Privacy Policy - UPP Foundation

Privacy notice

Last update May 2021

Welcome to the UPP Foundation Limited’s Privacy Notice.

SUMMARY

The UPP Foundation is committed to protecting your personal data. This Privacy Notice sets out what information we may collect from you when you:

Visit our website: https://upp-foundation.org (regardless of where you visit it from).
Visit our social media pages, including:

LinkedIn: https://www.linkedin.com/company/upp-foundation/
Twitter: https://twitter.com/UPP_Foundation

Call us, write to us, use our services, or communicate with us in any way.

This privacy notice does not apply to you if you are a supplier to us, work for us or are applying to work for us. In those cases, we will provide separate privacy notices that set out that relationship with you.

When we say “we”, “us”, or “UPP Foundation”, that means the company UPP Foundation Limited. UPP Foundation is part of a wider group of companies. You can find details of these companies here: https://www.upp-ltd.com/

This privacy notice is issued on behalf of UPP Foundation Limited. If your communications with us relate to our group companies, we will, where appropriate, pass your personal data to them so that they can handle your enquiry. Their specific privacy notice will then also apply to how they process your data.

Where we collect information about you, if that information is about you, or can be used by us or organisations with which we work to find out about you, it is known as “personal data”.

In line with the law, this privacy notice tells you what types of personal data we hold about you, why and how we use this information, and gives you details of your privacy rights.

The rules about personal data are complex. If you need help understanding anything in this privacy notice, please contact us at upp-foundation@upp-ltd.com

The simple version is this:

We collect information about you, including contact details (like your email address), when you give us that information on our website, when you call us or communicate with us, and when you interact with us on pages on social media platforms that we operate.
We treat the information that we hold about you very carefully. We do our best to make sure that information about you does not go to the wrong people or to people who might not look after that information properly.
If you ask us to do certain things with the information that we hold about you, we must usually do what you ask and you do not usually have to pay for this. Those things include:
- Giving you a copy of the information that we hold about you.
- Putting right any mistakes in the information that we hold about you.
- Stopping using information about you or deleting it.

If you want to ask us to do any of these things, or you have any questions or concerns, you can contact us at upp-foundation@upp-ltd.com. If you still have concerns, you can also contact the Information Commissioner’s Office (“ICO”). This is the organisation in charge of making sure that we do the right things with your personal data.

BACKGROUND

This privacy notice is addressed to individuals who visit the website or pages on social media platforms that are operated by UPP Foundation Limited (“UPP Foundation”, “we”, “our” or “us”); to our contacts; and to other individuals who may deal with us. In this privacy notice, we collectively refer to these categories of individuals as “you”.

If you are a supplier to us, applying to work for us, or you are one of our staff members or workers, a different privacy notice will apply. In that case, we will provide a separate privacy notice that sets out that relationship with you.

Our privacy notice is split into linked sections so that you can quickly go to a specific section. Alternatively, if you prefer, you can contact us upp-foundation@upp-ltd.com to request a hard copy of the whole privacy notice.

You can check the meaning of some of the terms used in this privacy notice by using the Glossary in the final section.

We also encourage you to read this notice and take a moment to read the UPP Foundation Website Terms and Conditions here [insert link]. We keep our data protection measures under constant review and from time to time we will update this notice so please refer back to this page. If we make any significant changes, we will endeavour to notify you.

We hope the headings below help you to find the information you are looking for.

About this Privacy Notice
About us
How to contact us
Changes to the privacy notice and your duty to inform us of changes
Personal data we collect about you
How we collect your personal data
How we use your personal data
Our Lawful bases
Our marketing
Who we share your personal data with
How we keep your personal data secure
International Data Transfers
How long we keep your information for
Your privacy rights
Third Party Links
Use of Cookies
Glossary

ABOUT THIS PRIVACY NOTICE

The UPP Foundation is committed to protecting your personal data. This Privacy Notice sets out what information we may collect from you when you:

Visit our website: https://upp-foundation.org (regardless of where you visit it from).
Visit our social media pages, including:

LinkedIn: https://www.linkedin.com/company/upp-foundation/
Twitter: https://twitter.com/UPP_Foundation

Call us, write to us, use our services, or communicate with us in any way.

