Privacy Policy

1. Introduction and consent to installation of the app and use of the software

We may collect various types of information when you interact with our Services, including:

‍1.1: Welcome to the Privacy Policy of Spacebands – a collection of hardware devices that monitor and transmit workplace safety and well-being data to the accompanying mobile application software (‘App’) and web-based software (collectively the ‘Products’). This Privacy Policy should be read in conjunction with our Software as a Service (SaaS) Subscription Agreement and our Hire Agreement and Terms of Use for Hardware (collectively the ‘User Terms’).

1.2: spacebands respects your privacy and is committed to protecting your personal data. This Privacy Policy will inform you as to how we look after your personal data when you use our Products and tells you about your privacy rights and how the law protects you when you use the Products.

1.3: spacebands Ltd is a company registered in England and Wales under company number 12681754. Our registered office address is Sbarc/Spark, Maindy Road, Cardiff, Wales, CF24 4HQ. We are the controller and responsible for your personal data (collectively referred to as "spacebands", "we", "us" or "our" in this Privacy Policy).
‍
1.4: Words and phrases defined in our User Terms will take on the same meaning when used in this Privacy Policy.

1.5: We have appointed a data protection officer (‘DPO’) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:

Full name of DPO: Ronan Finnegan
Email address: ronan@spacebands.com
Postal address: Fieldsafar, East End, Marshfield, Wiltshire, SN14 8NU
Telephone number: 07794637453

1.6: You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

1.7: Please use the Glossary in section 12 to understand the meaning of some of the terms used in this Privacy Policy.

2. Important information

2.1: This Privacy Policy aims to give you information on how spacebands collects and processes your personal data based on different types of interaction.

2.2: Our Products are not intended for children, and we do not knowingly collect data relating to children.

2.3: It is important that you read this Privacy Policy together with any User Terms or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.

2.4: We keep our Privacy Policy under regular review. This version was last updated in September 2023. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you by SMS or by email or when you next start the App or log onto your account. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the Software. Historic versions can be obtained by contacting the DPO using the details above. 

2.5: It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2.6: This Software may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party apps or websites and are not responsible for their privacy statements. When you leave our App, we encourage you to read the privacy policy of every app or website you visit.

3. The data we collect about you

3.1: Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data) or data about corporate entities, like a company.

3.2: We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• (a) Identity Data - first name, last name, username/email, title, date of birth and gender, occupation/job role, location
  
• (b) Contact Data - billing address, delivery address, email address and telephone numbers
  
• (c) Device Data – type of mobile device, a unique device identifier (for example, the Device's IMEI number, the MAC address of the device's wireless network interface, or the mobile phone number used by the device), mobile network information, the operating system of the device, whether the device is rooted on Android or on iOS, device reporting language, time zone, recent country the browser was in, push notification status, Google Ad Id and Apple IFV.
  
• (d) Financial Data - bank account and payment card details.
  
• (e) Transaction Data - details about payments to and from you and other details of products and services you have purchased from us.
  
• (f) Technical Data - internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the website.
  
• (g) Profile Data - your username and password and details about purchases or orders made by you, including your interests, preferences, feedback and survey responses.
  
• (h) Usage Data – information about the way you use our Software, including the date and time of first and last use, and the total number of times and duration you have accessed the Software.
  
• (i) Marketing and Communications Data - preferences in receiving marketing from us and third parties and your communication preferences.
  

3.3: Aggregated Data. We also collect and use Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Software feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

3.4: Location Data. We also use proximity data to determine your location when using the Products. Some of our location-enabled Services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by contacting the DPO using the details above or disabling Location Data in your settings.

3.5: Data not provided. Where we need to collect personal data by law, or under the terms of a Contract we have with you, and you fail to provide that data when requested, we may not be able to perform the Contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

4. Cookies

4.1: Our Software uses cookies to distinguish you from other users of our Software. This helps us to provide you with a good experience when you browse our Software and also allows us to improve the Software.

