‘Because your data and privacy are so important, we wanted to let you know that when you share your information with us, we are responsible for it. We take this obligation very seriously indeed.’
Polly Barnfield OBE, CEO and Founder of Maybe
Our policy on data protection
Last updated 23rd March 2021
Maybe* is committed to protecting the privacy and the security of your personal data.
First of all, here are a few terms we may use in this document to explain ourselves. “Personal data” is information relating to you as a living, identifiable individual. So, this could be anything from a postal address to a telephone number or date of birth.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it. A “Condition for processing data” is essentially our justification for processing the data. For example, we may ask you to agree for us to send you marketing information; in this instance, we may ask you for your Consent.
2. The law requires us:
2.1 To process your data in a lawful, fair and transparent way;
2.2 To only collect your data for explicit and legitimate purposes;
2.3 To only collect data that is relevant, and limited to the purpose(s) we have told you about;
2.4 To ensure that your data is accurate and up to date;
2.5 To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
2.6 To ensure that appropriate security measures are used to protect your data. The following sections will answer any questions you have but if not, please do contact us, details are shown below;
2.7 It is likely that we will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact us by any of the means shown below.
3. What is Maybe*?
Maybe* is a platform that engages with people online and intelligently listens to its audience. Maybe* understands its audience and connects people with the products they want. For this reason, it is in our legitimate business interest to share some essential data with our clients. When this happens the client, product or brand will then process your data and send you communications which will be relevant and potentially of interest to you. You’ll have an opportunity to opt-in to that relationship. We do not share or sell your data to any other organisations. You can always stop this processing by contacting us below.
4. Maybe* needs to process data, how?
The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process your personal data. When collecting your personal data, we will always make clear to you which data is necessary for each purpose we have told you about. Most commonly, we will process your data on the following lawful grounds:
4.1 Consent. In specific situations, we can collect and process your data with your consent.
4.2 This may include when you agree to receive an email about our services or an event we may hold. When you make an enquiry online for example, we may assume your implied consent to enable us to send information you have requested.
4.3 If you have not engaged with us for more than five years, you may be flagged as an inactive individual and we will contact you to ask whether you want us to keep your data or not. Unless you reply to say ‘yes’, we will delete or anonymise your personal data.
5. Maybe* has some Contractual obligations. In certain circumstances, we need your personal data to comply with our contractual obligations. If a law says we must process your information we have no alternative. This might be if you worked in the amazing Maybe* team.
6. Other Legal compliance. If the law requires it, we may need to collect and process your data. This might be when a criminal act is detected or matters relating to taxation for example. Again, we have no option but to comply with the law.
7. Legitimate interest. In certain circumstances, we require your data to pursue the Maybe* legitimate interests in a way which might reasonably be expected when we pursue our aims and objectives as an organisation. When we process data in this way we’ll make sure there isn’t a chance of any material impact on your rights, freedom or interests, we promise. Maybe* has a legitimate interest in maintaining a record of its activities, the people with whom it has interacted, its organisational history and the development of future products and services it may provide to its clients and their customers.
8. Vital use of data. We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on this basis and in your best interest.
9. Special category data – The most sensitive of all information. Maybe* doesn’t set out to collect sensitive information about its clients or their customers. We have no need for this information. However, we are mindful that information of the type shown below may be available to us from time to time, for example, if Maybe* hears someone talking about health information. We don’t process this information for the purpose of understanding a person’s health condition. “Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We aim to collect and process special category data as little as possible. Maybe* will document all incidents of its processing of special category data in our Information Asset Register. We have carefully measured the risk associated with this by conducting an impact assessment.