Suppliers / grant recipients – If you or your organisation are a supplier or grant recipient of the UPP Foundation then the terms our contract or memorandum of understanding with you, together with the associated privacy notices, will provide more detail about how UPP Foundation will handle your personal data.

This website is not intended for children and we do not knowingly collect data relating to children.

To ensure that you are fully aware of how and why we are using your data, it is important that you read this privacy notice together with any other data protection or privacy notice that we may provide on specific occasions when we are collecting or processing personal data about you. This privacy notice supplements other such statements and privacy policies and is not intended to override them.

ABOUT US

UPP Foundation Limited (referred to as “UPP Foundation”, “we”, “us” or “our” in this privacy notice) is a limited company registered in England and Wales with registered company number 09928856 and whose registered head office is at First Floor, 12 Arthur Street, London, England, EC4R 9AB, is the controller and is responsible for your personal data.

UPP Foundation is also:

A registered charity (number: 1166323), founded by University Partnerships Programme, details of which can be found here: https://upp-foundation.org/about-us/.
Part of a wider group of companies. You can find details of these companies here: https://www.upp-ltd.com/

UPP Foundation will always endeavour to handle your personal data in accordance with applicable data protection legislation here in the UK.

HOW TO CONTACT US

If you have any questions about this privacy notice (including any requests to exercise your legal rights) or any questions about how we collect, use and protect your personal data, please contact our Compliance Team who will respond as quickly as possible to any query you may have.

Email: compliance@upp-ltd.com
Post: UPP, First Floor,12 Arthur Street, London, EC4R 9AB
Telephone: +(44) (0)207 398 7200

You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so we would encourage you to contact us first to discuss these.

CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

We keep our data protection practices under constant review and from time to time may update this privacy notice. This version was last updated in May 2021. Historic versions can be obtained by contacting us at upp-foundation@upp-ltd.com

Any changes that we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy notice.

It is important that the personal data that we hold about you is accurate and current. Please keep us informed at upp-foundation@upp-ltd.com if your personal data changes during your relationship with us.

PERSONAL DATA WE COLLECT ABOUT YOU

When you contact us through our sites, communicate with us or visit our premises, you may provide us with personal data about you.

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We will collect different types of personal data about you in several different ways depending on your relationship with us. To illustrate the types of information we collect we have grouped this together as follows:

1. Identity Data – this includes information such as first name and last name.
2. Contact data – this includes information such as your email address.
3. Marketing data – this includes your preferences in receiving marketing from us or any partners we work with.
4. Research data. We collect your contact data and other data relevant to particular research projects where you agree to participate in that research (described further below).
5. Technical data – this includes information we may collect when you access our website or interact with our social media accounts, such as your IP address, login data, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices that you use to access our sites.
6. Client / supplier data – this includes personal data that you or your colleagues provide to us, or that we collect in connection with the service you supply to us. For example, business contact details and your business circumstances or history.
7. Usage data includes information about how you use our sites, products and services.
8. Image data includes individual images or general location images in which you might be visible.

Social media data includes marketing data, communications data via the relevant social media channel and limited identity data where you engage with our social media accounts.

Communications data includes personal data that is included in your communications with us.

We also collect, use and share aggregated data such as statistical or demographic data used for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law because this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users who access a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this privacy notice.

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). We also do not collect any information about criminal convictions and offences.

HOW WE COLLECT YOUR PERSONAL DATA

We use different methods to collect data from and about you, including through:

Direct interactions. You may give us your identity data, contact data, financial data, communications data and social media data by filling in forms or by corresponding with us via the website, by post, phone, email, via our social media accounts, face to face or otherwise. This includes personal data that you provide when you:

Make enquiries about or apply for grants.
Subscribe to our service or publications.
Request news, events and marketing information to be sent to you.
Communicate with us via social media
Respond to a survey, give us feedback or contact us
Attend an event.

Automated technologies or interactions. As you interact with our sites, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details.

