Identity - Privacy Policy

Identity Verification - Privacy Policy

‍

Last Updated: July 01, 2024

This Privacy Policy describes how Myunidays Limited and its subsidiaries (collectively “UNiDAYS,” “we”, “us”, or “our” ) collect and process your personal data and how you can exercise your privacy rights.

This Privacy Policy applies to individuals using the UNiDAYS identity verification service (the “Service”) to verify their identities through our business customers in partnership with UNiDAYS, therefore creating a direct relationship with UNiDAYS.

YOU ACKNOWLEDGE THAT THIS PRIVACY POLICY DESCRIBES HOW WE PROCESS YOUR PERSONAL DATA WHEN YOU USE OUR SERVICE

WE DO NOT KNOWINGLY COLLECT INFORMATION FROM CHILDREN UNDER THE AGE OF 13. The Service is not intended for use by children under the age of 13. If you are under the age of 13, please do not use or attempt to use our Service or provide any personal data to us. If you learn or suspect that anyone under the age of 13 has provided UNiDAYS with personal data, please notify info@myunidays.com.

UNiDAYS may handle your personal data in different ways depending on our underlying relationship with you or with our business customers who use our services. This Privacy Policy explains our collection, use, and disclosure of your personal data, as an independent data controller (or such similar term under applicable law) in connection with the Service.

This Privacy Policy does not apply to personal data we process as a marketplace service provider. Individuals using our identity verification Service through a business customer or independently for the purpose of joining our marketplace membership to benefit from partners’ gated offers and the UNIDAYS community can learn about how our data handling practices differ in relation to those services here.

California residents can find specific disclosures, including “Notice at Collection” details, by clicking here.

1. UNiDAYS Entities Responsible for your Personal Data

If you are located in the European Economic Area (EEA) or the UK, the data controller for the personal data that UNiDAYS collects is Myunidays Limited of 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB. The ICO registration number is Z2692580.

If you are located in the US or Canada, the legal entity responsible for personal data processing is Unidays Inc., Penn Plaza 9th Floor 132 W 31st St. New York City NY 10001, United States.

If you are located in India, the legal entity responsible for personal data processing is UNiDAYS Private Limited, with its principal place of business at 4th Floor, Vedwati Apartments, Opposite Agriculture College, Shivaji Nagar, Pune, Maharashtra, India 411005.

For all other jurisdictions, the legal entity responsible for personal data processing is Myunidays Limited.

Myunidays Limited is incorporated and registered in England and Wales with company number 07552253, VAT number 130053865, and registered office at 2 Castle Boulevard, Nottingham, Nottinghamshire, NG7 1FB.

2. Service Specific Information

This section provides specific information about our processing activities via the Service in the context of our partnership with business customers:

If you were directed to UNiDAYS via a business customer’s website or app in connection with the Service, UNiDAYS will ask you to submit your academic email address to: (i) verify the authenticity of your email address and, (ii) confirm that you are the individual attending a relevant academic institution by corroborating the identity details via our global network of third-party data partners.

The Service will generate a verification result for our business customer, but it is our business customer that ultimately decides how it uses the verification result provided to them. It’s important to note that in addition to this Privacy Policy we encourage you to read the respective business customer’s privacy policy for further information on their use of your personal data.

Personal Data We Collect and Process

This section describes the personal data we collect and process in order to provide the Service to you. The personal data we collect depends on how you interact with the Service and the choices you make.

We collect information about you from different sources and in various ways when you use the Service, including information you provide directly, information collected automatically, information from third-party data sources, and data we infer or generate from other data.

Information that you provide directly

You may directly provide personal data to the Service, including the following:

• Name and surname;
• Contact Information, including email address, and phone number;
• Demographic Data, including sex, nationality, birthdate and age;
• Surveys responses and Service improvement feedback information

Some information, such as Biometric Information when used to uniquely identify you, may be sensitive or afforded protected status under local laws (for example, “sensitive information” in California or “special category data” in the EU and the UK). We do not collect “sensitive information” or “special category data”.

