buddyboost Privacy and Cookies Policy (Policy)
buddyboost is produced by and owned by Mayathon Social Enterprise Limited ( Mayathon, we, us or our) and in reading this Policy, Mayathon should be considered the processor. Mayathon is committed to protecting and respecting your privacy. We want everyone who uses our services to feel confident and comfortable with how any personal information you share with us will be looked after or used. This Policy sets out how we collect, use and store your personal information (this means any information that identifies or could identify you).
The Mayathon Policy may change so please remember to check back from time to time; this is version 3.0 Where we have made any changes to this Policy, we will make this clear on our website, App or contact you about any changes.
We are committed to being open and transparent with you. This Policy addresses:
1. Who we are and the scope of this Policy
2. How we collect information about you
3. Information we collect and why we use it (including marketing and cookies)
4. Legal basis for using your information
5. Sharing your information
6. Keeping your information safe
7. How long we hold your information for
8. Your rights.
1. Who we are and the scope of this Policy
Mayathon is committed to protecting your personal information and making every effort to ensure that your personal information is processed in a fair, open and transparent manner.
We are a “data controller” for the purposes of the General Data Protection Regulation 2018 (“GDPR” or ” Data Protection Law“). This means that we are responsible for, and control the processing of, your personal information.
user or you
any third party that accesses the website or App and is not either (i) employed by Mayathon and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Mayathon and accessing the website or App in connection with the provision of such services.
the website that you are currently using, www.buddyboost.co.uk, and any sub-domains of this site unless expressly excluded by their own terms and conditions.
The buddyboost digital application that you have downloaded from the publicly available app stores onto your mobile telephone, tablet or handheld device.
This Policy applies only to the actions of Mayathon and users of this website or App. It does not extend to any websites or other digital applications that can be accessed from this website including, but not limited to, any links we may provide to social media websites.
If you have any questions about this Policy or the ways in which we may process your personal data, please contact us:
Mayathon Social Enterprise Limited,
219 Kensington High Street,
2. How we collect information about you
We collect information from you when you interact with us directly, this includes when you visit our website or use our App. When you use our website or our App, we automatically collect the following information about you:
- Technical information, including the type of mobile device you use, a unique device identifier (for example, your device’s IMEI number), mobile network information, your mobile operating system, the type of mobile browser you use;
- Details of your use, or your visits to, our website or App and the resources that you access;
- Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website, (including date and time); product you viewed or search for; page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page; and
- we gather general information which might include which pages you visit most often and which services, events or information is of most interest to you. we may also track which pages you visit when you click on links in emails from us. We also use “cookies” to help our site run effectively. There are more details below – see ‘Cookies’ section in this Policy.
3. Information we collect and why we use it
3.1 Personal Information
The personal information that we typically collect includes your name, email address and electronic device identifiers (as described above). You will have given us this information whilst starting to use our App, registering your interest on our website, or any of the other ways to interact with us. We will mainly use this information:
- To provide the services or goods that you have requested, including use of our App and to search our website
- To update you with important administrative messages, or about an event, or for services which are not considered to be direct marketing in nature, including sign-posting to useful resources and charity partners
- To keep a record of your relationship with us and your interest in our work
- To allow us to contact users afterwards, including to promote other events (see the ‘Marketing’ section of this Policy, below)
- To invite you to participate in surveys or research
- For legitimate interests, specifically to track people’s activity and to gain insights which will help relevant research and public health interventions.
3.2 Sensitive Personal Information
If you choose to share your personal experiences related to the Mayathon challenge event, either through a survey or a case study, we will also collect data which may be considered to be sensitive. If you provide us with any additional Sensitive Personal Information by email or by other means for the purposes of our research, we will treat that particular information with extra care and confidentiality and always in accordance with this Policy.
We will only use this information for the purposes of research, and where you have given us your express consent; such consent is specific to that processing; and you have been adequately informed in providing consent. Separately, if you have clearly indicated to us that you are happy for us to share your story, then we may publish it on our website or other media. You can, of course, decide if you want to remain anonymous.
We may upload photos of our users to social media in order to promote Mayathon and to further our primary objectives described below in Section 4 (‘Lawful basis for using your information’). Wherever possible we will obtain explicit consent from you. You can ask us to not upload photos or to take down photos of you by contacting email@example.com and we will comply.
Relevant consent is required if Mayathon contacts you seeking to promote or advertise additional products or services. We will only contact you about such additional products and services by email if you have agreed for us to contact you in this manner.
You can update your choices or stop us sending you these communications at any time by contacting firstname.lastname@example.org or clicking the unsubscribe link at the bottom of the relevant communication.
There are certain activities which are not considered marketing where Mayathon may use your personal information to contact you. These legitimate activities include routine customer service messages and updates and encouragement relating to the Mayathon event, as well as reminding you of our partner charities and their important work. Similarly, if we contact you to request your participation in a survey (as part of our research and insights), this is not considered marketing, rather it is deemed genuine market research.
