Terms
& policies

Privacy Notice


Welcome to AllBright’s Privacy Notice. AllBright is the trading name of AllBright Collective Limited, Company Number 14947580, Registered Office Address: 116 Upper Street, London, United Kingdom, N1 1QP.

AllBright respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what types of personal information we collect about you, what we do with that personal information, the legal basis for our processing of your personal information, what rights you have in relation to your personal information and how you can exercise those rights. It also explains how we keep your personal information safe and secure. We take our Data Protection obligations very seriously and this notice gives you information about our approach to Data Protection legislation (UK General Data Protection Regulation, Data Protection Act 2018, Privacy & Electronic Communications Regulations (PECR)).


  1. IMPORTANT INFORMATION AND WHO WE ARE


    PURPOSE OF THIS PRIVACY POLICY


    This privacy notice gives you information on how AllBright collects and processes your personal data through your contact with us; by the use of this website, our mobile app or any other digital service provided by us (Digital Services), and any data processed from your attendance at our premises or our events.

    AllBright services (including Digital Services and attendance at our premises) are not intended for children under aged 13 and we do not knowingly collect data relating to children. All people who register with us or who otherwise provide their personal data to us or must be aged 18 or over.

    It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This notice supplements other privacy notices and is not intended to override them. We may update this notice at any time, details of which are found at the end of this document.



    CONTROLLER


    ALLBRIGHT COLLECTIVE LIMITED is the Data Controller and we are responsible for your personal data (collectively referred to as, “we”, “us” or “our” in this privacy notice).

    We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice or any other Data Protection query, please contact the DPO using the details set out below.



    CONTACT DETAILS


    If you have any questions about this privacy policy or our privacy practices, please contact our DPO in the following ways:
    Full name of legal entity: AllBright Collective Limited
    Email address: dpo@allbright.co
    Postal address: 116 Upper Street, London, United Kingdom, N1 1QP.

    You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for Data Protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us or if you would like to opt-out of any services we provide.



    THIRD-PARTY LINKS


    The Digital Services may include links to third-party websites, plug-ins and applications.

    Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.



    Social Media, Blogs, Reviews, and Similar Services


    Any social media posts or comments you make to us (e.g. on our own Facebook page) will be shared under the terms of the relevant social media platform (e.g. Facebook or Twitter) on which they are made and could be made public by that platform. These platforms are controlled by other organisations and so we are not responsible for this sharing. You should review the terms and conditions and privacy policies of the social media platforms you use to ensure you understand how they will use your information, what information relating to you they will place in the public domain and how you can stop them from doing so if you are unhappy about it.

    Any blog, review or other posts or comments you make about us, our products and our Service on any of our blog, review or user community services will be shared with all other members of that service and the public at large.

    You are responsible for ensuring that any comments you make comply with any relevant policy on acceptable use of those services.



  2. THE DATA WE COLLECT ABOUT YOU


    Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

    We may collect, use, store, process and transfer different kinds of personal data about you which we have grouped together as follows:

    • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
    • Financial Data includes bank account and payment card details.
    • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
    • Technical Data includes your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
    • Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
    • Aggregated Data such as statistical or demographic data. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate usage data to calculate the percentage of users accessing a specific Digital Services feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
    • Marketing & Communications Data such as your marketing and communication preferences, your interests and feedback.
    • User Data such as your transactions on our Digital Services, messages, recordings, chat logs, access to our premises and similar data that we maintain on your account.
    You may give us information about other people, such as the name and email of a friend or contact with whom you want to share an article or the name and address of a gift subscription recipient. Please do not give us information about others unless you are authorised and have their permission to do so. We will use their information for the purposes described in this Privacy Notice, so please inform them of this notice.

    We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data). Nor do we collect any information about criminal convictions and offences. Please do not provide us with any such data. Should you provide us with this type of information we will assume you are providing your explicit consent for AllBright to hold this data.

    IF YOU FAIL TO PROVIDE PERSONAL DATA



    Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.



  3. HOW IS YOUR PERSONAL DATA COLLECTED?


    We use different methods to collect data from and about you including through:

    Direct interactions

    You may give us your Identity, Contact and Financial Data by filling in on-line forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: apply for our products or services; create an account on one of our Digital Services; subscribe to our service or publications; request marketing to be sent to you; enter a competition, promotion, sweepstake, survey or similar initiative; attend our events or premises, give us feedback or contact us.

    Automated technologies or interactions.

    As you interact with our Digital Services, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.

    Third parties or publicly available sources.

