My NDPA Privacy Notice

Last updated: 16 May 2024

Welcome to My NDPA’s Privacy Notice. This Privacy Notice tells you everything that you need to know about how we collect, use and disclose your “Personal Data” when you interact with us, whether through our website, application or otherwise. We have capitalised the first letter of certain terms and provided an explanation for them in section 2 below.

1. What key information do you need to know about us?

Our legal entity name is My NDPA Ltd and we are incorporated in England & Wales and have the registration number of 15615720 and the registered address of 2-4 Petworth Road, Haslemere, England, GU27 2HR.

We have registered with the Information Commissioner’s Office (“ICO”) which is the data protection supervisory authority in England & Wales. Our registration reference with the ICO is [insert reference].

Data Protection Laws have established the roles of the Data Controller and the Data Processor. We operate as a Data Controller.

As such, we are responsible for protecting your privacy and rights, and we are accountable for ensuring compliance with Data Protection Laws.

2. What key data protection terms do you need to know?

To ensure our Privacy Notice is as clear as possible despite the complexity of legal terminology, we’ve provided a concise glossary below to help you to understand these terms.

  • Consent refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.
  • Criminal Convictions Data refers to Personal Data relating to criminal convictions and offences and includes Personal Data relating to criminal allegations and proceedings.
  • Data Controller refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Laws.
  • Data Processor refers to an organisation that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Laws.
  • Data Protection Laws refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to Personal Data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It sits alongside the Data Protection Act 2018.
  • Data Subjects refers to living, identified or identifiable individuals about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
  • European Economic Area (“EEA”) refers to the 27 countries in the European Union, Iceland, Liechtenstein and Norway.
  • Legitimate Interest refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.
  • Personal Data refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Data, Criminal Convictions Data and pseudonymised Personal Data. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.
  • Process or Processing refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
  • Special Category Data refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of an individual.

3. What does our data protection compliance program look like?

We adhere to Data Protection Laws not just out of legal obligation, but because we believe it is essential for building and maintaining the trust of the Data Subjects we interact with in our business.

Recognising the critical responsibility of protecting the confidentiality and integrity of Personal Data, we have established a comprehensive data protection compliance program. This program includes a data register (also known as a record of processing activities), notices, policies, procedures, and technical security controls.

We adhere to all of the principles under Data Protection Laws, including those outlined below.

  • We only Process Personal Data lawfully, fairly and in a transparent manner.
  • We only collect Personal Data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
  • We ensure that Personal Data that we collect and maintain is accurate and kept up to date.
  • We ensure that Personal Data is not kept in a form which permits identification of individuals for longer than is necessary.
  • We ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organisational measures, to protect it against unauthorised Processing and against accidental loss, destruction or damage.

From the very beginning of our business, we have integrated privacy considerations into the design and development of our services and systems. We utilise privacy-enhanced technologies, conduct data protection impact assessments, implement privacy-preserving measures, and embed privacy into My NDPA Ltd’s culture and practices.

4. Do we have a data protection officer?

We have conducted an assessment of our organisation under Data Protection Laws and have determined that we are not required, at this stage, to appoint a data protection officer. This is because we do not conduct regular and systematic monitoring of Data Subjects on a large scale, nor do we conduct large-scale Processing of Special Category Data. We will review this determination on a regular basis and will appoint a data protection officer if necessary. Please note that while we do not have a data protection officer, we remain fully committed to protecting the privacy and security of your Personal Data.

5. What types of Personal Data do we collect?

We collect, use, store and transfer different kinds of Personal Data depending on our relationship with you.

Examples of the Personal Data which we collect on Data Subjects (based on our relationship with you and the necessity of collecting such Personal Data) are outlined below.

  • Identity Data (e.g., first name, maiden name, last name, title, date of birth).
  • Contact Data (e.g., phone number, email address, home address, business address and billing address).
  • Profile Data (e.g., information about your professional background/organisation, agreements you’ve made with us).
  • Special Category Data (e.g., details concerning your racial or ethnic origin, sexual orientation, and mental and physical health).
  • Criminal Convictions Data (e.g., information on whether you have a criminal conviction or a caution).
  • Transaction & Financial Data (e.g., bank invoices and payment details).
  • Technical & Usage Data (e.g., internet protocol addresses, browser type and version, time zone settings, location and information about your interactions with our website).
  • Communications & Marketing Data (e.g., your preferences regarding cookies and marketing).

