We have appointed a Privacy Officer to oversee compliance with this policy. If you have any questions about this policy or how we handle personal information, please contact the Privacy Officer in writing using the details below.
Name: Shona Davies
3rd Floor, 207 Regent Street
- Our company number is: 6126239
- Our ICO registration number is: ZA696189
Introduction and purpose
Upstart Breakthrough Strategy Ltd (‘Upstart’, ‘we’, ‘our’, ‘us’, ‘the Company’) is committed to protecting the privacy and security of your personal information.
This policy describes how we collect and use personal information about you, in accordance with the UK General Data Protection Regulation (GDPR).
Upstart is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this policy.
This policy applies to past and present clients, suppliers and research participants. This policy does not form part of any contract that we may have in place with you.
It is important that you read this policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Changes to this policy
We reserve the right to update this policy at any time and we will publish the new policy to our website when we make substantial updates.
1. The Data Protection Principles
We will comply with data protection law. The law says that the personal information that we hold about you must be:
- Used in a lawful, fair and transparent way in compliance with the law, and in ways that you have been told about.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes that we have told you about.
- Kept securely and confidentially.
- Kept responsibly, with appropriate measures and records in place to ensure compliance.
2. The kind of information that we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (such as anonymous data).
There are some ‘special categories’ of more sensitive personal data which require a higher level of protection.
We collect, store and use some or all of the following categories of personal information about you:
A) Basic personal information: name, title, address, telephone numbers, email addresses, nationality and a photograph (the latter for staff and associates only).
B) Payment details: national insurance number, company numbers, VAT account numbers, bank account details, tax status information.
C) Details of your relationship with us: start date of contract or relationship, location of usual place of business, key contacts’ basic personal information, job titles, transaction history, delivery details, service level preferences and qualifications.
D) Research information: customer satisfaction data, salary and/or other remuneration details, education level, vehicle information, travel information.
E) Monitoring: CCTV footage, swipe/fob records, and use of our IT and communications systems.
Typically we will hold information in categories A-C and E in relation to clients and suppliers and information in categories A, C and D in relation to research participants.
3. Special Categories
We may also collect, store and use the following ‘special categories’ of more sensitive personal information:
F) Health information: medical records are kept in line with our Sickness and Absence Policy for employees only. Dietary requirements may be held on file for meeting attendees and research participants.
G) Criminal records: criminal convictions and offences.
Typically we will hold information in category G in relation to employees and suppliers only.
4. How we collect your personal information
We collect or determine personal information through our marketing, purchasing and research processes. The information is either provided directly by yourself as a potential client, supplier or research participant, or by an outsourcing agency or market research provider who has the legal right to share the data.
We collect personal information falling within categories D and F in the course of the research that you participate in.
5. How we use your personal information
We will only use your personal information when the law allows us to. The law says that we must identify a lawful basis for each use of your personal data. We rely on a number of lawful bases, including:
- Where we have obtained freely given, specific, informed and unambiguous consent from you to use your personal information in certain ways.
- Where we have a contractual obligation that we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for us to use your personal information to pursue our legitimate interests (or those of a third party) and we believe that using your personal information in that way is not overridden by your interests or your fundamental rights.
Below, we have set out the purposes for which we use each category of your personal data and the lawful bases which are relevant to those purposes.
- We use your basic personal information to contact you in the course of our relationship. Our lawful basis for this is consent (when the data is provided directly by you) and in order to fulfil our contractual obligations to you where appropriate.
- In the case of research participants, we use your payment details to pay you money that we owe you and to deduct tax and national insurance contributions where applicable. With clients, we hold tax status and company details in order to invoice for services rendered. Our lawful basis for this is to perform the contract that we have entered into with you.
- We use your relationship details for business management, accounting, auditing and planning. We also use your relationship details to conduct service reviews, financial reviews, to manage service delivery, to assess suitability for particular contracts, to determine service requirements and to deal with legal disputes.
- Our lawful basis for this in relation to suppliers is our legitimate interest in ensuring that our financial resources are deployed effectively to ensure that our business prospers.
- Our lawful basis for this in relation to clients and prospective clients is our legitimate interest in providing the best possible service and creating and maintaining strong client relationships.
- Our lawful basis for this in relation to research participants is our legitimate interest in the proper management of our research activities.
- We use your research information to conduct research, test hypotheses and report findings to our clients. Our lawful basis for this is explicit consent.
- We use monitoring to conduct service reviews and manage performance, to ensure network and information security, including preventing unauthorised access to our systems and preventing malware distribution, to ensure compliance with our IT and communications policies, to gather evidence for possible complaints hearings and to deal with legal disputes. Our lawful basis for this is our legitimate interests in securing our information and systems and in ensuring that you are carrying out your obligations in accordance with our contract with you and our policies and procedures.
7. Special Categories & Sensitive Data
‘Special categories’ of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. Below we have identified the further justification on which we are relying to process your special category personal data. We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.
