Privacy

Protecting your Privacy, The Maybe* promise.

‘Because your data and privacy are so important, we wanted to let you know that when you share your information with us, we are responsible for it. We take this obligation very seriously indeed.’

Polly Barnfield OBE, CEO and Founder of Maybe*


Our policy on data protection

Last updated October 2023

Introduction 

Maybe* is committed to protecting the privacy and the security of your personal data.

This Privacy Policy explains the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data and keep it safe. For the purposes of data protection law, Maybe* is a Data Controller.

First of all, here are a few terms we may use in this document to explain ourselves. “Personal data” is information relating to you as a living, identifiable individual. So, this could be anything from a postal address, to a telephone number or date of birth.

“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it. A “Condition for processing data” is essentially our justification for processing the data. For example, we may ask you to agree for us to send you marketing information. In this instance, we may ask you for your Consent.

2. The law requires us:

2.1 To process your data in a lawful, fair and transparent way;

2.2 To only collect your data for explicit and legitimate purposes;

2.3 To only collect data that is relevant, and limited to the purpose(s) we have told you about;

2.4 To ensure that your data is accurate and up to date;

2.5 To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;

2.6 To ensure that appropriate security measures are used to protect your data. The following sections will answer any questions you have, but if not, please do contact us; details are shown below;

2.7 It is likely that we will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact us by any of the means shown below.

3. What is Maybe*?

Maybe* is a social media management platform that allows businesses to understand the impact of their digital content, engage with their customers, benchmark against their competitors and build audiences for marketing. When this happens the client, product or brand will then process your data and send you communications that will be relevant and potentially of interest to you. You’ll have an opportunity to opt-in to that relationship. We do not share or sell your data to any other organisations. You can always stop this processing by contacting us below. For the purposes of Data Protection Law, if an individual opts in by way of consent to receive information from a client, product or brand, that entity will be the Data Controller of such personal data.

4. Maybe* needs to process data, how?

The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process your personal data. When collecting your personal data, we will always make clear to you which data is necessary for each purpose we have told you about. Most commonly, we will process your data on the following lawful grounds:

4.1 Consent. In specific situations, we can collect and process your data with your consent.

4.2 This may include when you agree to receive an email about our services or an event we may hold. When you make an enquiry online for example, we may assume your implied consent to enable us to send information you have requested.

4.3 If you have not engaged with us for more than five years, you may be flagged as an inactive individual and we will contact you to ask whether you want us to keep your data or not. Unless you reply to say ‘yes’, we will delete or anonymise your personal data.

5. Maybe* has some Contractual obligations.

In certain circumstances, we need your personal data to comply with our contractual obligations. If a law says we must process your information, we have no alternative. This might be if you worked in the amazing Maybe* team.

6. Other Legal compliance.

If the law requires it, we may need to collect and process your data. This might be when a criminal act is detected or matters relating to taxation for example. Again, we have no option but to comply with the law.

7. Legitimate interest.

In certain circumstances, we require your data to pursue the Maybe* legitimate interests in a way which might reasonably be expected when we pursue our aims and objectives as an organisation. When we process data in this way we’ll make sure there is no chance of any material impact on your rights, freedom or interests, we promise. Maybe* has a legitimate interest in maintaining a record of its activities, the people with whom it has interacted, its organisational history and the development of future products and services it may provide to its clients and their customers. You have the right to object to the processing of personal data where the processing is undertaken in our Legitimate Interests. 

8. Vital use of data.

We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on this basis and in your best interest.

9. Special category data – The most sensitive of all information.

Maybe* does not set out to collect sensitive information about its clients or their customers. We have no need for this information. However, we are mindful that information of the type shown below may be available to us from time to time. For example, if Maybe* hears someone talking about health information. We don’t process this information for the purpose of understanding a person’s health condition. “Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We aim to collect and process special category data as little as possible. Maybe* will document all incidents of its processing of special category data in our Information Asset Register. We have carefully measured the risk associated with this by conducting an impact assessment.

