Effective Date: 1st January 2020
This “Privacy Notice” explains how Bleep (UK) PLC (“Company”, “Bleep” or “we”) collects, uses, discloses, and otherwise processes personal data on behalf of our customers in connection with our general business operations and supply of point of sale systems (“Bleep POS”) – relating to hardware, software, services and third-party integrations. This includes the personally identifiable information we already hold about you currently and the further personally identifiable information we might collect about you, either from you or from a third-party, in the future.
Bleep takes privacy matters extremely seriously and is committed to GDPR and Data Protection legislation compliance. We may provide additional or supplemental privacy notices to individuals at the time we collect their data, which will govern how we may process the information provided at that time.
This policy explains how we operate as a “data controller” (covering our sales, marketing, accounting, human resources and recruitment processes) and “data processor” (on behalf of our clients concerning their Bleep POS system) with regard to obtaining and processing individuals’ personally identifiable information in order to conduct standard business operations for clients, prospective clients and third parties.
Personal Data We Collect
We may collect and use a variety of personally identifiable information depending on the products and services we deliver for you. We may need to use the following data:
- Personal Information.
- Contact details – name, address, email, home and mobile telephone numbers.
- Age – date of birth.
- Identification – information to allow us to check your identity.
- Photograph – information to record your identity.
- Online computer identification (IP address) – information recorded when you engage with us by email.
- National Insurance numbers – information to carry out functions such as payroll and/or supporting people contracts.
- Next of kin.
- Marital Status.
- Reference Numbers (e.g. passport) where your personal information appears.
- Bank and Payment details – for payments for contracted services.
Also, as part of services relating to Bleep POS systems and our business operations, we may collect:
- Information that we collect when a customer interacts with Bleep POS
– Information that we collect from POS transactions
Bleep EPOS terminals are semi-integrated with Ingenico card payment devices. This means that Bleep EPOS terminals do not hold any payment data and only the Ingenico PDQ devices hold this data – which is why they require PCI compliance.
Ingenico, as our payment device partner, is a Payment Card Industry Data Security Standard (PCI-DSS) certified organisation.
– Additional information customers may provide through the Bleep POS
Additional information may be collected, depending on how a customer configures its Bleep POS system. This information may include:
- Product names, detail and costs.
- Customer names, address, phone number, email address.
- Employee name (first and surname).
- Any other information you choose to enter into the Bleep POS.
- Information that we collect about our customers
This information may include email addresses, site contact details, phone numbers, bank details, and purchase history for accounting or operational/support purposes.
- Information that we collect about customers and their personnel
We may collect personal data directly from our customers (including prospective customers) about themselves and their personnel. We may collect information from these parties in a variety of contexts, such as when completing one of our online forms, making an application for one of our products or services, interacting with us on social media, or corresponding with us. The types of information we obtain in these contexts include:
- Contact information of the business entity and its personnel who interact with us, such as name, job title, address, telephone number, and email address.
- Information about individuals’ affiliation with a legal entity, such as an individual’s role, and whether he or she is a beneficial owner or authorised signatory.
- Feedback and correspondence, such as information you provide when you request information from us, receive customer support, or otherwise correspond with us, including by interacting with our pages on social networking online sites or services.
- Financial account information, such as payment card or bank account details.
- Information related to the use of Bleep products or services, such as account information, spending thresholds, spending activity and patterns, and information about the transactions we process.
- Information about your personnel and their interaction with the Bleep POS, such as clock-in and clock-out time, tips earned, and additional job-related information depending on how the client configures its Bleep POS.
- Marketing information, such as your preferences for receiving marketing communications, merchant surveys, and details about how you engage with our marketing communications.
- Information collected via third-party applications
Our clients may choose to integrate Bleep POS with various third-party applications. Bleep may receive personal data about customers, customers’ customers, or customers’ personnel as a result of their use of the third-party application.
We are not responsible for the privacy practices of third-party applications that are run on or with Bleep POS or the scope or quality of the data that such an application transmits to us; however, we will treat the data we receive from the third-party application per this Privacy Notice.