We are dedicated to protecting the privacy and security of your Personal Data, especially when it involves sensitive Special Category Data and Criminal Convictions Data.

Please note that we do aggregate data, such as statistical or demographic data, for purposes including research and analysis. Aggregated data may be derived from your Personal Data but is not considered Personal Data under Data Protection Laws, as it does not directly or indirectly reveal your identity. For example, we may aggregate your Technical & Usage Data to determine the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your Personal Data in a way that could directly or indirectly identify you, we will treat the combined data as Personal Data and handle it according to this Privacy Notice.

Please also note that in some cases, we may anonymise your Personal Data for research or statistical purposes. Once anonymised, it is no longer possible to link the data back to you, and we may use this information without further notice.

6. Do we use artificial intelligence?

We leverage Artificial Intelligence (“AI”) to enhance and refine features in order to deliver services and elevate service quality. In respect of automated methods, we utilise the services provided by OpenAI to enhance our website and application. We use OpenAI to improve user experience through natural language processing, predictive text and other AI-driven features. When you interact with features powered by OpenAI, certain data may be processed to provide accurate and relevant responses. This can include input data (e.g., text you type) and context needed to generate appropriate outputs.

We ensure that any data processed by OpenAI is handled securely. OpenAI employs robust security measures to protect your data from unauthorised access and breaches. By using our website and application, you acknowledge the integration of OpenAI and the associated data processing as described.

7. What are the lawful grounds for which we Process Personal Data?

Under Data Protection Laws, there are several lawful grounds for Processing Personal Data. These are the justifications organisations must have to Process Personal Data legally. The lawful grounds that we rely upon are outlined below.

  • Consent – This is where you have given clear and explicit consent for your Personal Data to be Processed for a specific purpose.
  • Contract – This is where the Processing is necessary in order to enter into or perform a contract.
  • Legal obligation – This is where the Processing is necessary for compliance with a legal obligation to which we are subject.
  • Vital interests – This is where the Processing is necessary to protect your vital interests or the vital interests of another person. This is generally relied upon in life-and-death situations.
  • Legitimate interests – This is where the Processing is necessary for the purposes of our Legitimate Interests or those of a third party, except where such interests are overridden by your interests or fundamental rights.

8. What are the categories of Data Subjects that we engage with?

In the course of our business, we interact with the following categories of Data Subjects: prospective and existing website and application users; prospective employees and also prospective and existing third-party suppliers (including independent contractors such as our keyworkers). We have made a chart below to provide key information to each category of Data Subjects.

Data Subject: Prospective or existing website and application user

What do we collect?

  • Identity Data
  • Contact Data
  • Profile Data
  • Special Category Data
  • Transaction & Financial Data
  • Technical & Usage Data
  • Communications & Marketing Data

How do we collect it?

  • Collected automatically when you browse our website and application.
  • You provide it to us (including publishing it on our website or application).

What are our lawful grounds?

  • Consent
  • Contract
  • Legitimate interests
  • Legal obligation

9. Who do we share your Personal Data with?

We share your Personal Data only when necessary and we have outlined the categories of third parties that we share your Personal Data with below.

  • Technology companies – Providers of support and software products essential for conducting our business operations.
  • Professional advisers – Law firms, banks, payment providers, and accountancy firms engaged for business purposes.
  • Governmental agencies and regulators – Entities such as Companies House, HMRC and the ICO with whom we need to engage for business purposes and compliance.
  • Potential business owners – Third parties with whom we may negotiate to sell, transfer, or merge parts of our business or assets, or to attempt to acquire or merge with other companies in the future.

10. How do we protect your Personal Data?

We have implemented appropriate technical and organisational measures, including encryption, to protect your Personal Data from accidental loss, falsification, unauthorised access, alteration, or disclosure. Access to your Personal Data is restricted to authorised personnel, including employees, contractors and relevant third parties, who need it for business purposes.

Furthermore, we have established policies, plans, and procedures to address any suspected or actual breaches of Personal Data, although we aim to prevent such incidents altogether.

