BAPAA’S INTERNAL PRIVACY POLICY

This Privacy Policy sets out the basic principles and practices of personal data protection adopted by the BRITISH AU PAIR AGENCIES ASSOCIATION (the “Organisation”).

1. Introduction

1.1 This Privacy Policy is an overview of the principles and practices which the Organisation will follow in relation to the protection of personal data which the Organisation collects, uses and discloses as part of the operation of its mobile app and manager panel.

1.2 For more information about how the Organisation uses user personal data, please contact aupairsuk@bapaa.org.uk.

2. Personal data is defined by the general data protection regulation (EU regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

3. Data Protection Principles and Practices

3.1 The Organisation shall follow the principles and practices below which are interrelated and shall be adhered to as a whole. At the Organisation we care deeply about privacy and we’re committed to being up-front and transparent about our privacy practices in regard to how we treat your personal information. This policy explains our privacy practices for the “AuPairs UK” mobile app and manager web panel. This Privacy Policy was published on the 24th of May 2018 and will take effect on the 25th of May 2018.

3.2 We need to process your personal data to provide you with the mobile app Service. By accepting our Terms and Conditions you are confirming that you have read and that you understand this policy including how and why we use your information. Your acceptance of this Privacy Policy is deemed to occur upon your first use of the mobile app. If you DO NOT want us to collect or to process your personal information as described in this policy, you shouldn’t use the Service.

3.3 The Organisation’s Terms and Conditions require all users to be at least 18 years of age (“Users”).

3.4 Collection of personal data

3.4.1 In the course of providing our Service, we collect or receive your personal information. Often it might be the case that you choose what information to provide, but sometimes we actually do require certain information for you to use (and for us to be able to provide you) the Service.

3.4.2 The purposes for which personal data are collected are specified by the Organisation in clause 3.4.6 below.

3.4.3 The personal data collected must be directly related to the purposes for which it is collected (this includes, for keeping the account secure).

3.4.4 When personal data has been collected and is to be used for a purpose not previously specified, the new purpose shall be specified to the relevant party prior to use, where this is a legal requirement.

3.4.5 Pursuant to an agreement dated 1st October 2017 (the “ Agreement”), Excuses to Meet LTD (“E2M”) as owner of the Application supplies the Service to the Organisation. Subject to the terms of the Agreement we are authorised by E2M to allow you to use the Service.

3.4.6 Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. The following list includes the data we collect from you and the purposes for which we collect it:

(a) First and Last Name: Collected to help the Organisation with the User verification process, and to help Users have a more personable experience when chatting with one another on the app (by allowing them to view each other’s first name).

(b) Profile Photo: Upon first login, a User’s profile photo will be grabbed from the User’s public profile from the social media account used to log-in to the app. At all times, the User has the ability to change its profile photo and at all times is required to use a photo which clearly shows the User’s face in a way in which the User is easily identifiable. The following types of photos are an example of photos which WILL NOT be allowed as profile photos: blank photos, photos where the User is looking away from the camera, photos with multiple people in the photo, or photos where the User is not in the photo, etc.

(c) Email: We collect User’s emails to make sure that a User who has logged in using one social media account is then also able to log-in using a different social media account, based on the same email address credential. For example, if the User logs in using the Facebook login feature and on another occasion logs-in using the Google login feature (with coinciding email address), in such scenarios we tie both logs together as one account so that the User can access its account regardless of the social media platform used for logging in.

(d) Profile Description: As part of your profile page, you (the User) are allowed to create your own profile description to introduce yourself or more generally to inform others why you’re using the app (or what you want to get out of it). This section may be edited by you at any time, and you may at any time delete the information in this section. We only store the most recent version of your profile description.

(e) Gender: Gender is only collected to help us understand high level gender-demographics of Users in the app, which in turn helps us bring you an experience more attuned to the whole of the User-base. For example, the type of “excuses to meet” (interests list) we provide to our Users; these could be updated based on the Gender information breakdown we collect.

(f) Device-specific information: We may collect device-specific information when you install, access or use our Service. This information may include device hardware model, operating system information, app version, app usage, IP address and device name/identifiers. This information, combined with other information we collect about you is used to prevent fraud and to keep the Service secure.

