Last updated: November 2019
How you can withdraw consent You may change your mind and withdraw consent at any time by contacting Us but that will not affect the lawfulness of any processing carried out before you withdraw your consent.
You may change your location settings via your device settings.
WHO WE ARE
For the purpose of the General Data Protection Regulation, the data controller is MyUnidays Ltd of 2 Castle Boulevard, Nottingham, NG7 1FB. ICO registration number: Z2692580. The Data Protection Officer can be contacted at: DPO@myunidays.com.
HOW TO CONTACT US
Please note that if you contact Us, We may need to authenticate your identity before fulfilling your request and will talk you through the process. We use this authentication process because the security of your information is important to Us and We want to be extra careful.
WHAT PERSONAL INFORMATION WE COLLECT AND WHY
The personal information that We collect about you broadly falls into the categories set out below.
What do We do with the information We collect? The short answer is that We provide you with access to an amazing and personalized set of products and services that We are always seeking to improve upon.
• Information that you provide
Certain parts of the Platform may ask you to provide personal information such as your name, email address, student status, and sometimes your student ID. For example, We ask you to provide your contact details in order to register an account with Us, to receive messages from Us (or Our partners), to get information about products, services and promotional offers, competitions, sweepstakes, polls and surveys, experiences and opportunities, and/or to submit enquiries to Us (e.g. by interacting with Our Customer Service team). You may provide information about your preferences, values, and beliefs when completing surveys, or entering competitions.
We will use the personal information that you provide to verify your identity, send relevant opportunities and information to you, improve Our services, restrict age-appropriate products and services, and to help Our partners send relevant information about their programmes, offers, products, and services.
See ‘Information We obtain from Third Party Sources’ below to learn about internet-based advertising solutions.
• Information that We collect automatically
When you visit the Platform, We collect information automatically from your device.
The information We collect automatically includes information like your IP address, device type and software characteristics, unique device identification information, browser type, geographic location (e.g. country or city-level location), GPS (if enabled) and other technical information. We also collect information about how you and your device interact with the Platform, including pages you access and links you click, your purchase behaviour, engagement and interactions with perks, offers, features, polls, surveys and other content. Through Our App, We may find out your location; remember that you can turn this feature off through your device’s settings. If you choose to receive push notifications when downloading or updating App preferences, you will receive content in that way.
Collecting this information enables Us to verify your identity, provide Our services to you and Our partners, and to get paid. The information We collect positions Us to better prevent fraud and enforce Our rights, your rights and third party rights. It also helps Us to understand the users of the Platform, such as where they come from and what content is of interest to them. We use this information for analytics purposes, to improve the quality of Our service and Platform, and to target and display content and services that are specifically suited to you. We may also use it to target different competitions and surveys based on detail, like which university you attend.
• Information that We obtain from Third Party sources
From time to time, We may receive personal information about you from partners, suppliers and third party sources (including social media service providers, cookies and pixels). This information includes your online interaction, and is used to provide services, and identify you as a member or a prospective customer of a partner, to monitor and analyse trends and usage, to learn more about Our members, to be as relevant as We can, to improve the quality of Our services and to tailor your experience and recommend products and services that We think you’ll be interested in. We will ask that these third parties are permitted or required to disclose your personal information to Us.
We may use third party data sources to enhance the information We hold about you, only where these third parties are permitted or required to disclose your personal information to Us. We help Our partners display interest-based advertising using information you make available to Us when you interact with Our sites, content, or services. Interest-based ads, also sometimes referred to as personalised or targeted ads, are displayed to you based on information from activities such as purchasing through Our Platform, use of devices, apps or software, visiting sites that contain UNiDAYS or partner content or ads or cookies, or interacting with Our tools. We offer you choices about receiving interest-based ads from Us. You can choose not to receive interest-based ads from Us by opting out on the Platform or here. You will still see ads, but they will not be personalised, and therefore may not be relevant to you.
WHO WE MAY DISCLOSE YOUR INFORMATION TO
We may disclose your personal information to the following categories of recipients:
- Our group companies
- Our agents (so that they can do work for Us)
- Our contractors to enable them to work for Us (always with confidentiality restrictions!)
- Our advisors (including lawyers, accountants and information security experts so that they can carry out their services)
- Our partners (although We usually only provide aggregated information, unless there’s a competition, scholarship, or something similar)
- Google assists Us with Our analytics and helps Us to set advertisements that reflect your interests;
- Iterable Inc assists Us with sending out Our email communications; and
- Facebook helps Us to assess how effective Our advertising is and also helps Us to set advertisements that reflect your interests.
