WYA Logo

PRIVACY POLICY

1. INTRODUCTION

This Privacy Policy explains how and why any personal information that could identify you that you provide to us or that we obtain (“Personal Data”) will be used and disclosed by us in connection with your use of the WYA® website, application (“App”) and the WYA® Service. Please read this Privacy Policy carefully. By using our website, App and/or our WYA® Service, you consent to this Privacy Policy and the processing of your Personal Data as described below. In the context of the law and this policy, “processing” means collecting, storing, transferring, using or otherwise acting on information.

The law requires us to tell you about your rights and our obligations to you with regard to the processing and control of your Personal Data. We do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org. Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website or App.

The law requires us to determine under which of six defined bases we process different categories of your Personal Data, and to notify you of the basis for each category. If a basis on which we process your Personal Data is no longer relevant then we shall immediately stop processing your data. If the basis changes then if required by law we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.

To help protect the privacy of Personal Data processed by us, we maintain appropriate physical, technical, organisational and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your Personal Data to those WYA® personnel who need to know that information to provide benefits or services to you. In addition, we train our personnel about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.

2. ABOUT US

The App and the WYA® Service are provided by WHERE YOU AT Limited, registered in England and Wales, no. 12384414 (referred to in this Privacy Policy as “us”, “our” or “we”). Our contact details are in section 12 below.

We take seriously the protection of your privacy and confidentiality. We understand that all visitors to our website or who use our products and services are entitled to know that their Personal Data will not be used for any purpose unintended by them, and will not accidentally fall into the hands of a third party. We undertake to preserve the confidentiality of all information you provide to us, and ask you to reciprocate in respect of our confidential information. Our policy complies with EU data protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), with The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK Privacy Laws”) and with Statutory Instrument 336 of 2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (together, “Data Protection Laws”).

For the purposes of the Data Protection Laws, we are the controller of your Personal Data (that is, the person responsible for deciding how to hold and use your Personal Data), and you are the data subject.

Our Data Protection Officer (“DPO”) can be contacted as follows: dpo@whereyouat.co.uk You must be 18 years or older to download and use the full App and use the WYA® Service. In some cases an adult may set up and manage an account on behalf of a child.

3. THE SERVICE

The App enables us to provide you with access to the WYA® Service, An award winning app attempting to tackle the feelings of vulnerability in the night-time economy. General information about the WYA® Service can be found on our website at wya.world (“Site”). Further details of how to access, download and register with the App, and how the Service will be delivered, will be confirmed to you by the company or other entity for which we provide the WYA® Service.

We provide the service to you and your friendship group directly, but it may be offered through a third party event organiser or event site (“Service Participant”). Service Participants will have anonymised data and not have access to your Personal Data through us. Your Personal Data provided to WYA® will be retained by us securely.

When you download and register with the App, you will be asked to give your consent to use the WYA® Service, and to confirm that you are aware of the collection, use and transfer of your Personal Data under the terms of this Privacy Policy.

Further details of how the WYA® Service works will be given to you, either by us or by the Service Participant, when you register with the App.

4. DATA WE COLLECT AND HOW WE USE IT

4.1 App. When you register with the App, contact us by email, telephone or post, you consent to this Privacy Policy and we ask you voluntarily to provide details of:

  • your name (can be first or nickname);
  • your email address;
  • your phone/mobile phone contact number;
  • temporary location. Please see section headed Location Personal Data below
  • sensitive data (eg allergies, health concerns) with express consent where required;
  • friendship group identifier.
  • your home address and/or other current residential address, including postcode.

We will ask you to confirm that all information about yourself that you give to us is true, complete and accurate. If any of your Personal Data changes while you are using the Service, you may edit your earlier responses in the “my account” section of the App, or inform us at: dpo@whereyouat.co.uk. When we receive any request to access, edit or delete Personal Data we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.

4.2 Website. When you visit our website, we collect various Personal Data, which may include your IP address and information regarding which pages are accessed and when. When you use the Contact/Email us page, we collect your name, email address and possibly other contact details.

4.3 Third Party Information. With your consent, we may combine information from third parties with information you give to us and information we collect about you. We may use this information and the combined information for the purposes of the Service (depending on the types of information we receive).

4.4 We will also store information that your device provides to us in connection with your use of the App, such as your type of device, browser type, and its unique identifiers operating system, unique reference IDs, network information and requested and referring URLs. The lawful basis on which we collect this information is that it is necessary to enable us to maintain the App and to provide the Service, and also necessary for our legitimate interest in maintaining and improving the functionality of the App.