9.1 The Special Categories of personal data consist of data revealing:
9.2 Racial or ethnic origin;
9.3 Political opinions;
9.4 Religious or philosophical beliefs;
9.5 Trade union membership.
9.6 They also consist of the processing of:
9.7 Genetic data;
9.8 Biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
9.9 Data concerning health;
9.10 Data concerning someone's sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
9.11 With your explicit written consent; or
9.12 Where it is necessary in the substantial public interest, and further conditions are met;
9.13 Where the processing is necessary for archiving purposes in the public interest and where UK Law permits, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law;
9.14 Where there is a legal obligation.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
10. When Maybe* collects your personal data:
These occasions will include, but are not limited to:
10.1 When you work with the Maybe* team;
10.2 When you visit our offices or an event we may organise;
10.3 When you supply goods and services to Maybe*;
10.4 When you write to us about any subject by any means;
10.5 When you post, like, follow or reply on any of our or our client’s social media feeds;
10.6 When your image or vehicle number plate is recorded on our CCTV system;
10.7 When you or your organisation is a client of Maybe* and use our products;
10.8 When you are part of an audience that Maybe* is listening to;
10.9 When the product or service you have engaged with asks us to send you a communication;
10.10 When you access or engage with our website.
10.11 When you engage in our loyalty scheme.
10.12 How and why Maybe* collects your personal data
Maybe* collects personal data in order to manage its business and deliver its service to its clients. The data collected is most likely in electronic format but can also be in paper form.
11. When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile you to find out more about you but in the least intrusive way. We may use information we collect to display the most interesting content to you on our website, and we may use data we hold about your previous visits;
12. We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience;
13. For your security, we use all appropriate organisational and technical security controls to safeguard your data;
14. When we interact with you, we may also collect notes from our conversations with you, and details of any complaints or comments you make. We may record your age or identity where the law requires this;
15. We will only ask for and use your personal data collected for the purpose stated at the point at which it is collected. If we believe your data is no longer needed for this purpose, we will not process your data further.
16. The Maybe* Retail loyalty Scheme.
16.1 When you choose to become a member of the loyalty program and you reside in the UK, your personal data will be processed in accordance with UK data protection law. The legislation includes but is not limited to;
16.2 The Data Protection, Privacy and Electronic Communications Regulation (UK-GDPR);
16.3 The General Data Protection Regulation (679) 2016 (EU-GDPR);
16.4 The Privacy and Electronic Communications Regulation (PECR);
16.5 The Data Protection Act 2018;
16.6 If you reside outside of the UK, your data protection rights will be upheld in accordance with your national laws;
16.7 Maybe* is the data controller of such information you may provide when you become a member of the scheme in accordance with the GDPR;
16.8 Maybe* may work with other organisations when providing membership services, in these instances it may be a data processor as defined in the GDPR;
16.9 Other organisations may therefore be controllers of your personal data and will process that data in accordance with their policies.
16.10 When your personal data is processed in accordance with the terms and conditions of the loyalty program, it will be processed with your Consent.
16.11 When you make a purchase as a member of the program, your Consent will be used to share your personal data with the retailer/s with whom you made a purchase/s.
16.12 The retailer may offer you the ability to opt-out of their marketing in the future.
16.13 Once your personal data has been shared with the retailer with whom you made the purchase, and you wish to opt-out of marketing with that specific retailer, you will need to contact them directly or respond to their communications.
