PRIVACY AND DATA PROTECTION POLICY
This privacy and data protection policy forms part of the Agreement between us and the User and applies to the Services provided by us through each of our Platforms and used by the User and anywhere else we interact with you.
1. Introduction
1.1. When you apply for membership and register with us and/or when you visit our Platforms, you are deemed to have entered into the Agreement (of which this policy forms part) and you will have provided us with personal information and have given us consent to processing your personal data (including your name, contact details, and device information) as described in this policy.
1.2. You are also consenting to the processing of your location data (including details of your current location disclosed by GPS or other technology, so that location-enable services are activated to serve relevant offers and perks and improve our Services).
1.3. You may at any time withdraw your consent to us processing your information by contacting us but that will not affect the lawfulness of any processing carried out before you withdraw your consent. You may also change your location settings via your device settings.
1.4. We will collect, process and store your personal data in accordance with the provisions of the Data Protection Act 2018 which implements the General Data Protection Regulation 2016.
1.5. This policy applies to any kind of personal information we collect from a member and/or a user through our Services and Platforms or any other contact and communications you may have with us that is connected to our Services (including contacting our Customer Service Team).
1.6. Your privacy is important to us and this policy explains what personal data about you we collect and process, how we use and protect the personal information we have collected and how you can exercise your privacy rights.
1.7. This policy will be updated from time to time to comply with applicable legislation. Our Platforms will have a link to the Agreement containing the latest version of this policy.
2. Your Personal data – what do we collect and why?
2.1. Personal data is any information that directly or indirectly identifies you. The personal information that we collect about you broadly falls into the categories set out in more detail below in clause 2.3.
2.2. In order to provide the Service in question to you, we will need to collect and process your personal data. These are necessary for the full functioning of the Service and to provide you with access to personalised offers and products and services.
2.3. Examples of the personal information we collect and why include:
2.3.1. Information that you provide:
Certain parts of the Platform may ask you to provide personal information such as your name, email address, telephone number, personal ID number, if you are in higher education, your student status, course or degeree and your student ID and your place of study. For example, we ask you to provide your contact details in order to register an account with us, to receive messages from us (or our advertiser partners), to get information about products, services and promotional offers, competitions, sweepstakes, polls and surveys, experiences and opportunities, and/or to submit enquiries to us (e.g. by interacting with our Customer Service team). You may provide information about your preferences, values, and beliefs when completing surveys, or entering competitions.
We will use the personal information that you provide to verify your identity, send relevant opportunities and information to you, improve our services, restrict age- appropriate products and services, and to help our partners send relevant information about their programmes, offers, products, and services.
For more information on internet-based advertising solutions, please see clause 2.3.3 (Information we obtain from third party sources) below.
2.3.2. Information that we collect automatically:
When you avail yourself of the Service and visit the Platform, we collect information automatically from your device.
The information we collect automatically includes information like your IP address, device type and software characteristics, unique device identification information, browser type, geographic location (e.g. country or city-level location), GPS (if enabled) and other technical information. We also collect information about how you and your device interact with the Platform, including pages you access and links you click, your purchase behaviour, engagement and interactions with perks, offers, features, polls, surveys and other content. Through our Apps, we may find out your location; remember that you can turn this feature off through your device’s settings. If you choose to receive push notifications when downloading or updating App preferences, you will receive content in that way.
Collecting this information enables us to verify your identity, provide our services to you and our partners, and to get paid. The information we collect positions us to better prevent fraud and enforce our rights, your rights and third party rights. It also helps us to understand the users of the Platform, such as where they come from and what content is of interest to them. We use this information for analytics purposes, to improve the quality of our Service and Platform, and to target and display content and services that are specifically suited to you. We may also use it to target different competitions and surveys based on detail, like which university you attend. Some information is collected via the use of cookies, web beacons and similar tracking technologies. See our Cookies Policy in Schedule 3 for more information on how and why we use cookies and similar technologies.
2.3.3.Information that we obtain from third party sources
From time to time, we may receive personal information about you from partners, suppliers and third party sources (including social media service providers, cookies and pixels).
This information includes your online interaction, and is used to provide services, and identify you as a member or a prospective customer of a partner, to monitor and analyse trends and usage, to learn more about our members, to be as relevant as we can, to improve the quality of our services and to tailor your experience and recommend products and services that we think you’ll be interested in. We will ask that these third parties are permitted or required to disclose your personal information to us. More details are set out in our Cookies Policy in Schedule 3.
