Logo Worthwhile Chat
HomeFor IndividualsCommitmentsFor TeamsFAQHelpPromptingCommitmentsUse Cases
Link Four
Link FiveLink SixLink Seven
LoginRegister interest

Privacy Policy

Centre for Acceleration of Social Technology (CAST)

Worthwhile Chat Service

Effective Date: 7 January 2026

Last Updated: 7 January 2026

Version: 1.0

1. Introduction and Controller Information

The Centre for Acceleration of Social Technology (“CAST”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Worthwhile Chat Service (the “Service”).

CAST operates as the data controller for the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”). We are responsible for determining the purposes and means of processing your personal data in connection with the Service.

Controller Details

Organisation: Centre for Acceleration of Social Technology (CAST)

Legal Status: Registered Charity in England and Wales

Charity Registration Number: 1180906

Company Registration Number: 11606772

Registered Address: 2nd Floor, 145-157 St John Street, London, EC1V 4PY, United Kingdom

Contact Email: hello@wearecast.org.uk

Data Protection Contact: dataprotection@wearecast.org.uk

Telephone: +44 (0) 20 3897 7892

Data Protection Officer: CAST has appointed an internal Data Protection Officer who can be contacted at dataprotection@wearecast.org.uk for all matters relating to data protection and privacy.

This Privacy Policy applies to all users of our Worthwhile Chat Service, regardless of location, and should be read in conjunction with our Terms of Use and Cookie Policy. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

2. Information We Collect

2.1 Personal Data Categories

We collect and process the following categories of personal data when you use our Service:

Chat Interaction Data:

  • All messages and queries you submit to the AI chat interface
  • AI-generated responses provided to you
  • Conversation history and context
  • Timestamps of all interactions - Session duration and frequency of use

Technical and Usage Data:

  • Internet Protocol (IP) address
  • Browser type, version, and settings
  • Operating system and device information
  • Referring website addresses
  • Pages visited within our Service
  • Time spent on pages and interaction patterns
  • Error logs and diagnostic information
  • Performance metrics and response times

Account and Authentication Data (if applicable):

  • Username or display name
  • Email address (if account registration is implemented)
  • Authentication tokens and session identifiers
  • Account preferences and settings
  • Login timestamps and access patterns

Voluntary Information:

  • Feedback and survey responses
  • Support ticket communications
  • Any additional information you choose to provide

2.2 Sensitive Personal Data

We do not intentionally collect sensitive personal data (also known as “special categories” of personal data under UK GDPR), including information about your race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, or sexual orientation.

However, you may inadvertently include such information in your chat messages. We strongly advise against sharing sensitive personal information through the Service. If you do share such information, it will be processed under the same legal bases and safeguards as other personal data, with additional security measures where appropriate.

2.3 Children’s Data

Our Service is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at dataprotection@wearecast.org.uk.

For users between 13 and 16 years of age, we recommend parental guidance when using the Service, particularly regarding the sharing of personal information in chat interactions.

3. How We Collect Information

3.1 Direct Collection

We collect personal data directly from you when you:

  • Use the AI chat interface to submit queries or messages
  • Create an account or profile (if applicable)
  • Subscribe to updates or newsletters
  • Contact our support team
  • Participate in surveys or feedback collection
  • Report issues or provide suggestions

3.2 Automatic Collection

We automatically collect certain information when you access and use our Service through:

  • Cookies and Similar Technologies: As detailed in our Cookie Policy
  • Server Logs: Automatically generated when you access our Service
  • Analytics Tools: Third-party analytics services (with your consent)
  • Error Monitoring: Automated systems that detect and log technical issues

3.3 Third-Party Sources

We may receive information about you from third-party sources, including:

  • AI Service Providers: Technical metadata from AI processing services
  • Authentication Providers: If you use third-party login services
  • Security Services: Information from fraud prevention and security monitoring services
  • Public Sources: Publicly available information relevant to service security and compliance

4. Legal Bases for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

4.1 Performance of a Contract (Article 6(1)(b))

We process your chat interaction data and account information to provide the AI chat service you have requested. This includes: - Processing your queries and generating AI responses - Maintaining conversation context and history - Providing technical support and service functionality - Managing your account and preferences

