Privacy statement for customers

1 - Introduction and Contact Information
2 - Visitors to Our Website and Marketing Service
3 - Your Privacy Rights
4 - What Personal Identifiable Information do we ask for?
5 - How we gather your Personal Identifiable Information
6 - How we Lawfully use your Personal Identifiable Information
7 - Automated Decision Making
8 - Sharing your Personal Identifiable Information
9 - Data Transfers
10 - How Long Do We Keep your Personal Identifiable Information for?
11 - Keeping you up to date
12 - Confidentiality and Security
13 - Aareon UK (AUK) Commercial and Employee Information
14 - Your Customer Data

1. Introduction and Contact Information

1.1 This is the Aareon UK Limited (AUK) Privacy Notice. AUK is a company registered in England under company number 3990481 and is part of a group of companies with Aareon AG (a company based in Germany) as the Parent Company. This Privacy Notice describes the categories of personal identifiable information (PII) we process and for what purposes. We are committed to collecting and using data fairly and in accordance with the requirements of the UK’s Data Protection Act 2018 (DPA) and the General Data Protection Regulation which has been adopted in full by the United Kingdom since leaving the European Union and is now known as UK GDPR UK General Data Protection Regulation (GDPR).

1.2 We take your privacy seriously and this notice is to inform you about your privacy rights and how we collect, use, share and secure your PII. This includes the information we already hold about you and any further information we might collect about you, either direct from you or from a third party.

1.3 This Privacy Notice sets out our commitments and demonstrates our compliance with the Data Protection Laws in the countries in which we operate. It explains how we collect, use, store, share and secure your personal information and how we comply based on our relationships and processing operations with your PII.

1.4 Our website may, from time to time, contain links to and from the websites of our group companies, commercial partners and other third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and they will be a Data Controller of your personal information. We do not accept any responsibility or liability for such third-party policies and you should check these policies before you submit any personal information to these websites.

1.5 In addition, if you linked to this website from a third-party site, we cannot be responsible for

the privacy policies and practices of the owners or operators of that third party site and recommend that you check the policy of that third party site and contact its owner or operator if you have any concerns or questions.

1.6 This Privacy Notice is a public document and applies when AUK obtain and use your PII as a

Data Processor, in the supply of our services and products to our customers and partners. (We also have a second Privacy Notice on our website which highlights how we demonstrate our compliance as a Data Controller for our own recruitment, employee, accounting and marketing purposes.)

1.7 The difference between a Data Controller and Data Processor is important.

When AUK carries out functions on behalf of other Data Controllers, (our customers) this means we act as their Data Processor. We carry out functions which may involve individuals’ PII on behalf of our customers and these processing operations are based on our customers’ written instructions and under a contract.
Where AUK determines the use of individuals’ PII, as where the individual is a prospective, current or former employee as well as when we process information when carrying out our marketing operations, we do so as a Data Controller.

1.8 This Privacy Notice will be updated when required: accordingly, we recommend you keep yourself informed by reviewing this notice on our website from time to time.

1.9 This Notice demonstrates how we, as an appointed Data Processor for our customers, provide software solutions to enable them to process and manage their housing services, together with the personal information regarding individuals subscribing to such services, will be managed in line with the DPA and GDPR. This will include their employees’ and contractors’ details. In all circumstances we obtain and process individual’s PII in order to conduct our normal business operations and to deliver products and services to our current and prospective customers.

1.10 As a Data Processor we hold and process a volume of individuals’ PII, including special categories of information, for our customers (the Data Controllers). Accordingly, we have appointed a Data Protection Officer whose contact details are below, and you can contact them if you have questions about your data, data protection, your rights or wish to make a complaint:

By post: By email:

Security & Compliance Manager. DP@Aareon.com

International House

36-38 Cornhill

London

EC3V 3NG

2. Visitors to our Website and Marketing Services

2.1 Visitors to our website are important as we want to supply you with full access to the services, products we offer across AUK and the Aareon Group and our preferred Partners. When you visit our websites we have a ‘cookie policy’. It is important you read this as it supplies details of how we collect, monitor, use, share, retain and secure your PII.

2.2 We will obtain PII from you when you request a contact, a call back or a demonstration of our products and services. We have a marketing data base and hold PII of individuals who have:

Requested information about our products and services;
Supplied contact details at events, conferences or meetings;
Used LinkedIn to ask or have accepted an invite to connect with a staff member
Being a customer of AUK and as part of the performance of contract, keep them informed on updates to existing products and services already purchased;
Being a customer of AUK we may use our legitimate interests to keep you informed of new products and services which in our opinion will be a benefit to your business.
We may also, under legitimate interest, ask customers to partake in surveys, questionnaires and/or workshops to assist us in developing our products and services.