4.5 WYA® Team. When you apply to or join the WYA® team in any capacity, we shall be Data Controller in respect of your Personal Data and this Privacy Policy shall apply. Where you provide your Personal Data to us as a prospective or current member of the WYA® team, this enables us to fulfil our contractual obligations to you and/or is necessary for legitimate purposes. You will receive GDPR training and this Privacy Policy is an important part of that training.

4.6 Third Party Business Contact. When you contact or contract with WYA® as a professional, for example as personnel of a Service Participant, with a few exceptions, we require Personal Data limited to the kinds of information that can be found on a business card: first name, last name, job title, employer name, work address, work email, and work phone number. If you have any concerns or questions about your personal data in these circumstances, in the first instance you should contact your employer.

4.7 Lawful basis. In order to progress and act upon your communications and requests and provide Services to you, we must process the information you give to us. The lawful basis on which we collect this information is that it is necessary to enable us to provide the Service, and also to comply with our legal obligations. We usually process Personal Data with your consent and/or in connection with a contract with you. We also may process your Personal Data where we have a legitimate interest in doing so, for example lawful direct marketing. Sometimes, we must process your information in order to comply with a statutory obligation, as necessary to protect the security and integrity of the App and website and our Services or in response to a request for cooperation from a law enforcement or other government agency. For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. This information may include your Personal Data. Further, your Personal Data may be used: to permit applications for employment with us and related activities to such applications and contracts for service or services; to establish or exercise legal rights; to bring or defend legal claims; for responsible corporate governance or as otherwise required or permitted by applicable laws and/or regulations; in circumstances in which we believe disclosure is appropriate in connection with fraud prevention and prevention of other illegal, or unlawful activity or any other activity which is or may be contrary to our legal and regulatory compliance obligations and for other legitimate purposes as provided by the Data Protection Laws.

4.8 If You Do Not Provide Personal Data. Where we need to collect Personal Data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to provide the Service or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel Service you have with us but we will notify you if this is the case at the time.

5. HOW WE USE YOUR PERSONAL DATA

We process your Personal Data for specific purposes and only so far as reasonably necessary. We will use the Personal Data primarily to provide you with the App functionality and the WYA® Service, on the lawful basis that it is necessary for the provision of the WYA® Service.

We may also use the Personal Data to:

  • improve the quality and content of the App/website;
  • notify you about important functionality changes and alterations to the App and/or the WYA® Service (including material changes to this Privacy Policy and/or the Terms of Use);
  • in some cases, with your consent and subject to privacy control settings, to allow a venue to cross-match data for purposes separately disclosed to you;
  • • provide you with support and information about the App and/or the WYA® Service.

We will do so on the basis that it is necessary for our legitimate interests in providing the App and the WYA® Service, and maintaining and improving their functionality.

We may also use the information which we collect to: Administer our APP and website, for internal operations, including troubleshooting, data analysis, testing, research, statistical / review; Improve our APP and website to ensure that content is presented in the most effective manner for you and for your computer; As part of our efforts to keep our site safe and secure; Measure or understand the effectiveness of any advertising we serve to you and others, and deliver relevant advertising to you; Make suggestions and recommendations to you and other users of our APP and website about Services that may interest you or them.

6. WHO WE SHARE YOUR PERSONAL DATA WITH

Your Personal Data will be kept anonymous when you provide it to us within the App. If you later wish to change the option you have chosen, you can do so at any time by using the “my account” section of the App or by contacting us at dpo@whereyouat.co.uk

We will not, without your express consent or when you are an existing contact, provide your Personal Data to any third parties for the purpose of direct marketing. We will only share anonymised data (not Personal Data) with the Service Participant; we only share Personal Data with the service participant (and your friendship group where reasonably necessary), on the legal basis that you have consented to our doing so in emergency circumstances. We may also disclose your Personal Data:

  • if we are under a duty to do so in order to comply with any legal or regulatory obligation or request, on the legal basis that it is necessary to enable us to comply with our legal obligations;
    • or
  • in order to enforce or apply this Privacy Policy, to investigate potential breaches, or to protect the rights, property or safety of us, other users, or others, on the legal basis that it is necessary for our legitimate interests to do so

This may include exchanging information with other companies and organisations for the purposes of legal advice and enforcement.

If we reorganise our group of companies so that we need to transfer your Personal Data to another group company, or if another company acquires us or all or substantially all of our assets, we will transfer your Personal Data on the legal basis that it is necessary for our legitimate interests to do so, and that other company will possess the same information and will assume the rights and obligations with respect to that information as described in this Privacy Policy.

Except as set out above, we will never sell, distribute or disclose any of your Data (except anonymised aggregate information) with any third party without your express consent.