4.2 Legitimate Interests (Article 6(1)(f))

We process certain personal data based on our legitimate interests, which include:

  • Service Improvement: Analysing usage patterns to enhance AI performance and user experience
  • Security and Fraud Prevention: Monitoring for suspicious activity and protecting against cyber threats
  • Technical Operations: Maintaining system performance, debugging, and infrastructure management
  • Research and Development: Improving AI capabilities and developing new features
  • Business Operations: Managing our organisation and fulfilling legal and regulatory obligations

We have conducted legitimate interest assessments to ensure our interests do not override your fundamental rights and freedoms.

4.3 Consent (Article 6(1)(a))

We rely on your consent for:

  • Optional Analytics: Non-essential analytics and performance monitoring
  • Marketing Communications: Sending promotional emails or updates (if you opt-in)
  • Non-Essential Cookies: Cookies that are not strictly necessary for service functionality

You may withdraw your consent at any time by contacting us or using the opt-out mechanisms provided.

4.4 Legal Obligation (Article 6(1)(c))

We may process your personal data to comply with legal obligations, including: - Responding to lawful requests from law enforcement or regulatory authorities - Complying with court orders or legal proceedings - Meeting regulatory reporting requirements - Fulfilling tax and accounting obligations

4.5 Vital Interests (Article 6(1)(d))

In exceptional circumstances, we may process personal data to protect vital interests, such as preventing serious harm or protecting life and safety.

5. How We Use Your Information

5.1 Primary Service Provision

We use your personal data primarily to provide and maintain our AI chat service:

Query Processing and Response Generation: We process your chat messages to understand your queries and generate relevant AI responses. This involves analysing the content, context, and intent of your messages to provide accurate and helpful information. The AI models require access to your conversation history to maintain context and provide coherent responses across multiple exchanges.

Service Personalisation: We use your interaction patterns and preferences to personalise your experience, including remembering your settings, adapting response styles, and improving the relevance of AI-generated content. This personalisation helps ensure that the Service meets your individual needs and preferences.

Technical Service Delivery: Your technical data helps us deliver the Service efficiently, including routing your requests to appropriate servers, optimising response times, and ensuring compatibility across different devices and browsers. We monitor system performance to maintain service quality and availability.

5.2 Service Improvement and Development

AI Model Training and Enhancement: We analyse conversation patterns, user feedback, and interaction data to improve our AI models’ accuracy, relevance, and safety. This includes identifying common query types, improving response quality, and developing new capabilities. All data used for training is processed in accordance with our data minimisation principles.

User Experience Optimisation: We study how users interact with our Service to identify areas for improvement, including interface design, feature development, and accessibility enhancements. This analysis helps us create a more intuitive and effective user experience.

Research and Innovation: We conduct research into AI applications for social good, using aggregated and anonymised data to understand how AI can better serve societal needs. This research supports our charitable mission and contributes to the broader field of beneficial AI development.

5.3 Security and Safety

Fraud Prevention and Security Monitoring: We monitor for suspicious activities, potential security threats, and misuse of our Service. This includes detecting unusual usage patterns, preventing unauthorised access, and protecting against cyber attacks. We maintain security logs and conduct regular security assessments.

Content Safety and Moderation: We implement measures to ensure that our Service is not used for harmful purposes, including monitoring for inappropriate content, preventing abuse, and maintaining community standards. This may involve automated and manual review of interactions.

Compliance and Risk Management: We process personal data to ensure compliance with applicable laws, regulations, and industry standards. This includes conducting risk assessments, maintaining audit trails, and implementing appropriate governance measures.

5.4 Communication and Support

Customer Support: We use your contact information and interaction history to provide technical support, answer questions, and resolve issues. This includes maintaining support ticket records and following up on reported problems.

Service Communications: We may send you important information about the Service, including security updates, policy changes, and service announcements. These communications are essential for maintaining a secure and compliant service.

Optional Marketing and Updates: With your consent, we may send you information about new features, research findings, and other updates related to our work in social technology. You can opt out of these communications at any time.

