GuestFlow

Privacy Notice

Who we are:

We are GuestFlow Software Ltd. For the purposes of this notice, the term ‘we’ encompasses all those employed by us to carry out our business, either directly or as external contractors.

Our Contact Details:

If you have any questions about this Privacy Notice, please contact: sales@GuestFlow.co.uk

  1. Privacy laws

    The processing of personal data is governed by the General Data Protection Regulations (GDPR), enacted in the UK by the Data Protection Act 2018.


  2. The capacities in which we process data

    In providing you with our software platform we will be acting both as;

    1. a controller of personal data (as defined by Article 4(7) GDPR) with respect to any processing for which we determine the purpose and means. This includes data that we obtain from you in order to facilitate the administration of our business relationship and the fulfilment of our contract with you, and;

    2. a processor of personal data (as defined Article 4(8) GDPR) with respect to the processing of data you share with us in order to fulfil a purpose determined by you. In this capacity, our processing is limited to the storage of data uploaded to the GuestFlow platform by the controller, and we do not conduct any business activities using that data nor routinely have direct interaction with it. Data subjects wishing to ensure and enforce their privacy rights in respect of data uploaded to the GuestFlow platform by a data controller should contact that controller in the first instance. GuestFlow Software Ltd will support the controller in complying with those rights as described in Appendix A of this Notice.


  3. The purposes of this privacy notice are;

    • To inform you about our processing of your data as a controller under 2(a) above, in accordance with the ‘transparency’ requirement of Article 13 GDPR, and;

    • To establish the legal basis and other stipulations upon which we process data as a processor under 2(b) above in accordance with Article 28 GDPR (see Appendix A).


  4. The types of personal data we collect

    The personal data we use may include, but is not limited to:

    • Your name, address and contact details, including email address and mobile telephone numbers;

    • The names, addresses and contact details, including email address and mobile telephone numbers of other individuals in your company;

    • The terms and conditions of your contract with us for the provision of our software services.


  5. How we collect the personal data

    We may collect this information in a variety of ways. For example, data might be collected through;

    • correspondence with you; or

    • through interviews and meetings.

    We may also obtain personal data indirectly from sources such as public registers.


  6. Providing your personal data

    We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide professional services to you.


  7. What we use your personal data for

    Fulfilment of contract

    • Providing access to our GuestFlow software platform as defined in Letters of Engagement or contracts between us.


      Other business purposes

    • As necessary for our own legitimate interests or those of other persons and organisations;

    • For good governance, accounting, managing and auditing our business operations both internally and by third parties;

    • For surveys of client experience and quality of our software services;

    • To monitor emails, calls, other communications;

    • For market research, other surveys and analysis and developing statistics for improving business performance.


      To comply with a legal obligation

    • When you exercise your rights under data protection law;

    • For compliance with legal and regulatory requirements;

    • For the establishment and defence of legal rights;

    • For activities relating to the prevention, detection and investigation of crime, and;

    • To investigate complaints, legal claims and data protection incidents.


  8. The legal basis for processing

    We will process your personal data under Article 6 (1)(b) of the GDPR, on the legal basis that processing is necessary for the performance of a contract for the provision of our software services, or in order to take steps at your request prior to entering into a contract.

    In addition, we may process your personal data on the following legal bases;


    • Legal obligation: the processing is necessary for compliance with a legal obligation - Article 6 (1)(c);

    • Vital interests: the processing is necessary to protect someone’s life - Article 6 (1)(d);

    • Public interest: the processing is necessary to perform a task in the public interest - Article 6 (1)(e);

    • Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third-party - Article 6 (1)(f).

  9. Sharing of your personal data

    Subject to applicable data protection laws we may share your personal data with;


    • Sub-contractors and other persons who help us to provide services to you;

    • Our legal and other professional advisors, including our auditors;

    • Fraud prevention agencies, credit reference agencies, and debt collection agencies;

    • Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner's Office;

    • Courts, to comply with legal requirements, and for the administration of justice;

    • In an emergency or to otherwise protect your vital interests;

    • To protect the security or integrity of our business operations;

    • When we restructure or buy or sell our business or its assets or have a merger or re- organisation;

    • Payment systems and providers; and

    • Anyone other party where we have your consent or as required by law.


  10. Use of your personal data for marketing purposes

    With your consent, and subject to your communications preferences, we may use your contact details to send you emails containing information on new services which we think may be of interest to you. We will not share your data with any external party for marketing purposes.

    You are free at any time to change your mind and withdraw your consent by contacting us using the details given at the top of this Notice. This will not affect the services we provide to you.


  11. How long do we keep your data?

    Information may be kept for up to five years from the termination of the contract between us or the date of the last provision of professional services to you by us, whichever is the later.

    Information may be held for longer periods where any of the following apply;

    • Retention in case of queries. We will retain your personal data as long as necessary to deal with any outstanding queries you may have;

    • Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us; and

    • Retention in accordance with other legal and regulatory requirements. We will retain your personal data after you have received services based on legal and regulatory requirements and obligations pertaining at any given time.


  12. Your rights under applicable data protection law

    Your rights are, where applicable;


    • The right to be informed about processing of your personal data;

    • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;

    • The right to object to processing of your personal data;

    • The right to restrict processing of your personal data;

    • The right to have your personal data erased (the "right to be forgotten”);

    • The right to request access to your personal data and information about how we process it;

    • The right to move, copy or transfer your personal data ("data portability"); and

    • Rights in relation to automated decision-making including profiling.


    You may exercise these rights by contacting us using the details given at the top of this Notice. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.


  13. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us using the details given at the top of this Notice.

You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data;

Information Commissioner’s Office

Wycliffe House Water Lane Wilmslow Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Appendix A

Stipulations for acting in the capacity of a data processor

The data we process under 2(b) above will consist of data provided to us by a third-party acting as its controller, to enable use of the GuestFlow software platform for their commercial purpoes. We will process such data on the understanding of the controller’s compliance with the provisions of the GDPR and, in particular, that;

  • They have met the transparency requirements of Article 13 GDPR in respect of informing those data subjects about the sharing of their data with us and our processing of it, and;

  • They have established and documented legal bases for the processing of their data and, in particular, any special category data such as biometric data. Where such legal bases include the consent of the data subject, they have obtained, and documented, informed and freely given consent.

    In acting as a data processor on a controller’s instructions, we confirm that we shall respect the privacy rights and freedoms of those data subjects whose data they share with us. In particular, and in accordance with the requirements of Article 28 GDPR, we shall;

  • Only act on their documented instructions, unless required by law to act without such instructions or it is in the vital interests of the data subject to do so;

  • Ensure that people processing the data are subject to a duty of confidence;

  • Take appropriate measures to ensure the security of processing;

  • Only engage a sub-processor under a written contract which contains all of the technical and organisational measures necessary to ensure compliance with these stipulations and any other GDPR requirement relevant in the circumstances;

  • Take appropriate measures to assist the controller to respond to requests from individuals to exercise their rights under GDPR;

  • Taking into account the nature of processing and the information available, assist the controller to meet their GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

  • Delete or return all personal data to the controller (at their choice) at the end of the contract, unless the law requires its storage or one of the criteria detailed at Section 8 are met; and

  • Submit to audits and inspections.

Privacy NoticeGuestflow Status