This is the Privacy Notice of (i) BrightStarr Group Limited (company number 08804209) whose registered office is at First Floor, The Granary Abbey Mill Business Park, Lower Eashing, Godalming, Surrey, GU7 2QW; (ii) BrightStarr UK Ltd (company number 05654147) whose registered office is at The Granary, Abbey Mill Business Park, Eashing, Surrey, GU7 2QW; (iii) BrightStarr US Inc. (a United States, Delaware corporation) whose registered office is at 31 Bond Street, New York, NY, 10012; and (iv) BrightStarr Pty Ltd whose registered office is at Level 20, Tower A, The Zenith, 821 Pacific Highway, Chatswood 2067, NSW (each where relevant “BrightStarr Group”, “we”, “us” or “our”) and sets out how we collect and process your personal data. Use of the terms “we”, “us” or “our” throughout this Privacy Notice shall in each instance apply to the relevant BrightStarr Group entity, as applicable.
This Privacy Notice also provides certain information that is legally required and lists your rights in relation to your personal data.
This Privacy Notice relates to personal information, being information or an opinion that identifies “you”, meaning customers or potential customers / suppliers/ individuals who browse our website/ individuals outside our organisation, with whom BrightStarr Group (where relevant) interact.
We refer to this information throughout this Privacy Notice as “personal data” and paragraph 3 sets out further detail of what this includes. Please read this Privacy Notice to understand how BrightStarr Group (where relevant) may use your personal data.
If you are an employee, contractor or otherwise engaged in work for us or applying to work for us, a separate privacy notice applies to you instead. We do not knowingly collect personal data relating to children. However, to the extent that such data is collected this Privacy Notice will apply. Where there is a need for consent to be given in respect of such personal data of a child it may be given by the child if he or she has the capacity to consent or by a parent or guardian where no such capacity exists.
This Privacy Notice may vary from time to time so please check it regularly. This version of our Privacy Notice was published in May 2022 and is the most recent version.
2.1 Data controller and contact details
For the purposes of relevant data protection legislation, we are a controller of your personal data and as a controller we use the personal data we hold about you in accordance with this Privacy Notice.
If you wish to correct your personal data held by us or to opt out at any time from receiving marketing correspondence from us or to alter your marketing preferences please contact marketing@unily.com.
If you need to contact us in connection with our collection, use or processing of your personal data, or gain access to it then our contact details are marketing@unily.com +44 1483 239 240 | Unily, The Granary, Abbey Mill Business Park, Eashing, Surrey, GU7 2QW and our representative is Chris Saville.
2.2 Data Protection Officer
Our Data Protection Officer is James Heathcote. You can contact him at james.heathcote@unily.com
3.1 The categories of personal data about you that we may collect, use, store, share and transfer are:
Individual Data
Advertising Data
Information Technology Data
Economic and Financial Data
Sales Data
Visual Data
This includes personal data which is gathered using our CCTV, by any photographers appointed by us or through other recording systems in the form of images, video footage and sound recordings that is taken at any of our locations (including at any of our events) or otherwise by us for promotional purposes (such as for the purposes of promoting our future events via our website);
Health Data
Market Research Data
We may also create personal data about you, for example, if you contact us by telephone to make a complaint, for example about our services or goods, then we may make a written record of key details of the conversation so that we can take steps to address the complaint.
3.2 We also obtain and use certain aggregated data such as statistical or demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Information Technology Data to calculate the percentage of users accessing a specific feature on our website. However, if we re-combine or re-connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.
3.3 In addition, we may obtain certain special categories of your data (“Special Categories of Data”), and this Privacy Notice specifically sets out how we may process these types of personal data. The Special Categories of Data are: (i) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and (ii) the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We treat this data as sensitive information and will only collect it if you consent and the information is reasonably necessary for one or more of our functions or activities.
4.1 We obtain your personal data from the following sources:
4.1.1 Directly from you, either in person (at our locations, at our events or otherwise), via our website, apps or by telephone or via hand held PDAs. This could include personal data which you provide when you:
(a) download a piece of content;
(b) register for or attend an event;
(c) subscribe to our communications;
(d) request information on our products or services;
(e) create an account on our website;
(f) place an order for our products or services;
(g) enter into a competition or promotion; and
(h) complete a survey from us or give us feedback;
4.1.2 Automated technologies, such as CCTV or other recording systems, cookies, server logs and other similar technologies. We may automatically collect Information Technology Data about your equipment, browsing actions and patterns by using cookies, server logs and other similar technologies. We may also receive Information Technology Data about you if you visit other websites or apps employing our cookies.
