Privacy policy

 

1. INTRODUCTION

Select Service Partner UK Limited (“we”, “our” or “us”) are committed to protecting and respecting your personal data as data subject (“you” or “your”). This policy will inform you on how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

Please read the following carefully to understand our practices regarding your personal data and how we will treat it. By visiting this website you are accepting and consenting to the practices described in this policy.

The processing of your personal data, such as the name, address, e-mail address, or telephone numbers will be in line with the general data protection regulation (“GDPR”)

By means of this policy, we would like to inform you of the nature, scope, and purpose of the personal data we collect through the website.

2. IMPORTANT INFORMATION AND WHO WE ARE

We will collect, store and process your personal data in order for you to be supplied with our products and services, and allow us to respond to your requests and general queries made by you through your use of the Upper Crust website. Our details are set out below:

Select Service Partner UK Limited

32 Jamestown Road.

London

NW1 7HW

UK

Phone: +44 (0)207 543 3300

Email: customer.care@ssp.uk.com

Website: uppercrust.co.uk

Contact details of the Data Protection Officer

We are not required to appoint a Data Protection Officer at the current time under the EU GDPR and the Data Protection Act 2018. The Privacy Manager for Select Service Partner UK Limited can be contacted in writing at:

For Attention Of: Privacy Manager

Company Name: Select Service Partner UK Ltd

Email Address: GDPR@ssp-intl.com

3. THE DATA WE COLLECT ABOUT YOU

We may collect, use, store and transfer different kinds of personal data provided by you which we have grouped together follows:

  • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes billing address, delivery address, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, and feedback and survey responses.
  • Usage Data includes information about how you use the website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). We do not collect any information about criminal convictions and offences.

We will only pass your personal data onto a third party where you have agreed to enter into any competitions, promotions (or similar) and we will not sell, rent or exchange your personal data to a third party for commercial gain.

IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data under any applicable laws, or under the terms of a contract we have with you, we would ask that you provide us with the relevant personal data in order for us to perform the contract (for example, to deliver a product you have ordered).

4. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect personal data from and about you including through:

  • Direct interactions – you may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone, and email or otherwise. This includes personal data you provide when you:
    • apply for our services;
    • purchase our products
    • create an account on the website;
    • subscribe to our service or publications;
    • request marketing to be sent to you;
    • enter a competition, promotion or survey; or
    • give us some feedback.
  • Automated technologies or interactions – as you interact with the website, we may automatically collect technical data about your browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies.
  • Third parties or publicly available sources – we may receive personal data about you from various third parties and public sources as set out below:
    • Technical Data from the following parties:
      1. analytics providers such as Google based outside the EU;
      2. advertising networks based inside OR outside the EU; and
      3. search information providers based inside OR outside the EU.
    • contact, financial and transaction data from providers of technical, payment and delivery services based inside OR outside the EU.
    • identity and contact data from publicly availably sources such as Companies House and the Electoral Register based inside the EU

5. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • where we need to perform a contract we are about to enter into or have entered into with you.
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • where we need to comply with a legal or regulatory obligation.
  • our service providers, including logistics providers, such as those who deliver our orders and e-mails, technical and support partners, such as the companies who host our website and who provide technical support and back-up services.
  • law enforcement agencies, government or public agencies or officials, regulators, and any other person or entity that has the appropriate legal authority where we are legally required or permitted to do so, to respond to claims, or to protect our rights, interests, privacy, property or safety.

We will only pass your details onto a third party when you have agreed to do this when entering competitions/ promotions and will never sell, rent or exchange your personal information with any third party for commercial reasons. Where you have agreed to allow third parties to send direct marketing communications to you via email or text message, you have the right to withdraw consent to marketing at any time as further set out in clause 7.2.

7.1 PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we will rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note – we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your personal data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below:

Purpose/ActivityType of dataBasis for Processing
Signing up to a mailing list(a) identity
(b) contact
Performance of a contract with You
Promotional communications(a) identity
(b) contact
Performance of a contract with You
Marketing / Loyalty Schemes(a) identity
(b) contact
Performance of a contract with You
To register You as a new customer(a) identity
(b) contact
Performance of a contract with You
To process and deliver Your order including:
(a) Manage payments, fees and charges
(b) Collection and recover money
(a) identity
(b) contact
(c) financial
(d) transaction
(e) marketing and communications
(a) performance of a contract with You
(b) necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with You which will include:
(a) notifying You about changes to our terms or the policy;
(b) Asking You to leave a review or take a survey;
(a) identity
(b) contact
(c) profile
(d) usage
(e) marketing and communications
(a) performance of a contract with You
(b) necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

6. MARKETING

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We will develop and implement the following personal data control mechanisms:

6.1 PROMOTIONAL OFFERS FROM US

We may use your identity, contact details, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have opted in for receiving that marketing.

6.2 THIRD-PARTY MARKETING

We will get your express consent before we share your personal data with any company outside the SSP group of companies for marketing purposes.

6.3 OPTING OUT USING UNSUBSCRIBE LINKS

You can ask to stop sending you marketing messages at any time by clicking the unsubscribe link sent in any email correspondence to you.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, registration, product or service experience or other transactions.

6.4 COOKIES

Similar to other commercial websites, our website uses a technology called “cookies” (see explanation below) and web server logs to collect information about how our website is used. Information gathered through cookies and web server logs includes the date and time of visits, the pages viewed, time spent at our website and the websites visited just before and just after our website. A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website, that site’s computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.

As you browse on our website, the website uses cookies to differentiate you from other users to prevent you from seeing unnecessary advertisements or requiring you to log in more than is necessary for security. Cookies, in conjunction with our web server’s log files, allow us to calculate the aggregate number of people visiting our website and which parts of the website are most popular. This helps us gather feedback so that we can improve our website and better serve our customers. Cookies do not allow us to gather any personal Information about you and we do not generally store any personal information that you provided to us in your cookies.