- to any competent law enforcement body, regulatory, government agency, court or other third party where We believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Our legal rights, or (iii) to protect your interests or those of any other person;
- to third party agencies and advertisers (to provide advertising services)
- to an actual or potential buyer, investor (and its agents and advisers) or authority in connection with any proposed restructure, public offer, purchase, merger or acquisition of any part of Our business, the purposes of such activity
- to any other person with your consent to the disclosure.
LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which We collect and use it.
We will collect personal information from you for the following lawful basis: where We have your consent to do so, where We need the personal information to perform a contract with you, or where the processing is in the legitimate interests of Us, you or third party and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, We may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If We ask you to provide personal information to comply with a legal requirement or to perform a contract with you, We may not be able to enter into or perform the contract or comply with Our legal obligations if you do not provide that information. An example of this is when We ask you to provide Us with your university email address as We can’t verify that you’re a student without it. We need the information to provide the service.
Similarly, if We collect and use your personal information in reliance on legitimate interests (or Us, you or third party), We will do so in the interests of providing direct marketing, to prevent and detect fraud, for organisational reasons, to improve Our services, for network and information security purposes, to ensure We comply with the law and comply with your individual rights, to ensure We suppress any requests you make, to provide personalised messages, to retain evidence of Our compliance and to defend UNiDAYS against claims or fraud, for monitoring of performance, to improve Our use of AI, for web analytics, to host data in the cloud, to carry out limited international transfers (Our business is across a number of countries), for the purposes of an acquisition or legal restructuring, to update member details and preferences, and for logistics.
Some examples of the information We collect, the purposes for that collection and the lawful basis:
|Information We collect||Purpose||Lawful basis|
|Contact and personal information (including information about you and your institution, course and year of study)||
- to administer your account, verify you are a student and provide Our services
- to detect and prevent fraud
- to ensure We respect your rights
Legitimate interests - detection and prevention of fraud, for organisational and compliance reasons, to send personalised messages, to understand Our members, provide Our services better, deal with queries and complaints, and defend UNiDAYS
|Poll and survey responses||Reporting to partners, to help partners understand members or exclude members from campaigns||Legitimate interests - to provide a fun experience for members, help promote brand partners, to better understand members
Consent, where the survey responses require it
|Perk Engagement behaviour||to understand brand partner performance, for financial modeling, to provide feedback to brand partners about performance of Our services and improve services||Legitimate interests - to monitor performance, to perform Our contract with brand partners|
|Purchase behaviour||for payment, to aggregate information about purchases to assess what’s on trend, and help Us decide what’s going on the App||Contract
|App interactions||for monitoring engagement and for reporting e.g to partners (information will mostly be aggregated), to show partners who has liked their page/ content, to enable more insight into serving better, more relevant content||Legitimate interests
- for understanding member behaviour and to personalise marketing messages
- for payment
|Registration channel and segmentations||to see how you register and how active you are||Legitimate interests - to monitor performance and to improve of services|
|Location: GPS||so that you can find discounts, events and other promotions near you||Consent - We will only use this where the location is switched on in the App|
|Number of years registered with UNiDAYS, and months until and after expiry||so that We know when to expire your account, and send service messages about renewal||Contract|
|Opted-in status||to make sure We respect your right to object to marketing||Legal Obligation|
|‘Join Early Access’ (on/off)||to provide early access to certain functionality and services||Legitimate interest - improving Our services|
If you have questions or need further information concerning the legal basis on which We collect and use your personal information, please contact Us using the contact details provided under the “How to contact Us” heading above.
HOW WE KEEP YOUR PERSONAL INFORMATION SECURE
We use appropriate technical and organisational measures such as encryption, physical security, access restrictions to Our application to protect the personal information that We collect and process about you. The measures We use are designed to provide a level of security appropriate to the risk of processing your personal information.
Where you have chosen a password that allows you to access certain parts of the Platform, you are responsible for keeping this password confidential. We advise you not to share your account log-in details, including your password, with anyone. We will not be liable for any unauthorised transactions entered into using your name and password.
The transmission of information via the internet e.g by email is not completely secure. Although We will take steps to protect your information, We cannot guarantee the security of your data transmitted to the Platform.
We retain personal information We collect from you where We have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When We have no ongoing legitimate business need to process your personal information, We will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then We will securely store your personal information and isolate it from any further processing until deletion is possible. We will not keep personal information that identified you for longer than 2 years after your membership has expired.
INTERNATIONAL DATA TRANSFERS
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.