- Information that we collect from private and publicly accessible sources
Our service providers, alongside Bleep, may collect information about individuals that is publicly available, including by searching openly accessible government lists of public records databases (such as company registries and regulatory filings), and by searching media and the internet. We and/or our third-party verification providers may also collect information from private or commercially available sources, such as by requesting reports or information from credit reference and fraud prevention agencies to the extent permitted under applicable law.
- Information collected via automated means
When you access our websites or interact with our digital content, we, our service providers and our partners may automatically collect information about you, your computer or mobile device, and activity on our websites or mobile applications. Typically, this information includes your computer or mobile device operating system type and version number, manufacturer and model, device identifier (such as the Google Advertising ID or Apple ID for Advertising), browser type, screen resolution, IP address, the website you visited before browsing to our website, general location information such as city or geographic area; and information about your use of and actions on or in our websites or mobile applications, such as pages or screens you accessed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access.
- Sensitive personal data
In the context of processing employment applications, we may also request sensitive information, such as racial or ethnic origin, where required or permitted by law of the country in which you are applying for employment.
Outside of these contexts, or otherwise as we specifically request, we ask that you not provide us with any sensitive personal data (meaning information revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic, health, or biometric information, information about sex life or sexual orientation, or criminal convictions or offences) through our websites or mobile applications, or otherwise to us.
How We Collect Your Personal Data
We obtain and collect personally identifiable information by various methods, such as via an online enquiry form, face to face, email, telephone, correspondence and/or by receiving this information from others.
Some further examples of how we may gather your personally identifiable information are detailed below:
- Completing an enquiry form, an application form for products or services, or responding to a job vacancy.
- From monitoring or recording calls as part of quality control and complaints monitoring.
- From monitoring your use of our website.
- As a part of fulfilling our obligations to you, under a written contract or otherwise, as a customer, supplier or business partner of Bleep.
How We Use Your Personal Data
We use the personal data we collect to support our business operations, provide our services and to support the overall functionality of our POS systems. From time to time, we may share your information (if you are a customer, supplier or partner) when necessary for legitimate operational reasons. This may be to fulfil contractual service obligations.
We may also use personal data for related internal purposes, including:
- To provide information about the POS system, such as essential updates or changes and security alerts.
- To measure the performance of and improve the system.
- To respond to inquiries, complaints, and requests for customer support.
Also, we may use any personal data as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal processes, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our application; (d) protect our rights, privacy, safety or property, and/or that of you or others; and (e) protect, investigate and deter against fraudulent, harmful, unauthorised, unethical or illegal activity.
Bleep maintain data catalogues for all operational departments, covering all uses of personally identifiable data, why it is processed, how it is stored, access levels and the data retention period.
We only use personally identifiable information where it is permitted by the legislation that protects your privacy rights, such as where:
- We need to deliver a service contract or enter into a contract with you.
- We need to use the information for operational purposes or for our clients.
- We need to comply with our legal obligations.
When we consider using your information for the last purpose stated above we will consider if it is fair to use the personally identifiable information either in our interests or someone else’s interests, and only where there is no disadvantage to you – this can include where it is in our interests to contact you about like for like products or services from Bleep to a business and Bleep to an individual.
Where we need to seek your consent (if permission is required), we will do so, and this consent can be retracted at any time.
How We Share Your Personal Data
We may share the personal data that we collect with:
- The client from whom or on whose behalf we collected the personal data.
- The platform on which our application runs, the Bleep POS/Web Back Office.
- With third parties as a client may direct.
- With third-party service providers that help us manage and improve our contracted services.
- With subsidiaries and corporate affiliates for the purposes described in this Privacy Notice.
We will only pass on information about you or your business to third parties to enable us to perform services requested by you or with your prior consent or otherwise deemed necessary via a service contract.
