Privacy Policy
1. Introduction:
1.1 At Behaviour Smart Ltd (“Behaviour Smart” or “us” or “we” or “our”), we respect the privacy rights of our online visitors and users of our website and application, and recognise the importance of protecting the information we collect about you. This Policy is designed to help you understand how we collect, hold, use, disclose and delete personally identifiable information (“personal data”) about you.
1.2 This Policy, together with our Terms and Conditions [insert link] and any other documents referred to in it, sets out the basis on which we, Behaviour Smart Ltd, with company number 12846336 and registered address of 5 Cavendish Road, Sheffield, South Yorkshire, United Kingdom, S11 9BH, will process any personal data we collect from you, or which you provide to us, in the course of using our website (“Site”) [insert link] and/or our application (“App”) [insert link].
1.3 For the purpose of the Data Protection Act 2018 (“DPA’18”) we, Behaviour Smart, are either the:
a) data processor in instances where we are solely acting as a service provider; or
b) joint data controller in instances where we are acting as both a service provider through our website and consultant providing consultancy services through the website.
Behaviour Smart, as either the joint data controller or data processor, can be contacted on the following email address – info@behavioursmart.co.uk.
2. Users of our Site and App:
2.1 Our Site and App is designed to be used by companies and local authorities who operate within the education, health and social care sector to record, report and manage behaviour. Although we do collect the personal data of those companies, local authorities and their employees, as well as from individuals who make an enquiry via our Site, the majority of the personal data we collect is that of the subjects of the records and reports.
2.2 As the personal data of the subjects of the records and reports is not collected directly from the data subject themselves, it is the responsibility of the individual company or local authority to ensure that the individual data subjects have access to the Policy to ensure they understand how their personal data is collected, processed, stored, disclosed and deleted, as well as understanding how they can exercise their individual data subject rights.
2.3 For the purposes of this Policy “Direct Users” are defined as companies, local authorities and their employees who directly use our Site and/or App, and “Individual Data Subjects” are defined as those whose personal data is inputted into the Behaviour Smart system by Direct Users, collectively known as “users”.
3. Your information:
3.1 The personal data of users of our Site and/or App is processed under the General Data Protection Regulation (“GDPR”) and DPA’18.
3.2 The personal data relating to Direct Users and Individual Data Subjects is processed on the lawful basis of contract.
3.3 All other personal data collected including commercial data relating to users who visit our Site or make an enquiry by filling in a contact form is processed on the lawful basis of legitimate business interest to facilitate sales and marketing information relating to the provision of our services.
3.4 The provision of personal data is necessary in order to facilitate the provision of the service.
4. Information that may be collected about you:
4.1 The following personal data may be collected from you as a Direct Users of our Site and/or App when you either 1) fill in our contact form, 2) create an account, 3) login to an existing account, or 4) generally use the Behaviour Smart system:
a) Your full name;
b) Your email address;
c) Service name or name of institution;
d) Your full address or the full address of the service or institution;
e) Your unique login information, including email address and password; and
f) Your payment information, including your account number, sort code, CVC number and expiry date.
4.2 During the course of using our Site and/or App other personal data may be collected from you as a Direct User. The personal data that may be collected includes:
a) Your Internet Protocol (“IP”) address;
b) Any referring or exit pages taking you to or from our Site;
c) Your web and browser type;
d) Your device type, for example IOS or Android;
e) Your time zone and location;
f) Date and time stamps;
g) Any browser plug-ins; and
h) Your operating system.
4.3 The following information is collected about Individual Data Subjects whose personal data is provided by Direct Users during the course of using our Site and/or App:
a) Full name;
b) Gender;
c) Ethnicity;
d) Contact details, including postal address, email address and phone number;
e) Contact details of connected individuals; and
f) Other information included in the records and reports relating to the Individual Data Subjects behaviour, which may include special category data.
5. Special category personal data:
5.1 During the course of using our Site and/or App, Direct Users may disclose special category personal data relating to Individual Data Subjects including, but not limited to, racial and ethnic origin, religious or philosophical beliefs and health or sexual orientation. Whilst we do not encourage the disclosure of such data, we recognise that the processing of such data may be necessary.