We may use third party data sources to enhance the information we hold about you, only where these third parties are permitted or required to disclose your personal information to us. We help our partners display interest-based advertising using information you make available to us when you interact with our sites, content, or services. Interest-based ads, also sometimes referred to as personalised or targeted ads, are displayed to you based on information from activities such as purchasing through our Platform, use of devices, apps or software, visiting sites that contain Addreax or partner content or ads or cookies, or interacting with our tools. We offer you choices about receiving interest-based ads from us. You can choose not to receive interest-based ads from us by opting out on the Platform or here. You will still see ads, but they will not be personalised, and therefore may not be relevant to you.
3. Sharing of personal information and disclosing your information – to whom may we disclose?
3.1. When you use the Service, you may be asked to share personal information with others, and you may be asked to accept their terms and privacy policies (for example, with one of our clients or partners from whom you make a purchase. Please note that we are not responsible for personal data that you have shared with others.
3.2. We will not share or disclose your data other than on the terms of this policy. We may disclose your personal information to the following categories of recipients:
3.2.1. Our group companies;
3.2.2. Our agents and our contractors to enable them to work for us (always with confidentiality restrictions);
3.2.3. Our advisers (including lawyers, accountants and information security experts so that they can carry out their services);
3.2.4. Our partners (although we usually only provide aggregated information, unless there’s a competition, or something similar);
3.2.5. Our third party service providers who provide data processing services to us (for example, to support the delivery of, provide functionality on, or help to provide the Services or Platforms, enhance the security of our Platforms; or to perform analytics in order to improve the quality of our services and enhance your experience), or who otherwise process personal information for purposes that are described in this policy or notified to you when we collect your personal information. The majority of our service providers operate within Europe, however sometimes they may send your personal information outside of Europe. Some examples of the service providers we use and why are set out below:
3.2.5.1. Google assists us with our security (reCAPTCHA), our analytics, and helps us to set advertisements that reflect your interests; and
3.2.5.2. Facebook helps us to assess how effective our advertising is and also helps us to set advertisements that reflect your interests.
3.2.6. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your interests or those of any other person;
3.2.7. to third party agencies and advertisers (to provide advertising services);
3.2.8. to an actual or potential buyer, investor (and its agents and advisers) or authority in connection with any proposed restructure, public offer, purchase, merger or acquisition of any part of our business; and
3.2.9. to any other person with your consent to the disclosure.
4. Purpose and legal basis for processing personal information
4.1. We are the data controller for the processing of your personal data provided by you when you join us and use the Service and access the Platform.
4.2. We will primarily use your personal data to provide the Service and to continuously improve it. To fulfil this, we will process personal data for the purposes described in the table below.
4.3. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect and use it.
4.4. We will collect personal information from you for the following lawful basis: where we have yourconsentto do so, where we need the personal information to perform a contract with you, or where the processing is in the legitimate interests of us, you or third party and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person. If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we may not be able to enter into or perform the contract or comply with our legal obligations if you do not provide that information. An example of this is when we ask you to provide us with your university or college email address or student ID as we can’t verify that you’re a student or in higher education without it. We need the information to provide the service.
4.5. Similarly, if we collect and use your personal information in reliance on legitimate interests we will do so in the interests of providing direct marketing, to prevent and detect fraud, for organisational reasons, to improve our services, for network and information security purposes, to ensure we comply with the law and comply with your individual rights, to ensure we process any requests you make, to provide personalised messages, to retain evidence of our compliance and to defend Addreax against claims or fraud, for monitoring of performance, to improve our use of AI, for web analytics, to host data in the cloud, to carry out limited international transfers (our business is across a number of countries), for the purposes of an acquisition or legal restructuring, to update member details and preferences, and for logistics.
4.6. Some examples of the information we collect, the purposes for that collection and the lawful basis on which the processing is based include:
4.7. If any other legitimate interests are relevant we will make that clear at the time. Please have a look at our Cookie Policy in Schedule 3 if you are concerned about the “how and why” of the information collected through our use of cookies. If you have questions or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
5. How we keep your personal information secure
5.1. We use appropriate technical and organisational measures such as encryption, physical security, access restrictions to our application to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.
5.2. Where you have chosen a password that allows you to access certain parts of the Platform, you are responsible for keeping this password confidential. We advise you not to share your account log-in details, including your password, with anyone. We will not be liable for any unauthorised transactions entered into using your name and password.
5.3. The transmission of information via the internet e.g. by email is not completely secure. Although we will take steps to protect your information, we cannot guarantee the security of your data transmitted to the Platform.
6. Data retention
6.1. We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
6.2. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. We will not keep personal information that identified you for longer than 2 years after your membership has expired.
7. International data transfers / treatment outside the EU/EEA
7.1. Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.
7.2. Our Website servers, group companies (and staff) and third party service providers and partners operate around the world. This means that when we collect your personal information it may be processed in any of these countries.