Information we collect indirectly

We do not indirectly collect personal data about you for access to the Service.

Information we obtain from third party sources

We may receive unique reference numbers from our business customers, and provide unique reference numbers to our business customers, to enable each of us to identify you in our systems ("Account Identifiers").

We may obtain personal data about you from our global network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), academic institutions which we are affiliated with, government and national registries, consumer credit agencies, mobile network providers and postal address databases. The types of “Additional Identity Data” we obtain from these sources will vary depending on the verification checks available in the particular country and our business customers’ needs.

We also use service providers to determine your device’s location based on its IP address and to generate device identifiers.

3. How We Use Personal Data and Our Legal Basis for Processing

We use the personal data we collect for the purposes described in this section or as otherwise disclosed to you at the time of collection.

The following table provides details of our purposes for processing your personal data and the related legal bases on which we rely. Where we rely on legitimate interests, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms. We will only use your personal data where we are permitted to do so by applicable law. Under EU and UK data protection law, the processing of personal data must be justified under one of a number of legal grounds. For EU and UK users of the Service, the principal legal grounds that justify our use of your personal data are set out in the table below. In all other circumstances, where consent is required, we will rely on your consent.

PURPOSE	TYPE OF DATA (SEE PERSONAL DATA WE COLLECT AND PROCESS FOR DEFINITIONS)	OUR LEGAL JUSTIFICATIONS (EACH CALLED A ‘LEGAL BASIS’) UNDER DATA PROTECTION LAW, FOR EACH PURPOSE
Providing and delivering the Service to you, including operating and troubleshooting the Service	Name Contact Information Government Identifiers Demographic Data Additional Identity Data Geolocation Data Account Identifiers	To perform our contract with you for use of the Service and to fulfil our obligations under applicable terms of service. Necessary for our legitimate interests to operate, provide and improve the Service. Consent (to process information in order to identify you).
Promoting Security of the Service and detecting fraudulent acts by bad actors including verifying that the individual using the Service is the individual they purport to be.	Name Contact Information Government Identifiers Demographic Data Geolocation Data Account Identifiers	Necessary for our legitimate interests to detect or prevent illegal activities (e.g., fraud prevention); and/or to manage the security of our IT infrastructure, and the safety and security of our customers and users. Consent (to process your information in order to identify you).
To improve the Service, develop new features, and conduct research. For example: We may invite you to test our new features and allow you to provide feedback We may invite you to respond to a customer service survey	Contact Information Opinions and feedback Geolocation Data	Necessary for our legitimate interests to improve the Service and use insights to develop new features.
To provide customer support and respond to your questions.	This depends on the nature of support requested and/or your question but may include the following: Name Contact Information Uploaded content Government Identifiers Demographic Data Geolocation Data Account Identifiers	Necessary for our legitimate interests to operate, provide and improve the Service.

4. How We Disclose Personal Data

Disclosure to Business Customers

If you are a business customer’s member and are using the Service in connection with verifying your identity for the purpose of joining their community, then the following applies to you. We will disclose the following personal data to the business customer:

• Account Identifiers (i.e., reference numbers that enable each of us to identify you in our systems);
• Your academic institution; and
• Verification result.

Other Disclosures

In addition, we may disclose some or all of the categories of personal data described in “Personal Data We Collect and Process” above, to the types of third parties described below, for the following business purposes:

• Service providers. We provide personal data to service providers or agents working on our behalf for the purposes described in this privacy policy. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data to provide those functions.
• Global network of data partners. To enable us to conduct certain verification checks with our global network of trusted third-party data sources, we need to share certain information about you with those data partners.
• Affiliates. We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access helps us to provide our services and operate our business.
• Corporate transactions. We may disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
• Legal and law enforcement. We will access, disclose, and preserve personal data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.
• Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:
  • protect our business customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone; or
  • operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

5. Data Retention

We retain personal data for as long as necessary to provide the Service and fulfil the verification you have requested.

