Last updated: September 2023
Our commitment to your privacy
Your privacy is our priority. We appreciate that you entrust us with your personal data and want you to know that we respect your privacy. Our privacy practices are based on these core principles:
- We design our platforms and services with your privacy in mind.
- We strive for transparency about how we process your personal data. We work hard to provide clear and straightforward descriptions of our privacy practices because we want you to understand them.
- We are dedicated to the protection of your personal data. We continually assess data security risks and test and monitor our security practices to protect against them.
If you are located in the European Economic Area (EEA) or the UK, the data controller for the personal data that UNiDAYS collects is Myunidays Limited of 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB. The ICO registration number is Z2692580.
If you are located in the US or Canada, the legal entity responsible for personal data processing is Unidays Inc., Penn Plaza 9th Floor 132 W 31st St. New York City NY 10001, United States.
If you are located in India, the legal entity responsible for personal data processing is UNiDAYS Private Limited, with its principal place of business at 4th Floor, Vedwati Apartments, Opposite Agriculture College, Shivaji Nagar, Pune, Maharashtra, India 411005.
For all other jurisdictions, the legal entity responsible for personal data processing is MYUNIDAYS LTD of 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB.
MYUNIDAYS LTD is incorporated and registered in England and Wales with company number 07552253, VAT number 130053865, and registered office at 2 Castle Boulevard, Nottingham, Nottinghamshire, NG7 1FB.
To learn how you can exercise your privacy rights:
- For everyone else, please see “How Does UNiDAYS Honour Privacy Rights Requests?” below.
What is UNiDAYS?
UNiDAYS provides student identity verification services and works with brands that want to provide verified students with benefits and/or advertise their products and services to our Members on our platform. We refer to these brands as our “Partners”. Through the Platform, Members have access to exclusive promotions, discounts, and other exciting offers from Partners (“Offers”). Members may also have access to available sweepstakes, competitions, contests, volunteer opportunities, polls, surveys, subscriptions, exclusive content, and other online and in-person opportunities and events. Members also can benefit from the verification status to log on to other 3rd party platforms of Partners via our UConnect services.
To the extent that UNiDAYS and a Partner use the OAuth 2.0 authorisation protocol embedded in our UConnect services, and you elected to verify your identity and eligibility with UNiDAYS, we, with your express consent when required, will share certain personal data with the Partner for the specific purposes of verifying your identity and eligibility to receive Partner Offers and/or enable you to log in on a 3rd party Partner’s platform using UNiDAYS credentials:
What information does UNiDAYS collect and why?
If you are resident in the United States of America, please see our US State Privacy Notice available here.
Personal data that you provide to UNiDAYS
We collect personal data that you provide when you register, verify your identity, or otherwise choose to share with us. We collect this personal data for many reasons, including to create and secure your account, provide our services, and protect the Platform.
A Member’s email address is required to create a UNiDAYS account. All other personal data collected through Member accounts or use of the Platform may include:
- University/College/Academic Institution;
- Enrolment Status;
- Student ID Card;
- University/College/Academic Institution supporting documents;
- Country of residence;
- Social media username;
- Telephone number;
- Birthday or Age;
- Photographs of yourself, such as on your Student ID or when you allow UNiDAYS to access your photos through the App;
- Customer service communications;
- Preferences, opinions, and other details about yourself that you choose to share in your responses to surveys or during focus groups or discussions; and
- Personal data shared with other Members through the Platform.
We collect these personal data for the following purposes:
- To verify identity and eligibility for membership;
- To create Members’ accounts;
- To send information about Offers that we think will interest Members, including Offers that are personalised based on the information associated with that Member’s account;
- To administer sweepstakes (also known as giveaways), contests, polls, surveys, and events in which Members choose to participate;
- To respond to correspondence and requests, such as Member interactions with our Customer Service team;
- To learn how Members interact with the Platform so that we can improve the Platform, develop new features, and identify which Partners’ Offers are most popular with Members;
- To process a Member’s application to become a UNiDAYS blogger, influencer, or other content creator;
- To present volunteer and internship opportunities for Members;
- To obtain feedback and provide customer service about Offers, Partners, and the Platform in general;
- To detect and protect against spam, fraud, or unauthorised use of the Platform; and
- To monitor and enforce compliance with our legal agreements.