- We use equality information for equal opportunities monitoring and to ensure that our premises and communications are accessible. Our lawful basis for this is our legitimate interest in ensuring that we attract, maintain and support a diverse client base and supply chain. Our further justification is that it is in the public interest to ensure meaningful equal opportunities monitoring and reporting.
- We use research information (health) for conducting research, testing hypotheses and reporting findings to our clients. Our lawful basis for this is consent. Our further justification is explicit consent to use such sensitive data for this purpose. (In this instance, the law recognises that consent can be both a lawful basis and a further justification).
- We use criminal records to make decisions about appointments and to check that you are legally allowed to perform any obligations you may owe to us as part of our relationship. Our lawful basis for this is our legitimate interest in ensuring the suitability of suppliers and others for the function they perform. Our further justification is that it is in the public interest to protect the public against dishonesty, unfitness or mismanagement.
- We process medical records for employees only when necessary to establish fitness to work and/or establish any reasonable changes to working conditions that will facilitate a return to work. Our lawful basis for this is consent. Our further justification is explicit consent to use such sensitive data for this purpose.
8. If you fail to provide personal information
If you fail to provide certain personal information when we request it, we may not be able to perform our contract with you properly (such as paying you or delivering a service) or we may be prevented from achieving our legitimate interests (such as to ensure the safety and accessibility of our premises for people of differing abilities).
9. Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so.
10. Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making where we have notified you of the decision and given you 30 days to request a reconsideration, where it is necessary to perform a contract with you or with your explicit written consent.
We will not make any decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
11. How we store your data
‘Third parties’ includes third-party service providers (including contractors and designated agents) and other entities within our group. Activities carried out by third-party service providers include (but are not limited to) advertising, digital development, market research, communications, email hosting and cloud storage.
All third parties are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow third parties to use your personal data for their own purposes. We only permit them to access your personal data for specific purposes and in accordance with our instructions, or in the case of clients for the specific purposes that we have agreed with them in advance.
We may share your personal information with other third parties, for example with a potential purchaser in the context of a potential sale or restructuring of the business. We may also need to share your personal information with a regulator to comply with the law.
We may transfer your personal information outside the UK. If we do, you can expect a similar degree of protection in respect of your personal information. We currently transfer the personal information that we collect about you to the following countries outside the UK: USA, EU, EEA and selected European countries.
Transfers will always be subject to adequate safeguards.
These safeguards may take the form of an adequacy decision. An adequacy decision means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
To ensure that your personal information does receive an adequate level of protection in the absence of an adequacy decision, we will put in place binding corporate rules or standard contractual clauses approved by the ICO to ensure that your personal information is treated by those third parties in a way that is consistent with and respects UK laws on data protection. The ICO has issued adequacy decisions in line with EU GDPR adequacy decisions (as at March 2021) and continued use of the Directive’s Standard Contractual Clauses and Privacy Shield in all other cases.
If you require further information about these protective measures, please contact our Privacy Officer at email@example.com.
Unless requested by you, we keep the information that we hold about you (see Section 2) for 7 years. We will then dispose of your information by working with our Sales, Marketing, Operations and Executive teams to identify the systems that hold your data and purge them.
Please note that, regardless of a deletion request, if we have received funds from or entered into a contract with an individual and the authorities ask us to provide information about them, we must fulfil that request, and so the following data will be kept:
- Contract-related Data
- Transaction data
- Background data (as in the case with a contractor)
- Enquiries or follow-ups related to Upstart payments
In cases where we have received a request to delete data, we will keep a record only of the initials of the requestor and the relevant dates (when we received the request, when it was actioned, etc.) for audit purposes. We will also advise you if your data was stored in HubSpot so that you can make a direct request for deletion to them as per their deletion policy.
12. Data security
We have put in place appropriate security measures to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those people who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We retain sensitive information with an increased level of security over-and-above our standard information security practices.
13. Data retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We retain personal information, excluding health and safety information, for the period of our relationship with you and for 7 years after the relationship terminates.
We retain personal information related to job applications for a period of 2 years.
We retain health and safety information permanently.
We retain sensitive medical information related to employees only as long as is necessary to make a determination as to their fitness to work and/or any reasonable adjustments required to facilitate a return to work.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
14. Changes to your data
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes during your working relationship with us. If your personal information changes, please contact our Privacy Officer at firstname.lastname@example.org.
15. Your rights
Under certain circumstances, by law you have the right to:
- Request access to your personal information. This is commonly known as a subject access request. This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Request the reconsideration of an automated decision. This enables you to ask us to reconsider a decision that was made solely by automated means or to ask for human intervention.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer a copy of your personal information to another party or request the reconsideration of an automated decision, please contact our Privacy Officer at email@example.com.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Privacy Officer at firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.
16. How to Complain
If you have any concerns over how we use your data, please contact our Privacy Officer in the first instance at email@example.com.
If you are not satisfied that we have addressed your concerns adequately, you have the right to lodge a complaint with the ICO. Their contact details are below:
Information Commissioner’s Office
Helpline Tel: 0303 123 1113
ICO website: https://www.ico.org.uk