Our Website servers, group companies (and staff) and third party service providers and Partners operate around the world. This means that when We collect your personal information it may be processed in any of these countries. However, We have taken appropriate safeguards to require that your personal information will remain protected. These safeguards are either (a) signing model clauses with the third party; or (b) ensuring the third party is on the ‘Privacy Shield’ list; or (c) working with third parties in countries deemed to have adequate data protection laws.
Additionally, if We share personal information with a third party acting as Our data processor, We remain responsible for how that information is processed. We will ensure We have a contract in place which sets out Our liability clearly.
Our European Representative is: UNiDAYS GmbH, registered address: Auguste-Hauschner-Strabe 5 10785 Berlin.
AUTOMATED DECISION MAKING
Our use of your personal information (including engagement behaviour) may result in automated decisions being taken, for example, which ads or content to show you. It is not Our intention that these decisions legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without Our human review.
When We make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contact Us using the contact details provided under the “How to contact Us” heading above.
YOUR DATA PROTECTION RIGHTS
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting Us using the contact details provided under the “How to contact Us” heading above or alternatively you can access Our right to be forgotten and subject access request forms here. Please note, that if you request Us to delete your data your information and all interaction information will be deleted. You must uninstall Our App (if you have been using this on your phone) to remove any residual data stored on your device.
- In addition, you can object to the processing of your personal information, ask Us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting Us using the contact details provided under the “How to contact Us” heading above.
- You have the right to opt-out of email marketing communications We send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing emails We send you or through your account settings. Please note that you cannot unsubscribe from certain communication, from Us, such as messages relating to your account transactions, non-promotional messages, business relationships or system updates or system issues.
Please note, that to opt out of receiving mobile push notifications from UNiDAYS, you can use your mobile device’s settings functionality to turn them off.
- Similarly, if We have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing We conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about Our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)
We respond to all requests We receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Where We process your information based on Our legitimate interests, you have the right to object to that processing, subject to certain exceptions.
It is important to note that these rights are not automatic rights and may not apply in all instances.
UNiDAYS is not intended for use by children under 16 years old. We do not knowingly collect information from children under 16 years old. If you learn that your minor child has provided Us with personal information without your consent, please contact Us on firstname.lastname@example.org.
COOKIES AND SIMILAR TRACKING TECHNOLOGY
GÉANT Data Protection Code of Conduct (CoCo)
Name of the service
Description of the service
UNiDAYS is the world’s leading Student Affinity Network, connecting a global student audience with relevant brands and services.
Data controller and a contact person
MyUnidays Limited of 2 Castle Boulevard, Nottingham, NG7 1FB is the data controller, and can be contacted directly by post to the address above, or by e-mail to email@example.com.
Personal data processed
The following data is retrieved from your Home Organisation:
- your unique user identifier (SAML persistent identifier, ePPN or ePTID)
- your role in your Home Organisation (eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation)
When you visit, register or view information about products or services on myunidays.com you may be asked to provide certain information about yourself including your name, educational status, institution name, and your current email address.
In addition, We may also collect information about your usage of Our website as well as information about you from messages you post to the website and e-mails or letters you send to Us.
Purpose of the processing of personal data
Your information will enable Us to provide you with access to specific parts of Our site and to operate the myunidays.com service for you. We will also use and analyse the information We collect so that We can administer, support, improve and develop Our business.
In particular, We may use your information to contact you for your views on Our services and to notify you occasionally about important changes or developments to the site or Our services.
Further, We might also use your information to let you know about other products and services which We offer which may be of interest to you. If you change your mind about being contacted in the future, you can opt-out by contacting Us directly or changing your preferences through your account settings. If you contact us, We may keep a record of that correspondence.
We will also retain certain information for the purposes of avoiding fraud.
Third parties to whom personal data is disclosed
Personal data is not disclosed to any of Our partners and is only shared in an anonymised and aggregated format. We may share your personal data with Our third party service providers for the purposes of providing Our services to you, in particular, contacting you about Our services and products. Finally, We may disclose your information to any business which is seeking to acquire, merge with or engage in a joint venture with Us. Confirmation of whether you have an account with Us by the e-mail address you register or verify with, will be publically available.
How to access, rectify and delete the personal data
In order to request access or rectification or, where such data can be deleted by law, to request deletion please contact Us using the contact details set out above. Please be aware that where information is retained pursuant to a legitimate aim, e.g. fraud prevention, We are not obliged to delete this data. You have the right to ask Us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by changing your account settings.
We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction, and damage. Your data shall be retained during the period for which your account is active. When you unsubscribe, all data which We do not require for fraud prevention purposes shall be deleted.
Data Protection Code of Conduct
Your data will be protected in accordance with the Data Protection Act 2018 and, once implemented, the General Data Protection Regulation.
Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.