6. Data Sharing and Disclosure

6.1 Third-Party Service Providers

We share personal data with carefully selected third-party service providers who assist us in delivering and improving our Service. These providers are contractually bound to protect your data and use it only for the specified purposes.

AI and Machine Learning Providers: We work with leading AI service providers, including OpenAI, Anthropic, and other reputable organisations, to power our chat functionality. When you submit a query, it may be processed by these providers’ systems to generate responses. These providers have their own privacy policies and security measures, and we ensure they meet our standards for data protection.

Cloud Infrastructure Providers: We use cloud computing services from providers such as Amazon Web Services, Google Cloud Platform, or Microsoft Azure to host our Service and store data. These providers offer enterprise-grade security and compliance certifications, including SOC 2, ISO 27001, and other relevant standards.

Analytics and Performance Monitoring: With your consent, we may use analytics services such as Google Analytics to understand how our Service is used and to identify areas for improvement. These services typically process anonymised or pseudonymised data and are configured to respect your privacy preferences.

Security and Monitoring Services: We employ specialised security services to monitor for threats, prevent fraud, and maintain the integrity of our systems. These services may process technical data and access logs to identify and respond to security incidents.

6.2 Legal and Regulatory Disclosure

We may disclose personal data when required by law or when we believe disclosure is necessary to:

Comply with Legal Obligations: We will disclose personal data in response to valid legal requests, including court orders, subpoenas, search warrants, and regulatory investigations. We carefully review all such requests to ensure they are legally valid and appropriately scoped.

Protect Rights and Safety: We may disclose personal data when we believe it is necessary to protect our rights, property, or safety, or the rights, property, or safety of our users or the public. This includes cooperating with law enforcement investigations into serious crimes or threats.

Regulatory Compliance: We may share data with regulatory authorities as required for compliance with applicable laws and regulations, including data protection authorities, charity regulators, and other relevant bodies.

6.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of the transaction. We will provide notice of any such transfer and ensure that the receiving organisation commits to protecting your data in accordance with this Privacy Policy or an equivalent standard.

6.4 Data Sharing Safeguards

All data sharing arrangements include appropriate safeguards to protect your personal data:

Contractual Protections: We enter into comprehensive data processing agreements with all third-party providers, including specific provisions for data security, confidentiality, and compliance with applicable data protection laws.

Technical Safeguards: Data is encrypted in transit and at rest, access is restricted to authorised personnel only, and we implement monitoring and audit controls to ensure compliance with our data sharing agreements.

Regular Assessments: We regularly review and assess our third-party providers to ensure they maintain appropriate security standards and comply with their contractual obligations.

7. International Data Transfers

7.1 Transfer Mechanisms

Some of our service providers and partners are located outside the United Kingdom. When we transfer personal data internationally, we ensure appropriate safeguards are in place to protect your data.

Adequacy Decisions: We may transfer data to countries that have been deemed by the UK Government to provide an adequate level of data protection, including the European Economic Area and other countries with adequacy decisions.

Standard Contractual Clauses: For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the UK Information Commissioner’s Office or the International Data Transfer Agreement (IDTA) to ensure appropriate protection.

Certification and Codes of Conduct: We may rely on approved certification schemes and codes of conduct that demonstrate appropriate safeguards for international data transfers.

7.2 Specific Transfer Arrangements

AI Service Providers: Our AI service providers may process data in the United States and other jurisdictions. We ensure these transfers are protected by appropriate safeguards, including Standard Contractual Clauses and additional security measures.

Cloud Infrastructure: Our cloud infrastructure providers operate data centres in multiple jurisdictions. We configure our services to process and store data in the UK and EEA where possible, with appropriate safeguards for any necessary transfers outside these regions.

7.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for international data transfers to ensure that the level of protection provided in the destination country is not undermined. These assessments consider the legal framework, security measures, and practical safeguards in place.

8. Data Retention

8.1 Retention Principles

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention practices are based on the following principles:

Purpose Limitation: Data is retained only for the specific purposes for which it was collected and processed.

Data Minimisation: We regularly review and delete data that is no longer necessary for our legitimate purposes.

