‘Because your data and privacy are so important, we wanted to let you know that when you share your information with us, that we are responsible for it. We take this obligation very seriously indeed.’
Polly Barnfield OBE, CEO and Founder of Maybe
Our policy on data protection
Maybe* is committed to protecting the privacy and the security of your personal data.
First of all, here are a few terms we may use in this document to explain ourselves. “Personal data” is information relating to you as a living, identifiable individual. So, this could be anything from a postal address to a telephone number or date of birth.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it. A “Condition for processing data” is essentially our justification for processing the data, for example, we may ask you to agree for us to send you marketing information, in this instance, we may ask you for your Consent.
The law requires us:
To process your data in a lawful, fair and transparent way;
To only collect your data for explicit and legitimate purposes;
To only collect data that is relevant, and limited to the purpose(s) we have told you about;
To ensure that your data is accurate and up to date;
To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
To ensure that appropriate security measures are used to protect your data.
The following sections will answer any questions you have but if not, please do contact us, details are shown below.
It is likely that we will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact us by any of the means shown below.
2. What is Maybe*?
Maybe* is a platform that engages with people online and intelligently listens to its audience. Maybe* understands its audience and connects people with the products they want. For this reason, it is in our legitimate business interest to share some essential data with our clients. When this happens the client, product or brand will then process your data and send you communications which will be relevant and potentially of interest to you. You’ll have an opportunity to opt-in to that relationship. We do not share or sell your data to any other organisations. You can always stop this processing by contacting us below.
3. Maybe* needs to process data, how?
The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process your personal data. When collecting your personal data, we will always make clear to you, which data is necessary for each purpose we have told you about. Most commonly, we will process your data on the following lawful grounds:
In specific situations, we can collect and process your data with your consent.
This may include when you agree to receive an email about our services or an event we may hold. When you make an enquiry online for example, we may assume your implied consent to enable us to send information you have requested.
If you have not engaged with us for more than five years, you may be flagged as inactive individual and we will contact you to ask whether you want us to keep your data or not. Unless you reply to say ‘yes’, we will delete or anonymize your personal data.
Maybe* has some Contractual obligations
In certain circumstances, we need your personal data to comply with our contractual obligations. If a law says we must process your information we have no alternative. This might be if you worked in the amazing Maybe* team.
Other Legal compliance
If the law requires it, we may need to collect and process your data. This might be when a criminal act is detected or matters relating to taxationfor example. Again we have no option but to comply with the law.
In certain circumstances, we require your data to pursue the Maybe* legitimate interests in a way which might reasonably be expected when wepursue our aims and objectives as an organisation. When we process data in this way we’ll make sure there isn’t a chance of any materiallyimpact your rights, freedom or interests, we promise.
Maybe* has a legitimate interest in maintaining a record of its activities, the people with whom it has interacted, its organisational history and the development of future products and services it may provide to its clients and their customers.
Vital use of data
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on this basis and in your best interest.
Special category data – The most sensitive of all information
Maybe* doesn’t set out to collect sensitive information about its clients or their customers. We have no need for this information. However, we are mindful that information of the type shown below may be available to us from time to time. For example, if Maybe* hears someone talking about health information. We don’t process this information for the purpose of understanding a person’s health condition.
"Special categories" of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We aim to collect and process special category data as little as possible. Maybe*will document allincidents of its processing of special category data in our Information Asset Register. We have carefully measured the risk associated with this by conducted an impact assessment.
The Special Categories of personal data consist of data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data;
- biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone's sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
- With your explicit written consent; or
- Where it is necessary in the substantial public interest, and further conditions are met;
- Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law;
- Where there is a legal obligation.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
4. When Maybe* collects your personal data:
These occasions will include, but are not limited to:
- When you work with the Maybe* team;
- When you visit our offices or an event we may organise;
- When you supply good and services to Maybe*;
- When you write to us about any subject by any means;
- When you post, like, follow or reply on any of our or our clients social media feeds
- When your image or vehicle number plate is recorded on our CCTV system;
- When you or your organisation is a client of Maybe* and use our products;
- When you are part of an audience that Maybe* is listening to;
- When the product or service you have engaged with asks us to send you a communication;
- When you access or engage with our website.