Automatically-collected Personal Data
Both us and our contractors and vendors automatically collect personal data related to your use of the Platform. This information includes:
- Device Information: When you interact with the Platform, we collect technical information about your computer or mobile device including your IP or MAC address, device make, model and operating system, mobile network information, internet service provider, unique device identification number, advertising ID, browser type and language, geographic location (e.g., country or city-level location or time zone);
- Transactional Information: When you access Offers through the Platform, we collect details of the specific offer and the date and time that it was accessed.
Automatically-collected data help us understand how Members and visitors who are not Members use the Platform. Specifically, we use automatically-collected data:
- To personalise and target our advertising through our online advertising partners, including social media platforms;
- For analytics to enhance how Members use the Platform or a device;
- To evaluate the performance of Offers and other content, such as which Partners and types of Offers are most popular;
- To improve the quality and relevance of the Platform for Members, such as by showing or offering Members Platform content based on their preferences inferred from clickstream data (with consent where necessary);
- To present Offers and information that we believe are tailored to the interests of particular categories of Members;
- To help resolve technical issues and develop and update the Platform;
- To detect unauthorised use of the Platform and/or distribution of Platform content;
- For customer service; and
- For billing purposes, so that we can bill our Partners for the services that we provide.
Data from third parties
We may receive personal data from third parties when you interact with Offers. We use this personal data to analyse and improve the Platform, provide our services, personalise your experience and carry out our business.
From time to time, we may receive personal data about you from Partners and other third-party data sources (including publicly available sources). We receive transactional data about your interactions with a Partner’s website or app when you click through an Offer to make a purchase. We use this data for billing purposes so that we can bill our Partners for the services that we provide. The data we receive from third parties also are used to learn more about our Members, to tailor Members’ experiences on the Platform, to recommend Partners and Offers that we think will interest particular Members, and to improve the quality of the Platform content. These data also help us to monitor and analyse trends and Platform use so that we can better manage our technology infrastructure and detect and protect against fraud or unauthorised use of the Platform.
When we combine data from third-party data sources to enhance the data that we hold about you, we require that each third-party data source confirm that its sharing of personal data with UNiDAYS is transparent and lawful.
Data related to targeted advertising
We also process your personal data to provide personalised and relevant advertising based on your likes and preferences.
We display and help our Partners display targeted advertising by using personal data collected when Members and visitors interact with the Platform. Targeted ads (also sometimes referred to as personalised or interest-based ads) are displayed based on information generated by your online activity, such as:
- any purchases you make through the Platform;
- your use of the Platform;
- visiting sites that contain Partners’ content, ads, or cookies; and the websites that you visit before and after you log on to the Platform. We also use social media platforms such as Facebook, Reddit, Pinterest, Quora, TikTok and Snapchat to advertise.
We, and our Partners, will process personal data about you for the following purposes, linked to targeted advertising, including to:
- track user usage and event attendance;
- target marketing campaigns specific to our users;
- collect information and insights about you when you visit the Platform;
- deliver advertisements from third party advertisers; and
- determine what advertisements should be shown that may be relevant to you.
You can change your cookie preferences, including targeting cookies (which are used to present you with relevant advertising) on the Platform in your account settings. You will still see ads but they may not be personalised to you.
Some web browsers (including Safari, Internet Explorer, Firefox, and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a browser’s user does not want to have his or her online activity tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including UNiDAYS, do not respond to DNT signals.
WE DO NOT KNOWINGLY COLLECT INFORMATION FROM CHILDREN UNDER AGE 16. The Platform is not intended for use by children under age 16. If you are under the age of 16, please do not use or attempt to use our Platform or provide any personal data to us. If you learn or suspect that anyone under age 16 has provided UNiDAYS with personal data, please notify firstname.lastname@example.org.
How does UNiDAYS share personal data?
We share your personal data with parties (including employees and contractors, where appropriate) that help us provide the Platform and to carry out our business.
We also share your personal information when you give us your consent.
We share personal data with the following categories of recipients:
- Professional advisors, such as lawyers, accountants, and information security and forensics experts;
- Third party companies we partner with for targeted advertising purposes who are deploying cookies and similar technologies on our Platform;
- Partners and other Platform advertisers as needed to process orders, payments and to carry out our business;
- Marketing vendors that help UNiDAYS promote the Platform and from time to time supplement personal data that we already have. For this purpose we may provide your email address to the social media platforms in hashed form for them to present sponsored posts in your social media feed and to other providers for them to help us develop insights, to match behaviour and to build audiences;
- Our contractors and vendors to enable them to work for us, including without limitation those who perform data analytics and test, monitor, secure, and enable the Platform and services. For example:
- Iterable receives and uses our data to assist us with marketing email campaigns;
- Kevel receives and uses our data to deliver personalised advertising to Members;
- Competent law enforcement, government regulators, courts, or other third parties when we believe disclosure is necessary (i) to comply with the law, (ii) to exercise, establish or defend our legal rights, or (iii) to protect the vital interests of Members, Partners or another third party;
- Our affiliates; and
- To any other third party with your permission.