4.2: A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer (if you agree). Cookies contain information that is transferred to your computer's hard drive. We use the following cookies:

• (a) Strictly necessary cookies. These are cookies that are required for the operation of our Software. They include, for example, cookies that enable you to log into secure areas of our Software.
  
• (b) Analytical and performance cookies. These allow us to recognise and count the number of users and to see how visitors move around our Software or when they are using it. This helps us to improve the way the Software works, for example, by ensuring that users are finding what they are looking for easily.
  
• (c) Functionality cookies. These are used to recognise you when you return to our Software. This enables us to personalise our content for you, greet you by name and remember your preferences.
  
• (d) Targeted cookies. These are used to show you targeted adverts on third party websites.
  

4.3: You can find more information about the individual cookies we use and the purposes for which we use them below:

• Google Ads & Analytics Tracking. Used for Google Analytics and Google Ads marketing campaigns
  
• Facebook Pixel. Used for Facebook Ads marketing campaigns
  
• LinkedIn Pixel. Used for Linkedin Ads marketing campaigns
  
• Webflow. Used to build our website
  
• Leadfeeder. Used to track website visits
  
• Lucky Orange. Used to track user behaviour in our dashboard product
  

4.4: You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Software.

5. How is your personal data collected?

5.1: We use different methods to collect data from and about you, including through:

• (a) Direct interactions. You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us by our Website and any in-App or Software chat features, post, phone, email or otherwise. This includes personal data you provide when you:
  (i) Create an account on the Software
  (ii) Subscribe to any marketing we offer
  (iii) Supplying feedback and any content
  (iv) Make contact by telephone. (Please note that we sometimes record telephone conversations, but will seek your express consent to this each time)
  (v) Filling out the contact form on the website or providing us with any other correspondence in Writing
  (vi) Enter a competition, promotion or survey
  
• (b) Automated technologies or interactions. As you interact with our Software, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using server logs and other similar technologies. We may also receive Technical Data about you if you visit other applications employing our cookies.
  
• (c) Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
  (i) Technical Data from analytics providers, such as Google, HotJar and Lucky Orange - all based in the US);
  (ii) Contact, Financial and Transaction Data from providers of technical, payment and delivery services, such as Stripe (based in the US);
  (iii) Identity and Contact Data from publicly available sources, such as Companies House and social media accounts, like LinkedIn.
  

6. How we use your personal data

6.1: We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:

• (a) Where you have consented before the processing.
  
• (b) Where we need to perform a contract we are about to enter or have entered with you.
  
• (c) Where it is necessary for our legitimate interests (or those of a third party, such as employers collecting data from workers’ proximity to safety hazards) and your interests and fundamental rights do not override those interests.
  
• (d) Where we need to comply with a legal or regulatory obligation.
  

6.2: We may also use your personal information in the following situations, which are likely to be rare:

• (a) Where we need to protect your interests (or someone else's interests).
  
• (b) Where it is needed in the public interest or for official purposes.
  
• (c) Where third party companies can provide value to you (for example, insurance companies)
  

6.3: We will only send you direct marketing communications by email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

6.4: We have also set out below, in a table format, a description of all the other ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

6.5: If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as providing you with the services), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of workers).

6.6: We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

6.7: Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7. Marketing

7.1: We strive to provide you with choices regarding certain personal data uses, particularly around direct marketing and advertising. We have established the following personal data control mechanisms:

• (a) Promotional offers from us. We may use your Identity, Contact, Technical, Usage and account data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). Adverts will be displayed in-Software, and you will also receive marketing communications from us if you have requested information from us or you have purchased Products, and you have not opted out of receiving that marketing.
  
• (b) Third-party marketing. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
  
• (c) Opting out. You can ask us or third parties to stop sending you marketing messages outside of your use of the Software at any time by following the opt-out links on any marketing message sent to you, or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of purchases or other transactions.
  