Legal Compliance: We maintain data for periods required by applicable laws and regulations.

User Control: We provide mechanisms for users to request deletion of their data, subject to legal and operational constraints.

8.2 Specific Retention Periods

Chat Interaction Data:

  • Active Conversations: Retained for the duration of your session and up to 30 days for context continuity
  • Conversation History: Retained for 3 months after your last interaction to enable service improvement and support
  • Aggregated Analytics: Anonymised conversation patterns may be retained indefinitely for research purposes

Technical and Usage Data:

  • Access Logs: Retained for 12 months for security monitoring and compliance purposes
  • Error Logs: Retained for 6 months for troubleshooting and system improvement
  • Performance Metrics: Retained for 24 months for service optimisation and capacity planning

Account Data:

  • Active Accounts: Retained for the duration of your account plus 12 months after account closure
  • Inactive Accounts: Accounts inactive for 24 months may be deleted after appropriate notice
  • Authentication Data: Retained for 90 days after account closure for security purposes

Support and Communication Data:

  • Support Tickets: Retained for 3 years after resolution for quality assurance and legal compliance
  • Email Communications: Retained according to our general email retention policy (7 years for business records)

8.3 Automated Deletion

We implement automated systems to delete data in accordance with our retention schedules. These systems include:

Scheduled Deletion Jobs: Automated processes that regularly identify and delete data that has exceeded its retention period.

Data Lifecycle Management: Systems that automatically move data through different storage tiers and ultimately to deletion based on age and usage patterns.

Audit and Monitoring: Regular audits to ensure deletion processes are functioning correctly and retention policies are being followed.

8.4 Legal Hold and Exceptions

In certain circumstances, we may need to retain data beyond our standard retention periods:

Legal Proceedings: Data may be retained longer if it is subject to legal hold due to litigation, investigation, or regulatory proceedings.

Regulatory Requirements: Some data may be subject to longer retention periods under specific regulatory requirements.

Security Incidents: Data related to security incidents may be retained longer for investigation and prevention purposes.

9. Data Security

9.1 Security Framework

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security framework is based on industry best practices and relevant standards, including ISO 27001 and SOC 2.

Risk-Based Approach: We conduct regular risk assessments to identify potential threats and vulnerabilities, implementing appropriate controls based on the level of risk and the sensitivity of the data.

Defence in Depth: We employ multiple layers of security controls, ensuring that if one layer is compromised, additional protections remain in place.

Continuous Monitoring: We maintain 24/7 monitoring of our systems to detect and respond to security incidents promptly.

9.2 Technical Safeguards

Encryption:

  • Data in Transit: All data transmissions are encrypted using TLS 1.3 or higher
  • Data at Rest: All stored data is encrypted using AES-256 encryption or equivalent
  • Key Management: Encryption keys are managed using industry-standard key management systems

Access Controls:

  • Authentication: Multi-factor authentication is required for all administrative access
  • Authorisation: Role-based access controls ensure users can only access data necessary for their functions
  • Privileged Access Management: Administrative access is monitored and logged

Network Security:

  • Firewalls: Network traffic is filtered through enterprise-grade firewalls
  • Intrusion Detection: Automated systems monitor for suspicious network activity
  • Segmentation: Network segmentation isolates critical systems and data

Application Security:

  • Secure Development: We follow secure coding practices and conduct regular security testing
  • Vulnerability Management: Regular vulnerability scans and penetration testing
  • Input Validation: All user inputs are validated and sanitised to prevent injection attacks

9.3 Organisational Measures

Staff Training and Awareness: All staff receive regular training on data protection and security best practices. This includes awareness of social engineering attacks, proper handling of personal data, and incident response procedures.

Background Checks: Staff with access to personal data undergo appropriate background checks and sign confidentiality agreements.

Incident Response: We maintain a comprehensive incident response plan that includes procedures for detecting, investigating, and responding to security incidents. This includes notification procedures for data breaches and coordination with relevant authorities.

Vendor Management: All third-party providers undergo security assessments, and we maintain ongoing monitoring of their security posture through regular audits and assessments.

