Before we get into the detail, we just want to make sure you know that your privacy is important to us. We know you’ve heard this all before, but quite frankly, we mean it. You’ve placed your trust in us by using the UNiDAYS services and we value that trust. That means we’re committed to protecting and safeguarding any personal data you give us.
WHO WE ARE
For the purpose of the General Data Protection Regulation 2016 ("Act"), the data controller is MyUnidays Ltd of 2 Castle Boulevard, Nottingham, NG7 1FB.
Please note that if you contact us, we may need to authenticate your identity before fulfilling your request. We will talk you through the process of doing this, and it really doesn’t take much time or effort. But as security of your information is important to us, we need to be extra careful.
WHAT PERSONAL INFORMATION WE COLLECT AND WHY
The personal information that we may collect about you broadly falls into the categories set out at the bullet points below.
What do we do with the information we collect? The short answer is, we provide you with an amazing set of products and services that we strive to improve relentlessly.
Information that you provide voluntarily
Certain parts of the Platform may ask you to provide personal information voluntarily. For example, we may ask you to provide your contact details in order to register an account with us, to subscribe to marketing communications from us (e.g. to share information about our products, services and promotional offers that we think may interest you), and/or to submit enquiries to us (e.g. by interacting with our Customer Services Team). The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
Information that we collect automatically
When you visit the Platform, we may collect information automatically from your device (be it a phone or a computer). In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.
Specifically, the information we collect automatically may include information like your IP address, device type and software characteristics, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with the Platform, including the pages accessed and links clicked. Through our app we may also find out your location, however you can turn this feature off through your device’s settings.
Collecting this information enables us to verify your identity and positions us to better prevent fraud, and to understand the users of the Platform, such as where they come from and what content is of interest to them. We use this information for our internal analytics purposes, to improve the quality of our service, and to tailor your experience to you by displaying content and services that we think are specifically suited to you.
Information that we obtain from third party sources
From time to time, we may receive personal information about you from third party sources (including social media service providers), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
The types of information we collect from third parties include information about your online interaction with such parties. We use this information to monitor and analyse trends and usage, improve the quality of our service, tailor your experience and recommend products and services that we think you’ll be interested in.
WHO WE MAY DISCLOSE YOUR INFORMATION TO
We may disclose your personal information to the following categories of recipients:
Google assists us with our analytics and helps us to set advertisements that reflect your interests;
Bronto assists us with sending out our email communications; and
Facebook helps us to assess how effective our advertising is and also helps us to set advertisements that reflect your interests;
2. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
3. to help third parties display interest-based advertising using information you make available to us when you interact with our sites, content, or services. Interest-based ads, also sometimes referred to as personalised or targeted ads, are displayed to you based on information from activities such as purchasing through our sites, use of devices, apps or software, visiting sites that contain our content or ads, or interacting with our tools. We offer you choices about receiving interest-based ads from us. You can choose not to receive interest-based ads from us by opting out here. You will still see ads but unfortunately, they will not be personalised and therefore may not be relevant to you;
5. to any other person with your consent to the disclosure.
LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION (EEA VISITORS ONLY)
If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
We will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). An example of this is when we ask you to provide us with your university email address as we can’t verify that you’re a student without it.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading above.
HOW WE KEEP YOUR PERSONAL INFORMATION SECURE
We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.
Where you have chosen a password that allows you to access certain parts of the Website, you are responsible for keeping this password confidential. We advise you not to share your account log-in details, including your password, with anyone. We will not be liable for any unauthorised transactions entered into using your name and password.
The transmission of information via the internet is not completely secure. Although we will take steps to protect your information, we cannot guarantee the security of your data transmitted to the Platform.
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. We will not keep personal information for longer than 2 years after your membership has expired, and we will always endeavour to anonymise information 6 months after we receive it.
