Community Buying as CAS

Community Buying at CAS, part of Business Services at CAS Ltd

Privacy Policy

The General Data Protection Regulation (GDPR)  

This legislation replaces previous data privacy law, giving more rights to you as an individual and more obligations to organisations holding your personal data.

One of the rights is a right to be informed, which means we have to give you even more information than we do now about the way in which we use, share and store your personal information.

This means that we are publishing an updated privacy notice so you can access this information, along with information about the increased rights you have in relation to the information we hold on you and the legal basis on which we are using it.

How we use your information

Community Buying at CAS is part of Business Services at CAS Ltd (also referred to as “we”, “us”, or “our”), which is a registered company in England (Company no 03332778). Our registered address is Business Services at CAS Ltd, Brightspace, 160 Hadleigh Road, Ipswich, Suffolk IP2 0HH. We are a subsidiary of Community Action Suffolk, registered office as above. Registered Charity Number: 1150501. A company limited by guarantee and registered in England. Number 08316345.

This privacy notice tells you what to expect when Community Buying at CAS collects personal information. It applies to information we collect about:

  • visitors to our websites;
  • enquirers, complainants and other individuals in relation to an enquiry or complaint;
  • people who use our services, e.g. who join Community Buying at CAS in order to purchase fuel or other goods or services.

Visitors to our websites

When someone visits any of our community buying websites (, and we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of cookies by the Community Action Suffolk and its subsidiaries

You can read more about how we use cookies on our Cookie Policy page.


Group E-communications

We use a third party provider, MailChimp, to deliver our bulk monthly order deadline reminders, our annual membership renewal reminders, and our price and delivery detail emails. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-communications. For more information, please see the MailChimp Privacy Policy.

Security and performance

We implement security safeguards designed to protect your data, such as HTTPS on our websites, hardware and software firewalls, username and password based permission systems as well as a variety of physical security methods on buildings that host your data. We regularly monitor our systems for possible vulnerabilities and attacks. More information on specific measures enforced can be seen below.

Physical Security

All Community Action Suffolk IT Services are provided in a locked, secured and alarmed building which is monitored by an external security company outside office hours. Servers hosted in the building are also stored in an air conditioned, locked room within the building to provide additional protection.

Software Security

Community Action Suffolk has a hardware firewall over it’s router to protect users within the building against online threats. All computers within the Community Action Suffolk network are protected with business class Internet Security Software.

Any sensitive client data that Community Action Suffolk stores i.e. login passwords to systems are stored in password and credential based systems which only the IT team has access to.

Wifi Security

Community Action Suffolk enforces WPA2 password security methods to protect its wireless networks against threats.

Website Security

This website and all websites owned by Community Action Suffolk are protected with a “SSL” encrypted certificate.

However, we cannot warrant the security of any information that you send us. There is no guarantee that data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.


We use a third party service,, to publish our websites, see the WordPress Privacy Policy. We use a secure WordPress website to collect members’ information, on joining Community Buying and for the placement of orders. This information is then securely exported and shared with AF Affinity Ltd, in order for them to be able to place bulk orders with the chosen supplier.

AF Affinity Ltd

We use AF Affinity Ltd as our fuel buyers. If you are a domestic community buying member, please see AF Affinity Individual Privacy Policy. If you are a community group, community buying or business member, please see the AF Affinity Business Privacy Policy. We share data with AF Affinity and them us using secure password protected methods, purely for the purposes of providing the Community Buying service to members and for the placement of orders. AF Affinity share data with the chosen suppliers in order to fulfil order requirements.

Contact Relationship Management (CRM)

We use a third party service, GMCVO Databases Ltd, to provide our CRM service, see the GMCVO Databases Ltd Privacy Policy. We use a secure GMCVO website to collect and record members’ information, to record their membership with Community Buying. This information is recorded for data analysis and reporting purposes with Community Action Suffolk.

People who contact us via social media

Facebook, Twitter and LinkedIn are social networks. Integration of social network components allows them to track which page on our site you are accessing, but only if you are logged in to their account. If you do not wish this, please log out of your social network accounts before browsing the web.

Facebook privacy policy can be accessed here –

Twitter privacy policy can be accessed here –

LinkedIn privacy policy can be accessed here –

People who call us by telephone

When you call Community Action Suffolk, we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness.

People who email us

We use Microsoft Exchange to process emails through Microsoft Outlook. We use Transport Layer Security (TLS) to encrypt and protect email. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. Microsoft Privacy Statement

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s delivery is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

People who use Community Buying at CAS services

Community Buying at CAS offer various services to the public, community groups and businesses. We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a service to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe as a member to obtain our services, they can cancel their membership at any time by simply letting us know.

Your rights

Under the Data Protection Bill (Data Protection Act 1998 and subsequent GDPR Regulations) you have rights as an individual which you can exercise in relation to the information we hold about you.

Data Retention

We retain your personal data while your account is in existence or as needed to provide you services. This includes data you or others provided to us and data generated or inferred from your use of our services. We will continue to retain your data for future service provision and marketing purposes unless you tell us otherwise by unsubscribing from our mailing list or asking for your data to be removed. The retention period for your data, after cancellation of service or registration is for a period of 3 years, after which date, all personal identifying data will be removed.

Rights to Access and Control Your Personal Data

For personal data that we have about you:

  • Delete Data: You can ask us to erase or delete all or some of your personal data (e.g., if it is no longer necessary to provide services to you).
  • Change or Correct Data: You can ask us to change, update or fix your data in certain cases, particularly if it’s inaccurate.
  • Object to, or Limit or Restrict, Use of Data: You can ask us to stop using all or some of your personal data (e.g., if we have no legal right to keep using it) or to limit our use of it (e.g., if your personal data is inaccurate or unlawfully held).
  • Right to Access and/or Take Your Data: You can ask us for a copy of your personal data and can ask for a copy of personal data you provided in machine readable form.

If you want to remove yourself from our mailing list which will stop ALL communications from Community Buying at CAS, then from one of our emails, simply click on the “Unsubscribe” link at the bottom and follow any on screen instructions. Alternatively you can also contact us via email at or by telephone on 01473 345400 and we will process your request for changes, deletions or requests of data within 1 calendar month.

To make a request to Community Buying at CAS for any personal information we may hold you need to put the request in writing addressing it to the address provided below. If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone. If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting Community Buying at CAS.

Account Closure

If you choose to close your Community Buying account, you will be automatically removed from our mailing list and all of your services associated with your account will end when your subscription period (that you have paid for) has ended.

We retain your personal data even after you have closed your account if reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, enforce our Terms and Conditions, or fulfil your request to “unsubscribe” from further messages from us.

Complaints or queries

Community Buying at CAS try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you want to make a complaint about the way we have processed your personal information, you can contact us by emailing

You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website which is, by live chat or by calling their helpline on 0303 123 1113.

Access to personal information

Community Buying at CAS try to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

Disclosure of personal information

In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.

You can also get further information on:

  • agreements we have with other organisations for sharing information;
  • circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
  • our instructions to staff on how to collect, use and delete personal data; and
  • how we check that the information we hold is accurate and up to date.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 21 May 2018.

How to contact us

If you want to request information about our privacy policy you can email us or write to:

Community Buying at CAS
Community Action Suffolk
160 Hadleigh Road
Suffolk IP2 0HH