top of page

Privacy Policy




Treetop Rocks CIC, incorporated under the Companies Acts (Company Number Company number SC660018) and having our registered office at 289 Mosspark Drive, Glasgow G52 1NS (“Treetop Rocks” or “we”, “our” or “us”) is committed to protecting the security and privacy of all personal information or data collected from you.


We therefore conduct our business in compliance with applicable laws on data privacy protection and data security. This privacy notice tells you what to expect when we collect and process your personal information.

We try to meet the highest standards when processing your personal information. The data controller who is responsible for how we handle your personal information is Fibie Whitchelo.


Any queries you have in relation to the same should be directed to


  • Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

  • We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

  • We will only retain personal information as long as necessary for the fulfillment of those purposes.

  • We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

  • Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.

  • We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

  • We will make readily available to customers information about our policies and practices relating to the management of personal information.


We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.


We may ask you to provide certain information about yourself when you use our website or are in contact with us (whether it is by telephone, email, via the forms on our website, via messaging app, or face-to-face) about the services and activities we provide. This includes both the commercial services we provide to the public, & the subsidised services provided through donor funding & from the profits from our commercial activities.

If you are booking a session/sessions for somebody under the age of 18, you may be asked to provide certain information about them. The information in this policy applies to information ("Your information") you give about yourself or a person in your care.


If you are providing information for someone else (such as your child), you should tell them that we will have their data and that they have certain rights relating to it.

We use the information you provide for the following 4 purposes:

  • Processing your booking

  • Administering your session or sessions

  • Managing your health, safety and wellbeing and that of people around you

  • Statistical analysis to aid evaluation, improvement & reporting; to apply for donor funding; & to fulfil reporting requirements to funders & our Directors.


The information collected may include:



  • Your name & date of birth 

  • Contact details including your postal/e-mail address and phone number

  • Transaction details about services you specifically request from us

  • Financial details in relation to any services bought from us including addresses for invoices and card payment details

  • Profile details from documents you complete online such as your username and password, preferences, interests and your transaction history

  • Information from customer surveys and feedback forms in respect of any of our services you may have purchased or participated in

  • details of your visits to our website including but not limited to traffic data, location data, weblogs and other communication data and the resources that you access or use


Sensitive data is strictly confidential, and we take extra care with it. We mainly use it to manage the health, safety and wellbeing of you and those around you, including to provide appropriate support and medical care if required.

When you participate in any of our tree climbing sessions, we will ask you to complete a Risk Acknowledgement & Safety Information document ("waiver")

The information collected may include:

  • date of birth

  • next of kin

  • gender

  • detailed medical information, including allergies and medical conditions

  • information on your dietary needs

  • if you are disabled, information about your access needs

  • any other information you may decide to tell us that helps us look after you.

If you are in contact with us to make an application for, or are accepted in order to access subsidised social enterprise climbing sessions, we may obtain additional sensitive data from you via any of the following: by telephone, via email & the forms on our website, or face-to-face.

In this case, sensitive data is personal information that may include


  • information concerning your background and characteristics, such as racial or ethnic origin

  • information about your education & socioeconomic circumstances 

  • religious or philosophical beliefs,

  • information concerning your health or mental wellbeing

  • your opinions about the content of the sessions & your assessment of our achievements in supporting you & meeting your needs​

This information is given with your consent in the form of surveys & feedback forms. You will be shown the type of information we will ask for before participating in our subsidised programmes & you may withdraw consent at any time.


This information is used for statistical analysis. We anonymise and aggregate sensitive data as soon as possible in the analysis process. This anonymised data is then used to help us understand and improve how we include as many people as possible in our subsidised sessions & understand and improve any benefits or challenges that arise from your participation. We use this data to report back to any donor & funding organisation, & to make applications for funding to expand our social enterprise provisions. 

This sensitive data is provided only with your consent.


We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns and does not identify any individual. 

Like most websites, we use cookies. Cookies are small pieces of data that websites store in their visitors' web browsers. Other technologies, including data we store on your web browser or device, identifiers associated with your device, and other software, are used for similar purposes. In this policy, we refer to all of these technologies as "cookies". Cookies help to improve our services and give you a better experience. For example, they can show us which pages people visit most often, and which are not getting as much attention. If you wish to block cookies you can do this in your browser settings; you can learn more about cookies and how to block them here.

How long we keep your data


After your session(s), we need to keep this data along with other records about your time with us. This helps us to meet our legal responsibilities. We won’t get rid of this information for at least three years after your course if you are over 18. If you are under 18, we need to keep it until you are at least 21 years old.



By law, we can only process your information if we can demonstrate the lawful grounds we have for doing so.

Currently, there are six potential lawful grounds for processing personal information, namely:

·we have your consent;

· it is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into such a contract;

· it is necessary for our compliance with a legal obligation;

· it is in the public interest;

· it is necessary to protect your vital interests; or

· that it is in our legitimate interest to do so but only where that interest does not override your interests or your fundamental rights and freedom.

If none of these grounds apply or ceases to apply, we must cease processing your personal information immediately.