Marketing data. We collect your contact data if you make an enquiry via our website or the website of UPP. We do not buy in mailing.
Social media data. When you use our social media platforms to communicate with us, engage with us or share content with us:

Those platforms may provide us with information about you, such as where you send us a message, or like or comment on us or our content.
When contacting us through a social media platform, we suggest that you also familiarise yourself with the privacy information provided by the relevant platform, which is not controlled by us.
If you wish to contact us via a social media platform, we suggest that you use direct messaging rather than public messaging if you wish to share any personal data with us. Any personal data shared in public on social platforms is shared at your own risk.

Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:

Technical data from the following parties our website analytics provider Google (based within the EU).
We may also receive [identity data, contact data, and communications data] about you from other organisations and sources such as:

Public Relations advisors in our interaction with media, universities, public authorities and government agents.
Your advisors or parties associated with you.
Publicly available information from sources such as UK Companies House, the UK open electoral register and other websites.
Universities and charities where we fund projects.
Credit reference agencies and credit checking providers, as part of our new suppliers’ process, as well as criminal records checks and information from HM Revenue and Customs (HMRC).

If we receive information about you from another organisation, and it is not already obvious to you that we are holding this, we will let you know and tell you how we will use this information.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract that we have with you, or we are processing your personal data to fulfil a request that you have made, and you fail to provide that data when requested, we may not be able to perform the contract that we have or are trying to enter into with you (for example, to provide you with our services) or we may not be able to otherwise comply with your request. In this case, we may have to cancel a service that you have with us, but we will use reasonable efforts to notify you if this is the case at the time.

HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:

To deal with your enquiries, and to make contact with you, where you request information about our services.
To perform a contract, we are about to enter into or have entered into with you or your organisation
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
To agree and then provide our services to you under our contract with you or your organisation.
To contact you where your details have been legitimately provided to us in relation to our services.
To comply with our legal or regulatory obligations and to handle complaints or claims.
To ensure that content from our site and the social media accounts that we operate is presented in the most effective manner for you and for your computer.
To send you marketing communications
To manage our business, including to notify you of changes to our services and to our Site.

We do not make any decisions that could have a legal effect, or other significant effect, on you, based solely on automated processing of your personal data.

Market research

We process Research Data (via reputable third-party research agencies acting on our behalf) where you agree to participate in feedback and market research activities such as surveys, questionnaires or focus groups. Where we do so, we share the very limited data required for that research in a safe and secure manner and we agree that when relevant data is shared back with UPP Foundation, it is done so in an anonymised form where possible.

You can decline to take part in any such research activities and opt-out of these types of communications from us by following the unsubscribe link in any of those relevant research communications.

Rest assured, we never sell your personal data to research companies and do not carry out sugging (selling under the guise of research).

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If you would like to understand more about any of our purposes, or you wish us to explain how the processing for the new purpose is compatible with the original purpose, please contact us at upp-foundation@upp-ltd.com.

If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

OUR LAWFUL BASES

To find out more about the types of lawful basis that we will rely on to process your personal data, see the Glossary below.

The following table describes all the ways in which we plan to use your personal data, and which of the legal bases we rely on to do so. Where appropriate, we have also identified what our legitimate interests are.

Generally, we do not rely on consent as a legal basis for processing your personal data. However, we will request your consent before sending third-party direct-marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us at upp-foundation@upp-ltd.com.

Note that we may process your personal data on more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis on which we are relying to process your personal data where more than one basis has been set out in the table below.

If you work for an organisation which is considering entering into a contract with us, we will collect Contact Data and/or Identity Data about you. We may need to continue to hold this information for the duration of any contract between us if you are the individual we are liaising with about that contract. We process this information as set out in more detail in the table below and in any contract entered into between us.

If you would like more information about this or require any clarification, please contact us. There is also useful information about lawful bases guidance from the Information Commissioner’s Office:https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.

