Last updated on 09/05/2024

What is this notice all about?

We want to be completely transparent about how we collect and use your personal data and this privacy notice exists to tell you exactly how we do this.

This notice applies wherever we decide why and how we process personal data (and therefore act as a Data Controller under data protection law). It covers the personal data we process when you visit our website or use our services as a (potential) customer and/or test user.

The different ways we process personal data

 

• When we work with our customers

What personal data do we collect, why do we collect it, and what legal basis do we rely on?

Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When you sign as a customer, we collect your company name, details of your primary contact and any other relevant key contacts, payment details, and a signature. The legal basis we rely on for this processing is Article 6(1)(b) of the GDPR – Contract.

To keep in touch with you and manage your account we use your key contact name, email address, phone number and company name. The legal basis we rely on for this is Article 6(1)(f) of the GDPR – Legitimate Interest.

To collect payments for our service we require your company name and address, key contact name, and VAT number. The legal basis we rely on for this processing is Article 6(1)(b) of the GDPR – Contract.

We provide innovative services centred around automating routine clinical conversations for our customers. We are a Data Processor for data we process on behalf of our customers (the data controllers) hence we rely on our customers to have obtained the necessary notices, lawful basis for processing or any other legal requirements. 

We may use call recording and note taking software during our meetings which we sometimes use for preparation and training purposes, and to gain insights so we could identify new business prospects and improve our services. The legal basis we rely on for this is Article 6(1)(f) of the GDPR – Legitimate Interest. 

Where do we store it?

We use applications that store data in the UK or EEA GDPR zone, or countries deemed ‘adequate’ under GDPR.  When we use an application that stores data outside of the UK (or EEA), we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.

How long do we keep it? 

We will retain your personal data while you are a customer of ours and for up to 12 months after you leave, in line with our business needs. We keep financial data for a minimum of 6 years, in line with UK law.

 

• When we raise awareness of our company
  

What personal data do we collect, why do we collect it, and what legal basis do we rely on?

Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When we raise awareness of our company, we may collect some information such as your name, company name, phone number, and work email address. We may use call recording and note taking software during our meetings which we sometimes use for preparation and training purposes, and to gain insights so we can identify new business prospects and improve our services. The legal basis we rely on for this is Article 6(1)(f) of the GDPR – Legitimate Interest.

We may collect your home or office address to send you gifts or marketing materials such as information leaflets. The legal basis we rely on for this is Article 6(1)(f) of the GDPR – Legitimate Interest or Article 6(1)(a) of the GDPR – Consent.

Where do we store it?

We use applications that store data in the UK or EEA GDPR zone, or countries deemed ‘adequate’ under GDPR. When we use an application that stores data outside of the UK (or EEA), we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.

How long do we keep it?

We’ll retain your name, company name, phone number, and email address on a marketing list, in line with our retention schedule unless you unsubscribe. Anyone else who does not wish to be contacted will be transferred to our ‘do not contact list’. We retain name, company, email, phone number so that we know not to contact you, and all supplementary information will be deleted.

 

• When you participate as a test user

What personal data do we collect, why do we collect it, and what legal basis do we rely on?

Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When you participate as a test user to test our service, we may collect, store and use the following kinds of personal information about you: salutation, forename, surname, date of birth, email, phone number(s). 

The legal basis we rely on for this processing is Article 6(1)(f) of the GDPR – Legitimate Interest or Article 6(1)(a) of the GDPR – Consent.

Where do we store it?

We use applications that store data in the UK or EEA GDPR zone, or countries deemed ‘adequate’ under GDPR.  When we use an application that stores data outside of the UK (or EEA), we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.

How long do we keep it?

We will retain your personal data while you are a test user with us and as needed to comply with applicable legal obligations. 

We will also retain and use your Personal Information as necessary to resolve disputes, protect us and our customers, and enforce our agreements.

 

• When you sign up to receiving our marketing materials

What personal data do we collect, why do we collect it, and what legal basis do we rely on?

Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When you sign up to our newsletter, we collect your name, company name and email address so that we can keep in touch with you. The legal basis we rely on for this processing is Article 6(1)(a) of the GDPR – Consent.

Where do we store it?

We use applications that store data in the UK or EEA GDPR zone, or countries deemed ‘adequate’ under GDPR. When we use an application that stores data outside of the UK (or EEA), we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.

How long do we keep it?

We’ll retain your name and email address on a marketing list, for 2 years in line with our retention schedule unless you unsubscribe sooner. Anyone who unsubscribes will be transferred to our ‘do not contact list’. We retain your name and email address so that we know not to contact you with marketing messages.

 

• When you apply for a job with us

What personal data do we collect, why do we collect it, and what legal basis do we rely on?

Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When you apply for a job with us, we will ask you for some information about yourself to manage the recruitment process, such as your name, contact details and CV. We may also invite you to attend an interview in person or via video call and complete tests as part of the recruitment process. The legal basis we rely on for this is Article 6(1)(f) of the GDPR – Legitimate Interests.

Where do we store it?

We use applications that store data in the UK or EEA GDPR zone, or countries deemed ‘adequate’ under GDPR.  When we use an application that stores data outside of the UK (or EEA), we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.

How long do we keep it?

If you’re offered a job with us, we’ll retain your data during your employment and remove it in line with our obligations under UK law. Otherwise we will keep your data during your interview process and remove it after 12 months.

When you visit our website

Our website uses cookies of which you should be aware.