We may retain certain personal data for a longer period in order to comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes, such as fraud detection and prevention and enhancing safety and security across our services. Because these needs can vary for different data types in the context of different services, actual retention periods will vary based on criteria such as the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and our legal or contractual obligations.

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it.

6. Your Rights and Choices

We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law. We respond to all requests we receive from individuals in accordance with applicable laws.

Depending on where you are located and subject to applicable privacy laws, you may have the following privacy rights:

• You may access, correct, update or request deletion of your personal data.
• You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data (i.e., your data to be transferred in a readable and standardised format).
• If we have collected and processed your personal data with your consent, then you can withdraw consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

You also have the right to lodge a complaint with your local supervisory authority, but we encourage you to first contact us with any questions or concerns. For more information on how to contact us, please refer to the section entitled ‘Contact us’ below.

If you wish to exercise any of your privacy rights, you may email privacy@myunidays.com to make your request.

Residents of California may have certain additional privacy rights. Please refer to the section entitled “US and California Privacy Rights” below for more information.

Choices for Cookies and Similar Technologies

UNiDAYS does not collect any personal data via Cookies or Similar Technologies for the provision of the Service.

6.1 Exercising Your Privacy Rights

For personal data for which we are the data controller, we honour the following privacy rights in accordance with applicable law:

• If you wish to review, correct, update, suppress, restrict or delete your personal data:
• For deletion, please contact us at privacy@myunidays.com;
• For access to the personal data that UNiDAYS has about you, please contact us at privacy@myunidays.com;
• You can object to the processing of your personal data, request restrictions on the processing of your personal data, or request the portability of your personal data. To exercise these rights, please contact us at privacy@myunidays.com;
• You can opt-out of (or unsubscribe from) UNiDAYS’ email marketing communications by clicking the “unsubscribe” or “opt-out” link in one of our marketing emails. Please note that you cannot unsubscribe from certain communications, such as messages relating to your account transactions, non-promotional messages, business relationships, or system updates or system issues;
• If we process your personal data based on your consent, you can withdraw your consent at any time by contacting privacy@myunidays.com. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal data conducted in reliance on a lawful basis other than consent; and
• If we process your personal data based on our legitimate interests, you have the right to object to that processing, subject to certain exceptions, by contacting privacy@myunidays.com.

We will review your request as soon as reasonably practicable and respond within the time periods required by applicable law.

6.2 US and California Privacy Rights

If you are a California resident and the processing of personal data about you is subject to the California Consumer Privacy Act (“CCPA”), you have certain rights with respect to that information. We also extend the same rights to all US citizens irrespective of the state where you reside within the US.

Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal data, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this policy by clicking on the above links.

Right to Know. You have a right to request that we disclose to you the personal data we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such personal data. Note that we have provided much of this information in this Privacy Policy. You may make a Right To Know request by using the contact privacy@myunidays.com/

Rights to Request Deletion by making a Right To Be Forgotten request by using the contact privacy@myunidays.com. You also have rights to request that we correct inaccurate personal Data and that we delete personal data under certain circumstances, subject to a number of exceptions. To make a contact privacy@myunidays.com

Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of personal data as those terms are defined by the CCPA. Note that we do not “sell” or “share” personal data subject to this Privacy Policy as defined by the CCPA.

Right to Limit Use and Disclosure of Sensitive UNiDAYS Information. You have a right to limit our use of sensitive personal data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not collect or use sensitive personal data for any such purposes.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

Further, to provide, correct, or delete specific pieces of personal data will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of personal data we may have, there may be no reasonable method by which we can verify your identity as the person to whom that data relates.

Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal data to a business with which the individual has established a business relationship for UNiDAYS, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal data to any third parties for the third parties’ direct marketing purposes.

Please be aware that we do not disclose personal data to any third parties for their direct marketing purposes as defined by this law.

California Customers may request further information about our compliance with this law by emailing privacy@myunidays.com. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.