9.4 Data Breach Response

In the event of a personal data breach, we will:

Immediate Response:

  • Contain the breach and assess the scope of the incident
  • Implement measures to prevent further unauthorised access
  • Preserve evidence for investigation purposes

Assessment and Notification:

  • Assess the risk to individuals’ rights and freedoms
  • Notify the Information Commissioner’s Office within 72 hours if required
  • Notify affected individuals without undue delay if there is a high risk to their rights and freedoms

Investigation and Remediation:

  • Conduct a thorough investigation to determine the cause and scope of the breach
  • Implement additional safeguards to prevent similar incidents
  • Provide support and guidance to affected individuals

10. Your Rights Under UK GDPR

10.1 Overview of Rights

Under the UK GDPR and DPA 2018, you have several important rights regarding your personal data. These rights are not absolute and may be subject to certain limitations and exceptions as provided by law.

10.2 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with specific information about our processing activities.

What You Can Request:

  • Confirmation of whether we process your personal data
  • A copy of your personal data in a commonly used electronic format
  • Information about the purposes of processing, categories of data, and recipients
  • Details about retention periods and your other rights
  • Information about the source of the data if not collected directly from you

How to Exercise This Right: Submit a request to dataprotection@wearecast.org.uk with sufficient information to verify your identity. We will respond within one month of receiving a valid request.

Limitations: We may refuse or charge for manifestly unfounded or excessive requests, particularly if they are repetitive. We may also be unable to provide information that would adversely affect the rights and freedoms of others.

10.3 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and to have incomplete personal data completed.

What You Can Request:

  • Correction of factual errors in your personal data
  • Completion of incomplete personal data, including by providing a supplementary statement

How to Exercise This Right: Contact us at dataprotection@wearecast.org.uk with details of the inaccurate or incomplete information and the corrections you would like us to make.

Our Response: We will assess your request and make appropriate corrections within one month. We will also notify any third parties to whom we have disclosed the data about the rectification, unless this proves impossible or involves disproportionate effort.

10.4 Right to Erasure (Article 17)

You have the right to have your personal data erased in certain circumstances, also known as the “right to be forgotten.”

When This Right Applies:

  • The personal data is no longer necessary for the original purposes
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The personal data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation

Limitations: We may refuse erasure if processing is necessary for:

  • Exercising freedom of expression and information
  • Compliance with legal obligations
  • Public health purposes
  • Archiving, research, or statistical purposes
  • Establishment, exercise, or defence of legal claims

How to Exercise This Right: Submit a request to dataprotection@wearecast.org.uk explaining why you believe your data should be erased.

10.5 Right to Restrict Processing (Article 18)

You have the right to restrict the processing of your personal data in certain circumstances.

When This Right Applies:

  • You contest the accuracy of the data (restriction applies while we verify accuracy)
  • Processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification of our legitimate grounds

Effect of Restriction: When processing is restricted, we may only store the data and process it with your consent or for specific limited purposes (legal claims, protection of others, or important public interests).

10.6 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

When This Right Applies:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

What We Provide: We will provide your data in JSON or CSV format, which can be easily imported into other systems. Where technically feasible, we can transmit the data directly to another controller at your request.

10.7 Right to Object (Article 21)

You have the right to object to processing of your personal data in certain circumstances.

General Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes. For legitimate interests, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Direct Marketing: You have an absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing.

How to Exercise This Right: Contact us at dataprotection@wearecast.org.uk or use any opt-out mechanisms provided in our communications.

10.8 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects.

Our Use of Automated Processing: Our AI chat service involves automated processing to generate responses to your queries. However, this processing does not typically produce legal effects or similarly significant effects. If we implement automated decision-making that affects you significantly, we will provide appropriate safeguards, including the right to human intervention and to contest the decision.