INTERNATIONAL DATA TRANSFERS
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
AUTOMATED DECISION MAKING
In some instances, our use of your personal information may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. For example, we use automated decisions to choose how to order our custom tiles on our website for you. We have implemented measures to safeguard the rights and interests of individuals whose personal information is subject to automated decision-making, including removing such automated decision making upon a written request from a member.
When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us using the contact details provided under the “How to contact us” heading above.
YOUR DATA PROTECTION RIGHTS
You have the following data protection rights:
If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading above or alternatively you can access our right to be forgotten and subject access request forms here. Please note that if you request us to delete your data you must uninstall our app (if you have been using this on your phone) to remove any residual data stored on your device.
In addition, if you are a resident of the European Union, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading above.
As a recommendation service, we think it is really important that we send you communications about our products, services and promotional offers that we think may interest you, as we would hate to think you missed out on a discount with one of your favourite brands! However, you have the right to opt out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you or through your account settings. Please note that you cannot unsubscribe from certain email correspondence from us which is not for marketing purposes, such as messages relating to your account transactions or when we are required to email you about system updates or issues.
To opt out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details provided under the “How to contact us” heading above. Please note that to opt out of receiving mobile push notifications from UNiDAYS, you can use your mobile device’s settings functionality to turn them off.
Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here).
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
UNiDAYS is not intended for use by children under 16 years old. If you learn that your minor child has provided us with personal information without your consent, please contact us on firstname.lastname@example.org.
COOKIES AND SIMILAR TRACKING TECHNOLOGY
GÉANT Data Protection Code of Conduct (CoCo)
Name of the service
Description of the service
UNiDAYS is the world’s leading Student Affinity Network, connecting a global student audience with relevant brands and services.
Data controller and contact person
MyUnidays Limited of 2 Castle Boulevard, Nottingham, NG7 1FB is the data controller. They can be contacted directly by post at the address above, or by e-mail at email@example.com
Personal data processed
The following data is retrieved from your Home Organisation:
- your unique user identifier (SAML persistent identifier, ePPN or ePTID)
- your role in your Home Organisation (eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation)
The following data is gathered from you:
When you visit, register or view information about products or services on myunidays.com, you may be asked to provide certain information about yourself, including your name, educational status, institution name and your current email address.
In addition, we may also collect information about your use of our website, as well as information about you from the messages that you post to the website and e-mails or letters that you send to us.
Purpose of the processing of personal data
Your information will enable us to provide you with access to specific parts of our site and to operate the myunidays.com service for you. We will also use and analyse the information we collect so that we can administer, support, improve and develop our business.
In particular, we may use your information to contact you for your views on our services and to notify you occasionally about important changes or developments to the site or our services.
Further, we might also use your information to let you know about other products and services that we offer, which may be of interest to you. If you change your mind about being contacted in the future, you can opt out by contacting us directly or changing your preferences through your account settings.
If you contact us, we may keep a record of that correspondence.
We will also retain certain information for the purposes of avoiding fraud.
Third parties to whom personal data is disclosed
Personal data is not disclosed to any of our partners and is only shared in an anonymised and aggregated format. We may share your personal data with our third party service providers for the purposes of providing our services to you, in particular, contacting you about our services and products. Finally, we may disclose your information to any business which is seeking to acquire, merge with or engage in a joint venture with us. Confirmation of whether you have an account with us by the e-mail address you register or verify with will be publicly available.
How to access, rectify and delete personal data
In order to request access or rectification or, where such data can be deleted by law, to request deletion, please contact us using the contact details set out above. Please be aware that where information is retained pursuant to a legitimate aim, e.g. fraud prevention, we are not obliged to delete this data.
You have the right to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by changing your account settings.
We employ security measures to protect your information from access by unauthorised persons and from unlawful processing, accidental loss, destruction and damage. Your data shall be retained during the period for which your account is active. When you unsubscribe, all data which we do not require for fraud prevention purposes shall be deleted.
Data Protection Code of Conduct
Your data will be protected in accordance with the Data Protection Act 1998 and, once implemented, the General Data Protection Regulation.
Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.