With the regards the last two points the individual has the right to opt-out and will be given this option.

2.3 Individuals can unsubscribe at any time to receiving marketing information by emailing dp@aareon.com.

2.4 AUK provides and sells products and services in the form of software solutions to our customers, where they in turn process personal information relating to their customers (Data Subjects). As a Data Processor for our customers we have contractual obligations with regard to data protection. The products and services we provide are those found on our website.

3. Your privacy rights

3.1 With the DPA and GDPR you have eight rights relating to the use and storage of your PII, which are:

The right to be informed - You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR. We will provide you with information including:

our purposes for processing your personal data,
our retention periods for that personal data, and
who it will be shared with.

The right of access – You have the right to a copy of the information we have on you.
The right to rectification – You have the right to have inaccurate PII data rectified, or completed if it is incomplete.
The right to erasure – You have the right to have your data erased.
The right to restrict processing - You have the right to request the restriction or suppression of your personal data. When processing is restricted, we are permitted to store the personal data, but not use it.
The right to data portability - The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right to object - You have the right to object to the processing of their personal data in certain circumstances. You do have an absolute right to stop your data being used for direct marketing.
Rights in relation to automated decision making and profiling - The GDPR has provisions on:

automated individual decision-making (making a decision solely by automated means without any human involvement); and
profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

Where decisions are made solely by automated means you have the right to request a review by a human.

3.2 AUK in its role as a Data Processor will, in the majority of cases, will refer you back to your employer, landlord or housing provider as the Data Controller for your PII. We will assist

where requested by our customer.

3.3 AUK has a legal obligation to answer all requests in relation to your rights. Some of these

rights are not absolute, e.g. where you are still under a contract, you will not be able to have your data erased.

3.4 You can make a complaint if you feel AUK is using your PII unlawfully or holding inaccurate, inadequate or irrelevant PII which, if used, may have a detrimental impact on you or has an impact on your rights. Please refer your concerns to our Security & Compliance Manager, whose details are noted above.

3.5 You can also make a complaint to the data protection supervisory authority. In the UK, this is the Information Commissioner's Office, at https://ico.org.uk.

3.6 To make enquires for further information about exercising any of your rights in this Privacy Notice, please contact our Security & Compliance Manager, whose details are above.

4. What Personal Identifiable Information do we ask for?

4.1 Where you are a prospective Customer

Contact details of you and any other staff members whom we have agreement to contact, such as: name, email, contact telephone numbers

4.2 Where you are an existing customer:

Contact details of you and any other staff members whom we have agreement to contact: name, email, contact telephone numbers
Your customers’ Personal Data, including special category data – only while we are supporting you with an open support ticket and only where you have given us access to the data
Your customers next of kin and other occupant details within the household – only while we are supporting you with an open support ticket and only where it is necessary to have access to the data
Personal data relating to your contractor/s using our products or services
Your staff’s PPI such as, name, emails, notes and other contact details

4.3 Where we are acting as a Data Processor for our customers we will have entered into a contract to deliver software, services and platforms which hold individuals’ PII. In such circumstances it will be the responsibility of our customers, as the Data Controllers of your Personal Data, to issue their own privacy notice.

4.4 Sometimes we may ask for your PII to enter into a contract e.g. in relation the performance of a contract or a legal or regulatory duty. It could be a simple process of attaching a cookie to enable a transaction to take place. We will not be able to provide some of our services or products without this information.

5. How We Gather Your Personal Identifiable Information

5.1 We obtain PII by various means: this can be by face to face, email, telephone,

correspondence or by receiving this information from others, for example, an authorised

person representing you. We can also receive information about you from other people who

know you or are linked to you, for example, a nominated person to act on your behalf, such

as your legal representative or another business colleague from the same company.

5.2 Some further examples of how we may gather your PII are set out below:

from monitoring or recording calls as part of quality and complaints monitoring - we record these calls for training and to ensure the safety of our staff.
from monitoring your use of our website.
from social media such as LinkedIn.