You can switch off all non-essential cookies through the banner at the top of our website.

7. CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted under applicable laws.

8. DISCLOSURE OF YOUR PERSONAL DATA

We may have to share your personal data with the third parties set out below for the purposes set out in the table in paragraph 7.1 above:

  • Any individual or entity within the group of companies whether a parent or subsidiary undertaking of us
  • Third parties:
    • Our service providers, including logistics providers, such as those who deliver our orders and e-mails;
    • Technical and support partners, such as the companies who host our website and who provide technical support and back-up services;
    • Law enforcement agencies, government or public agencies or officials, regulators, and any other person or entity that has the appropriate legal authority where we are legally required or permitted to do so, to respond to claims, or to protect our rights, interests, privacy, property or safety.
  • We require all third parties to respect the security of your personal data and to treat it in accordance with the applicable laws. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

9. INTERNATIONAL TRANSFERS

We do not transfer your personal data outside the European Economic Area (EEA)

10. DATA RETENTION

10.1 HOW LONG WILL WE KEEP YOUR PERSONAL DATA

We will only retain your personal data for as long as it is necessary to fulfil the purpose we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements as determined by applicable laws.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

10.2 ROUTINE ERASURE AND BLOCKING OF PERSONAL DATA

If the storage or purpose is no longer applicable, or if a storage period prescribed under the GDPR or another competent body expires, the personal data is routinely blocked or erased in accordance with prescribed legal requirements.

11. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under the GDPR (or its equivalent), in relation to your personal data.

A. Right of confirmation

You have the right to obtain from us, confirmation as to whether or not your personal data is being processed.

B. Right of access

You have the right to obtain from us, free information about your personal data stored by us, at any time and a copy of this information. Furthermore, you are entitled to copies of the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from us, rectification or erasure of your personal data, or restriction of processing of personal data concerning you, or to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • where personal data is not collected from you, any available information as to its source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing relating to you.

Furthermore, you have a right to obtain information from us where personal data is transferred to a third country or to an international organisation. Should SSP transfer personal to a third country or international organisation, SSP will ensure that the appropriate safeguards relating to the transfer.

C. Right to rectification

You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

D. Right to erasure (Right to be forgotten)

You have the right to obtain from us the erasure of Personal Data concerning you without undue delay, we will erase your personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you withdraw consent to which the processing in accordance with point (a) Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
  • you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing;
  • the personal data having been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation in union or member state law to which the we are subject;
  • the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Where we have made personal data public and we are obliged (pursuant to Article 17(1)) to erase the personal data, and into taking account the available technology and the cost of implementation, we will take reasonable steps, including technical measures, to inform any third party controller or processor as is necessary, that you have requested the erasure of the personal data, as far as processing is not required by us or them, and we will arrange the necessary measures or actions to be effected.

E. Right of Restriction of Processing

You have the right to obtain from us, restrictions regarding the processing of personal data, where one of the following applies:

  • the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
  • the processing is unlawful and you opposes the erasure of the personal data and request instead the restriction of the third parties use instead;
  • We no longer need the personal data for the purposes of the processing, but may be required in terms of our own policies, for the establishment, exercise or defence of legal claims.
  • you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification thereof, whether legitimate grounds are applicable to us, to override your objections.

F. Right to data portability

You the right to receive personal data concerning you, which was provided to us in a structured commonly used machine-readable format. You have the right to transmit your personal data to another controller without undue hindrance from us, provided, the processing is currently based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, or as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the us.

G. Right to object

You have the right to object on grounds relating to your particular situation, at any time, to processing of personal data concerning you, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.

We shall no longer process the personal data in the event of a reasonable objection, unless we can demonstrate legitimate grounds for the processing, or where for a potential defence of legal claims.

If we process personal data for direct marketing purposes, you have the right to withdraw consent at any time to the processing of personal data concerning you for such marketing purposes. This applies to profiling to the extent that it is related to such direct marketing. If you object to us processing personal data for direct marketing purposes, we will no longer process the personal data for those purposes.

H. Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly effects you, as long as the decision (1) is not is necessary for entering into, or the performance of, a contract between the you and us, or (2) is not authorised under GDPR, or (3) is not based on your explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between you and us, or (2) it is based on the your explicit consent, we shall implement suitable measures to safeguard the your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express your point of view and contest the decision.

I. Right to withdraw data protection consent

You shall have the right to withdraw your consent to the processing of your personal data at any time.

12. WHAT WE MAY NEED FROM YOU

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

13. PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding personal data is routinely deleted, as long as it is no longer necessary for the fulfilment of the contract or the initiation of a contract or permitted under applicable laws and our internal policies.

14. EXISTENCE OF AUTOMATED DECISION-MAKING

As a responsible company, we do not use automatic decision-making or profiling.

GLOSSARY

DEFINITIONS

This policy of Select Service Partner UK Limited is based on the adoption of the GDPR and applicable laws for the website policy, we would like to explain the terminology used in the policy set out below:

In this policy we use the following terms:

you

Identifiable natural person, whose Personal Data is processed and/controlled under this policy (“you” or “your”).

Consent

Consent is any freely given, specific, informed and unambiguous indication he or she, by a statement or you, a clear affirmative action.

controller

Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or member state law, the controller or the specific criteria for its nomination may be provided for by European Union or member state law.

personal data

Personal Data means any information relating to an identified or identifiable natural person (“you”) who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to you without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to you.

processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data may disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or member state law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

technical data

scientific or technical information recorded in any form or presented in any manner, but excluding financial and management data.

third party

Third Party is a natural or legal person, public authority, agency or body other than you, the controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

website

uppercrust.co.uk