In certain circumstances, we may need to disclose information about you if you breach this privacy notice or if you breach the Terms and Conditions. We may also disclose or access your account if required to do so by law or by any Governmental body.
Data Subject Rights
GDPR gives data subjects more rights concerning their data. These include:
- Right to rectification.
- Right to be forgotten.
- Right to access.
- Right to object to processing.
In accordance with the requirements, Bleep has developed operational policies/procedures to enact these requests on receipt from the data subject. All requests will be recorded.
The Data Protection Officer and management team will either enact the request and confirm back to the data subject or reject the request with an appropriate rationale.
If you have a complaint about how we handle personally identifiable data, you may contact our Data Protection Officer (details below).
How We Keep Your Data Safe
We have implemented security policies, procedures and formal technical measures to protect an individual’s personal information that we have under our control from:
- Unauthorised access.
- Improper use or disclosure.
- Unauthorised modification.
- Unlawful destruction or accidental loss.
GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
As a result of the requirements, Bleep has undertaken several physical and technological measures to protect the data. These include, but are not limited to:
- Logical access controls.
- Business Continuity plans.
- Segregated file servers.
- Third-party due diligence.
All our employees, representatives, board members and third-party contractors (data processors) whom we engage, who have access to, and are associated with the processing of, your personal information, are obliged to respect its confidentiality and only process the information based on our instructions. We ensure that your personal information will not be disclosed until all security assurances have been documented. Annual awareness training is conducted for all staff to ensure this is adhered to.
With regard to our customers’ data, as part of our service provision relating to Bleep POS, this is currently hosted on Digital Ocean and Vultr Cloud service provider platforms, where it is fully protected and backed up.
Cross Border Data Transfer
GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
These conditions include:
- Model Clauses implemented.
- Documented due diligence.
- Privacy statement and contract/terms and conditions clearly articulate that data will be transferred and may be accessed outside of the European Union.
We may need to transfer your information outside the UK and to service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the European Economic Area. When transferring data, we will ensure that your personal information is only used in accordance with this privacy notice and applicable data protection laws and is respected and kept secure.
You may contact us with questions about our transfer mechanism.
How long we keep your personal information for depends on the services we deliver to you.
We will never retain your personally identifiable information for any longer than is necessary for the purposes for which we need to use it.
You may contact us for additional information about our data retention practices in connection with the application. Our data retention policy is as follows:
- Each department will evaluate the age of all data stored, both physically and logically.
- On identification of any data being stored outside of the defined retention period, the DPO should be notified.
- The Head of Department will discuss with the DPO to agree on the appropriate deletion of the records.
- DPO will record the incident on the Breach log.
- All physical records are to be securely destroyed.
- Logical records should be deleted in collaboration with Information security.
- All information, decision and actions will be recorded on the and provided to the Data Protection Officer on completion of the incident.
Data Subject Rights
Data subjects in Europe have certain rights relating to their personal data, which include the rights to request from the Controller (a) access to the data subject’s personal data; (b) correction of incomplete or inaccurate personal data; (c) erasure of personal data; (d) restriction of processing concerning the data subject; and (e) that the controller provides a copy of the data subject’s personal data that the data subject provided to the controller in a structured, commonly used and machine-readable format.
Data subjects may also object to a controller’s processing of personal data under certain circumstances. Where the processing is based on a data subject’s consent, the data subject has the right to withdraw consent at any time; however, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Data subjects may also file a complaint with a supervisory authority.
Data subjects in Europe should direct any rights request to the appropriate Controller.
Bleep also collect information about the usage of our website. We use this information to understand how the website is used and to develop our online presence.
You may change your website browser settings to reject cookies, although please note that if you do this, it may impair the functionality of our website or other websites.
Changes to This Privacy Notice
We reserve the right to modify this Privacy Notice at any time. We will notify you of updates by updating the date of this Privacy Notice.
You are entitled to view, amend, or delete the personal information that we hold on you or your business.
If you have any questions about this policy or your personal data, please direct them to our Data Protection Officer:
Telephone: 020 8961 5200