7. WHERE WE STORE AND OTHERWISE PROCESS YOUR PERSONAL DATA

7.1 Why is Location data critical for the WYA® application?

We collect information about your location when you use our services, which helps us offer features such as: searching for you, arranging emergency services and venue assistance to you in emergency circumstances. Location information plays a critical and essential role to enable WYA® to provide the Services. When you first subscribe to the Services, you opt in to provide location data.

Location data is collected from you in two distinct forms:

  • i. At an event:
    • - High precision geolocation capabilities are required, due to the usual lack of accuracy of GPS and sensors in high capacity, low connectivity venues. This allows users to safely navigate venues whilst having the peace of mind that they know exactly where their group is located, to degrees of up to 10 centimetres.
  • ii. Getting to/from an event:
    • - Low precision geolocation capabilities are required during the period of event organisation, so users can see the locations of their friends and make best judgement as to the nature of their transport, schedules, and groups for the event.

7.2 How is Location determined?

WYA® uses a combination of technologies to offer the full suite of functionality to users and location accuracy. GPS (GNSS) covers users in external spaces where accuracy requirements are low. WYA® uses BLE (Bluetooth Low Energy, Eddystone, iBeacon) inside of venues in order to provide the maximum level of precision where user personal safety is at stake.

7.3 What type of Location Personal Data is stored and for how long?

Location data is stored on your device for the duration of your session plus two weeks. A session commences when you authenticate (login to) the WYA® application. The data is of type GeoJSON. This is an extension of the widely standardised Javascript Object Notation.

The types of location data we collect and how long we store it also depend in part on your device and account settings. For example, you can turn your Android device’s location on or off using the device’s settings app. You can also turn on or off Location History if you want to create a private map of where you go with your signed-in devices. And if your Web & App Activity setting is enabled, your searches and other activity from Google services, which may also include location information, is saved to your Google Account.

7.4 How You can opt-out, and what are the impacts to the Service?

WYA® requires you to opt in to provide location data when you first subscribe for the Services. The permission to access your location at the GPS (GNSS) level appears at the point of authentication, when you create an account and first access the Services.

There are two critical internal applications of location data, so the ability to opt-out is after first subscription in addition at two stages:

  • i. You can personally at any time deny any one or more other user(s) access to your location by turning access off just for them, or by removing them as a friend.
  • ii. On high precision (BLE) location, WYA® has implemented a system where you opt in, in advance, to give consent for venue location for the duration of the event. This location data is only shared by WYA® with the relevant event venue (third party) in the circumstances of an emergency (by hitting the trigger in the WYA® application).

If you opt out of providing location data, WYA® may not be reasonably able to provide the Services. If you do not agree to share your location with the venue, WYA® would be unable to communicate an emergency to the venue, since the only information they would have is "someone somewhere is having an emergency".

WYA® provides a button (ghost mode) to enable you to hide your location data for set periods or until switched back on. When location data is switched off, WYA® may be able to ascertain your last known location but cannot provide the Services in full.

7.5 Who is Your Location shared with?

Location data is stored and otherwise processed solely for the provision of the Services and is not shared with third parties, other than your friends or other emergency contacts (where you have opted in), the event venue (where applicable), and emergency services as legally necessary. The location data will not be sold nor shared for advertising purposes. When you opt in, your location is shared with:

  • i. Your friends. On a per user basis.
  • ii. The venue, only in the event of an emergency. Opt in/out when you arrive at the venue for an event.
  • iii. As required by law.
  • iv. (Express opt in - third party emergency contact eg parent).

7.6 Google

has its own privacy policy regarding location history and usage for your personal data including location data (and other matters) to which you are referred. (Please see: https://policies.google.com/privacy)

7.7 WYA® does not guarantee

the precision of the geographical location sent by you through its third party suppliers GPS and/or BLE (Bluetooth Low Energy, Eddystone, iBeacon). The precision of your location depends on your wi-fi and mobile network

8. WHERE WE STORE AND OTHERWISE PROCESS YOUR PERSONAL DATA

We use third party suppliers to process your Personal Data. We process and store all Personal Data with third party service providers (Google) who provide encryption and other adequate technological and organisational measures to secure Personal Data in transit and at rest.

In usual circumstances, all disclosures of Personal Data and its processing are within the European Economic Area (EEA) and UK; the UK is deemed by the EEA to be GDPR compliant with an adequate level of protection for compliance with Data Protection Laws under Article 45 of GDPR. The disclosures and processing of your Personal Data described in this Privacy Policy may in some circumstances be outside of the EEA or UK, for example if you yourself are based outside the European Economic Area (EEA); in such circumstances your contact or contract may involve the transfer, storage or processing of your Personal Data to such country, where the level of data protection is not as high as in the EEA. By providing us with your Personal Data in such circumstances you agree to such transfers of your Personal Data. We will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Policy.