We may use personal information held about you in the following ways:

Activity or purpose of processing data

Type of data

Legal basis for this

Registering you as a client or service user 

Your identity, contact details, & sensitive data

Performance of a contract

Processing or delivering our services

Your identity, contact details, sensitive data  including financial information

Performance of a contract


Legal Obligation


Legitimate Interest i.e. to recover any payments due

Maintaining our relationship with you

Your identity, contact and technical data

Performance of contract


Legal Obligation


Legitimate Interest i.e. to keep our records updated and identifying how you use our services

Administration of our website and business (including webhosting and support)

Your identity and contact and profile details

Legal Obligation


Legitimate interest i.e. running business, ensuring security and performance of the website, admin and support, monitoring for viruses or malicious software

Ensuring that content from our website is relevant to you and is presented in the most effective manner for you 

Your identity, contact, profile and technical details

Legitimate Interest i.e. to review the services/goods we supply to you and to inform our overall marketing strategy

To make suggestions that may be of interest to you

Your identity, contact, profile and technical data

Legitimate interests i.e. to develop our products and services



We will not sell the personal information that we collect from you and will only use it for the purposes set out in this privacy statement.


We may share your personal information with the following parties:-

Service providers who provide us with IT and administration services such as our IT Support and back up provider and webhosting company;
HMRC and other regulatory authorities who require reporting of those activities by law; and
Professional advisers such as our lawyers, accountants, bankers and insurers;
Third parties to whom we sell, transfer or merge our business or any part of it; and
Our accounts software provider for the purposes of invoicing.
All third parties with whom we share your data are required to protect your personal data, treat it confidentially and to process it in accordance with the law. Where we use third parties we will take all reasonable steps to ensure that:-

they have adequate technical and other measures in place to ensure the security of your personal information;
that they only use it for specified purposes;
that any employees or contractors who have access to the information are adequately trained and deal with it on a need to know basis only; and
that they act only in accordance with our instructions.


We will only market to you where you have:-

Specifically requested marketing information from us; or
Previously acquired similar services/goods from us; or
Consented by way of ticking a box or opting into receiving marketing from us.
If you have opted out of marketing, we will not send you any future marketing without your consent.

Each time we market to you, we will always give you the right to opt out of any future marketing. You have the right at any time to ask us not to market to you by emailing us at


Internet user privacy is of upmost importance to us and our customers. Our success depends on our ability to maintain the trust of our customers. To this end, we have two overriding policies:

Message recipient policy
Before customers can receive email messages, advertising or promotions, customers must have agreed to receive such messages, by either purchasing from us or by opting into one of our mailing lists. Any recipient may request at any time to be removed from our list, and we will comply with that request. In addition, we will thoroughly investigate any allegations made by recipients relating to unsolicited messages.

Policy against advertising our website using unsolicited email messages
We require that all e-mails promoting our business or its products are sent only to customers who have agreed to receive such messages. We prohibit any advertising of our brand and Web site using unsolicited email messages. If you feel you’ve been sent unsolicited emails promoting our brand or website and would like to register a complaint, please email us using our contact page. We will immediately investigate all allegations made related to unsolicited messages.

Your email address is safe with us.

  • We never sell or share your email addresses with other companies.

  • You can unsubscribe at any time.

  • We require that each email message sent out from us includes an easy way for subscribers to remove themselves via an unsubscribe link.

  • If you receive a newsletter or email and decide you don’t like it, simply click the unsubscribe link at the bottom of the email.

  • If you feel you’ve been sent unsolicited email and would like to register a complaint, please email us using our contact page.

Definition of Spam
Spam is unsolicited email sent in bulk. Any promotion, information or solicitation that is sent to a person via email without their prior consent, where there is no pre-existing relationship between the sender and the recipient, is spam.


You have rights as an individual which you can exercise in relation to the information we hold about you. These rights are:-

the right to restrict processing of your personal data;
the right to rectification or correction of your personal data;
the right to object to processing of your personal data;
the right of erasure of personal data (also referred to the right to be forgotten);
the right not to be subject to a decision based solely on automated processing or profiling;
the right to transfer your personal data (also referred to as the right of portability)
the right to withdraw your consent to processing your personal data; and
the right of access to your personal data.
Additional information about these rights can be found on the Information Commissioner’s website at

If you have provided consent and we are relying on that as the legal ground of processing your personal information and wish to exercise your right to withdraw that consent you can do so at any time by contacting us at



We try to be as open as we can in giving people access to their personal information. You can make a subject access request at any time. Any request requires to be in writing and is not subject to any charges or fees. If we do hold any personal information about you, we will:-

give you a description of it;
tell you why we are holding it;
tell you who it has or will be disclosed to;
the source of the information (if not you);
where possible, the period for which it will be stored; and 
let you have a copy of the information in an intelligible form.


We will respond to a subject access request within 30 days. On occasion, we may need additional information from you to determine your identity or help us find the information more quickly. Where the information you have requested is complex we may take longer than this but shall keep you advised as to progress should this be the case.

If you believe that any information we hold about you is incorrect or incomplete, you should email us at

Any information which is found to be incorrect will be corrected as soon as possible.


We would prefer to resolve any issues or concerns you may have direct with you. If you feel you are unable to resolve matters by contacting us directly or are you are unhappy or dissatisfied with how we collect or process your personal information you have the right to complain about it to the Information Commissioner who is the statutory body which overseas data protection law. They can be contacted through


Questions, comments and requests regarding this privacy statement are welcomed and should be addressed to

We keep our privacy statement under regular review. This privacy statement was last updated on 24-03-2024.

We are committed to keeping your personal data safe and secure, and to meeting the requirements of the UK General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (“DPA”), the Privacy and Electronic Communication Regulations 2003 (“PECR”) and other relevant data protection law.

bottom of page