(g) Location information: We collect generalised location information about your (the User’s) device as this information is essential for the Service to run; location information allows us to organise User’s profiles according to their approximated distance from you, starting with those closest to you, which we display towards the top of your screen, while displaying those farther away below. This helps you understand which Users are closest to you and make informed decisions about whether or not writing to them for the purposes of eventually meeting, may be realistic (based on the proximity information provided). Certain functionality of the app may require you to be within a specific geo-location in order to gain access (for example, the “Communities” feature); this is another reason why we collect your location. We only store location based on the first time you joined the app, and the last time the app received “ping” activity. For your peace of mind, all additional data points are permanently removed from the system, and those two points which we do keep are micro-randomised to ensure that we’re not storing your specific location. You may at any time disable ‘Location’ by turning it OFF from your device Settings, however this may result in certain parts of the Service becoming unavailable.

(h) Analytics: We collect both granular and high-level analytics about User’s behaviour in the app and we want to be extremely clear and transparent about what this means for you. We DO NOT read your messages and we DO NOT view who you are communicating with, however in certain extreme circumstances we may request from E2M a view of specific conversation logs (such as a User reporting abuse from another User, or a relevant authority requesting assistance as part of an ongoing investigation, or as due diligence to prevent suspected fraud, etc). As part of the platform’s internal analytics we are able to count the amount of 1-to-1 dialogues and the number of messages resulting from these dialogues, in the platform; we can do this at a granular level and as aggregated totals, but again, without reading these and without knowing who these were directed to. This helps us build a general understanding of how helpful the Service is to our Users in making new connections with others. We may also keep a log of what day, month and year you first joined the app, when you were first approved into the app, when you were rejected from it (if relevant), when you were banned from the app (if relevant), and the last time you had activity in the app (for example, the last time you messaged someone).

(i) Public Profile: As our login process may require you to log-in using your social media account, we may collect a link pointed to your account’s public profile. This information, in combination with some of our other verification features, helps us determine the authenticity of the profile you’ve created with us.

3.5 Consent

3.5.1 The Organisation shall obtain the consent of the individual to whom the personal data relates (hereinafter called the “ Individual”) for the collection, use or disclosure of personal data to a third party, save where obtaining consent is not a legal requirement such as for a legitimate interest to use it.

3.5.2 Consent shall be obtained by the Organisation at or before the time the personal data is collected except that, where the Organisation wants to use the personal data for a purpose not previously specified, consent with respect to such purpose may be obtained after the personal data is collected but before use.

3.5.3 With your permission and/or where permitted by law, the Organisation may also use your personal data for marketing purposes, which may include contacting you by email, telephone, via the app, text message, post with information, news, and offers on our services.

3.5.4 The way in which the Organisation obtains consent may vary, depending on the circumstances and the type of personal data being collected. Individuals who do not consent will be provided with an opportunity not to submit their personal data (for example, by not continuing through with the registration/initial sign-up process).

3.5.5 Where the Organisation intends to use personal data for direct marketing purposes, the Organisation will make this clear in an upfront notice to Individuals and will ask Individuals to consent to this purpose. Individuals who do not consent will still be able to submit their personal data to continue their relationship with the Organisation. The Organisation will record that such Individuals have not consented to direct marketing and will not send marketing materials to such Individuals (unless they subsequently provide their consent).

3.6 Use and disclosure

3.6.1 Except where legally permitted, the Organisation will not use, or disclose to a third party, personal data for purposes other than those for which it was collected, unless the Individual consents to such use or disclosure.

3.6.2 Examples where use or disclosure without the consent of the Individual is permitted:

(a) Personal data is used in the investigation of an actual or suspected breach of an agreement or contravention of the law that has been, is being, or is about to be committed;

(b) Personal data is being used in an emergency that threatens the life, health or security of a person;

(c) Use of personal data which is generally available to the public;

(d) Disclosure is made to a lawyer or law firm representing the Organisation;

(e) Disclosure or use is necessary for the purposes of establishing, exercising or defending legal rights;

(f) Disclosure is to a government agency that has made a lawful request for the personal data;

(g) Disclosure is made, on the initiative of the Organisation, to an investigative body appointed by the Organisation, or to a government agency for investigative purposes; or

(h) Disclosure is made to a person who needs the personal data because of an emergency that threatens the life, health or security of a person.

3.7 Accuracy

3.7.1 The Organisation will use reasonable efforts to keep personal data accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

3.7.2 The Organisation will provide Individuals with opportunities to check that their personal data is accurate, complete and up-to-date.

3.7.3 When necessary, the Organisation will also check with Individuals that their personal data is accurate, complete and up-to-date.

3.8 Retention, Removal and Portability

3.8.1 Subject to any applicable legal requirements, personal data shall not be kept longer than is necessary for the fulfilment of the purposes (including any directly related purpose) for which the personal data is or is to be used or for legal or business purposes. We store personal data for a maximum of 7 years.

