Upshot Systems CIC, a private company limited by guarantee with registered company number 13016591 (“Upshot”, “we”, “us”). Upshot respects your privacy and is committed to protecting your personal data. At all times we aim to respect any personal information you share with us, or that we receive from others, and keep it safe. This Privacy Statement (“Statement”) sets out our data processing practices and your rights and options regarding the ways in which your personal information is used and collected (including through our dedicated Upshot website – http://www.upshot.org.uk/).
This Statement contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal information.
The provision of your personal information to us is voluntary. However, without providing us with your personal information, your use of our services or your interaction with us may be impaired. For example, your organisation will be unable to sign up for use of the Upshot application and we will be unable to provide you with technical assistance.
Contents of this Statement:
1. What personal data do we collect
2. How do we collect personal information about you
3. How we use your personal data
4. Lawful bases
5. Communications for marketing/promotional purposes
6. Disclosures of your personal data
7. Security/ storage of and access to your personal information
8. International transfers
9. Data Retention
10. Exercising your legal rights
1. What personal data do we collect?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store, transfer and otherwise process the following kinds of personal information:
• your name and contact details including postal address, telephone number, email address;
• your social media identity;
• details of your organisation and the position you hold there;
• your organisation’s transaction history;
• your organisation’s financial information, such as bank details and/or credit/debit card details;
• information about your computer/ mobile device and your visits to and use of this website, including, for example, your IP address and geographical location;
• personal information you provide to us to receive technical assistance or during customer service interactions;
• product performance information and details about your use of Upshot; and
• personal descriptions; and/ or any other personal information which we obtain as per section 2.
In certain situations, Upshot may collect special categories of personal data about you (this includes information about your health, ethnicity and religious beliefs). For example, information about your ethnicity may be made available to funding organisations aiming to improve equality of opportunity in certain areas, or information about your health conditions may be stored by an organisation for a sport’s clubs record-keeping purposes). We will only process these special categories of personal information if there is a valid reason for doing so and where it complies with the retained UK law version of the
General Data Protection Regulation ((EU) 2016/679 (“UK GDPR”).
Whenever we process children’s personal information, we will obtain their consent and/or the consent of a parent/ guardian. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care.
2. How do we collect personal information about you?
a. When you give it to us directly
For example, personal information that you submit through the Upshot website by making a booking for a demonstration of the Upshot software or personal information that you give to us when you communicate with us by email or phone.
b. When we obtain it indirectly
For example, your personal information may be shared with us by third parties including, for example, third party service providers (such as software developers who assist us with the operation of Upshot); funding organisations with which your organisation works, analytics providers and search information providers. To the extent we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information.
c. When it is available publicly
Your personal information may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access information from those accounts or services (for example when you choose to interact with us via Facebook or Twitter).
d. When you visit our website
When you visit our website, we automatically collect the following types of personal information:
(i) Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
(ii) Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
In general, we may combine your personal information from these different sources set out in a-d above, for the purposes set out in this Statement.
3. How we use your personal data?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
• to assess your organisation’s need for the Upshot application;
• to allow you to make use of the software in general and provide you with related information;
• to provide you with technical assistance and customer support;
• to update you on the status of your orders/requests;
• to provide further information about our work, services or activities (where necessary, only where you have provided your consent to receive such information);
• to confirm your identification when you contact us;
• to answer your questions/ requests and communicate with you in general;
• for our own internal record keeping purposes;
• to manage relationships with our partners and service providers;
• to analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
• to keep our facilities safe and secure;
• to run/administer Upshot, including our dedicated Upshot website, and ensure that content is presented in the most effective manner for you and for your device;
• to audit and/ or administer our accounts;
• to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
• for the prevention of fraud or misuse of services; and/or
• for the establishment, defence and/ or enforcement of legal claims.
4. Lawful bases
Under the UK GDPR we will rely on one or more of the following legal bases for processing your personal data:
• Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to use your personal information to send you marketing or promotional information about Upshot or software developments, or to collect special categories of personal information;
• Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services);
• Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to provide you with the software in return for the purchase price of the software); or
• Where it is necessary for the purpose of our legitimate interests and your interest or fundamental rights and freedoms do not override those interests.
Our ‘legitimate interests’ means our interest in ensuring that Upshot operates efficiently as a performance management software solution. In assessing our legitimate interests, we make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Where we collect and/or use special categories of your personal information (please see section 1 above), we are required by the UK GDPR to rely on at least one from an additional set of conditions. We consider the conditions below to be relevant:
• Where you have already made public the relevant information (for example, where you have made it public on a social media account);
• Where the information is required for the establishment, exercise or defence of legal claims;
• Where the information is necessary for reasons of substantial public interest (for example, monitoring and ensuring equality of opportunity); or
• Otherwise, where you have given your explicit consent for us to do so.
5. Communications for marketing/promotional purposes
We may use your contact details to provide you with information about our work, events, services and/or activities which we consider may be of interest to you (for example, about software updates which may become available after you purchase the latest version of Upshot).
Where we do this via email, SMS or telephone (where you are registered with the Telephone Preference Service), we will not do so without your prior consent (unless allowed to do so via applicable law).
Where you have provided us with your consent previously but do not wish to be contacted by us about our work, events, services and/or activities in the future, please let us know by email at email@example.com. You can opt out of receiving emails from us at any time by clicking the “unsubscribe” link at the bottom of our emails.
6. Disclosures of your personal data
We do not share, sell or rent your personal information to third parties for marketing purposes. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Statement.
These parties may include (but are not limited to):
• funding or delivery organisations, as relevant;
• suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as software developers or cloud storage providers;
• funding bodies with which we work;
• banks (for payment processing purposes);
• professional service providers such as accountants and lawyers;
• parties assisting us with research to monitor the impact/effectiveness of our services; and
• regulatory authorities, such as tax authorities.
In particular, we reserve the right to disclose your personal information to third parties:
• in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
• if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
• if we are under any legal or regulatory duty to do so; and/or
• to protect the rights, property or safety of Upshot, its personnel, users, visitors or others.
7. Security/storage of and access to your personal information
We are committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers which have features to prevent unauthorised access.
8. International transfers
Given that we are a UK-based organisation we will normally only transfer your personal information within the UK. However, because we may sometimes use agencies and/or suppliers to process personal information on our behalf and we have customers based outside the UK, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; or
• where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
9. Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see Section 10 below), we will remove it from our records at the relevant time.
If you request to receive no further contact from us, we may keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
10. Your legal rights and how to exercise them
Under certain circumstances, you have right under data protection laws in relation to the your personal data. These rights include:
• Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
• Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.
• Right of correction – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
• Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
• Right to object to processing– you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests basis (see section 4), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
• Right to request transfer of your personal data – to the extent required by the UK GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
• Rights to withdraw consent at any time – where we are relying on consent to process your personal data. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. we will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us using the details in section 11 below.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We encourage you to raise any concerns or complaints you have about the way we use your personal information by contacting us using the details provided in section 11 below. You are further entitled to make a complaint to the Information Commissioner’s Office – www.ico.org.uk.
We may update this Statement from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an updated notice on our website. This Statement was last updated February 2021.
We link our website directly to other sites. This Statement does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
Please let us know if you have any questions or concerns about this Statement or about the way in which Upshot processes your personal information by contacting us at the channels below. Please ask for / mark messages for the attention of Noam Gur, Commercial Manager (Data Protection Officer).
Telephone: +44 (0)20 3111 1455
Post: Top Flat, 96 Algernon Road, London, United Kingdom, SE13 7AW