7.3. In particular, personal data processed in the IT systems we use to provide the Service may be shared with IT providers outside the EU/EEA. This is done because the processing is necessary to satisfy our legitimate interest in providing quality and reliable services with secure technology.
7.4. However, we have taken appropriate safeguards to require that your personal information will remain protected. If processing takes place outside the EU/EEA or in a State that is not deemed to have an adequate regulatory framework that protects your personal data, we will ensure an appropriate level of protection for your personal data.
7.5. These safeguards are either (a) signing model clauses with the third party (through the application of the Commission’s standard contractual clauses and Article 46(2) of the General Data Protection Regulation); or (b) ensuring the third party is on the ‘Privacy Shield’ list; or (c) working with third parties in countries deemed to have adequate data protection laws.
7.6. Additionally, if we share personal information with a third party acting as our data processor, we remain responsible for how that information is processed. We will ensure we have a contract in place which sets out our liability clearly.
8. Automated decision making
8.1. Our use of your personal information (including engagement behaviour) may result in automated decisions being taken, for example, which advertisements or content to show you. It is not our intention that these decisions legally affect you or similarly significantly affect you.
8.2. Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contact us using the contact details provided below.
9. Your data protection rights
9.1. You have the following data protection rights:
9.1.1. Right to access, rectification or deletion
9.1.1.1. We want to be open and transparent about how we process your personal data. If you wish to gain insight into our processing of your personal data, please request an extract showing what personal data we have about you. If any personal data about you is incomplete or inaccurate, you have the right to request that it be corrected or deleted.
9.1.1.2. If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided below. Please note, that if you request us to delete your data your information and all interaction information will be deleted. You must uninstall our App (if you have been using this on your phone) to remove any residual data stored on your device.
9.1.1.3. Access If we receive a request from you for access, we may ask for additional information to ensure what information you wish to access and that we disclose the information to the right person.
9.1.1.4. We will respond to your request without undue delay and within one month. You have the right to receive such information free of charge once a year, but we may charge you a small administration fee.
9.1.1.5. Rectification You always have the right to request that your personal data be corrected if the data is incorrect. Within the scope of the stated purpose, you also have the right to supplement any incomplete personal data.
9.1.1.6. Upon correction, we notify the recipients who have received your personal data from us that you have requested correction of the data, unless it is impossible or involves a disproportionate effort for us to do so.
9.1.1.7. Deletion You have the right to request the deletion of personal data that we process if:
(i) the data is no longer necessary for the purposes for which they have been collected or processed;
(ii) you object to a balance of interests that we have made and there is no legitimate interest in those of us who weigh heavier;
(iii) you object to processing for direct marketing purposes;
(iv) the personal data has not been processed in accordance with applicable regulations; or
(v) the personal data must be deleted in order to fulfil a legal obligation to which we are subject.
9.1.1.8. However, despite your request for deletion of personal data, we have the right to continue the processing and not comply with your request if the processing is necessary for us:
(i) to fulfil a legal obligation to which we are subject; or
(ii) to be able to establish, enforce or defend legal claims.
9.1.1.9. We will notify the recipients who have received your personal data from us that you have requested deletion of the data, unless it is impossible or involves a disproportionate effort for us.
9.1.2. Right to restriction and portability
9.1.2.1. You can object to the processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided below.
9.1.2.2. Restriction You have the right to require that our processing of your personal data be restricted if:
(i) you dispute the accuracy of the personal data, for a period of time that allows us to verify the accuracy of the personal data;
(ii) the processing is illegal and you object to the deletion of personal data and instead request a restriction on their use;
(iii) we no longer need the personal data for the purposes of the processing, but you need the data in order to establish, enforce or defend legal claims;
(iv) you have objected to processing in accordance with Article 21(1) of GDPR pending verification of whether the legitimate reasons of the controller outweigh the legitimate grounds of the data subject;
(v) you have objected to a balance of interests that we have made as a legal basis for a purpose. You can then request limited processing for the time we need to check if our legitimate interests outweigh your interests in having the data deleted.
9.1.2.3. If the processing has been restricted under any of the above situations, we may only process the data in addition to the data retention itself in order to establish, enforce or defend legal claims, to protect someone else’s rights or if you have given your consent.
9.1.2.4. We will notify the recipients who have received your information from us that you have requested limitation of processing of the data, unless it is impossible or involves a disproportionate effort for us.
9.1.2.5. We will inform you in advance if the restriction on personal data processing ends.
9.1.2.6. Portability If our right to process your personal data is based on the fulfilment of commitments in a contract with you, you have the right to request that the data relating to you that you have provided to us be transferred to another data controller (so-called data porting). It is a prerequisite is that the portability can be done automated and that it is technically possible.