10.9 Exercising Your Rights

How to Contact Us:

  • Email: dataprotection@wearecast.org.uk
  • Post: Data Protection Officer, CAST, 2nd Floor, 145-157 St John Street, London, EC1V 4PY
  • Online Form: [If available on website]

Information Required: To process your request efficiently and verify your identity, please provide:

  • Your full name and contact information
  • Specific details about your request
  • Proof of identity (copy of passport, driving licence, or other government-issued ID)
  • Any relevant account information or reference numbers

Response Times: We will acknowledge your request within 5 working days and provide a substantive response within one month. In complex cases, we may extend this period by up to two months, and we will inform you of any extension and the reasons for it.

No Fee: We do not charge a fee for most requests. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, particularly if they are repetitive.

10.10 Right to Lodge a Complaint

If you are not satisfied with how we have handled your personal data or responded to your requests, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

ICO Contact Information:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

When to Complain: You can complain to the ICO if you believe we have not complied with data protection law or if you are not satisfied with our response to your requests. You do not need to complain to us first, but we encourage you to contact us initially so we can try to resolve any issues.

11. Cookies and Tracking Technologies

This section provides an overview of our use of cookies and similar technologies. For detailed information, please refer to our separate Cookie Policy.

11.1 Types of Cookies We Use

Strictly Necessary Cookies: These cookies are essential for the operation of our Service and cannot be disabled. They include session management, security, and authentication cookies.

Performance and Analytics Cookies: With your consent, we use cookies to collect information about how you use our Service, helping us improve performance and user experience.

Functional Cookies: These cookies enable enhanced functionality and personalisation, such as remembering your preferences and settings.

11.2 Cookie Consent

We obtain your consent for non-essential cookies through our cookie banner and preference centre. You can withdraw consent at any time by adjusting your cookie settings or contacting us.

11.3 Third-Party Cookies

Some cookies are set by third-party services we use, such as analytics providers. These third parties have their own privacy policies governing their use of cookies.

12. Changes to This Privacy Policy

12.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes through appropriate means.

Types of Changes:

  • Updates to reflect new features or services
  • Changes in legal requirements or regulatory guidance
  • Modifications to our data processing practices
  • Updates to contact information or organisational details

12.2 Notification of Changes

Material Changes: For significant changes that affect your rights or how we process your data, we will provide prominent notice through:

  • Email notification to registered users
  • Prominent notice on our website
  • In-service notifications when you next use the Service

Minor Changes: For minor updates, such as clarifications or administrative changes, we will update the “Last Updated” date at the top of this policy and may provide notice through our website.

12.3 Continued Use

Your continued use of the Service after we publish or send a notice about changes to this Privacy Policy means you consent to the updated policy, provided the changes are not material. For material changes, we may require your explicit consent before the changes take effect.

13. Contact Information and Complaints

13.1 Data Protection Contacts

Primary Contact:

  • Email: dataprotection@wearecast.org.uk
  • Response Time: We aim to respond to all data protection enquiries within 5 working days

General Enquiries:

  • Email: hello@wearecast.org.uk
  • Telephone: +44 (0) 20 3897 7892
  • Post: CAST, 2nd Floor, 145-157 St John Street, London, EC1V 4PY

Data Protection Officer: Our Data Protection Officer oversees our data protection compliance and can be contacted directly at dataprotection@wearecast.org.uk for complex data protection matters.

13.2 Complaint Procedures

Internal Complaints: If you have concerns about our data processing practices, please contact us first. We have internal procedures to investigate and resolve data protection complaints promptly and fairly.

External Complaints: You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at any time. Contact details are provided in Section 10.10 above.

European Data Protection Authorities: If you are located in the European Economic Area, you may also have the right to lodge a complaint with your local data protection authority.

Document Control

  • Document Owner: Data Protection Officer, CAST
  • Review Frequency: Annual or as required by legal/operational changes
  • Next Review Date: January 2027
  • Approval: Board of Trustees, CAST
  • Distribution: Public (website), Staff (internal systems)

This Privacy Policy is effective as of the date stated above and supersedes all previous versions. For questions about this policy or our data protection practices, please contact us using the information provided above.

Worthwhile Chat is part of Worthwhile AI
Terms of UsePrivacy PolicyData ConsentCookie Policy
Email CAST
CAST on Linked
CAST Medium blog
Email YouTube channel
Privacy Policy
Copyright © 2026 CAST