Privacy Policy

This Privacy Policy is effective from 25th May 2018

We respect and are committed to protecting your privacy.

This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others, how we keep it safe and secure and your rights and choices in relation to your information.

Any questions regarding this policy and our privacy practices should be sent via the Contact Us page or by writing to COSSES, PO Box 4706, Shrewsbury, SY5 0WT.

Who are we?
We are The County of Salop Steam Engine Society Ltd (COSSES), a not for profit organisation with the sole purpose of furthering the interest in, the preservation of, and the promotion of steam and vintage vehicles as something worth preserving, primarily through our annual event, the Shrewsbury Steam Rally.
Registered in England and Wales – Company Reg. No. 01654318.
Registered Office: Emstry House, Sitka Drive, Shrewsbury Business Park, Shrewsbury, SY2 6LG

How do we collect information from you?
We obtain information in the following ways:

  • Information you give us directly
    • When you contact us through our website, by telephone, post, e-mail or through any other means.
    • When you apply for membership.
    • When you subscribe to our mailing list via our website.
    • When you complete surveys, promotional forms and return them to us (although you are not obliged to respond to them).
    • When you enquire to and/or exhibit at one of our events.
    • When you enter a competition or promotion through a social media channel.
  • Information you give us indirectly
    • Your information may be shared with us by subcontractors acting on our behalf who provide us with ticketing services, booking services and card payment services.
  • When you visit our website –
    We, like many companies, automatically collect the following information:


    • technical information, including the type of device you’re using, the IP address, browser and operating system being used to connect your computer to the internet. This information may be used to improve the services we offer.
    • information about your visit to our website, for example, we collect information about pages you visit and how you navigate the website, i.e. length of visits to certain pages, products and services you viewed and searched for, referral sources (e.g. how you arrived at our website).

We collect and use your personal information by using cookies on our website – more information on our use of cookies can be found in the “Cookies Policy” available on our website.

  • Social Media
    When you interact with us on social media platforms such as Facebook, Twitter and Instagram, we may obtain information about you (for example, when you publicly tag us in an event photo). The information we receive will depend on the privacy preferences you have set on those types of platforms.

What information is collected?
We may collect the following information:

  • your name and contact details (including postal address, email address and telephone number).
  • demographic information such as postcode, preferences and interests.
  • information about your activities on our website and the device used to access it, for instance, your IP address and geographical location.
  • your bank or credit card details. If you pay online for membership, purchase tickets online or pre-book camping, your card information is not held by us, it is collected by our third-party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions.
  • other written information related to your enquiry/application that you provide.

What we do with the information we collect
We require this information to administer your membership and to provide the products and services you have requested from us and provide you with a better service for the following reasons:

  • Internal record keeping.
  • Sending membership/subscription notices to you.
  • Recording financial transaction to your membership.
  • Contacting you with relevant society correspondence.
  • Providing you with a Membership Card for gaining access to the Society activities.

Processing of your personal data
Under the GDPR (General Data Protection Regulation) we control and / or process any personal information about you electronically using the following lawful basis.

All individuals who were on our email mailing list prior to 25th May 2018 have been contacted and have since given consent or been removed from the mailing list.

Any individual added to our database since 25th May 2018 will be under either of the following basis:

  • Lawful basis: Consent
    The reason we use this basis: If you have previously requested or given permission to be added to our mailing list.
    We process your information in the following ways: Your personal data is stored
    Data retention period: We will continue to process your information under this basis until you withdraw consent, or it is determined your consent no longer exists.
  • Lawful basis: Legitimate interests
    The reason we use this basis: #
    We process your information in the following ways: #
    Data retention period: #

We shall stop processing your personal information if the lawful basis used is no longer relevant.

Sharing your personal data
We will not share your information to third party organisations, with the exception of approved third-party partner agencies to process information on our behalf, for example, a mailing list company to process email communications to members. Third parties with which we share your information are only authorised to use that information to fulfil their contractual obligations to us. They are not permitted to use it for any other purpose.

Links to other websites
Our Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

Data security and protection
We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR compliance requirement.

Email marketing messages & subscription
Under the GDPR we use the consent lawful basis for anyone subscribing to our newsletter or marketing mailing list. We only collect certain data about you, as detailed in the “Processing of your personal date” above. Any email marketing messages we send are done so through an EMS (Email Marketing Service provider). An EMS is a third-party service provider of software/applications that allows marketers to send out email marketing campaigns to a list of users.

Email marketing messages that we send may contain tracking beacons / tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of data such as; times, dates, I.P addresses, opens, clicks, forwards, geographic and demographic data. Such data, within its limitations, will show the activity each subscriber made for that email campaign.

Any email marketing messages we send are in accordance with the GDPR and the PECR. We provide you with an easy method to withdraw your consent (unsubscribe) or manage your preferences / the information we hold about you at any time. See any marketing messages from us for instructions on how to unsubscribe or manage your preferences, you can also unsubscribe from all MailChimp lists, by following this link, otherwise contact the EMS provider.

Your rights
Under the GDPR, you have the following rights in relation to your Data:

  • Right to access – the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is “manifestly unfounded or excessive.” Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
  • Right to correct – the right to have your Data rectified if it is inaccurate or incomplete.
  • Right to erase – the right to request that we delete or remove your Data from our systems.
  • Right to restrict our use of your Data – the right to “block” us from using your Data or limit the way in which we can use it.
  • Right to data portability – the right to request that we move, copy or transfer your Data.
  • Right to object – the right to object to our use of your Data including where we use it for our legitimate interests.

To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via the contact details provided at the top of this document.

If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner’s Office (ICO). The ICO’s contact details can be found on their website at

It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.

Transfers outside the European Economic Area
Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA). For example, this could occur if our servers are located in a country outside the EEA or one of our service providers is situated in a country outside the EEA.