Purpose/activity	Type of data	Legal basis for processing (including the relevant legitimate interest basis where applicable)
To deal with your enquiries, and to make contact with you, where you request information about our services.	Identity Contact	To take steps necessary to perform a contract with you, or to take steps at your request prior to entering into a contract with you. Necessary for our legitimate interests: To market or promote our services to you or your organisation where you have made a request for information or discussed our services with us.
To agree and then provide our services to you under our contract with you or your organisation (e.g., our client, grant recipient or supplier) including: (a) Managing payments, fees and charges (b) Collecting and recovering money owed to us	Identity Contact Financial Transaction Marketing Communications	To take steps necessary to perform a contract with you, or to take steps at your request prior to entering into a contract with you. Necessary for our legitimate interests (to manage, strengthen and protect our business, including our relationship with suppliers and grant recipients) Obligations that require us to comply with any legal or regulatory requirements such as Anti-Money Laundering checks.
To contact you where your details have been legitimately provided to us in relation to our services.	Contact	Necessary for our legitimate interests: To approach organisation leads that have legitimately been provided to us, for us to promote our organisation
To make suggestions and recommendations to you about grants or services that may be of interest to you	(a) Identity (b) Contact (c) Technical (d) Usage (e) Marketing (f) Communications (g) Social media	Necessary for our legitimate interests (to develop our services, and to grow our business)
To manage our relationship with you, which will include: (a) Responding to an enquiry or complaint (b) Notifying you about changes to our terms or privacy notice (c) Asking you to update your details.	(a) Identity (b) Contact (c) Profile (d) Marketing (e) Communications (f) Social media	To take steps necessary to perform a contract with you, or to take steps at your request prior to entering into a contract with you. Necessary to comply with a legal obligation Necessary for our legitimate interests: To protect our organisation, including our relationship with clients, grant recipients and suppliers. To keep our records updated and to study how customers use our services).
To ensure that content from our Site and the social media accounts that we operate is presented in the most effective manner for you and for the devices you use to contact us.	Identity Contact Image Technical Usage Marketing Communications Social Media	Necessary to comply with a legal obligation. Necessary for our legitimate interests: To present our Site and social media accounts appropriately to best promote our services. To allow you to participate in interactive features of our service, when you choose to do so.
To send you our newsletter and other communications material about our services or about issues that we think may interest you (by email, text message, social media, post or phone), and to measure or better understand the effectiveness of our marketing material.	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing (f) Communications (g) Technical (h) Social media	Consent (where this is necessary). Necessary for our legitimate interests: To strengthen our relationship with our grant recipients, clients, suppliers and other individuals. To develop our organisation and our marketing and communications strategy. To study how individuals use our services, to develop them and to grow our business
To enable you to partake in a review, a prize draw, competition or a complete survey.	Identity Contact Profile Usage Marketing Communications Social Media	To take steps necessary to perform a contract with you, or to take steps at your request prior to entering into a contract with you. Necessary for our legitimate interests: To maintain our relationships with clients, suppliers, grant recipients and other individuals. To keep our records updated. To study how individuals, use our site and services, to develop them and to grow our business. To improve our site and service to you and make your visits to our site more rewarding. To protect our organisation, including our relationship with clients, grant recipients and suppliers. To study how individuals use our services.
To administer and protect our business and our Sites.	Identity Contact Image Technical Usage Communications Social Media	Necessary to comply with a legal obligation. Necessary for our legitimate interests: To run our business efficiently, including by appointing appropriate suppliers that support our services. To manage our IT systems, including by allowing us and our suppliers to manage network security, troubleshoot, conduct testing, perform system maintenance, provide support and generate reporting. To keep our business secure and safe. To prevent fraud and dishonest behaviour.
To use data analytics to improve our Sites, products and services, marketing and customer relationships and experiences	(a) Technical (b) Usage (c) Social Media	Necessary for our legitimate interests (to define types of customers for our products and services, to keep our sites updated and relevant, to develop our business and to inform our marketing and communications strategy)
To conduct statistical analysis and research.	(a) Technical (b) Usage (c) Marketing and communications (d) Contact (e) Social Media	Necessary for our legitimate interests: To analyse our current or prospective partner, clients/suppliers and social media usage, and services, for business planning. To keep our site updated and relevant. To develop our business and to inform our marketing and communications strategy.

OUR MARKETING

We hope you enjoy and value our newsletter and updates, and our marketing material generally. We may send you this information by various means including email, text message, post, telephone or social media.

We may also use your identity, contact, technical, usage, social media and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which of our services may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or requested services from us and you have not opted out of receiving that marketing.