What cookies do we collect, why do we collect them, and what legal basis do we rely on?

Cookies are text files placed on your hard drive by a web page server when you visit a website and are saved in your browser’s history. They allow the website to recognise your device and store some information about your preferences or past actions. Cookies cannot be used to run programs or deliver viruses to your computer; they are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie.

When you use our website, the cookies that can be stored on your device are first party essential cookies, which are placed and read by us directly while you are using our website. As part of the verification flow, you will be redirected via a third party site that will deploy an essential cookie that will count your visit.

Below is a list of the cookies we use and the purposes for which they are used:

Essential cookies

These are essential to the operation of our website and are integral to the functioning of our Website, therefore they cannot be removed.

 

Cookie Name	Provider	Purpose	Expiry
moove_gdpr_popup	Moove	Record cookie permission	365 days

 

We do use any Non-essential cookies. These are additional cookies to the performance of our website and help us improve the service we provide to you.

 

UK and EU: What are your rights?

Your personal data is yours and you have rights in relation to it granted by the UK GDPR, which include:

• The right to be informed
  
  You have the right to be informed about the collection and use of your personal data, the purposes for processing, retention periods for that personal data and who it will be shared with. We have set out this information in this privacy notice.

• The right of access
  
  You have the right to ask us for copies of the data we hold about you. If you ask us, we’ll confirm whether we’re processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details).

• The right to object
  
  You have the right to ask us to stop processing your personal information in some circumstances, such as when we are relying on our own (or someone else’s) legitimate interests to process your personal information, when we are processing your personal information for direct marketing or when we are processing your personal information for research.

• The right to rectification
  
  You have the right to ask us to rectify the personal information you think is inaccurate or to complete information you think is incomplete. When you ask us to rectify your information, if we’ve shared your personal information with others, we’ll let them know about the rectification where possible.

• The right to erasure
  
  You have the right to ask us to erase your personal information, in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable).

• The right to restrict processing
  
  You have the right to ask us to restrict the processing of your personal information for a period of time in some circumstances, such as where you contest the accuracy of that personal information or object to us processing it. This right is separate from the right to object and will only stop us from using your personal information further, not from processing it. If we’ve shared your personal information with others, we’ll let them know about the restriction where possible.

• The right to data portability
  
  You have the right to ask that we transfer the personal information you gave us to another organisation, or to someone else, in some circumstances.

You don’t have to pay anything to exercise your rights. Please contact us by sending an email to DPO@ufonia.com if you wish to make a request under your rights; we have a calendar month to get back to you with a response.

US: What are your rights?

• The right to know
  
  You have the right to ask a business to disclose what personal data they have collected, used, shared or sold about you and why it was collected, used, shared or sold. You have the right to this information for the 12 month period preceding your request. The data should be provided in a portable format.

• The right to opt-out of sale
  
  You have the right to ask a business to stop selling your personal information (”opt-out”). With some exceptions, a business cannot sell your personal information if they receive an opt-out request unless you provide authorisation allowing them to again.
  
  Nevada Residents: We do not sell your personal information, but nevertheless we offer an opt out to sales of your data in an overabundance of caution to ensure compliance with Nevada law. Verified requests under Nevada law (NRS 603A) to not make any sale of any covered information we have collected or will collect regarding you may be sent to DPO@ufonia.co Please included in your email “Request for Nevada Opt-Out” in the subject line and in the body of your message.

• The right to delete
  
  You have the right to request that businesses delete personal information they collected about you and to tell their service providers to do the same. There are some exceptions that allow businesses to retain your personal information.

• The right to non-discrimination
  
  Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.

• The right to rectification
  
  You have the right to ask us to rectify the personal information you think is inaccurate or to complete information you think is incomplete. When you ask us to rectify your information, if we’ve shared your personal information with others, we’ll let them know about the rectification where possible.

• The right to limit use of sensitive information
  
  You have the right to ask us to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested. If we’ve shared your personal information with others, we’ll let them know about the restriction where possible.

• Shine a Light (California Residents)
  
  If you are a California resident and have an established business relationship with us, you can request a notice disclosing the categories of personal information we have shared with third parties for the third parties’ direct marketing purposes during the preceding calendar year. To request a notice, please submit your request to: DPO@ufonia.co. Please include in your email “Request for California Shine the Light Opt-Out” in the subject line and in the body of your message. Please allow 30 days for a response.

You don’t have to pay anything to exercise your rights. Please contact us by sending an email to DPO@ufonia.com or use our contact form here if you wish to make a request under your rights; we have 45 days to get back to you with a response.

Who we share your personal data with

We may share your personal information with a company controlled by, or under common control with, Ufonia Ltd and Ufonia Inc for any purpose permitted by this Policy. We transfer Personal Information about you if a Ufonia Ltd organisation is, or its assets are, acquired by or merged with another company. We may share Personal Information about you during the fund raising process for venture capital and when we believe disclosure of personal information is necessary in order to comply with applicable law and legal processes and to enforce a contract with us.

How you can complain

If you have any concerns about our use of your personal information, please let us know by:

Emailing us at DPO@ufonia.com, or writing to us at 104 Gloucester Green, Oxford, OX1 2BU, United Kingdom.

If you are not satisfied with our response or you are unhappy with how we have used your data, you can complain to the Information Commissioner’s Office (ICO). You can find the ICO contact details below:

ICO Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Helpline number: 0303 123 1113.

ICO Website: https://www.ico.org.uk