9.1.3. Right to object on balance of interests
You may object to us processing personal data about you on the basis of a balance of interests. In such cases, we will cease processing unless we can demonstrate a compelling legitimate reason for the processing in question that outweighs your interests, rights or freedoms. Otherwise, we may only process the data in order to establish, exercise or defend legal claims.
9.1.4. Right to decline direct marketing (including analysis performed for purposes)
9.1.4.1. You may object to your personal data being processed for direct marketing purposes. The objection also covers the analysis of personal data (so-called profiling) carried out for direct marketing purposes.
9.1.4.2. You have the right to opt-out of email and SMS marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing emails and SMS messages we send you or through your account settings. Please note that you cannot unsubscribe from certain communication, from us, such as messages relating to your account transactions, non-promotional messages, business relationships or system updates or system issues.
9.1.4.3. Please note, that to opt out of receiving mobile push notifications from Addreax, you can use your mobile device’s settings functionality to turn them off.
9.1.4.4. If you object to direct marketing, we will cease processing your personal data for that purpose and cease any direct marketing action. Please note that this may mean that we are no longer able to provide all aspects of the Service.
9.1.4.5.You have the option to decline mailings and personal offers in some channels. For example, you can choose to receive offers only from us by email, but not SMS. In this case, you should not object to the personal data processing for marketing purposes in general as we will have difficulty assessing which marketing is relevant to you.
9.1.4.6. If this is not impossible or otherwise involves a disproportionate effort for us, we will notify the recipients who have received your information from us that you have requested that the data be not processed for direct marketing purposes.
9.1.5. Right to withdraw consent
If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
9.1.6. Right to complain
You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)
9.2. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Where we process your information based on our legitimate interests, you have the right to object to that processing, subject to certain exceptions. It is important to note that these rights are not automatic rights and may not apply in all instances.
10. Children
The Services provided by Addreax are not intended for use by children under 15 years old. We do not knowingly collect information from children under 15 years old. If you learn that your minor child has provided us with personal information without your consent, please contact us on [email protected].
11. Cookies and similar tracking technology
11.1 We use cookies and similar tracking technologies (collectively, “Cookies“) to recognise you when you visit the Website or App of our Service.
11.2 A cookie is a small file that we request to be saved in your browser and stored on your computer or mobile device. Each cookie contains a small amount of information that is required, for example, to improve functionality of our Website or App so the User can access different functions of our Website or that is used to “remember” the User’s actions or preferences over time.
11.3 We use two types of cookies on our Websites:
11.3.1 session cookies: these are stored only temporarily until the User leaves the Website; and
11.3.2 permanent cookies: these are stored on your computer or mobile device for a longer period of time (the cookie has an expiration date) or until the User removes them himself.
11.4 Cookies are provided either by ourselves (so-called “First-party cookies“) or by third parties (so-called “Third-party cookies“).
11.5 First-party are cookies that we have placed on the Website or App and these contain information about the User and keep the User logged on. We do not share this information with third parties.
11.6 Third-party cookies are cookies placed by our partners, including providers of marketing materials, analytics tools and social media who may place cookies on your computer or mobile device when you visit the Website or App in order to deliver their services. We are not in a position to control the content or use of these third-party cookies.
11.7 The User can always block cookies and/or delete cookies that have already been saved on the User’s computer or mobile device by accessing the settings in their browser.
11.8 If the User does not accept the use of cookies or if the User chooses to block and/or delete cookies, the functionality of the Website will deteriorate, i.e. the User will not be able to use all the features of the Website which we offer.
11.9 For more information about the types of Cookies we use, why and how you can control Cookies, please see our separate Cookies Policy in Schedule 3.
12. Updates to this policy
We may update this policy from time to time in response to changing legal, technical or business developments. When we update our policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. Please check back regularly for updates.
13. Data Controller and Data Protection Officer
13.1 For the purpose of the General Data Protection Regulation, the data controller is Addreax Group Limited, a private limited liability company incorporated and registered in England and Wales with company number 12013604 and registered address at 42 Lytton Road, Barnet, Hertfordshire EN5 5BY, United Kingdom.
13.2 The Data Protection Officer can be contacted at: [email protected]
14. How to contact us / Questions
14.1 For any questions about this policy or complaints regarding the processing of your personal data, please contact us by email at [email protected].
14.2 If you have general questions about your account or how to contact Customer Service for assistance, please contact our online help centre at [email protected].
14.3 Please note that if you contact us, we may need to authenticate your identity before fulfilling your request and will talk you through the process. We use this authentication process because the security of your information is important to us and we want to be extra careful.
15. Disagreement with policy
If you disagree with our policy as set out herein you should cancel your account and stop using our Services.