The Personal Data which we collect from you is stored in one or more encrypted databases hosted by third parties located in the United Kingdom or EEA. These third parties do not use or have access to your Personal Data for any purpose other than cloud storage and retrieval. Our service providers are only based in countries within the European Economic Area whose laws provide for a different standard of protection for your personal data than that provided under UK law. In these cases, we will ensure that they have provided adequate means of protection in accordance with the applicable Data Protection Laws, such as by means of the European Union’s standard contractual clauses for transfers of Personal Data outside the European Economic Area.

We follow generally accepted industry standards to protect the Personal Data we collect or produce in connection with the WYA® Service. However, no method of transmission (in particular email) over the internet or via a device is totally secure and you transmit your Personal Data at your own risk. We will take all steps reasonably necessary to ensure that your Data is treated securely and in accordance with this Privacy Policy, but we cannot take responsibility for any unauthorised access or loss of personal information that is beyond our control.

9. COOKIES

The WYA® App uses cookies to distinguish you from other users of the App, and to help us provide you with a good experience when you use the App. Further details can be seen on our Cookies Policy.

10. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?

We keep Personal Data for no longer than necessary. We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your Personal Data are available in our retention policy which is available from dpo@whereyouat.co.uk. To determine the appropriate retention period for Personal Data, we have regard to the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from its unauthorized use or disclosure, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise and aggregate your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you. For example we may use the anonymised information in a general way and use it to provide class information to monitor our performance with respect to a particular service we provide. If we use it for this purpose, you as an individual will not be personally identifiable and Data Protection Laws are not relevant.

We may pseudonymise the data earlier if you so request in writing. We retain all Personal Data of personnel resources (including directors) and suppliers for six years from your last contract in accordance with applicable laws and regulations.We may pseudonymise the data earlier if you so request in writing. We retain all Personal Data of personnel resources (including directors) and suppliers for six years from your last contract in accordance with applicable laws and regulations.

We may pseudonymise the data earlier if you so request in writing. We retain all Personal Data of personnel resources (including directors) and suppliers for six years from your last contract in accordance with applicable laws and regulations.

In some cases, our insurers require us to retain some data for seven years to allow for a six-year legal limitation period and additional time to allow for notification and processing of any insurance claim. This also helps us meet our tax record-keeping obligations.

At the end of the periods indicated above, it may not be possible in certain cases to physically delete the data (for instance, where it is stored on a secure external server), in which case we will take appropriate steps to ensure that it is not available for re-use or disclosure to third parties.

11. YOUR RIGHTS AS A DATA SUBJECT

As a data subject you have certain rights including:

  1. the right to access the information held about you;
  2. the right to ask us not to process your personal data for marketing purposes;
  3. the right to ask us to rectify inaccurate personal data about you;
  4. the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit the data to another controller without hindrance (data portability);
  5. the right to ask for the restriction of personal data concerning yourself that is inaccurate, unlawfully processed, or no longer required;
  6. the right to ask for the erasure of personal data concerning yourself where processing is no longer necessary, or the legitimate interests we have in processing your data are overridden by your interests, rights and freedoms as the data subject;
  7. where the processing of your personal data is based on a consent you have given, the right to withdraw that consent at any time;
    8. and
  8. to make a complaint to the Information Commissioner’s Office in the UK via the website www.ico.gov.uk or by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Please copy any such communication to us so that we can work to resolve any outstanding issues promptly. We request that you allow us an opportunity to resolve any complaint you might have in the first instance; we shall endeavour to resolve your queries promptly. If we feel that the complaint is justified or if we believe the law requires us to do so, we shall remove the content while we investigate. If we think your complaint is vexatious or without any basis, we shall not correspond with you about it. When we receive a complaint, we record all the information you have given to us. We use that information to resolve your complaint. If your complaint reasonably requires us to contact some other person, we may decide to give to that other person some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.

12. CHANGES TO PRIVACY POLICY & FUTURE DEVELOPMENTS

We may revise this Privacy Policy from time to time. The most current version of this Privacy Policy will govern our use of information about you and will be located on this page. If we make material changes to this Privacy Policy, then where appropriate we will notify you by email or by posting a notice on the App and/or the website prior to the effective date of the changes. By continuing to access the App and/or website after those changes become effective, you agree to be bound by the revised Privacy Policy

13. FURTHER INFORMATION

If you have any questions or requests regarding our use of your Personal Data, please contact us by email to: dpo@whereyouat.co.uk 124 Finchley Road, London, England, NW3 5JS