Volunteer Privacy Policy

Who we are

We are the Chelmsford Beer & Cider Festivals (CBCF) Volunteer Portal. We are part of the Chelmsford and Mid-Essex (CME) Campaign for Real Ale (CAMRA) Branch.

Our website address is: https://volunteer.cbcf.info/portal/.

This policy covers how we handle our volunteer information – please refer to our Festival Privacy Policy for how we handle other information.

What personal data we collect and why we collect it

Registering for an account

In order to use the Volunteer Portal, you must register a user account which collects your first and last names, your date of birth, your email address, your contact number and a name for your Volunteer Badge. We collect this to set up your account on our system and it is needed to keep your account active.

Collection of sensitive information

  • Contact telephones numbers – this is only used to get in touch with you during any festival that you have volunteered for to confirm shift times or arrange alternative times if required.
  • Date of birth – we are required to keep a record of this for all volunteers as part of our alcohol license. Volunteers under the age of 18 must go through a manual verification process to confirm that parental consent is given for them to keep their data on this site.

Additionally, we may collect data relating to the device you are using to access our website such as IP address, operating system, browser type and version. This is done for security verification and protection purposes to ensure each attempt to register an account is valid.

Submitting details on forms

The Volunteer Portal is based on forms and most of the interactions on this site (such as updating information on Your Profile or signing up to volunteer at a festival) requires us to collect additional personal data:

  • Emergency contact numbers – this will be used in the event you have an accident whilst volunteering at one of our festivals. In addition to the contact number, we also required the first and last name of the contact and their relation to you (to help us when dealing with an emergency).
  • Dietary/Medical information – as part of our Volunteer Safeguarding policy, we will ask volunteers to provide information regarding any dietary requirements or medical information that we need to be aware of whilst they are volunteering at a festival.
  • Contact address – this information is only used if you are involved in an accident at the festival. As part of our Volunteer Safeguarding Policy, we will share this information with the emergency services if appropriate.

Additionally, when filling in forms we also collect IP addresses, operating system type, browser type and version for security verification and protection purposes to ensure that no malicious attempts to leak or change data being saved to our system.


If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you update or submit a form, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the submission ID of the form you just submitted. It expires after 1 day.

Who we share your data with

Data from the Volunteer Portal remains on our secure database and is not shared with anyone outside of CBCF, CME or CAMRA.

For operational reasons, we do share limited subsets of your information with third-party data processors for specific purposes (such as to send email communications or SMS communications) only if you have consented to this. See Where we send your data for further information.

We only share information (such as emergency contact information) with emergency services if absolutely necessary.

How long we retain your data

For users that register on our website, we store the personal information they provide in their user profile. All users can see, edit, or delete their own personal information at any time.

All accounts are valid for 5 years since the last activity date (activity is defined as the last registered festival on your Volunteer Profile). If an account is not active for 5 years, we will send an email to the affected user and remind them to sign into the Volunteer Portal within 2 weeks before the account is automatically suspended and data is removed.

We take regular backups of data stored on our database – we retain these backups for a period of 30 days. If you submit a request to have your data removed, we will remove it from the live databases although your data will still be stored for a period of 30 days as per our backup policy. After 30 days this data is securely removed. We are unable to restore data removed from our system by a data removal request.

Additionally, information submitted for festivals on separate forms may have their own Data Processing Notice which will outline any additional requirements or alternative retention periods (these may be shorter or longer than the ones stated above).

What rights you have over your data

If you have an account on this site, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

This can be done by going to our Data Request form on the Volunteer Portal. Once a request has been made, this can take up to two weeks to be actioned by the Data Protection Officer.

Additionally, you can permanently remove your Volunteer Portal account by going to this page.

Where we send your data

We make use of Mailgun (a third-party data processor) to send out our bulk communication emails (that arrive from [email protected]). Whilst we do send them your name and email address to send our communications, they only retain this information for a period of 5 days for the purpose of sending out our communications.

Additionally, we also use Twilio (a third-party data processor) to send out our bulk communication SMS (texts). We only send them your phone number which is only used to send our message to your device. They retain this number for a period of 7 days.

You can unsubscribe from these at any time by following the links at the bottom of each bulk email or by going to Your Profile and adjusting your email preferences.

Please note that service communications are mandatory and cannot be opted out of. More information can be found on this Support Article.

Our contact information

You can contact our Data Protection Officer (Tom Maguire) by emailing [email protected], by phoning 01245 526899 or texting 07982 720143.

Additional information

How we protect your data

There are several security measures we have put in place that ensure personal data on the Volunteer Portal is kept secure at all times.

  • We require the use of HTTPS and TLSv1.2+ on all pages of the website.
  • We run daily backups of data stored on this service that are stored offsite away from the main web servers.
  • We complete bi-annual security audits on the Volunteer Portal to find and fix any security vulnerabilities that may arise.
  • We enforce the use of Two-Factor Authentication (2FA) for administrators of this system and authentication is done via the CBCF SSO Identity Provider to allow for additional verification checks for malicious login attempts.
  • We prohibit the use of compromised or weak passwords on the Volunteer Portal and prevent login attempts of accounts that become compromised.
  • We run ad-hoc security patching for the Volunteer Portal, ensuring that any updates go through a staging environment before going to the live environment.
  • We use TLSv1.2+ connections between our web server, database server, external links to third party systems and email communications.

Industry regulatory disclosure requirements

We are registered with the Information Commissioner’s Officer with registration number ZA478683.

This document was last updated on 2nd October 2022. Effective date is 2nd October 2022.