  • for scientific or historical research, or statistical purposes; or
  • for direct marketing purposes.

Automated Decisions: you may object to any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.

More information regarding your legal rights in respect of personal information can be found here. You also have a right to lodge a complaint in the Member State in the European Union where you are habitually resident, where we are based, or where an alleged infringement of Data Protection law has taken place.

In the UK you can make a complaint to the Information Commissioner’s Office (Tel: +44 (0)303 123 1113 or online).

In order to initiate a request with us, please send us a description of the information you would like to access or the rights you would like to exercise. The request should be sent to our Data Protection Officer, Claire Moran.