‘ Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile phone or tablet when you visit a website. Cookies are widely used in order to make such websites or mobile applications work more effectively, as well as to store information about your preferences or past actions. A cookie, by itself, can’t be used to identify you.
3.5.2 The cookies we use
We use the categorisation set out by the International Chamber of Commerce in their UK Cookie Guide. We use three categories of cookies:
- Strictly necessary cookies are essential for you to move around our website and to use its features
- Performance cookies collect information about how you use our site, like which pages are visited most
- Functionality cookies collect anonymous information that remember choices you make to improve your experience, like your text size or location. They may also be used to provide services you have asked for such as watching a video.
3.5.3 How to manage cookies
4. Lawful basis for using your information
In some cases, we will only use your personal information where we have your explicit consent, such as undertaking a survey with you or if you decide to share a story with us.
However, there are other lawful reasons that allow us to process your personal information and one of those is called ‘legitimate interests’. This means that the reason that we are processing information is because there is a legitimate interest for Mayathon to process your information to help us to further our primary objectives. These include:
- To encourage people to incorporate regular exercise activity in to their daily lives, with the ultimate aim to make people healthier and happier;
- To develop an evidence base for research in to the link between physical activity and good mental health;
- To develop insights in to effective ways to promote positive behaviour change; and
- To allow us to update people with relevant information, which may help participants to be more informed and also more engaged with the Mayathon challenge, in furtherance of our objectives.
Whenever we process your personal information under the ‘legitimate interest’ lawful basis we make sure that we take your rights and interests into account and will not process your personal information if we feel that there is an imbalance.
In addition to analysis of data generated from the App, some further examples of where we have a legitimate interest to process your personal information are where we use your personal information for data analytics to better understand who our participants are and to improve our services.
5. Sharing your Information
The personal information we collect about you will be used by Mayathon to further its primary objectives described above in Section 4 (‘Lawful basis for using your information’).
We will never sell or share your personal information with organisations so that they can contact you for any marketing activities. In addition, we never sell any information about your web browsing activity.
5.1 Use of third parties
Mayathon will, however, share your information with our trusted partners and suppliers who work with us on our behalf to deliver our services, but processing of this information is always carried out under our instruction. These partners are termed processors or sub-processors. We make sure that they store the data securely, delete it when they no longer need it and never use it for any other purposes.
Such processors include software developers, database administrators and mail list providers. Further examples of where we will share your information in connection with our objectives described above are with data analytics partners and research partners. We may also share images with partners who help us to manage our social media accounts on Facebook, Twitter or Instagram, but at all times complying with the provisions of 3.3 of this policy.
We enter into contracts with these service providers that require them to comply with Data Protection Laws and ensure that they have appropriate controls in place to secure your information.
We have not listed the individual suppliers by name as these may change from time to time, but in which case we will continue to ensure compliance with Data Protection Laws.
5.2 Legal disclosure
We will disclose your information if required to do so by law to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority.
6. Keeping your information safe
We take the security of your information very seriously. We’ve implemented appropriate physical, technical and organisational measures to protect the personal information we have under our control, both on and off-line, from improper access, use, alteration, destruction and loss.
All information you provide to us is stored on secure servers held in both the European Economic Area (EEA) and with GDPR compliant international data processors only. Where international data processors are used, all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA. For example, if a transfer of information is made to a back-up server located in the US, this will be done under applicable Standards Contractual Clauses (SSCs) in compliance with the GDPR.
7. How long we hold your information for
We only keep information for as long as is reasonable and necessary for the relevant activity, which may be to fulfil statutory obligations. The data is held to facilitate the legitimate interests described in Section 4 of this Policy, particularly our research that we will develop over time. For this reason, we expect to keep the data for at least 6 years. However, all data will be anonymised where possible (including aggregation of data and the use of numerical identifiers) and the retention period will be reviewed regularly to ensure it remains necessary in support of our legitimate interests.
8. Your rights
You have various rights in respect of the personal information we hold about you – these are set out in more detail below.
- Complaint : If you wish to exercise any of these rights or make a complaint, you can do so by contacting our Privacy team at Mayathon; 219 Kensington High Street; London W8 6BD, or by email at email@example.com . You can also make a complaint to the data protection supervisory authority, the Information Commissioner’s Office: https://ico.org.uk/.
- Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with and how long we keep it. You can make a request for access free of charge. Please make all requests for access in writing, and provide us with two pieces of evidence confirming your identity.
- Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. Please contact us as noted above, providing details of your objection (or opt-out of the marketing communications).
- Consent: If you have given us your consent to use personal information (for example, for marketing), you can withdraw your consent at any time. It should be noted that withdrawal of consent will not affect the lawfulness of processing based on consent before the withdrawal was requested.
- Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
- Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
- Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
- Restriction: You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.
To find out more about this Policy and how we look after your personal information, contact our Privacy team at firstname.lastname@example.org.