9.1 The Special Categories of personal data consist of data revealing:

9.2 Racial or ethnic origin;

9.3 Political opinions;

9.4 Religious or philosophical beliefs;

9.5 Trade union membership.

9.6 They also consist of the processing of:

9.7 Genetic data;

9.8 Biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;

9.9 Data concerning health;

9.10 Data concerning someone's sex life or sexual orientation.

We may process special categories of personal data in the following circumstances:

9.11 With your explicit written consent; or

9.12 Where it is necessary in the substantial public interest, and further conditions are met;

9.13 Where the processing is necessary for archiving purposes in the public interest and where UK Law permits, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law;

9.14 Where there is a legal obligation.

Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.

10. When Maybe* collects your personal data:

These occasions will include, but are not limited to:

10.1 When you work with the Maybe* team;

10.2 When you visit our offices or an event we may organise;

10.3 When you supply goods and services to Maybe*;

10.4 When you write to us about any subject by any means;

10.5 When you post, like, follow or reply on any of our or our client’s social media feeds;

10.6 When your image or vehicle number plate is recorded on our CCTV system;

10.7 When you or your organisation is a client of Maybe* and use our products;

10.8 When you are part of an audience that Maybe* is listening to;

10.9 When the product or service you have engaged with asks us to send you a communication;

10.10 When you access or engage with our website;

10.11 When you engage in our loyalty scheme.

10.12 How and why Maybe* collects your personal data:

Maybe* collects personal data in order to manage its business and deliver its service to its clients. The data collected is most likely in electronic format but can also be in paper form.

11. When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile you to find out more about you but in the least intrusive way. We may use information we collect to display the most interesting content to you on our website. We may use data we hold about your previous visits.

12. We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience;

13. For your security, we use all appropriate organisational and technical security controls to safeguard your data.

14. When we interact with you, we may also collect notes from our conversations with you, and details of any complaints or comments you make. We may record your age or identity where the law requires this;

15. We will only ask for and use your personal data collected for the purpose stated at the point at which it is collected. If we believe your data is no longer needed for this purpose, we will not process your data further.

16. Retailers who participate in Rewards:

When you use the services provided by Maybe* as an organisation and where you are a controller of data in accordance with GDPR Chapter IV, section 1 Art. 24, personal data processed will be in accordance with your organisation's policies. Maybe* can be a data processor when delivering the services to the organisation. Maybe* may also be a data controller when certain services are provided. Please see our policies and terms concerning personal data.

17. Organisations that use Maybe* services:

When an organisation uses the Maybe* services, each party undertakes to comply with the provisions of the Data Protection Act 2018 (the DPA 18), the Privacy and Electronic Communications Regulation 2003 (2002/58/EC) (as amended), the EU General Data Protection Regulation (2016/679) and the UK Data Protection, Privacy and Electronic Communication Regulation 2019 (UK GDPR) and all applicable laws and regulations relating to the processing of personal data, including where applicable the binding guidance and codes of practice issued by the Information Commissioner's Office or any other national data protection authority if applicable, and the equivalent of any of the foregoing in any relevant jurisdiction, and any replacement or equivalent of any of the foregoing in the UK insofar as the same relates to the provisions and obligations of this Agreement.

17.1 Maybe* is accountable for the personal information it processes where it is deemed to be a controller. It has appointed a Data Protection Officer to ensure transparency for such processing activities. Maybe* undertakes where applicable to conduct data protection impact assessments in accordance with the UK GDPR article 35. Maybe* ensures it is compliant with the UK GDPR’s specific security requirements as detailed in article 32. Maybe* also ensures that it adequately applies the principles of data protection law in accordance with the UK GDPR Articles 5, 6, 7, 9 and 11.

