Privacy Policy
We respect your privacy and understand that privacy is important to you and that you care about how information about you is used, so this privacy notice sets out details about what data we collect and how we use it. It also explains how we’ll store and handle that data, and how we keep it safe.
Who are we?
We are Bright Blue Day Limited, a UK Limited Company number 4535919. Our Registered Office is at Parkway House, 26 Avenue Road, Bournemouth BH2 5SL.
In order to provide our services, we need to use and keep personal data about our customers and certain third parties. We are required to provide information about how we will use personal data, the safeguards to ensure that the personal data will not be used or shared inappropriately and an individual’s rights in respect of their personal data. An organisation that holds personal data and decides how it should be used is a controller. We will be a controller because we have to decide how to use the data to provide our services to our customers.
We have appointed a Data Protection Manager to oversee compliance with data protection. The Data Protection Manager is Stefan Brynard. Any enquiries about the personal data that we hold should be addressed to the Data Protection [Officer/Manager], Parkway House, 26 Avenue Road, Bournemouth BH2 5SL, by telephone at 01202 669090 or by email stefan.brynard@brightblueday.com.
We might hold your personal data for the following reasons:
- because you are a customer for our services;
- because you are a point of contact/director (third party) of a corporate customer who has engaged us to provide services;
- to meet legal and regulatory obligations we have;
- for administrative reasons to enable us to provide our services;
- because we have interacted with you as a result of our customer’s services;
- because you have made an enquiry with us;
- because you have submitted a data subject request to us;
- because you have made a complaint to us;
- because you are a contractor or supplier of services to us;
- for security reasons, if you have visited our premises;
- for other security reasons, including our system security;
- for our marketing, publications, webinars and events, and to understand how visitors to our website interact with it. (Please see our Cookies statement and our website Terms & Conditions);
- because contact has been made to us for recruitment and/or work placement opportunities;
- because you are engaged directly with us as an employee;
- because we are acting as a processor for another business/organisation and processing your data on their behalf.
The Legal Basis for the Processing
The collection, use, sharing and storage of personal data are all termed “processing”.
There must be a legal basis for any processing, which we have set out below.
| THE PURPOSE OF THE PROCESSING | THE LEGAL BASIS FOR THE PROCESSING |
If you are a customer, we will require personal data, particularly contact information, in order to discuss the services that you require and to provide the services. We will also need your personal data to carry out the administration of your account with us. The provision of our services may include communication with you, invoicing and for contractual purposes. | The data is necessary to perform the contract for services between us or to take steps prior to entering the contract. |
| Where you contact us by email your email will be stored on Google servers and will only be accessible to our employees and our IT support partners. All emails are subject to virus scanning and junk mail filtering. | The data is necessary to perform the contract for services between us or to take steps prior to entering the contract. |
| We will store the files or a copy of the files relating to a customer’s matter. | It is in our legitimate interests to retain files or a copy of files in order to deal with any queries that may arise after the services have been provided. |
| Personal data may be collected on our CCTV system if you visit our offices and recorded in our visitor book at reception. If we occupy offices that have a centralised room booking system, your name may be recorded in that system. | It is in our legitimate interests to maintain the security of our premises. |
| We may use your name, address, email address and telephone numbers for marketing purposes. | It is in our customer’s legitimate interests that the personal data of other parties or third parties to our customer’s services be processed. |
| We may need to use data to comply with audit and statutory regulations. | The processing is necessary for compliance with a legal obligation to which we are subject.
|
| We hold applicant information for recruitment vacancies. This may include address, personal email and personal telephone number, National Insurance number, previous employment details and next-of-kin details. | The data is necessary to consider the application for employment prior to making any offer of employment. You consent to us having the data. |
| If you are directly engaged in employment with us, we may need personal data to: | |
| The various lawful bases upon which we will rely to process these situations are: Where it is necessary for the performance of a contract with you or in order to take steps prior to entering into a contract. Where there is a legal obligation which we have to comply with. Where is it necessary for our legitimate interests or the legitimate interests of us or a third party and your interests and fundamental rights do not override those interests. Where it is necessary to protect your vital interests (or someone else’s interests). Where it is necessary for reasons of substantial public interest. Where you have provided us with consent. |
| Employee data is occasionally provided by third parties (for example from tax authorities or where we have received a reference as part of a recruitment process). Data is stored in both local and third-party cloud-based systems. | The data is necessary to consider the application for employment prior to making any offer of employment. You consent to us having the data. |
| We may be acting as a processor and processing your data on behalf of another business/organisation. | We process the data on the instruction of the controller. |
Recipients of Your Personal Data:
We may need to provide personal data to other people in order to provide our services to our customers. The recipients of such data may include:
- A number of third-party cloud-based services for the purposes of effectively running our business and providing our services to you;
- Other professionals acting on our customer’s behalf such as accountants, HR support, developers, UX specialists, SEO specialists
- HubSpot: We use HubSpot enterprise software to collect lead data and manage nurture emails.