Additionally, we require all third parties to respect the security of your Personal Data and to treat it in accordance with Data Protection Laws. We enter into contractual agreements with all of our third parties (with the exception of regulators and governmental authorities) which include the appropriate data protection clauses. We ensure that all third parties (with the exception of governmental agencies and regulators) put in place appropriate security measures to ensure that the Personal Data that is shared is protected from unauthorised access or misuse.

11. Do we transfer your Personal Data outside of the UK and/or the EEA?

We ensure that Personal Data is always transferred safely and securely. Whenever your Personal Data is transferred outside of the UK and/or the EEA, we protect it by implementing one of the following safeguards:

  • We only transfer your Personal Data to organisations outside of the UK and/or the EEA if we have entered into specific contracts with them that ensure your Personal Data will receive the same level of protection as it does in the UK and/or the EEA.
  • We only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data, as endorsed by the ICO and determined by the European Commission.

12. How long do we keep your Personal Data for?

  • We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including meeting legal, regulatory, tax, accounting or reporting requirements.
  • When determining the appropriate retention period for Personal Data, we consider various factors such as the amount, nature, and sensitivity of the data, the potential risks of unauthorised use or disclosure, the purposes for Processing the data, the feasibility of achieving these purposes through other means, and applicable legal, regulatory, tax, accounting, or other obligations.
  • In certain circumstances, we may retain Personal Data for a longer period, such as in the event of a complaint or if we reasonably believe there is potential for litigation related to our relationship with you (although we strive to avoid such situations whenever possible).

13. What rights do you have in respect of your Personal Data?

You have specific rights concerning the Personal Data we handle about you, as outlined below:

  • Right to access – You can request access to the information and obtain copies of the Personal Data we hold about you.
  • Right to rectification – You can ask us to correct any inaccuracies or incomplete information in your Personal Data.
  • Right to erasure – You can request the deletion of your Personal Data under certain circumstances, such as when the data is no longer necessary for its original purpose or Processing. However, complete deletion may not always be possible, especially if there is an ongoing contractual relationship.
  • Right to restrict Processing – You can request that we restrict the Processing of your Personal Data under specific conditions, such as when we are reviewing the accuracy of the Personal Data or assessing the validity of a deletion request.
  • Right to object – You can object to the Processing of your Personal Data, particularly if the Processing is based on our Legitimate Interests or is for direct marketing purposes.
  • Right to data portability – You can request to receive, transfer, or copy your Personal Data to another Data Controller. This right applies when we process your Personal Data based on your Consent or a contract, and the Processing is automated.

If you are dissatisfied with, or have concerns about, our approach, you have the right to lodge a complaint with the ICO via www.ico.org.uk. While we strive to adhere to evolving Data Protection Laws and maintain best practices, we encourage you to contact us first to address any concerns you may have about how we handle your Personal Data.

If you would like to exercise any of the rights mentioned above, please reach out to us at [email protected].

There is no charge for accessing your Personal Data or exercising any of these rights. However, if we deem your request to be clearly unfounded, repetitive, or excessive, we reserve the right to either charge a reasonable fee or decline the request.

For security reasons and to protect your interests, we may need to verify your identity by requesting specific information. Additionally, we may contact you for further details to expedite our response.

We aim to address all legitimate requests within one month. However, if your request is complex or involves multiple aspects, it may take longer. In such cases, we will keep you informed of any delays.

14. How do we use your Personal Data in our marketing practices?

We strive to provide you with choices regarding the use of specific Personal Data, particularly in relation to marketing and advertising. By analysing your Identity Data, Contact Data, Profile Data and Technical & Usage Data, we develop insights into your preferences and interests.

You will receive marketing communications from us if you have requested information or purchased our product and have not opted out of such communications. Before sharing your Personal Data with any third party for marketing purposes, we will obtain your explicit opt-in consent. You can request us or third parties to stop sending you marketing messages at any time by contacting us and withdrawing your Consent. However, opting out of these marketing messages will not affect messages necessary to fulfil a contract we have with you (e.g., contacting you to fulfil contractual obligations).

15. Do you have any questions or concerns?

If you use our website and application, we assume that you are happy with our approach to data protection compliance. If you have any questions or concerns, please do get in touch with us at [email protected].