4.1.3 Third parties, such as:
(a) analytics providers (such as Google Analytics);
(b) advertising networks (such as Facebook, Linkedin, Google Adwords);
(c) data brokers or aggregators (such as Electric Marketing and DiscoverOrg)
(d) providers of social media platforms (such as Facebook, Twitter, LinkedIn, Google+ and Instagram) for example where you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter
4.1.4 Publicly available sources, such as:
(a) Companies House; and
(b) HM Land Registry;
5.1 Where we are relying on a basis other than consent we may rely on one or more of the following legal bases when processing your personal data. We have set out below the purposes for which we may process your personal data:
| Purposes for which we process your personal data | Categories of personal data | The basis on which we can do this (this is what the law allows) |
|---|---|---|
|
To register you as a new customer and process your order. |
|
The processing is necessary
|
|
In order to perform our contractual obligations to you. This would include:
|
|
The processing is necessary
|
|
In order to comply with our own legal obligations, e.g. health and safety legislation, or to assist in an investigation (e.g. from the police). |
|
The processing is necessary
|
|
In order to use your personal data in life or death situations and there is no time to gain your consent (e.g. in the event of an accident or illness or injury or some other related emergency or to record any accident or injury or other incident you may suffer when visiting any of our locations or we have to give your personal details to medical personnel). |
|
The processing is necessary
|
|
In order to manage our relationship with you including:
|
|
The processing is necessary:
|
|
In order to administer and protect our business, deal with any misuse of our website and to comply with our security policies at our locations. |
|
The processing is necessary:
|
|
In order to make suggestions and recommendations to you about goods or services or upcoming events that may be of interest to you, deliver relevant website and app content and advertisements to you and to measure or understand the effectiveness of our advertising. |
|
|
|
For internal purposes to use data analytics, to identify usage trends, determine and measure the effectiveness of promotional campaigns and advertising and to improve our website, products/services, marketing, customer relationships and experiences. |
|
The processing is necessary for our legitimate interests in defining types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy. |
|
To communicate with you and other existing or potential customers about, and administer participation in, special events, programs, promotions, any prize draws or competitions. |
|
The processing is necessary:
|
|
To sell, make ready for sale or dispose of our business, in whole or in part including to any potential buyer or their advisers, or in relation to any refinancing. |
|
The processing is necessary for our legitimate interests in the sale or disposal of our business or assets and in the context of a business reorganisation or group restructuring exercise |
|
In order to enforce or apply our terms of use, terms and conditions of supply and other agreements with third parties. |
|
The processing is necessary for our legitimate interests in protecting our business and property and recovering debts owed to us. |
5.2.1 We would like to use your personal data for a variety of different purposes. For certain of these purposes it is appropriate for us to obtain your prior consent. This includes where your personal data is sensitive information. The legal basis of consent is only used by us in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way. Where we rely on consent, you may at any time withdraw the specific consent you give to our processing your personal data by following the opt-out links on any marketing message sent to you or by contacting us at any time. Please contact us using the contact details set out in paragraph 2. In Australia, for sensitive information, consent is not required where the information is required or authorised by or under an Australian law or a court/tribunal order; or collection is permitted as permitted general or a permitted general or a permitted health situation exists (as those terms are defined in the Australian Privacy Act).
5.2.2 Please note even if you withdraw consent for us to use your personal data for a particular purpose we may continue to rely on other bases to process your personal data for other purposes.
We may disclose your personal data to:
7.1 If you provide personal data to us about someone else (such as one of your directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this Privacy Notice.
7.2 You must ensure the individual concerned is aware of the various matters detailed in this Privacy Notice, as those matters relate to that individual, including our identity, how to contact us, the way in which we collect and use personal data and our personal data disclosure practices, that individual's right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided.
It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us either by logging onto your account on the website or by contacting us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
Outside the United Kingdom
9.1 It is possible that personal data we collect from you may be transferred, stored and/or processed outside the United Kingdom, including in the European Economic Area, the United States of America and Argentina.
In connection with such transfers we shall seek to ensure that:
9.1.1 appropriate safeguards are place in connection with such processing, such as binding corporate rules or the standard data protection contractual clauses between us and the recipient (a copy of which can be obtained by contacting us using the contact details set out in paragraph 2); or
9.1.2 an adequacy decision has been made by the United Kingdom such that the data protection regime in the relevant location or jurisdiction ensures an adequate level of protection for personal data; or
9.1.3 one of the derogations for specific situations in Article 49 GDPR (or the equivalent provisions of applicable data protection legislation in the UK) applies to such transfer, storage or processing.
Outside Australia
9.2 It is possible that personal data we collect from you in Australia may be transferred, stored and/or processed outside Australia, including in the United Kingdom, the European Economic Area, the United States of America and Argentina.
9.2.1 Where we disclose information collected in Australia outside Australia we will only do so where the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that you can access to take action to enforce that protection of the law or binding scheme,
We will store your personal data the time period which is appropriate for the purpose for which the personal data is used. We keep the length of time that we hold your personal data for under review. These reviews take place annually.
11.1 In certain circumstances the provision of personal data by you is a requirement to comply with the law or a contract, or necessary to enter into a contract.
11.2 It is your choice as to whether you provide us with your personal data necessary to enter into a contract or as part of a contractual requirement. If you do not provide your personal data then the consequences of failing to provide your personal data is that we may not be able to perform to the level you expect under any contract with you. An example of this would be where we are unable to provide you with essential information around the service we offer you or confirmation of event registration as we do not have your full details, or where we cannot perform our contract with you at all because we rely on the personal data you provide in order to do so. Please see our terms and conditions for further details.
Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data (see paragraph 5.2), you may have a number of rights in connection with the processing of your personal data, including:
This policy only applies to BrightStarr Group (where relevant). If you link to another website from our website, you should remember to read and understand that website’s privacy policy as well. We do not control unconnected third-party websites and are not responsible for any use of your personal data that is made by unconnected third party websites.
BrightStarr Group has adopted this section to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and applies solely to residents of the State of California (“California Consumers”). Without limiting the foregoing, this section provides California Consumers with the disclosures and notices required under the CCPA. Certain exceptions and limitations may apply to a California Consumer’s rights and BrightStarr Group’s obligations under the CCPA.
Personal Information Collected. BrightStarr Group has collected the following categories of personal information from California Consumers within the last twelve (12) months (referred to within this Section as “CA Personal Information”):
Identifiers (e.g. real name, alias, online identifier, IP address, email address, or other similar identifiers).
Personal Information Categories Listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)). Some Personal Information included in this category may overlap with other categories.
Internet or Similar Network Activity (e.g. browsing history, search history, interactions with a website, application, or advertisement).
Geolocation Data (e.g. physical location or movements).
Sources for the CA Personal Information We Collect. We collect the CA Personal Information described above from the following sources:
Use of CA Personal Information. Depending on your interactions with BrightStarr Group, we may use or disclose the CA Personal Information we collect about you for one or more of the following business purposes:
We will not collect additional categories of CA Personal Information or use the CA Personal Information we collect for materially different, unrelated, or incompatible purposes without notifying you.
Disclosing Personal Information. BrightStarr Group may disclose Personal Information for a business purpose to the following categories of third parties:
No Sale of Personal Information. BrightStarr Group has not sold any CA Personal Information in the preceding twelve (12) months.
Your Rights and Choices. The CCPA provides California Consumers with specific rights regarding their CA Personal Information. The following paragraphs describe your CCPA rights and explain how to exercise those rights. Each of these rights is subject to our receipt of a verifiable consumer request (see Submit a Consumer Privacy Request).
Right to Disclosure. You have the right to request that we disclose certain information to you about our collection and use of your CA Personal Information over the past 12 months, such as:
BrightStarr Group is only required to respond to two disclosure requests within a 12-month period.
Right to Access. You have the right to request that we provide you with access to specific pieces of CA Personal Information we have collected about you over the past 12 months (also called a data portability request). If you submit a right to access request, we will provide you with copies of the requested pieces of CA Personal Information in a portable and readily usable format. Please note that BrightStarr Group is prohibited by law from disclosing copies of certain pieces of CA Personal Information (e.g., government identification numbers, financial account information, and passwords or security questions and answers) because the disclosure would create a substantial, articulable, and unreasonable risk to the security of the information, our business systems, or your account. BrightStarr Group is only required by law to respond to two access requests within a 12-month period.
Right to Deletion. You have the right to request that we delete any of your CA Personal Information that we collected from you and retained, with certain exceptions. BrightStarr Group may permanently delete, deidentify, or aggregate the CA Personal Information in response to a request for deletion. If you submit a right to deletion request, we will confirm the CA Personal Information to be deleted prior to its deletion, and we will notify you when your request is complete.
Submit a Consumer Privacy Request. To exercise any of the above rights, please submit a verifiable consumer privacy request to BrightStarr Group: by email at privacy@unily.com
Verification. We cannot respond to your request or provide you with CA Personal Information unless we can verify your identity and your authority to make the request and confirm that the CA Personal Information relates to you. A verifiable consumer privacy request must:
You do not have to sign up with BrightStarr Group to make a verifiable consumer privacy request. We will only use CA Personal Information provided in a verifiable consumer privacy request to verify the requestor’s identity or authority to make the request.
Authorized Agent. You may make a verifiable consumer request on behalf of your minor child. Otherwise, only you, or a person you have designated in writing as your authorized agent or who is registered with the California Secretary of State to act on your behalf, or to whom you have provided power of attorney pursuant to California Probate Code sections 4000 to 4465 (“Authorized Agent”) may make a verifiable consumer request related to your CA Personal Information. If you wish to have an Authorized Agent make a verifiable consumer request on your behalf, they will need to provide us with sufficient written proof that you have designated them as your Authorized Agent, and we will still require you to provide sufficient information to allow us to reasonably verify that you are the person about whom we collected CA Personal Information.
BrightStarr Group’s Response. We endeavor to respond to a verifiable consumer request within forty-five (45) days of receipt. If we require more time, we will notify you in writing of the reason and extension period. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding receipt of the verifiable consumer request. If we cannot comply with part or all of your request, we will explain the reasons in our response.
We do not charge a fee to process or respond to your verifiable consumer privacy request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Nondiscrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by law, we will not do any of the following as a result of your having exercised your right under the CCPA:
Other California Privacy Rights. California Civil Code sections 1798.83-1798.84 (the Shine the Light Act) entitles California residents to request disclosure regarding CA Personal Information sharing with affiliates and/or third parties for marketing purposes. If you are a California resident and you would like to request a copy of this notice, please contact us at privacy@unily.com with the subject line “Request for Califoria Privacy Information.”