    We will receive personal data about you from various third parties as set out below:

    Technical Data from the following parties:

    • analytics providers such as Google based outside the EU;
    • advertising networks;
    • Social Media Platforms and similar services (including but not limited to Facebook, Instagram, Twitter, TikTok and YouTube). When you engage with our content or ads on Social Media Platforms, or interact with features on the Digital Services that contain content or features provided by Social Media Platforms (e.g., login or sign in features or tools that allow you to share our content with others on Social Media Platforms), we might obtain information from Social Media Platforms, including your username, user ID, and demographic information, subject to the settings and privacy practices of the relevant Social Media Platform. We obtain this information directly from the Social Media Platform or through plug-ins, integrations or applications. Please keep in mind that the operators of the Social Media Platforms also gather information about your use of the Digital Services and their features and tools. We are not responsible for their practices. In relation to Social Media Platforms, we only process information which you have already shared with the world. We process anonymous data received from public sources. Additionally where we receive personal data via Social Media Platforms we ensure this is processing lawfully in accordance with our legitimate interests which we do not consider affects your rights and freedoms.
    • search information providers and operators of third-party sites or apps, content distribution channels and platforms (e.g., Roku, Amazon Fire TV), voice-activated assistants (e.g., Amazon Alexa, Google Home) or other devices and technologies when you interact with our content, products, services or ads available on those channels and platforms. The information we receive includes information about the content you view or access as well as your demographic information and information about your interests.
    • Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
    • Identity and Contact Data from data brokers or aggregators
    • Identity and Contact Data from publicly available sources including Social Media Platforms



  4. HOW WE USE YOUR PERSONAL DATA


    We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

    • Where we need to perform the contract we are about to enter into or have entered into with you.
    • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
    • Where we need to comply with a legal obligation
    • Where we need to protect your vital interests (emergency situations on our premises).

    Generally, we do not rely on consent as a legal basis for processing your personal data. However we will get your consent in respect of marketing communications sent to you via email or text message. You have the right to withdraw your consent to marketing at any time by contacting us.

    PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

    We have set out below a description of the ways we use your personal data, and which of the legal bases for processing we rely on to do so. Please note this is not an exhaustive list but gives an indication of the processing we may undertake.

    PURPOSES/ACTIVITY

    • To register you as a new customer – Identity, Contact. GDPR Article 6(1)(b) - Performance of a contract with you.
    • To process and deliver purchases including managing payments, fees and charges & collecting and recovering money owed to us – Identity, Contact, Financial, Transaction, Marketing and Communications. GDPR Article 6(1)(b) Performance of a contract with you, GDPR Article 6(1)(f) Necessary for our legitimate interests (to recover debts due to us).
    • To manage our relationship with you – Identity, Contact, Profile, Marketing & Communications. GDPR Article 6(1)(b) Performance of a contract with you.
    • To enable you to partake in a prize draw, competition or complete a survey – Identity, Contact, Profile, Usage, Marketing and Communications. GDPR Article 6(1)(b) Performance of a contract with you (if an existing customer), GDPR Article 6(1)(f) Necessary for our legitimate interests (if not an existing customer).
    • To administer and protect our business and the Digital Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) - Identity, Contact, Technical. GDPR Article 6(1)(f) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).
    • To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you – Identity, Contact, Profile, Usage, Marketing and Communications, Technical. GDPR Article 6(1)(f) Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).
    • To use data analytics to improve our Digital Services, products/services, marketing, customer relationships and experiences, including cross-device linking – Technical, Usage. GDPR Article 6(1)(f) Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Digital Services updated and relevant, to develop our business and to inform our marketing strategy).
    • To make suggestions and recommendations to you about goods or services that may be of interest to you – Identity, Contact, Technical, Usage, Profile, Marketing & Communications. GDPR Article 6(1)(f) Necessary for our legitimate interests (to develop our products/services and grow our business).

    MARKETING


    We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

    • PROMOTIONAL OFFERS FROM US

      We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

      You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.


    • THIRD-PARTY MARKETING

      We will contact you with special offers from carefully selected partners and we will get your opt-in consent before we do so. We will not share your personal data with any third party for marketing purposes, as we will send you such special offers directly from our customer database. We will inform you if this changes.


    • OPTING OUT/UNSUBSCRIBE

      You can ask us or third parties to stop sending you marketing messages at any time by contacting us at any time or by clicking the ‘Unsubscribe’ link in our emails.

      Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, product/service experience or other transactions. The technologies used to deliver ads on websites and mobile apps differ. Please also remember that opt-outs are browser and device-specific.


    COOKIES

    You can set your browser to refuse all or some browser cookies, or to alert you when Digital Services set or access cookies. If you disable or refuse cookies, please note that some parts of our Digital Services may become inaccessible or not function properly.

    ADDITIONAL CHOICES

    Device Settings. For relevant Digital Services, you will be able to review and adjust your preferences by updating the settings on your device (e.g. permitting us to collect precise location information).