16.14 Your data is only shared with the retailer with whom you make purchases.
17. The eight data subject rights will be upheld unless there is a legal provision or obligation, they include;
17.1 The right to be informed;
17.2 The right of access;
17.3 The right to erasure or the right to be forgotten;
17.4 The right to restrict processing;
17.5 The right to question automated decision making;
17.6 The right to rectify inaccurate information;
17.7 The right to portability of data.
17.8 The principles of the GDPR and how Maybe* upholds them are detailed in the data protection policy, in particular;
17.9 Maybe* ensures that its processing is fair, proportionate and transparent;
17.10 That the purposes for processing are strictly for the provision of membership services unless otherwise notified;
17.11 That only the data required to provide the services is processed;
17.12 That the data provided by the member is accurate and continues to be so wherever possible;
17.13 Data is only retained for as long as is necessary to provide membership and to uphold any legal obligations;
17.14 All data is processed with adequate physical and technical security, which is regularly reviewed, and risks mitigated;
17.15 Maybe* can demonstrate it is accountable for the data it may process as a data Controller;
17.16 Maybe* has appointed a Data Protection Officer to oversee and ensure fair processing of all personal data;
17.17 Data processed to provide membership services will be processed using contractual obligation as the lawful grounds;
17.18 Some data may be processed with the consent of the member;
17.19 Some data may be processed using the legitimate interest of Maybe* or another data controller;
17.20 Data may be shared using the lawful grounds for processing detailed where a data sharing agreement is in force;
17.21 Maybe* does not intend to process special categories of data that may identify a member;
17.22 In certain circumstances if processing is undertaken in accordance with this policy it will be processed with explicit consent or on rare occasions a Data Protection Act 2018 exemption;
17.23 International transfers of data are made to countries that have adequate standards of data protection in accordance with the EU GDPR;
17.24 Where transfers are made to a third country, necessary safeguards are used to ensure the data subjects’ fundamental rights and freedoms are upheld;
17.25 Safeguards referred to include but are not limited to EU standard contractual clauses;
17.26 Such safeguards are used on a case by case basis and only after assessing the standards of national Data Protection Law;
17.27 Members, current, prospective and lapsed, may lodge a complaint about the processing of their data by Maybe with the Information Commissioner’s Office (ICO) who regulates data protection in the UK. (www.ico.org.uk/concerns)
17.28 This privacy notice may be updated from time to time and published in the public domain.
18. Retailers who participate in the loyalty scheme
When you use the services provided by Maybe* as an organisation and where you are a controller of data in accordance with GDPR Chapter IV, section 1 Art.24, personal data processed will be in accordance with your organisation’s policies. Maybe* can be a data processor when delivering the services to the organisation. Maybe* may also be a data controller when certain services are provided. Please see our policies and terms concerning personal data.
19. Organisations that use Maybe* services.
When an organisation uses the Maybe* services each party undertakes to comply with the provisions of the Data Protection Act 2018 (the DPA 18), the Privacy and Electronic Communications Regulation 2003 (2002/58/EC) (as amended), the EU General Data Protection Regulation (2016/679) and the UK Data Protection, Privacy and Electronic Communication Regulation 2019 (UK GDPR) and all applicable laws and regulations relating to the processing of personal data, including where applicable the binding guidance and codes of practice issued by the Information Commissioner's Office or any other national data protection authority if applicable, and the equivalent of any of the foregoing in any relevant jurisdiction, and any replacement or equivalent of any of the foregoing in the UK insofar as the same relates to the provisions and obligations of this Agreement.
19.1 Maybe* is accountable for the personal information it processes where it is deemed to be a controller. It has appointed a Data Protection Officer to ensure transparency for such processing activities. Maybe* undertakes where applicable to conduct data protection impact assessments in accordance with the UK GDPR article 35. Maybe* ensures it is compliant with the UK GDPR’s specific security requirements as detailed in article 32. Maybe* also ensures that it adequately applies the principles of data protection law in accordance with the UK GDPR Articles 5, 6, 7, 9 and 11.
19.2 When you use the Service referred to in these terms, you are the data controller as defined in the UK GDPR Article 24, of such information you may process that may identify individuals directly or indirectly. Maybe* will be a data processor as defined in the GDPR Article 28 unless otherwise acknowledged. Maybe* may be a controller or joint controller as defined in the UK GDPR Article 24 and 26 when you engage with its managed services but only where it might solely or jointly along with the associated controller determine the purpose for processing as defined in the UK GDPR Article 28(10). Where you are using the service as a data controller you will be processing the data in accordance with your data protection policy. When using the Maybe* managed services Maybe* may be a data controller and will therefore apply its own policies concerning processing activities but only where it may have determined the purpose for processing;
19.3 Nevertheless, regardless of the status of Maybe as defined in the UK GDPR Article 24, 26 and 28 in accordance with section 7 of these terms, Maybe* shall be held harmless to any damages or liability howsoever they may arise and as a result of any infringement by a party contracted to the terms of the agreement and acting as the data controller of any applicable data protection law;
19.4 Maybe* does however, when performing a task on behalf of the controller and in accordance with the law, take responsibility for information security and data transfers to and from the data controller.