3.8.2 Individuals have the right to be forgotten and may at any time request the permanent deletion of their account. In such instances the Organisation will place Individuals accounts on queue for automatic permanent removal for a period ranging anywhere between immediate removal and removal taking place up to six months later. This queueing period aids the Organisation in identifying potential bad-leavers, ensuring said Individuals don’t abuse the Service with an easy exit into anonymity.

3.8.3 Individuals have the right to data portability which they may request by emailing the Organisation at aupairsuk@bapaa.org.uk. In certain instances, a reasonable fee for the administrative costs of complying with the request may be applied, and collection of said fees is expected prior to actioning the Individual’s request. The Organisation may also request additional information from the Individual to locate and/or verify the Individual’s account.

3.9 Other Legal Rights

Under the GDPR, you have the following rights, which we will always work to uphold:

3.9.1 The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions at aupairsuk@bapaa.org.uk.

3.9.2 The right to access the personal data we hold about you. Clause 3.11 will tell you how to do this.

3.9.3 The right to restrict (i.e. prevent) the processing of your personal data.

3.9.4 The right to object to us using your personal data for a particular purpose or purposes.

3.9.5 Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us at aupairsuk@bapaa.org.uk.

Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

3.10 Security

3.10.1 Reasonable and appropriate safeguards shall be put in place to protect personal data against accidental or unlawful loss, as well as unauthorised access, disclosure, copying, use, or modification. The Organisation shall protect personal data regardless of the format in which they are held.

3.10.2 The nature and extent of the security measures and safeguards will vary depending on:

(a) the sensitivity of the personal data that has been collected;

(b) the amount, distribution, and format of the personal data;

(c) the method of storage;

(d) the state of technological development; and

(e) the cost and reasonableness of implementation of the safeguards.

3.10.3 The methods of protection will include one or more of the following:

(a) physical measures, for example, secured filing cabinets and restricted access to the offices;

(b) organisational measures, for example, security clearances and limiting access on a need-to-know basis;

(c) technological measures, for example, the use of passwords, secure logon processes, firewalls, intrusion monitoring technologies, a secure socket layer connection and encryption, as may be available, appropriate and reasonable from time to time.

3.10.4 Reasonable care shall be used in the disposal or destruction of personal data, to prevent unauthorised parties from gaining access to the personal data.

3.11 Access to and correction of personal data

3.11.1 Where required by law, upon the request of an Individual, the Organisation will assist the Individual to obtain access to and correct his/her personal data (or suggest alternative ways in which this data may be corrected).

3.11.2 After correcting any inaccurate personal data at the request of the Individual, where necessary for the relevant purposes for which the data is being processed, the Organisation shall send such corrected personal data to any other organisations to which the personal data was disclosed.

3.11.3 Individuals can contact aupairsuk@bapaa.org.uk if they wish to correct their personal data.

3.12 Third Party Processors

3.12.1 Further security-related measures will apply when the Organisation uses third parties to process personal data on its behalf.

3.12.2 The Organisation will carry out due diligence on the third party to ensure that it will be able to comply with (at least) the same security standards that the Organisation must comply with.

3.12.3 A written contract will be put in place with such third parties, specifying that:

(a) the third party will comply with such security standards as specified by the Organisation;

(b) the third party will only retain the data for as long as the Organisation deems necessary; and

(c) the third party will only use the personal data in accordance with the Organisation’s instructions.

3.12.4 The Organisation will also monitor such third parties to ensure that they are complying with the terms of such written contract.

3.13 Transfers of data to other countries

3.13.1 The Organisation may transfer personal data collected in one country to another country e.g. for back-up purposes. Where the Organisation does so, it will only do so in accordance with applicable laws.

4. Staff Training AND MESSAGES FROM THE ORGANISATION

4.1 Staff of the Organisation shall be made aware of the importance of this Privacy Policy and of maintaining the confidentiality and security of personal data.

4.2 The Organisation staff may contact you via 1-to-1 conversation within the app. You agree that the Organisation can send you messages (including broadcasted messages), such as those related to your account, security, or product changes. The Organisation may also respond to messages initiated by you, for example where you may have requested support about the app.

5. Reviews of and Updates to this Privacy Policy

5.1 The Organisation shall review and update this Privacy Policy:

5.1.1 on a regular basis (and at least every two years);

5.1.2 to reflect any new regulatory requirements or guidance;

5.1.3 where there is a change in the business or its activities which impact its personal data practices; and

5.1.4 in the event of a serious data protection incident.