UnderPinned Ltd (“we”, “our” or “us”) take the privacy of your information very seriously. This Privacy Notice is designed to tell you about our practices regarding the collection, use and disclosure of personal information which may be collected in person from you, obtained via our apps and/or websites or collected through other means such as by an online form, email, or telephone communication. This notice applies to personal information provided by our contacts, users and customers whose data we process. In this notice “you” refers to any individual whose personal data we hold or process in accordance with the UK GDPR and the Data Protection Act 2018.
Below we have set out the categories of data we collect, the legal basis we rely on to process the data and how we process the data:
- Contact Information: Contact information for our users, customers and potential customers such as names, email addresses, phone numbers, addresses. We process this information when we communicate with you or provide services to you on the basis of our legitimate interest in providing our services to our customers and users.
- Profile Information: Information we may collect for the purposes of your membership or user profile. We process this information in order to provide relevant information to you on the basis of our legitimate interest in providing our services to our customers and users.
- Portfolio Information: Information provided by our users as part of their Accelerator portfolios. We process this information so that our users can send their portfolios to potential clients on the basis of our legitimate interest in providing our services to our customers and users.
- Client Contact Information: Information we collect about client leads for our users to potentially match with. We process this information on the basis of our legitimate interest in providing services to our customers and users.
- Virtual Office Information: Information our users input for the purposes of contract and invoice creation, which includes their own name, address and bank account details, the same details relating to their customers, and any other information about either party provided by our customer for inclusion in the contract or invoice. We process this information on the basis of our legitimate interest in providing our services to our customers.
- Communications Information: A record of any correspondence or communication between you and us. We process this information when we monitor our relationship with you and provide services to you on the basis of our legitimate interest in providing our services to our customers and users.
- Marketing Information: Information we may hold about you in order to provide information about our services. This may include names, email addresses, phone numbers, addresses, your marketing preferences, and any other information you provide to us for marketing purposes. We process this information either on the basis of our legitimate interests in communicating with you about our services (if you are an existing customer) or on the basis that you have consented to receive the information (e.g. if you choose to sign up to a newsletter).
Much of the personal data described above, particularly Contact Information, Profile Information, and Communications Information, is necessary for our apps, websites, events, etc. to function, and without this information we cannot provide our services to you.
While we may ask you to provide us with credit card details, we provide these details directly to Stripe and do not make a record of them.
Our current data retention policy is to delete or destroy (to the extent we are able to) personal data after the following periods:
- If you cancel or delete your account, we will notify you that you have 48 hours to download your invoices and contracts, following which these will be deleted from our systems and your account information will be anonymised.
- Records relating to a contract with us – if you have not cancelled or deleted your account, we will retain your data for 7 years from either the end of the contract or the date you last used our services, being the length of time following a breach of contract in which a contract party is entitled to make a legal claim.
- Marketing and contact records – 3 years from the date of your last interaction with us.
For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data. The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
We may disclose information to third parties in the following circumstances:
- Your Profile and Portfolio Information will be accessible to other users.
- We may disclose information about your usage of our services to your university (our customer) as part of our services to them. The exact information we disclose may vary between universities, but may include basic information like your name and contact details, as well as number of clients and invoices, and amounts charged. If you wish to know which information will be provided to your university, please contact [email protected]
- Client Contact Information will be provided to users.
- As part of our services we may provide information to our third party service providers;
- We may disclose information to our group companies;
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
- In order to enforce any applicable terms and conditions or agreements for our services;
- We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation, but we will take steps with the aim of ensuring that your privacy rights continue to be protected;
- To protect our rights, property and safety, or the rights, property and safety of our users or any other third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
If we do supply your personal data to a third party we will take steps to ensure that your privacy rights are protected and that third party complies with the terms of this notice.
We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage.
With respect to your personal data, you have the right to:
- Request that your personal data will not be processed;
- Ask for a copy of any personal data that we have about you;
- Request a correction of any errors in or update of the personal data that we have about you;
- Request that your personal data will not be used to contact you for direct marketing purposes;
- Request that your personal data will not be used for profiling purposes;
- Request that your personal data will not be used to contact you at all;
- Request that your personal data be transferred or exported to another organisation, or deleted from our records; or
- At any time, withdraw any permission you have given us to process your personal data.
Please note that none of these rights are unqualified and exceptions may apply.
All requests or notifications in respect of your above rights may be sent to us in writing at the contact details listed below. We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
If personal data we hold about you is subject to a breach, including any unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and/or our data protection manager. If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
We will not transfer your personal data in a systematic way outside of the United Kingdom or European Economic Area (“EEA”) but there may be circumstances in which certain personal information is transferred outside of the UK or EEA, in particular:
- If you use our services while you are outside the UK or EEA, your information may be transferred outside the UK or EEA in order to provide you with our services;
- We may communicate with individuals or organisations outside of the services in providing our services, and those communications may include personal information (such as contact information); for example, you may be outside of the UK or EEA when we communicate with you;
- From time to time your information may be stored in devices which are used by our staff outside of the UK or EEA (but staff will be subject to our cyber-security policies).
- If we transfer your information outside of the UK or EEA, and the third country or international organisation in question has not been deemed by the UK Secretary of State or the EU Commission (as appropriate) to have adequate data protection laws, we will provide appropriate safeguards and we will be responsible for ensuring your privacy rights continue to be protected as outlined in this notice.
If at any time you would like to contact us with your views about our privacy practices, or with any enquiry or complaint relating to your personal information or how it is handled, you can do so by contacting us using the details below:
Address: 1 Gossamer Gardens, E2 9FN, London, UK
Email: [email protected]