We respect your right to choose what marketing messages you receive. You can ask us to stop sending you marketing messages at any time by selecting or deselecting relevant boxes to adjust your marketing preferences. You can also follow the opt-out links on any marketing message that we email to you, unsubscribe from our pages on social media platforms that we operate or by contacting us at any time.

We may also ask you to confirm or update your marketing preferences over time, such as when you instruct us to provide further services in the future, or if there are changes in the law or the regulation or structure of our business.

Third-party marketing

Our site is designed to provide information about our organisation. If you make an enquiry with us about another UPP group company (see above), we will pass your enquiry to the appropriate UPP group company so that they can contact you directly, including for their own marketing purposes. We do not otherwise share your personal data with any third party for marketing purposes.

WHO WE SHARE YOUR PERSONAL DATA WITH

All of our contractors and suppliers who process your personal data on our behalf (including our UPP group companies) acting as processors and our UPP Foundation staff (including volunteers, agents, temporary workers and casual workers) are subject to strict contractual requirements in relation to processing personal data.

We may share your personal data with the following parties for the purposes set out in the table in the previous section:

Internal third parties as set out in the Glossary.
External third parties as set out in the Glossary.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

HOW WE KEEP YOUR PERSONAL DATA SECURE

UPP Foundation and all of our UPP group companies have a strong commitment to data security.

We all use reasonable endeavours to protect personal data from loss, misuse or alteration and we have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us online, or that we store about you.

UPP Foundation takes appropriate steps to communicate and train its staff in relation to applicable data protection law.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach. We will notify you and any applicable regulator of a breach where we are legally required to do so.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site or via the social media accounts that we operate; any transmission is at your own risk.

If you would like to know more about our data security measures, please contact us.

INTERNATIONAL DATA TRANSFERS

We will only transfer your personal data to countries that the UK government or the European Commission have deemed to provide an adequate level of protection for personal data. For further details, see the information about adequacy decisions on the European Commission’s website and the UK ICO website.

Where we use certain service providers, we may use specific contracts approved by the European Commission that give personal data the same protection that it has in Europe. For further details, see the information about model contracts for the transfer of personal data to third countries on the European Commission’s website and the UK ICO website.

Currently, we transfer your personal data to the following jurisdictions:

Our email is hosted, and our files are stored using Microsoft 365, which is a cloud service provider based in Ireland. Ireland is considered by the UK as having an adequate level of protection for your personal data.
We use an email marketing management platform that is based in the USA. We only share your email address with this platform for our marketing purposes. Our contract with it incorporates the appropriate EU standard contractual clauses.

Please contact us if you would like further information about the specific mechanism that we use when we transfer your personal data out of the UK or the EEA.

Please note that we have no control over the routes that emails take, and even emails exchanged between two people in the UK could appear on equipment in countries outside the UK or the EEA, where they may not be protected by strong privacy or data protection laws. You will probably not consider this an issue, but if you have any concerns, please raise them with us and we will make alternative arrangements.

HOW LONG WE KEEP YOUR INFORMATION FOR

We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for. This includes satisfying any legal, regulatory, tax, accounting or reporting requirements. We may keep your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine how long we keep personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances, you can ask us to delete your data: see the following section for further information.

In some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

YOUR PRIVACY RIGHTS

You have certain rights under data protection laws in relation to your personal data. These rights are aimed at giving you control over how your personal data is used by us. Please note they may be subject to specific requirements and some limitations.

Request access to your personal data (known as a “data subject access request”). You can ask us to provide a copy of the personal data we may hold about you and to explain the purposes for which we are using it.
Request correction of your personal data. If you notice or believe the information, we hold for you is out of date or incorrect in any way, please let us know and we will rectify this as soon as possible.
Request erasure of your personal data. You can ask for your personal data to be deleted or removed. We need to assess this on a case-by-case basis as there may be justifiable reasons as to why we need to keep hold of your personal data. If this is the case, we will explain the reason(s) in our response to you.
Request restriction of processing your personal data. In certain circumstances you can ask us to suspend or limit our use of your personal data.
Object to processing of your personal data generally. This allows you to ask us to stop using your personal data and it applies in certain circumstances. We may have a strong and legitimate reason to continue using your information. If this is the case, we will explain why in our response to you.
Object to processing your personal data for direct marketing. You always have the right to object to direct marketing from us. Please note this doesn’t necessarily mean we will delete all your details. We hold what’s called a marketing ‘suppression’ file. This means we can make sure we uphold your objection to direct marketing and don’t send you promotional material in the future.
Right to be informed. You can learn how and why we are processing your personal data, the legal basis for that processing, who we have disclosed it to and who we will disclose it to (which we have provided in this privacy notice).