8. Disclosures of your personal data

8.1: We may share your personal data with the parties set out below for the purposes set out in section 6 above:

• (a) External Third Parties as set out in the Glossary;
  
• (b) Specific third parties listed throughout this Privacy Policy; and
  
• (c) Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
  

8.2: We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

9. International transfers

9.1: Your personal data may be stored or transferred to countries outside the European Economic Area (EEA) for the purposes described in this Privacy Policy and pursuant to providing the services to you. When we store or transfer your personal data outside the EEA, we will do so in accordance with applicable law and we will ensure a similar degree of protection is afforded to it by implementing the appropriate safeguards listed below. Transfers of personal data will only be made:

• (a) to a country recognised by the European Commission as providing an adequate level of protection; or
  
• (b) to a country which does not offer adequate protection but whose transfer has been governed by the standard contractual clauses of the UK GDPR or by implementing other appropriate cross-border transfer solutions to provide adequate protection.
  

By using our services, you understand that your personal data may be transferred to our facilities and those third parties with whom we share it as described in this Privacy Policy.

10. Data security

10.1: We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

10.2: We store your data on our secure cloud server, which is hosted by Microsoft and backed up by specialist backup software. 

10.3: We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

11. Data retention

11.1: We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. 

11.2: To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

11.3: We must keep basic information (including Contact, Identity, Financial and Transaction Data) for six years for tax purposes after you cease being a registered Worker.

11.4: On an annual basis, the DPO is responsible for ensuring that we comply with the above provisions in destroying personal data, which is carried out as follows:

• (a) All electronic records will be individually and permanently deleted from our systems.
  
• (b) Paper-based correspondence will be shredded and discarded in the confidential paper waste. We do not hold any original documents.
  
• (c) If email correspondence can’t be dealt with at the time of reading, it is marked ‘unread’ and left for another adviser to respond to. If it can be dealt with at the time of reading, it is placed into the adviser’s individual inbox and dealt with. When the enquiry is complete, and the details are uploaded onto our case management system the, email is deleted.
  

12. Your legal rights

12.1: Under certain circumstances, you have rights under data protection laws in relation to your personal data as follows (please check the Glossary for further information on each right):

• (a) Request access to your personal data.
  
• (b) Request correction of your personal data.
  
• (c) Request erasure of your personal data.
  
• (d) Object to processing of your personal data.
  
• (e) Request restriction of processing your personal data.
  
• (f) Request transfer of your personal data.
  
• (g) Right to withdraw consent.
  

If you wish to exercise any of the rights set out above, please contact us. 

12.2: Fees. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

12.3: Specific Information. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

12.4: Response time. We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13. Glossary

LAWFUL BASIS

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service or product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

‍Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

‍Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

‍THIRD PARTIES

‍In addition to any third parties specifically mentioned throughout this document, External Third Parties can be summarised as follows:

• (a) Service providers acting as processors based in the UK who provide IT and system administration services.
  
• (b) Professional advisers, acting as processors, including lawyers, bankers, auditors and insurers based in the UK, who provide consultancy, banking, legal, insurance and accounting services.
  
• (c) HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
  
• (d) Payment service providers, like Stripe, based in the US and who act on our behalf as a processor. A link to their privacy policy can be found here.
  
• (e) Advertising management tools, like Facebook Pixel, based in the US and who act on our behalf as a processor. A link to their privacy policy can be found here.
  
• (f) Cookie providers, like Leadfeeder, based in Finland and who act on our behalf as a processor. A link to their privacy policy can be found here.
  
• (g) User insight tools, like HotJar and Lucky Orange, who act on our behalf as a processors. A link to HotJar’s privacy policy can be found here. A link to Lucky Orange’s privacy policy can be found here.
  
• (h) Software developers based in India, who act on our behalf as a processor. We have agreed standard contractual clauses to ensure their adherence with the UK GDPR when processing your personal data.
  
• (i) Analytics providers, such as Google, based outside of the UK and who act on our behalf as a processor.
  
• (j) Customer relationship management software providers, like Hubspot, based in the US and who act on our behalf as a processor. A link to their privacy policy can be found here.
  
• (k) Accounting software, like Xero, based in the US and who act on our behalf as a processor. A link to their privacy policy can be found here.