5. How and why Maybe* collects your personal data
Maybe* collects personal data in order to manage its business and deliver its service to its clients. The data collected is most likely in electronic format, but can also be in paper form.
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile you to find out more about you but in the least most intrusive way. We may use information we collect to display the most interesting content to you on our website we may use data we hold about your previous visits.
We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience.
For your security, we use all appropriate organisational and technical security controls to safeguard your data.
When we interact with you we may also collect notes from our conversations with you, and details of any complaints or comments you make. We may record your age or identity where the law requires this.
We will only ask for and use your personal data collected for the purpose stated at the point at which it is collected. If we believe your data is no longer needed for this purpose we will not process your data further.
6. Maybe* is committed to your data protection rights
You have eight important rights under the data protection act 2018, here’s a brief explanation of each.
Right to Object
You have the right to object to our processing of your personal information if we used it for the purpose of direct marketing. But remember in some cases we are bound by law to process your data. If you have given consent for Maybe* to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent. We’ll let you know how every time to communicate with you.
Right to challenge automated decisions
You have the right to challenge automated decisions we make about you. You may ask for these to be assessed by a member of the Maybe* team. Remember, if the client or the product or brand we are working with is making a decision about you, you may need to refer to them.
Right to a copy of your information and a chance to correct inaccuracies
You have the right to request a copy of any information about you that Maybe* may hold at any time to check whether it is accurate. To ask for that information, please contact Maybe* using the details below. To protect the confidentiality of your information and the interests of Maybe*, we will ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
Right to be Forgotten
You have the right to ask us to Forget you from our records. We will always uphold this right unless there is a legal obligation upon us to keep your data. This might be a contractual obligation for example.
Right to be informed
You have a right to be informed, to know what we are doing with your data and why. We promise to publish privacy notices wherever they may be required to clearly explain our reasons.
Right to Restriction
You have the right to ask us to stop processing your data for a number of difference reasons. For example, it might be because you think the data we hold about you is incorrect. Or maybe you think we are doing something wrong. Please contact us for further details.
Your right of portability
If we hold information about you and you want us to ‘port’ it or send it to another company that does similar work to us or provides a similar service, you can ask us to do that. This service will be free of charge if deemed a reasonable cost and we will endeavour to provide this service without undue delay.
Other important information
Sometimes we are required to inform you about certain changes, including updates to this Privacy Notice and where we have a legal obligation such as a duty of care or safeguarding. These administrative messages will not include any marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations.
We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any marketing and do not require prior consent when sent by email. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications should you wish.
7. Data retention and how long Maybe* may keep data
Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, your data will either be deleted completely, put beyond use or anonymised. In some cases, personal data will be kept in perpetuity.
8. Protecting your data outside the EEA
Occasionally we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA). The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA, such as the USA. For example, this might be required when we store data in a Cloud Service. If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA, and we will treat the information under the guiding principles of this Privacy Notice.
9. How to complain about our processing of your data
If you feel that your data has been handled incorrectly, or you are unhappy with the way we have dealt with your query regarding the way we use your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.
You can call them on 0303 123 1113 or go online to www.ico.org.uk/concerns
If you are based outside the UK you have the right to complain to the relevant data protection supervisory authority in your country.
If you would like to discuss any aspect of this policy or the way Maybe* processes your information please contact;
The Data Protection Officer;
By Post – The Growth Hub, Oxstalls Campus, Longlevens, Gloucester, GL2 9HW
By Email – firstname.lastname@example.org
By Telephone - 44 (0) 330 0972698
10. Stopping us from using your data in the future
You can stop Maybe* from processing your data by either:
- clicking the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails and will ‘forget’ your information in line with your rights unless we have a legal obligation to keep it; or
- by contacting us using the information below.
Remember, some administrative communications cannot be stopped.