5.2 Behaviour Smart and the individual company or local authority shall ensure that additional safeguards are in place to protect such data.
6. How your personal data may be used:
6.1 The personal data we collect about you during the course of you using our Site and/or App may be used in a number of ways including, but not limited to, the following:
a) To respond to any enquiries made through our contact form;
b) To provide any services requested;
c) To fulfill our obligations under any contract with have with the users of our Site and/or App;
d) To collect payment for our services;
e) To provide you with updates regarding our Site and/or App;
f) To ensure that the content on our Site and/or App is presented in the most optomised and effective manner for you and your device;
g) To diagnose and fix technology problems;
h) To control unauthorised use or abuse of our Site and/or App, or otherwise detect, investigate or prevent activities that may violate our policies or are otherwise illegal;
i) To carry out our obligations arising from the interactive features of our software, when you choose to do so;
j) To notify you about changes to our software, our services or our policies;
k) To deliver support where necessary;
l) To administer our Site and/or App including data analysis, testing, traffic monitoring, research, statistical and survey purposes;
m) To send you newsletters and other marketing information from time to time;
n) To keep you up to date with our services; and
o) To provide you with information regarding our Site and/or App that you request, or we feel may interest you.
6.2 If you do not wish to be contacted for marketing purposes please tick any relevant box on which you submit your personal data or unsubscribe from any marketing communication using the unsubscribe function in the footer of the email.
7. Where your personal data may be stored:
7.1 The personal data you provide to us will be stored on our UK based secure servers which are encrypted using SSL encryption to 2,048 bits.
7.2 We take your privacy seriously and will take all reasonable steps to protect your personal data. However, please beware that any data which you send to us via our Site and/or App is sent at your own risk.
7.3 In order to provide services to you, we may transfer your personal data to third parties, parent companies, affiliates, subsidiaries and other service providers, some of which may process and/or store your personal data outside of the European Economic Area (“EEA”). In such instances all reasonable steps will be taken to ensure that your personal data is treated securely and in accordance with this Policy (where possible). Any data transfers that take place outside of the EEA will be covered by appropriate safeguards, for example Standard Contractual Clauses (“SCC’s”).
8. How your personal data may be disclosed:
8.1 In accordance with clause 7.3 above, the third parties in which your personal data may be disclosed to include, but are not limited to:
a) Appt Online Solutions Ltd - www.appt-app-design.co.uk/privacy-policy; and
b) Stripe - https://stripe.com/gb/privacy.
9. Additional information regarding the storage of your personal data:
9.1 Behaviour Smart acts as a Data Processor on behalf of its Direct Users. Behaviour Smart is consequently processing personal data under instructions from those Direct Users who are defined as Data Controllers under DPA’18. As Data Controllers, Direct Users are responsible for collecting the personal data of individual data subjects and making decisions with regards to the retention, transmission, processing, review and deletion of that personal data. Consequently, Direct Users as Data Controllers remain responsible for the personal data that they collect and provide to Behaviour Smart for processing. Each Direct User is its own unique institution and should be aware of any specific data retention legislation that applies to it regarding the ongoing retention of the personal data of their data subjects.
9.2 Behaviour Smart’s general data retention period is outlined at 9.6 below. However, Behaviour Smart’s Direct Users will be aware of the data retention legislation applicable to their institution. As a general indicator as to the applicable legislation, a digest of commonly referred to data retention legislation can be referred to at https://www.proceduresonline.com/barnet/fs/t_retention_records.html.
9.3 We hold your personal data in a combination of hard copy and electronic files for the period necessary to support our Site and/or App, comply with our legal obligations, resolve disputes, or otherwise fulfill the purposes outlined in this Policy.
9.4 In order to provide our services, we may use third party systems who may process, store and/or have access to your personal data. These third parties will act as data processors on our behalf and will operate in line with this Policy where possible.
9.5 We may also retain backup information on our servers for some time in order to comply with applicable laws and regulations, and our internal security policies and procedures. Where applicable, we do not always remove or delete all of your personal data for a number of reasons including due to technical and system constraints, contractual requirements or legal requirements.