17.2 When you use the Service referred to in these terms, you are the data controller as defined in the UK GDPR Article 24, of such information you may process that may identify individuals directly or indirectly. Maybe* will be a data processor as defined in the GDPR Article 28 unless otherwise acknowledged. Maybe* may be a controller or joint controller as defined in the UK GDPR Article 24 and 26 when you engage with its managed services but only where it might solely or jointly along with the associated controller determine the purpose for processing as defined in the UK GDPR Article 28(10). Where you are using the service as a data controller you will be processing the data in accordance with your data protection policy. When using the Maybe* managed services Maybe* may be a data controller and will therefore apply its own policies concerning processing activities but only where it may have determined the purpose for processing;

17.3 Nevertheless, regardless of the status of Maybe* as defined in the UK GDPR Article 24, 26 and 28 in accordance with section 7 of these terms, Maybe* shall be held harmless to any damages or liability howsoever they may arise and as a result of any infringement by a party contracted to the terms of the agreement and acting as the data controller of any applicable data protection law; 

17.4 Maybe* does however, when performing a task on behalf of the controller and in accordance with the law, take responsibility for information security and data transfers to and from the data controller.  

18. Retailers who participate in the loyalty scheme:

When you use the services provided by Maybe* as an organisation and where you are a controller of data in accordance with GDPR Chapter IV, section 1 Art.24, personal data processed will be in accordance with your organisation’s policies. Maybe* can be a data processor when delivering the services to the organisation. Maybe* may also be a data controller when certain services are provided. Please see our policies and terms concerning personal data.

19. Organisations that use Maybe* services.

When an organisation uses the Maybe* services, each party undertakes to comply with the provisions of the Data Protection Act 2018 (the DPA 18), the Privacy and Electronic Communications Regulation 2003 (2002/58/EC) (as amended), the EU General Data Protection Regulation (2016/679) and the UK Data Protection, Privacy and Electronic Communication Regulation 2019 (UK GDPR) and all applicable laws and regulations relating to the processing of personal data, including where applicable the binding guidance and codes of practice issued by the Information Commissioner's Office or any other national data protection authority if applicable, and the equivalent of any of the foregoing in any relevant jurisdiction, and any replacement or equivalent of any of the foregoing in the UK insofar as the same relates to the provisions and obligations of this Agreement.

19.1 Maybe* is accountable for the personal information it processes where it is deemed to be a controller. It has appointed a Data Protection Officer to ensure transparency for such processing activities. Maybe* undertakes where applicable to conduct data protection impact assessments in accordance with the UK GDPR article 35. Maybe* ensures it is compliant with the UK GDPR’s specific security requirements as detailed in article 32. Maybe* also ensures that it adequately applies the principles of data protection law in accordance with the UK GDPR Articles 5, 6, 7, 9 and 11.

19.2 When you use the Service referred to in these terms, you are the data controller as defined in the UK GDPR Article 24, of such information you may process that may identify individuals directly or indirectly. Maybe* will be a data processor as defined in the GDPR Article 28 unless otherwise acknowledged. Maybe* may be a controller or joint controller as defined in the UK GDPR Article 24 and 26 when you engage with its managed services but only where it might solely or jointly along with the associated controller determine the purpose for processing as defined in the UK GDPR Article 28(10). Where you are using the service as a data controller you will be processing the data in accordance with your data protection policy. When using the Maybe* managed services Maybe* may be a data controller and will therefore apply its own policies concerning processing activities but only where it may have determined the purpose for processing;

19.3 Nevertheless, regardless of the status of Maybe* as defined in the UK GDPR Article 24, 26 and 28 in accordance with section 7 of these terms, Maybe* shall be held harmless to any damages or liability howsoever they may arise and as a result of any infringement by a party contracted to the terms of the agreement and acting as the data controller of any applicable data protection law;

19.4 Maybe* does however, when performing a task on behalf of the controller and in accordance with the law, take responsibility for information security and data transfers to and from the data controller.  