- Google Analytics: When someone visits our website at www.brightblueday.com we make use of the Google Analytics service to collect standard information about visitors to the sites and their behaviour (e.g. what pages they viewed). The data provided by Google Analytics is anonymised and in no way enables us to identify individual visitors, however, Google Analytics will place a cookie on your device to enable the service. For more information about how Google Analytics cookies work on websites visit:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage. - Online forms: If you fill out one of our website forms (for example on the “Contact Us” page) the data is stored in a secure database and a notification email which includes that data is sent to the relevant team within our company. As our site uses SSL (https) the data you submit using the contact form will be encrypted once you press the “Submit” button.
- Hosting: Our website is hosted by Azure within the UK.
Where appropriate, with experts, we will enter into a Data Sharing Agreement with them to ensure that the data is protected.
We may use other external service providers for IT, fileshare and communication services. We use external service providers to take card payments. All our external service providers are required to take appropriate security measures to protect your data.
International Transfers
In most cases, there will be no need to transfer your personal data to a country outside the UK.
If there is a need to transfer your personal data outside the UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- The country has been deemed to provide an adequate level of protection for personal data by the UK;
- We may use specific contracts approved by us in the UK which give personal data the same protection that it has in Europe;
- We adopt safeguard mechanisms to protect the data, e.g. use encryption, put in place standard contractual clauses.
If there are no appropriate safeguards in place, we may transfer data outside the UK where the transfer is necessary for:
- the performance of the contract between us for the provision of legal services or advice, or for taking steps, at your request, prior to entering into such a contract;
- the conclusion or performance of a contract concluded in your interest between us and someone else; or
- the transfer is necessary for the establishment, exercise or defence of legal claims.
- you explicitly consent to the transfer.
How Long Will Your Data be Kept?
Customer data (which might include third party data) will be kept until the completion of the provision of the services for which it was collected. Once the services have been fully provided, we will keep our files and that data for as long as is necessary to fulfil the purposes of satisfying any legal, accounting or regulatory requirements and, where necessary, as long as is required for us to assert or defend legal claims. Customer data is stored both locally and on cloud-based systems and in most instances will be retained by us for a period of 6 years following the cessation of trade with a customer.
Recruitment applications will be retained for seven months by our HR Team.
Other personal data collected for recruitment purposes is stored both locally and on cloud-based systems and is retained for no longer than for 12 months from receipt.
CCTV images are kept for 30 days, at which point they are overwritten unless there has been a security incident in which case the images will be kept until such time as the incident has been investigated and any necessary action has been taken.
Visitor information in our visitor book is kept for a 2-year period.
We will keep any data that we hold for marketing purposes whilst we have your consent to do so.
Where we have acted as a processor we return the data to the controller upon completion of their instructions.
Consent
If we ask for your consent to use your personal data for marketing purposes, you have the right to withdraw your consent at any time. The form of consent and a subsequent marketing communication will tell you how to withdraw your consent. In addition, you can withdraw consent by email to hello@brightblueday.com.
The withdrawal of consent will not affect our provision of our services in any way.
Other Rights in Relation to Your Personal Data
Under certain circumstances, you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected or updated.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on our legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party. Your right to portability allows you to request a machine-readable format of the data you supplied to us and associated service logs (where we store them).
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us by writing to Data Protection Manager, Parkway House, 26 Avenue Road, Bournemouth BH2 5SL or by email to stefan.brynard@brightblueday.com.
Prior to actioning your request, we may ask you to validate your identity and we will only carry out any request by you when we are satisfied that we have validated your identity appropriately.
If you are dissatisfied with the way in which we have dealt with your personal data, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Telephone number: 0303 123 1113.
Website address:Â https://ico/org.uk