What are UNiDAYS' lawful bases for processing personal data?
We only collect and process your personal data according to applicable law. Your location will determine the legal entity that is responsible for the collection and processing of your personal data.
Under EEA and UK data protection law, UNiDAYS may collect and process your personal data only when UNiDAYS follows the lawful bases specified in EEA and UK data protection law and informs you of the specific lawful bases on which UNiDAYS relies.
The lawful bases on which UNiDAYS relies are:
- Consent: we process your personal data when you provide your consent;
- Performance of a contract: UNiDAYS operates the Platform and related services on the basis of a contract with you, which are our Terms of Service;
- Our legitimate interests: UNiDAYS may base the processing of personal data on our legitimate interests as a business in:
- efficiently operating, maintaining and managing the Platform and related services;
- tailoring the Platform and related services to suit our users;
- ensuring the security of the Platform;
- understanding customer behaviour to improve and create new services and products which benefit our Members and Partners;
- promoting UNiDAYS;
- preventing and detecting fraud;
- communicating with you in accordance with your wishes and expectations;
- responding to and handling any requests or complaints;
- maintaining internal administrative records;
- undertaking quality control and business planning;
- retaining evidence of our compliance with the law;
- accessing appropriate professional advice, and;
- defending UNiDAYS against legal claims or fraud.
When we rely on our legitimate interests as our basis for processing personal data, we balance our interests with strong privacy protections tied to fairness and purpose limitation and which are designed to minimise the risks to our Members, visitors, and others.
- Compliance with a legal obligation to which we are subject.
If we ask you to provide personal data to comply with a legal obligation or to perform a contract with you, we may not be able to comply with our legal obligation or enter into or perform the contract if you do not provide that personal data. For example, when we ask you to provide your email address, we need that data to verify that you are eligible to use the Platform. We will advise you whether providing your personal data is mandatory and the possible consequences if you do not provide your personal data.
If another legal basis or legitimate interest is relevant to particular personal data processing, we will make that clear when we collect that personal data. If you have questions or need further information concerning the legal basis on which we process your personal data, please contact us using the contact details provided under the “How Do I Contact UNiDAYS?” heading below.
- If you are located in the European Economic Area or the UK, the data controller for the personal data that UNiDAYS collects is Myunidays Limited of 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB. The ICO registration number is Z2692580.
- If you are located in India, the legal entity responsible for personal data processing is UNiDAYS Private Limited, with its principal place of business at 4th Floor, Vedwati Apartments, Opposite Agriculture College, Shivaji Nagar, Pune, Maharashtra, India 411005.
- If you are located in the U.S. or Canada, the legal entity responsible for personal data processing is Unidays Inc., Penn Plaza 9th Floor 132 W 31st St. New York City NY 10001, United States.
- For all other jurisdictions, the legal entity responsible for personal data processing is MYUNIDAYS LTD of 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB.
Our Data Protection Officer is available via email@example.com.
Our EU representative is available at firstname.lastname@example.org
If you are located in the UK or the EEA, the following apply to you in addition to (and, in case of any inconsistencies, takes precedence over) the other provisions of this section:
- If UNiDAYS’ processing of your personal data is based on your consent, the legal basis is Art. 6(1)(a) of the U.K and EU General Data Protection Regulations (GDPR). You can withdraw your consent at any time (Art. 7(3) GDPR), effective for the future. This will not affect the legality of processing that took place before you withdrew your consent.
- If UNiDAYS’ processing of your personal data is based on the performance of a contract between UNiDAYS and you, the legal basis is Art. 6(1)(b) GDPR.
- If UNiDAYS’ processing of your personal data is based on legal obligations that UNiDAYS must fulfil, the legal basis is Art. 6(1)(c) GDPR.
