Updated: May 25, 2018
Exubia Ltd (“Exubia”) is committed to protecting your privacy and ensuring you have a positive experience on our website and in using our products and services (collectively, “Products”). This policy covers the Exubia website exubia.co.uk, mobile applications, and desktop clients and is applicable worldwide.
If you reside in the European Union (“EU”), United Kingdom, Liechtenstein, Norway, Iceland or Switzerland, you may have additional rights with respect to your Personal Data, as further outlined below. These rights may include rights under the EU’s General Data Protection Regulation (“GDPR”), if you are a resident of the EU, United Kingdom, Liechtenstein, Norway or Iceland.
Collection of your Personal Data
We collect the following categories of Personal Data about you when you use or otherwise interact with our Products or Services:
- Email address
- Work/mobile telephone number
- Postal or other physical address
- Credit/debit card information (only in the case of direct debit payments, as agreed by the account holder)
- IP addresses and other information collected passively, as further detailed in the “Passive Collection” section below
- Device identifiers, as further described in the “Mobile Application” section below
We collect and/or process your Personal Data in connection with the below activities related to our Products and Services:
- Account registration
- Use of certain Product features
- Generating reports based on information collected from use of our Products and Services
- Requesting service and support for our Products and providing such support
- Placing transactions or orders
- Billing and collecting payments for our Products and Services
- Participating in discussion groups or forums, or using the online chat facility
- Registering for newsletter subscriptions
- Customizing the advertising and content you see
Processing of your Personal Data
We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity (i.e. processing that is necessary for the performance of a contract with you, such as your user agreement with us that allows us to provide you with the Products and/or Services) and our “legitimate interests” or the legitimate interest of others (e.g. our users) such as:
- Personalizing, improving or operating our Products, Services, and business
- Better understanding your needs and interests
- Fulfilling requests you make related to the Products and Services
- Providing you with information and offers from us or third parties
- Complying with our legal obligations, resolving disputes with users, enforcing our agreements
- Protecting, investigating and deterring against fraudulent, harmful, unauthorized or illegal activity
We process Personal Data for purposes such as:
- To process your orders and deliver the Products and Services that you have ordered
- To provide reports based on information collected from use of our Products and Services
- To keep you up to date on the latest Product announcements, service enhancements, special offers, and other information
- To provide support and assistance for our Products and Services
- To provide the ability to create personal profile areas and view protected content
- To provide the ability to contact you and provide you with shipping and billing information
- To provide customer feedback and support
- To provide and administer marketing or promotional activities on the exubia.co.uk or affiliate websites
- To the extent you choose to participate, to conduct questionnaires and surveys in order to provide better products and services to our customers and end users
- To support recruitment inquiries
- To personalize marketing communications and website content based on your preferences, such as in response to your request for specific information on products and services that may be of interest
- To meet contract or legal obligations
You can choose whether to provide Personal Data to Exubia, but note that you may be unable to access certain options, offers, and services if they require Personal Data that you have not provided. You can sign up, and therefore consent, to receive email or newsletter communications from us. If you would like to discontinue receiving these communications, you can update your preferences by using the “Unsubscribe” link found in such emails or by contacting us using the information in the “Contact Us” section of this policy.
Data Subject Rights
You have certain rights with respect to your Personal Data as set forth below. Please note that in some circumstances, we may not be able to fully comply with your requests, or we may ask you to provide us with additional information in connection with your request, which may be Personal Data, for example, if we need to verify your identity or the nature of your request. In such situations, however, we will still respond to let you know of our decision.
To make any of the following requests, contact us using the contact details referred to in the “Contact Us” section of this policy.
- Access: You can request more information about the Personal Data we hold about you. You can also request a copy of the Personal Data.
- Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. Please contact us as soon as possible upon noticing any such inaccuracy or incompleteness.
- Objection: You can contact us to let us know that you object to the collection or use of your Personal Data for certain purposes.
- Erasure: You can request that we erase some or all of your Personal Data from our systems.
- Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
- Portability: You have the right to ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another entity where technically feasible.
- Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Products or Services.
- Right to File Complaint: You have the right to lodge a complaint about Exubia’s practices with respect to your Personal Data with the supervisory authority of your country or EU Member State.
How long we retain your Personal Data depends on the type of data and the purpose for which we process the data.
Exubia and our third party service providers automatically collect some information about you when you use our Products and Services, using methods such as cookies and tracking technologies (further described below). Information automatically collected includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyse trends in the aggregate and administer the website and/or Products and Services.