US-wide Metrics on Consumer Rights Requests for 2023

The following chart shows details about the consumer rights requests we received in the United States from January 1, 2023 to December 31, 2023 in relation to the Service:

Request Type	Received	Complied with in whole	Complied with in part	Denied	Average Days to Respond
Requests to Know	0	NA	NA	NA	NA
Requests to Delete	0	NA	NA	NA	NA

7. Processing Locations and Data Transfers

UNiDAYS is headquartered in the United Kingdom, with subsidiary offices in New York City, Germany, India and Australia as well as employees globally.

The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, service providers or third-party data partners process data. This means that we may process your personal data from and transfer your personal data to countries outside of the country in which you are based. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We take steps designed to ensure that personal data is processed and protected as described in this policy and in accordance with applicable law wherever the data is located.

Currently, we primarily use data centers in Ireland to host your personal data. The storage location is chosen to operate efficiently and improve performance.

We transfer personal data originating from the European Economic Area (EEA) and United Kingdom (UK) to other countries, some of which have not been determined by the European Commission and the UK Government to have an adequate level of data protection. When we do so, we use legal mechanisms including entering into Standard Contractual Clauses as approved by relevant authority and other available transfer mechanisms, to help ensure your rights and protections.

8. Security

We take reasonable and appropriate technical and organizational measures to protect personal data that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing your personal data.

You are responsible for maintaining the security of your account credentials. UNiDAYS will treat access to the Platform through your account credentials as authorised by you.

We may suspend your use of all or part of the Platform without notice if we suspect or detect any breach of security. If you believe that information you provided to UNiDAYS or your account is no longer secure, please notify us immediately at DPO@myunidays.com.

If we become aware of a breach that affects the security of your personal data, we will provide you with notice as required by applicable law. When permitted by applicable law, UNiDAYS will provide this notice to you through the email address associated with your account.

UNAUTHORISED ACCESS TO PERSONAL DATA AND THE PLATFORM – INCLUDING SCRAPING – IS PROHIBITED AND MAY LEAD TO CRIMINAL PROSECUTION.

9. Automated decision making

Automated decision making means that a significant decision concerning you is made automatically based on a computer determination (using software algorithms), without human review.

UNiDAYS itself does not undertake automated decision making. In the case of a business customer, the Service will generate a verification result for the business customer, but it is the business customer that ultimately decides how it uses the verification results provided to them (for example, whether to confirm your identity verification on your membership profile). If you have any questions about the outcome of a verification check relating to you or your identity, please contact the business customer that initiated the transfer to our platform.

10. Business Customers linked to the Services

This Privacy Policy applies to the UNiDAYS Service when you interact with the UNiDAYS platform.

This Privacy Policy does not apply to personal data processed by business customers on their own platforms, even when those platforms are linked to or from the UNiDAYS’ platform. The personal data collected through any of these business customers’ (third-party) platforms are subject to the respective privacy policy and practices. We encourage you to review the applicable privacy policy of the related business customer.

11. Changes to the Privacy Policy

We will update this Privacy Policy when necessary to reflect changes in our services, how we use personal data, or the applicable law. When we post changes to the Privacy Policy, we will revise the “Last Updated” date at the top of the Privacy Policy. If we make material changes to the Privacy Policy, we will provide additional notice regarding such changes if required by law.

12. Contact us

If you have a privacy concern, complaint, or a question for UNiDAYS, please feel free to contact DPO@myunidays.com.

For questions about this Privacy Policy or UNiDAYS’ personal data processing, please contact us by:

• Email: DPO@myunidays.com or unidays_eu_representative@planit.legal.
• Post: Myunidays Limited, ℅ DPO, 2 Castle Boulevard, Nottingham, Nottinghamshire, United Kingdom NG7 1FB

Our European Representative pursuant Art. 27 GDPR is PLANIT//LEGAL.

• Email: unidays_eu_representative@planit.legal.
• Post: PLANIT//LEGAL, Jungfernstieg 1 20095, Hamburg, Germany