- If UNiDAYS’ processing of your personal data is based on UNiDAYS’ legitimate interests, the legal basis is Art. 6(1)(f) GDPR. If you are interested in detailed information on the balancing of your and UNiDAYS’ interests, please contact UNiDAYS as described in the section “HOW DO I CONTACT UNiDAYS?”. Insofar as the processing is based on UNiDAYS’ legitimate interests, you have the right to object to the processing (Art. 21 GDPR).
- Pursuant to Art. 77 GDPR, you have a right to lodge a complaint related to UNiDAYS’ processing of your personal data, which you may exercise by submitting a complaint to your local data protection supervisory authority of the EU Member State of residence or where the issue that is the subject of the complaint occurred. We hope you will allow us to address your concerns by contacting us at email@example.com, firstname.lastname@example.org or email@example.com before you approach a Supervisory Authority, but otherwise, the contact details are available at https://edpb.europa.eu/about-edpb/board/members_en.
How does UNiDAYS honour privacy rights requests?
We offer easy to use forms to streamline your data privacy rights requests. You can always reach out to us with any questions or concerns regarding your data privacy rights.
For personal data for which we are the data controller, we honour the following privacy rights in accordance with applicable law:
- If you wish to review, correct, update, suppress, restrict or delete your personal data:
- For deletion, please fill out the Right To Be Forgotten Form;
- For access to the personal data that UNiDAYS has about you, please fill out the Right To Know Form; and
- For other requests, please contact us using the contact details provided under the “How Do I Contact UNiDAYS?” heading below.
- Please note that requests relating specifically to STUDY by UNiDAYS can be accessed as follows: Right To Be Forgotten Form and Right To Know Form.
- You can object to the processing of your personal data, request restrictions on the processing of your personal data, or request the portability of your personal data. To exercise these rights, please contact us using the contact details provided under the “How Do I Contact UNiDAYS?” heading below.
- You can opt-out of (or unsubscribe from) UNiDAYS’ email marketing communications by clicking the “unsubscribe” or “opt-out” link in one of our marketing emails or through your account settings. Please note that you cannot unsubscribe from certain communications, such as messages relating to your account transactions, non-promotional messages, business relationships, or system updates or system issues.
- If we process your personal data based on your consent, you can withdraw your consent at any time by contacting us using the contact details provided under the “How Do I Contact UNiDAYS?” heading below. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal data conducted in reliance on a lawful basis other than consent.
- If we process your personal data based on our legitimate interests, you have the right to object to that processing, subject to certain exceptions, by contacting us using the contact details provided under the “How Do I Contact UNiDAYS?” heading below.
- When our processing of your personal data results in automated decisions, such as which ads or content to show you, we do not intend that these decisions legally affect or significantly affect you. By automated decision, we mean that a decision concerning you is made automatically on the basis of computer algorithms without our human review. If we make an automated decision about you that legally affects or otherwise significantly affects you, you have the right to ask us to review the decision and to require a human review of the decision. You can learn about and exercise this right by contacting us using the contact details provided under the “How Do I Contact UNiDAYS?” heading below.
We will review your request as soon as reasonably practicable and respond within the time periods required by applicable law. In any request you submit to us, please make clear the personal data that are the subject of your request.
We respond to all requests we receive from individuals wishing to exercise their privacy rights in accordance with applicable data protection laws. Please know that the rights described above are not automatic rights and may not apply in all circumstances. When this occurs, we will notify you in our response to you.
For your protection, if you are a Member, we only fulfil requests for the personal data associated with the email address in your account and, if you are not a Member, we only fulfil requests for the personal data associated with the email address that you use to send us your request. We may need to request information from you to help us confirm your identity and ensure your right to access personal data. When we make these requests for more information, we do so as a security measure to ensure that your personal data are not disclosed to someone who has no right to receive your personal data. We also may contact you to ask you for further information in relation to your request to speed up our response.
Keeping your personal data – particularly your email address – accurate and current is important. Please update your account and/or contact us if your personal data changes during your relationship with us.
Please note that we may need to retain certain personal data for recordkeeping purposes and/or to complete a transaction that you began prior to requesting a change or deletion, such as fulfilling a prize in a sweepstake. Our databases and other records may have residual personal data which we cannot and will not remove. We also may not allow you to review certain personal data for legal, security, or other similar reasons.
Generally, no fee is associated with exercising your privacy rights but UNiDAYS may charge a reasonable fee if your request is unfounded, repetitive, or excessive.
