MYAPES PORTAL - PRIVACY POLICY
Version 1.0 | Dated: 14 November 2025
1. Introduction
The Association of Protecting Exotic Species CIC ("APES", "we", "us", "our") is committed to protecting and respecting your privacy. APES is a Community Interest Company registered in England and Wales (CIC No. 16253848).
This policy explains how we process personal data collected through the MyAPES portal (https://www.myapes.me.uk) (the "Portal"). For the purpose of the UK General Data Protection Regulation (UK GDPR), APES is the data controller.
This policy covers all users of the Portal, including guests, visitors, registered service users, and organisations.
2. The Data We Collect About You
We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped together as follows:
Identity Data: Includes first name, last name, username or similar identifier.
Contact Data: Includes billing address, delivery address, email address, and telephone numbers.
Financial Data: When you use our billing portal, your payment card details are processed directly by our third-party payment processor (Stripe). We do not store your full payment card details, but we may receive and store transaction details, billing address, and the last four digits of your card.
Transaction Data: Includes details about payments to and from you and details of services you have purchased from us.
Profile Data: Includes your username and password, services used, and information submitted via registration or contact update forms.
Technical Data: Includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, and other technology on the devices you use to access this Portal.
Usage Data: Includes information about how you use our Portal, tools, and resources.
We collect this data when you:
Create an account on our Portal.
Submit a registration or contact update form.
Make a payment or manage your billing preferences via the Stripe portal.
Correspond with us by email or other means.
Browse the Portal (Technical and Usage Data).
3. How We Use Your Data & Our Legal Basis
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
| Purpose / Activity | Type of Data | Lawful Basis for Processing |
To register you as a new user and create your account. | Identity, Contact, Profile | Performance of a contract with you. |
To process payments and manage your billing (via Stripe). | Identity, Contact, Financial, Transaction | Performance of a contract with you. |
To manage our relationship with you (e.g., processing your contact update forms, notifying you of changes to our terms). | Identity, Contact, Profile | (a) Performance of a contract with you. (b) Legitimate interest (to keep our records updated). |
To provide you with access to tools, resources, and portals relevant to your relationship with us. | Identity, Contact, Profile, Technical | Performance of a contract with you. |
To administer, protect, and improve our Portal (including troubleshooting, data analysis, security, and support). | Technical, Usage | (a) Legitimate interest (for running our Portal, provision of IT services, network security). (b) Necessary to comply with a legal obligation. |
We do not use your personal data for activities where our legitimate interests are overridden by the impact on you. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose.
4. Data Sharing and Third Parties
We will not sell your personal data. We may have to share your personal data with trusted third parties to provide our services, including:
Payment Processors: We use Stripe, Inc. to process payments and manage billing. When you use the billing portal, you are providing your data directly to Stripe. Your use of the Stripe portal is subject to Stripe's own Terms and Privacy Policy.
Service Providers: Third parties who provide IT, system administration, and hosting services for the Portal.
Professional Advisers: Our lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
Regulators: HM Revenue & Customs, Companies House, the Information Commissioner's Office (ICO), and other authorities who may require reporting of processing activities in certain circumstances.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes.
5. International Transfers
Some of our third-party providers (such as Stripe) are based outside the UK and the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the UK/EEA.
Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards are in place, such as specific contracts approved for use in the UK (e.g., Standard Contractual Clauses) or by relying on an adequacy decision.
6. Data Security
We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
Access to your personal data is limited to those employees, agents, and other third parties who have a "need to know". They will only process your personal data on our instructions and are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Data Retention
We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.
Account Data: We will retain your personal data for as long as your account is active.
Legal Requirements: We may retain your data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation. By law, we have to keep basic information about our service users (including Contact, Identity, Financial, and Transaction Data) for six years after they cease being customers for tax purposes.
8. Your Legal Rights
Under UK data protection law, you have specific rights in relation to your personal data:
Right of Access: Request a copy of the personal data we hold about you.
Right of Rectification: Request correction of any inaccurate or incomplete data. (You can update most of this information directly via your account profile and contact update forms).
Right to Erasure: Request that we delete your personal data ("right to be forgotten").
Right to Restrict Processing: Request that we suspend the processing of your personal data.
Right to Data Portability: Request the transfer of your personal data to you or a third party in a machine-readable format.
Right to Object: Object to us processing your data (e.g., where we are relying on a legitimate interest).
Right to Withdraw Consent: Where we rely on consent as our legal basis, you may withdraw it at any time.
There is usually no fee to exercise these rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may also need to request specific information from you to help us confirm your identity.
9. Cookies
Our Portal uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our Portal (e.g., by keeping you logged in) and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them, please see our separate Cookie Policy.
10. How to Contact Us
If you have any questions about this Privacy Policy or our data protection practices, or if you wish to exercise any of your rights, please contact us at:
If you have a specific query for our Data Protection Officer (DPO), you can contact them at:
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
11. Changes to this Privacy Policy
We keep our Privacy Policy under regular review. This version was last updated on the date shown at the top. Any changes will be posted on this page.
Information only — consult qualified counsel for legal advice.