    Push Notifications. If push notifications for a particular Digital Service are enabled on your device, you can review and update your push notification preferences by adjusting the settings on your device. For example, you can select the relevant app from ‘Notifications’ (for iOS devices) or ‘App notifications’ (for Android devices) and turn off alerts accordingly.

    CHANGE OF PURPOSE

    We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

    In the unlikely event that we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

    Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.



  5. DISCLOSURES OF YOUR PERSONAL DATA


    We may share your personal data with the parties set out below (section 10) for the purposes set out in the information above.

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

    We may share your personal data with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.



  6. INTERNATIONAL TRANSFERS


    Our data is typically hosted in the UK and other parts of the EEA, there are however some of our contracted technical service providers that process data from outside of the EEA. Where these transfers and any other transfers that may occur in the future are concerned, we ensure that there is a legal basis for the transfer and a lawful transfer mechanism in place prior to any transfers in place, in accordance with Data Protection legislation.

    Any such transfers are currently done using either a transfer to a country with an adequacy ruling, or if a third country, using the UK International Data Transfer Agreement (IDTA), or the European Commission Standard Contractual Terms (SCC’s) with the UK ICO Standard Contractual Clauses Addendum and the relevant transfer impact assessments. Should the international data transfer requirements change, we will review the obligations and amend this notice as appropriate. More information can be obtained by contacting our Data Protection Officer.



  7. DATA SECURITY


    We take the security of your information very seriously. We have in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.



  8. DATA RETENTION


    We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

    To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Please contact our DPO for further information about retention and our schedule.



  9. YOUR LEGAL RIGHTS


    It is important that the personal information we hold about you is accurate and cur-rent. Please keep us informed if your personal information changes.

    Your rights in connection with personal informationUnder certain circumstances, by law you have the right to:
    Right to be informed by the provision of a privacy notice when your personal information is processed.
    Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
    Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
    Request erasure of your personal information. This enables you to ask us to delete or re-move personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
    Right to object to processing of your personal information where we are relying on a le-gitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
    Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.
    Request the transfer of your personal information to another party.
    Automated decision making, including profiling. We do not envisage that we will con-duct any automated processing including profiling, however we will inform you if this changes.

    In the limited circumstances where you may have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

    Generally, you will not have to pay a fee to exercise any of your legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from you to confirm your identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask you for additional information to help us respond to your request. We will try to respond to your request within one month but, if the request is very complex or if you have made a number of requests, we are legally able to extend the request by an additional two months. In such circumstances, we will explain to you why it will take longer to respond and we will keep you updated.

    Please contact our Data Protection Officer to exercise any of your rights.



  10. EXTERNAL THIRD PARTIES


    The following is an indication of the third parties we may share your personal information with;

    • HM Revenue & Customs, regulators and other Authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
    • Affiliates and Subsidiaries, we work closely with affiliates and subsidiaries within the AllBright Collective Limited family of companies with whom we share your information as necessary or appropriate to operate the Digital Services.
    • Payment providers, we will share relevant information relating to your financial data in order to process card payments.
    • Where we are using contracted service partners for services such as IT, web develop-ment, hosting and system administration, email communications, analytics and re-search, data enrichment, survey providers and customer support.
    • To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vi-tal interests or those of any other person.
    • Advertisers, Advertising- and Marketing-Related Service Providers and Partners, we may provide your information to advertisers, advertising agencies, ad networks, ad exchanges, marketing businesses, technology vendors and other entities that create, deliver and assess advertising or marketing campaigns, including interest-based ads.
    • Social Media Platforms, if you interact with social media widgets, share content using social media share buttons, or access features of the Digital Services that contain content or features provided by Social Media Platforms, the relevant Social Media Platforms collect information. We encourage you to review the privacy policies of the Social Media Platforms that you engage with to understand their privacy practices, which we do not control.
    • Business Partners, in certain circumstances we provide your information to business partners such as content sponsors or event organizers, for various purposes.
    • Corporate Transactions, we may transfer any of the information we have about you to proceed with the consideration, negotiation, or completion of a sale or transfer of all or a portion of our business or assets to a third party, such as in the event of a merger, acquisition or other disposition, or in connection with a bankruptcy reorganisation, dissolution, or liquidation.
    • To enforce or apply our Terms of Service or other agreements or to protect AllBright and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction).
    • To any other person with your consent to the disclosure.

    A list of third parties who we may share your data with can be obtained from our Data Protection Officer. Please note this list is not exhaustive but gives an indication of the data we share with third parties.



CHANGES TO THIS PRIVACY NOTICE


From time to time, we may revise this Privacy Notice. Any such changes will be reflected on this page. AllBright recommends that you review this Privacy Notice regularly for any updates. The date on which this notice was last revised is located below.

Last Updated: 25/01/23
Author: DPO