21. Explanatory notes to Maybe* customers
Maybe* is a Data Controller in accordance with the UK GDPR Chapter IV Section 1 Article 24 and as such determines the purposes and the means of the processing activities associated with its service provision. Essentially this amounts to deciding respectively the "why" and the "how" in order to enable the service for a customer to then use. The controller is the actor who has determined why the processing is taking place (To what end or what for) and how this objective shall be reached. The Customer of Maybe* is also a Data Controller as it also determines its own purposes and means, it is likely that these will be different purposes and means from those of Maybe*.
21.1 For some processing activities Maybe* may be a Data Processor in accordance with the UK GDPR Art.28. This will be where Maybe* is instructed to process the data or work on behalf of the Controller in a defined way and where it may not process data for its own purposes and has little if any influence over the means of processing. As a Data Processor it may be possible for Maybe* to make some determination concerning the processing activities such as the way data is secured and the IT arrangements.
21.2 Where Maybe* sources the services of a social media platform it acts as a Data Controller alongside the Customer who is also acting as a Controller but separately from one another. For example, where Maybe* works with Facebook as a Partner. According to Facebook’s Privacy Notice, it does not share personal data with its Partners without the Consent of the account holder. If the processing relies upon Consent, Consent may be withdrawn at any time. Because of this, Maybe* does not profile the data of the account holder whilst the data is within its Controllership; Facebook undertakes this process separately and prior to Maybe*’s activity. Consequently, with regard to Art.4(4) (Definition of profiling), Maybe does not consider this to be applicable to its processing activities. However, it may be possible to undertake such processing where there is the Consent of the Data Subject which may be gathered outside of Facebook’s control such as the loyalty scheme Maybe* provides. Maybe has also considered the issue of risk and does not consider any of its processing activities to create increased risk; for the avoidance of doubt this means a risk to the fundamental rights and freedoms of the account holder. Maybe* believes there is little or no potential harm to individuals. It is also acknowledged that such assessments are not required where valid and informed Consent is gathered. However, Maybe* has undertaken a Data Protection Impact Assessment (DPIA) to ensure its approach is ethical. Such assessments are regularly reviewed. The Customer may decide that its subsequent processing activities in accordance with its own purposes and means create a higher level of risk. Where this is the case the Customer may undertake a DPIA.
22. Data retention and how long Maybe* may keep data
Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods, and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, your data will either be deleted completely, put beyond use or anonymised. In some cases, personal data will be kept in perpetuity.
22.1 Protecting your data outside the EEA;
22.2 Where data is transferred from the UK to an EEA Country or to a third country, [We] will ensure such transfers are protected by suitable and appropriate safeguards such as Standard Contractual Clauses (SCCs). Where necessary and subject to an assessment of risk, the use of such SCCs will be on a case-by-case basis.
23. How to complain about our processing of your data.
If you feel that your data has been handled incorrectly, or you are unhappy with the way we have dealt with your query regarding the way we use your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.
You can call them on 0303 123 1113 or go online to www.ico.org.uk/concerns
If you are based outside the UK, you have the right to complain to the relevant data protection supervisory authority in your country.
If you would like to discuss any aspect of this policy or the way Maybe* processes your information, please contact:
The Data Protection Officer.
By Post – Unit 1, Oldfields, Shropshire, TF9 3RW.
By Email – firstname.lastname@example.org
By Telephone - 44 (0) 330 0972698
Stopping us from using your data in the future
You can stop Maybe* from processing your data by either:
- clicking the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails and will ‘forget’ your information in line with your rights unless we have a legal obligation to keep it; or
- by contacting us using the information below.
Remember, some administrative communications cannot be stopped.