In addition, when you use some of our Products and Services, network information is transmitted back to us such as Product usage information. This information is transmitted back to us so we can determine how users are interacting with our Products and Services, to assist us with improving our Products and Services, and to correct any problems that may occur.
Cookies and Tracking Technologies
We collect information about where you are located for the purposes of fulfilling our Services and delivering our Products. We do not share this information with any third parties, except when necessary to complete the fulfilment of your service or product.
Sharing your Personal Data
We do not sell or rent your Personal Data to third parties for marketing purposes unless you have granted us permission to do so.
We share Personal Data within Exubia and its affiliated companies, and with third party service providers for purposes of data processing or storage.
We may also share Personal Data with business partners, service vendors and/or authorized third-party agents or contractors in order to provide requested Products, Services or transactions. We provide these third parties with Personal Data to complete/utilize the requested Product, Service or transaction.
In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of us or our assets may continue to use your Personal Data as set forth in this policy. As required by law, we may respond to subpoenas, court orders, or similar legal process by disclosing your Personal Data and other related information, if necessary. We also may use Personal Data and other related information to establish or exercise our legal rights or defend against legal claims.
We collect and possibly share Personal Data and any other additional information available to us in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Exubia’s terms of service, or as otherwise required by law.
Security of your Personal Data
Exubia is committed to protecting the Personal Data you share with us. We utilize a combination of industry-standard security technologies, procedures, and organizational measures to help protect your Personal Data from unauthorized access, use or disclosure. When we transfer credit card information over the Internet, we protect it using Secure Sockets Layer (SSL) encryption technology.
We recommend you take every precaution in protecting your Personal Data when you are on the Internet. For example, change your passwords often, use a combination of letters and numbers when creating passwords, and make sure you use a secure browser. If you have any questions about the security of your Personal Data, you can contact us at firstname.lastname@example.org.
Linked websites and third party services
Our websites and services may provide links to other third-party websites and services which are outside our control and not covered by this policy. We encourage you to review the privacy policies posted on these (and all) sites you visit or services you use.
Transfer and Storage of Personal Data
Our Products and Services are hosted and operated in the United Kingdom (“U.K.”) through Exubia and its service providers. We may transfer your Personal Data within the U.K., to any Exubia affiliate worldwide, or to third parties acting on our behalf for the purposes of delivering a service. By using any of our Products or providing any Personal Data for any of the purposes stated above, you consent to the transfer and storage of your Personal Data, whether provided by you or obtained through a third party, to the U.K. as set forth herein, including the hosting of such Personal Data on U.K. servers.
Attention: Privacy Officer
Woodside Nursery, Long Wittenham,
Abingdon, OX14 4PT
Exubia Ltd GDPR Compliance Statement
The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.
Exubia Ltd (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR and the UK’s Data Protection Bill.
Exubia Ltd are dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and objectives for GDPR compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.
How We are Preparing for the GDPR
Exubia Ltd already have a consistent level of data protection and security across our organisation, however it is our aim to be fully compliant with the GDPR by 25th May 2018. Our preparation includes: –
- Information Audit – carrying out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
- Policies & Procedures – revising and implementing new data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including: –
- Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy by design and the rights of individuals.
- Data Retention & Erasure – we have updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subject’s rights apply; along with any exemptions, response timeframes and notification responsibilities.
- Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
- International Data Transfers & Third-Party Disclosures – where Exubia stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as provisions for binding corporate rules; standard data protection clauses or approved codes of conduct for those countries without. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
- Legal Basis for Processing – we are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
- Obtaining Consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to see and access way to withdraw consent at any time.
- Direct Marketing – we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
- Special Categories Data – where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements and have high-level encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy to access information via our website, or on request, of an individual’s right to access any personal information that Exubia processes about them and to request information about: –
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store your personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances
Information Security & Technical and Organisational Measures
Exubia takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures.
GDPR Roles and Employees
Exubia have designated a Data Protection Officer (DPO)/Appointed Person and have appointed a data privacy team to develop and implement our roadmap for complying with the new data protection Regulation. The team are responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.
Exubia understands that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans. We have implemented an employee training program specific to the GDPR which will be provided to all employees prior to May 25th, 2018, and forms part of our induction and annual training program.
If you have any questions about our preparation for the GDPR, please send an email to email@example.com. You can also contact us by writing to this address:
Attention: Privacy Officer
Woodside Nursery, Long Wittenham,
Abingdon, OX14 4PT