If you are located in the UK or the EEA, the following applies in addition to (and, in case of any inconsistencies, takes precedence over) the other provisions of this section:
- You have the right to confirmation, and the right to access this personal data or request a copy of it (Art. 15 GDPR), a right to rectification of your incorrect data (Art. 16 GDPR), a right to erasure (Art. 17 GDPR), and a right to restrict (block) your data (Art. 18 GDPR).
- In addition, in the case of processing on the basis of Article 6(1)(e) or (f) GDPR, you may object to the processing (Art. 21 GDPR).
- If you have provided the data, you can request the transmission of the data (Art. 20 GDPR).
- If the processing is based on consent within the meaning of Art. 6(1)(a) or Art. 9(2)(a) GDPR, you can revoke consent at any time with effect for the future (Art. 7(3)(1) GDPR). You also have the right to contact the competent data protection supervisory authority (Art. 77 GDPR).
Whether and to what extent these rights are effective in individual cases and under what conditions they apply is stipulated by law.
Where does UNiDAYS process personal data?
Generally, we process personal data in the United Kingdom, Ireland and the United States, depending on the circumstances. We transfer data only as permitted by applicable law.
Your personal data may be transferred to and processed someplace other than where you live. These other jurisdictions may have privacy laws that are different from the laws of where you reside (and, in some cases, not as protective).
Our servers are primarily located in Ireland but we store and replicate your personal data on servers in other places in order to provide speed of access, robustness, and protection against server failure. The other primary jurisdictions where personal data are processed by or on behalf of UNiDAYS are the United States of America and the United Kingdom.
How does UNiDAYS protect personal data?
We take care to secure and safeguard your personal data using various technological measures as required by applicable law.
Like any other organisation, UNiDAYS cannot fully eliminate security risks associated with the processing of personal data but UNiDAYS uses technical, physical, and administrative safeguards intended to protect the personal data that we process. Our safeguards are designed to provide a level of security appropriate to the risk of processing your personal data and include (as applicable) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and a procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of personal data.
You are responsible for maintaining the security of your account credentials. UNiDAYS will treat access to the Platform through your account credentials as authorised by you.
We may suspend your use of all or part of the Platform without notice if we suspect or detect any breach of security. If you believe that information you provided to UNiDAYS or your account is no longer secure, please notify us immediately at firstname.lastname@example.org.
If we become aware of a breach that affects the security of your personal data, we will provide you with notice as required by applicable law. When permitted by applicable law, UNiDAYS will provide this notice to you through the email address associated with your account.
UNAUTHORISED ACCESS TO PERSONAL DATA AND THE PLATFORM – INCLUDING SCRAPING – IS PROHIBITED AND MAY LEAD TO CRIMINAL PROSECUTION.
For how long will UNiDAYS retain personal data?
We only keep personal data as long as permitted by applicable law. We also anonymise certain personal data for our records.
UNiDAYS will only retain your personal data for as long as we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements or to protect against fraud). We may retain your personal data for a longer period to address a complaint or if we reasonably believe that litigation in respect to our relationship with you is possible.
When we have no ongoing legitimate business need to process personal data, we will either delete or anonymise that personal data. If you are a Member, UNiDAYS’ policy is to delete or anonymise your personal data three (3) years after your membership terminates.
If we are not able to delete or anonymise certain personal data (for example, because your data are stored in backup archives or due to a legal requirement), then we will securely store the personal data and isolate the data from any further processing until deletion or anonymization is feasible.
How do I contact UNiDAYS?
- By Email: email@example.com or firstname.lastname@example.org.
- By Post: Myunidays Limited, ℅ DPO, 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB
- By Phone: +44 (0)115 985 3070
Our European Representative pursuant Art. 27 GDPR is PLANIT//LEGAL.
- By Email: email@example.com.
- By Post: PLANIT//LEGAL, Jungfernstieg 1 20095, Hamburg, Germany
GÉANT Data Protection Code of Conduct (CoCo)
Name of the service
Description of the service
UNiDAYS is the world’s leading Student Affinity Network, connecting a global student audience with relevant brands and services.
Data controller and a contact person
MyUnidays Limited of 2 Castle Boulevard, Nottingham, NG7 1FB is the data controller, and can be contacted directly by post to the address above, or by e-mail to firstname.lastname@example.org
Personal data processed
Following data is retrieved from your Home Organisation:
- your unique user identifier (SAML persistent identifier, ePPN or ePTID)
- your role in your Home Organisation (eduPersonAffiliation, eduPersonPrimaryAffiliation or eduPersonScopedAffiliation)