9.6 In line with our internal procedures, and applicable laws and regulations, we operate the following data retention periods:
a) Reports that are completed via our Site or App – 75 years from the last date of interaction.
b) Other data, such as usernames and passwords, contact information, and other personal data that is collected from a Direct User through the general use of our Site or App – 7 years from the last date of interaction.
9.7 At the end of the above data retention periods, all of the data stored, including personal data, will be reviewed and securely deleted/destroyed.
9.8 Please note that no method of transmission over the internet, method of electronic storage or other security methods are 100% secure. Therefore, while we strive to use commercially acceptable means of security, such as firewalls, encrypted databases with limited physical and electronic access, and other encryption methods, to protect your personal data against unauthorised use, disclosure or modification, we cannot guarantee its absolute security.
10. Processing of personal data of those below the age of 13:
10.1 As described above in section 2 of this Policy, our Site and App are designed to be used by companies and local authorities who operate within the education, health and social care sector. Due to this, some of the Direct Users of our system may input the personal data of Individual Data Subjects who are defined as a child under the DPA’18 and are therefore below the age of 13. This personal data is processed on the lawful basis of contract.
10.2 Please note that all of the personal data that is collected and processed through our Site and/or App is treated with a high standard of care. This applies whether the personal data relates to a child under the age of 13 or any individual aged above the age of 13.
11. Data subject rights:
11.1 Subject access request – Under the DPA’18 you have the right to access the personal data we hold about you. If you wish to exercise this right please send your request to info@behavioursmart.co.uk.
11.2 Right to rectification – Under the DPA’18 you have the right to request the amendment or updating of all the personal data that we hold about you. If you wish to exercise this right please send your request to info@behavioursmart.co.uk.
11.3 Right to erasure – Under the DPA’18 you have the right to have all of the personal data that we hold about you deleted in line with our statutory and legal responsibilities. If you wish to exercise this right please send your request to info@behavioursmart.co.uk.
11.4 Right to restriction of processing – Under the DPA’18, and in line with Article 18 (1) (a) to (d) of the GDPR, you have the right to obtain from us the restriction of processing. If you wish to exercise this right please send your request to info@behavioursmart.co.uk.
11.5 Right to data portability – Under the DPA’18, where applicable, you have the right to request a copy of all of the personal data we hold about you in a structured, commonly used and machine-readable format. If you wish to exercise this right please send your request to info@behavioursmart.co.uk.
12. Enforcement:
12.1 Behaviour Smart regularly reviews its compliance with relevant data protection laws and regulations, and this Policy.
12.2 Where applicable, we cooperate with the appropriate regulatory authorities, including data protection authorities, for example the UK Information Commissioners Office (“ICO”), to resolve any complaints regarding the collection, processing and disclosure of personal data that cannot be resolved between us and the individual.
13. Notices and provisions:
13.1 Please note that this Policy applies to the Behaviour Smart Site and App only. If you as a user of the Site and/or App click on, or follow, any links from our Site or App to an external website or application, this Policy will no longer apply. Please ensure you check the privacy policies of any such external website or application before submitting any personal data as we cannot accept any responsibility or liability in relation to such websites or applications.
13.2 We reserve the right to change this Policy at any time. These changes will take immediate effect unless you are notified otherwise. For this reason, we recommend that you refer to this Policy on an ongoing basis so that you understand our current practice at the time of using our service.
13.3 If you have a concern about this Policy or you would like to know more about how your personal data is collected, processed, stored or disclosed, please contact us.
13.4 If you wish to contact us with a complaint regarding the processing of your personal data, please ensure you include your full name, contact information and a detailed description of your complaint.
13.5 If you are not satisfied with our response to any of your data subject rights or a complaint that you have made, you may also contact your local data protection authority to lodge a complaint.
14. Contact information:
14.1 If you have any questions regarding this Policy or want to exercise any of your data subject rights, please email us on info@behavioursmart.co.uk or write to us at 5 Cavendish Road, Sheffield, South Yorkshire, United Kingdom, S11 9BH.
14.2 As outlined in the above section, should you not be satisfied with the process, conduct or response to a request you have made you have the right to complain to the ICO. The contact information for the ICO can be found here (https://ico.org.uk/make-a-complaint/).