20. Other important information.

Sometimes we are required to inform you about certain changes, including updates to this Privacy Policy and where we have a legal obligation such as a duty of care or safeguarding. These administrative messages will not include any marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations. We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any marketing and do not require prior consent when sent by email. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications should you wish.

21. Explanatory notes to Maybe* customers:

Maybe* is a Data Controller in accordance with the UK GDPR Chapter IV Section 1 Article 24 and as such determines the purposes and the means of the processing activities associated with its service provision. Essentially this amounts to deciding respectively the "why" and the "how" in order to enable the service for a customer to then use. The controller is the actor who has determined why the processing is taking place (To what end or what for) and how this objective shall be reached. The Customer of Maybe* is also a Data Controller as it also determines its own purposes and means. It is likely that these will be different purposes and means from those of Maybe*.

21.1 For some processing activities Maybe* may be a Data Processor in accordance with the UK GDPR Art.28. This will be where Maybe* is instructed to process the data or work on behalf of the Controller in a defined way and where it may not process data for its own purposes and has little if any influence over the means of processing. As a Data Processor it may be possible for Maybe* to make some determination concerning the processing activities such as the way data is secured and the IT arrangements. 

21.2 Where Maybe* sources the services of a social media platform it acts as a Data Controller alongside the Customer who is also acting as a Controller but separately from one another. For example, where Maybe* works with Facebook as a Partner. According to Facebook’s Privacy Notice, it does not share personal data with its Partners without the Consent of the account holder. If the processing relies upon Consent, Consent may be withdrawn at any time. Because of this, Maybe* does not profile the data of the account holder whilst the data is within its Controllership; Facebook undertakes this process separately and prior to Maybe*’s activity. Consequently, with regard to Art.4(4) (Definition of profiling), Maybe* does not consider this to be applicable to its processing activities. However, it may be possible to undertake such processing where there is the Consent of the Data Subject which may be gathered outside of Facebook’s control, such as the loyalty scheme Maybe* provides. Maybe* has also considered the issue of risk and does not consider any of its processing activities to create increased risk. For the avoidance of doubt this means a risk to the fundamental rights and freedoms of the account holder. Maybe* believes there is little or no potential harm to individuals. It is also acknowledged that such assessments are not required where valid and informed Consent is gathered. However, Maybe* has undertaken a Data Protection Impact Assessment (DPIA) to ensure its approach is ethical. Such assessments are regularly reviewed. The Customer may decide that its subsequent processing activities in accordance with its own purposes and means create a higher level of risk. Where this is the case the Customer may undertake a DPIA.

22. Data retention and how long Maybe* may keep data:

Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods, and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, your data will either be deleted completely, put beyond use or anonymised. In some cases, personal data will be kept in perpetuity.

22.1 Protecting your data outside the EEA;

22.2 Where data is transferred from the UK to an EEA Country or to a third country, we will ensure such transfers are protected by suitable and appropriate safeguards such as Standard Contractual Clauses (SCCs). Where necessary and subject to an assessment of risk, the use of such SCCs will be on a case-by-case basis.

23. How to complain about our processing of your data.

If you feel that your data has been handled incorrectly, or you are unhappy with the way we have dealt with your query regarding the way we use your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.

You can call them on 0303 123 1113 or go online to www.ico.org.uk/concerns 

If you are based outside the UK, you have the right to complain to the relevant data protection supervisory authority in your country.

If you would like to discuss any aspect of this policy or the way Maybe* processes your information, please contact the Data Protection Officer:

By Post – 11 Brindley Place, Brunswick Square, Birmingham B1 2LP

By Email – paul@maybetech.com

By Telephone - 0800 0614 214

Stopping us from using your data in the future

You can stop Maybe* from processing your data by either:

  • Clicking the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails and will ‘forget’ your information in line with your rights unless we have a legal obligation to keep it; or

  • By contacting us using the information above.

Remember, some administrative communications cannot be stopped.


© Maybe* Solutions 2023