6. How We Lawfully Use Your Personal Information

6.1 The table below sets out the processes and the legal gateway we rely on to process the data:

Purpose / Activity	Lawful ground to process
To keep prospective customers informed of our products and services	Legitimate Interests
When we engage with you as a potential customer/a customer	Performance of a Contract
Processing your customer data	Performance of a Contract
Invoice you as a customer	Performance of a Contract
Chase an outstanding debt	Performance of a Contract
To keep you informed of products and services, you have purchased	Performance of a Contract and/or Legitimate Interests
To manage our relationship with you, updating our terms of business or this privacy notice	Performance of a Contract and/or Legal Requirement
Administer and support your business processes (troubleshooting, maintenance, testing, support and hosting the data)	Performance of a Contract
Administer and support our business products, processes and website (troubleshooting, maintenance, data analysis, testing, support, reporting and hosting the data)	Legitimate Interests as we need to ensure our products/services/systems are running correctly and are complainant.
Data analytics to improve our websites, services, experience, customer relationships	Legitimate Interests as we need to ensure we are learning from our customers and prospective customers to improve our services
Informing you of new products and/or services – customer	Legitimate Interests
Adding LinkedIn contacts to our CRM	Consent – either before accepting an invite from us or after accepting an invite from you
*Obtaining your views on our products and services whether through surveys, questionnaires or asking you to participate in workshops	Legitimate Interest

When we consider using your information for legitimate interests we will consider if it is fair to use the PII either in our interests or someone else's interests, and only where there is no disadvantage to you – this can include where it is in our interests to contact you about like for like products or services from AUK to a business. Where we carry out direct marketing operations with businesses, we will carry out a marketing assessment to market to you or collaborate with others to improve our services.

*In these events we will ask whether you want to participate in such events before processing your details. Not participating does not result in you being deleted from our Customer Relationship Management system.

You have the right to object or opt out of any all communications from us and this can be done, by emailing dp@aareon.com.

7. Automated decision making

We do not carry out any automated decision making as part of our processing operations.

8. Sharing Your Personal Information or Getting Your Personal Identifiable Information from Others

8.1 We may share your information with selected third parties including:

business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
analytics and search engine providers that assist us in the improvement and optimisation of our website; and
other companies, including shareholders in the Aareon Group.

9. Data Transfers

9.1 Whenever we transfer your personal data inside or out of the European Economic Area (EEA), we ensure an appropriate degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or UK.
Where we use providers based in the USA, we carry out due diligence before and during any continued involvement and will check the service providers we are presently using have signed up to the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from the EEA, Switzerland and the UK, respectively. Further details on the DPF can be found here https://www.dataprivacyframework.gov/Program-Overview
AUK have signed a Data Sharing Agreement which following our exit from the EU, means we can continue to share data within the confines of the Group.

9.2 Our directors and other appointed individuals working for AUK may, in limited circumstances, access an individual’s PII outside of the UK and European Union, e.g. if they are remote working, absent from the office and need to access critical business information or working abroad. If they do so they will be using our security measures and will be subject to their arrangements with us which are subject to English Law, in line with the GDPR and the same legal protections that would apply to accessing personal data within the UK.

10. How long do we keep your Personal Information for?

10.1 The length of time we keep your personal information for depends on the services we deliver to you. We will never retain your PII for any longer than is necessary for the purposes for which we need to use it. This is normally identified within the contract

terms.

10.2 Where you have provided your information as a prospective customer we will keep your details for as long as you continue to consent to receiving information from us.

11. Keeping You Up to Date

11.1 We will communicate with you about products and services we are delivering using any contact details you have given us - for example by post, email, social media, and notifications on our ‘App’ or website. If you have given us consent to receive marketing,

you can withdraw consent, and update your marketing preferences by contacting us directly.

11.2 If you wish to withdraw your consent at any time, please email dp@aareon.com.

12. Confidentiality and Security

12.1 We have implemented security policies, rules and technical measures to protect individuals’ personal information that we have under our control from:

Unauthorised access
Improper use or disclosure
Unauthorised modification
Unlawful destruction or accidental loss

12.2 All our employees including those of any Aareon Group company, representatives, board members and third party contractors (our 3rd Parties, Sub-Processors which we engage through a contract), who have access to, and are associated with the processing of your PII, are obliged to respect the confidentiality and only process the information based on our instructions and data protection policies.

13. AUK Commercial and Employee Information

13.1 When someone visits our website we will collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does at times identify a person who contacts us about a product. We do not make any attempt to find out the identities of those visiting our websites as a routine search. This Notice explains when we collect personal information and what we intend to do with it.

13.2 The information held and published on our website and associated websites is only to be used for the purposes for which it has been published. We do not consent to any organisation, or member of the public to take individuals’ (Data Subjects’) personal information from our website and use this for their own purposes.

13.3 In the case of unlawful use, we reserve the right to review and carry out legal proceedings.