Request transfer of your personal data to you or to organisation. You can request that we send you a machine-readable copy of your personal data or request us to give this to another organisation. This right only applies when we are relying on your consent or where the processing is necessary for the performance of our contract with you.
Right to withdraw consent at any time (provided we are relying on consent to process your personal data). However, this will not affect the lawfulness of any processing based on consent before withdrawal. This may impact our ability to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact our Compliance Team:

- Email address: compliance@upp-ltd.com

Postal address: UPP Foundation, Compliance, First Floor, 12 Arthur Street, London, England, EC4R 9AB

No fee usually required – You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee, or refuse your request, if your request is clearly unfounded, repetitive or excessive.

What we may need from you – We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to someone who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond – We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to complain – We will always endeavour to fully answer any queries you raise with us. If, however you are not happy with our response and the manner in which we have handled your personal data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can do this by visiting the ICO website or calling 0303 123 1113.

THIRD-PARTY LINKS

This website, and information that we may post via pages on social media platforms that we operate (“our sites”), may include links to third-party websites, plug-ins and applications, for your convenience and information. Clicking these links or enabling these connections means that you may leave our sites and may allow third parties to collect or share data about you.

We do not control these third-party websites, the social media platforms themselves or third-party social media accounts or apps. We are not responsible, or liable, for how they process your personal data or for their privacy notices. For example, they may send their own cookies to users, collect data or solicit personal data from you. When you leave our sites, we encourage you to read the privacy notice of every website, app and social media account that you use or visit.

USE OF COOKIES

Like most other websites, we use cookies and similar technologies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly. To find out more about this please see our Cookie Notice.

GLOSSARY

Lawful Basis

Legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best, most secure experience. We make sure that we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Complying with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Third Parties

Internal parties. This includes UPP Residential Services Limited (registered company number: 5337048 and address 1st Floor, 12 Arthur Street, London, EC4R 9AB) which is our main accommodation provider subsidiary) and any of our subsidiaries and parent companies which:

Support our services, for example, by providing us with IT and system administration services, human resources support, compliance and legal advice and leadership reporting.
Have a legitimate need to know in order to respond to your enquiries or to meet our commitments to you.

External third parties are:

Where we are legally compelled to do so, by a court or tribunal, a regulatory authority, and law enforcement agencies.
HM Revenue & Customs, the UK Charity Commission, regulators and other authorities based in the UK who require reporting of processing activities in certain circumstances.
Professional advisers acting on your behalf.
Professional advisers including lawyers, bankers, auditors and insurers based in the UK who provide consultancy, banking, legal, insurance and accounting services
Universities, charities, suppliers and sub-contractors and providers of goods or services for the performance of any contract that we enter into with them to support our organisation business. For example, our sub-contractors:
- [Mailing houses, printers and delivery services such as couriers based in the UK .
- [Payment providers based in the UK .
- Marketing and advertising service providers, analytics providers, marketing research agencies, social media agencies and optimisation providers based in the UK .
- Service providers acting as processors based in the UK who provide IT and system administration and security services including web hosting.
- Our email is hosted, and our files are stored using Microsoft 365, which is a cloud service provider based in Ireland. See above for more details.
- We use an email marketing management platform that is based in the USA. See above for more details.
Our insurers if we need to discuss your organisation’s request for services.
In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets only for that purpose and subject to appropriate confidentiality agreements.
If UPP Foundation or substantially all of its assets are acquired by a third party, in which case personal data held by it about its data subjects will be one of the transferred assets.
In other circumstances we may share your personal data where you have given us your consent for us to do so

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat	1 minute
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.