The purpose of this Privacy Notice is to make it easier for you to understand how we use and protect your personal data. Personal data is any data that can identify you, either on its own or when used with other data.

This Privacy Notice will help you understand your privacy rights, how and why we need to process your personal data, and how you can get in touch with us if you need to. Processing personal data involves any activity to do with that data, for example collection, storage, editing and deletion.

We have presented this information in different sections so you can access the information you need more easily.

Geovation sits at the heart of the geospatial ecosystem, connecting industry challenges with startup solutions. We believe in open innovation and the positive impact it can have on people, planet and profit.

Our ecosystem is a special place of over 1800 members built from experts in GeoTech and PropTech, from across all industries, working on ideas that use location data to create solutions that address global challenges. We power collaboration between entrepreneurs and the public and private sectors to develop new ventures capable of generating social, economic and environmental value.

This document applies to Ordnance Survey Limited’s Geovation Hub. For the purposes of this document, Ordnance Survey Limited’s Geovation Hub will be referred to as “we”, “us” and “our”. Geovation is an Ordnance Survey (OS) initiative in association with HM Land Registry. You can find more information on how OS may use your data here: https://www.ordnancesurvey.co.uk/governance/policies/privacy

We take your personal data privacy very seriously and we’re committed to protecting your personal data by complying with the relevant privacy legislation. We encourage you to read each section thoroughly.

If you are accessing our Site and/or Services from a location outside of the UK or the European Economic Area (the “EEA”), please refer to the section “Additional information for international users (outside of the UK or EEA)” at the end of this document for important additional information.

We’re required by law to always have a permitted reason called a “lawful basis” or “legal basis” for processing your personal data.

The law allows for six ways to process your personal data. Depending on the processing activity, we will process your personal data where:

· Consent: You have given consent to the processing of your personal data for one or more specific purposes.

· Contract: It is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering a contract.

· Legal Obligation: It is necessary for compliance with a legal obligation to which we are subject.

· Vital Interests: It is necessary in order to protect your vital interests.

· Public Task: It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

· Legitimate Interest: It is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

· Personal Data – Information that can be used to identify an individual, either directly on its own or in combination with other information such as a name, an identification number, location data, an online identifier.

· Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Criminal conviction related data (about allegations, offences or sentencing) is also treated in a similar way.

· Pseudonymised – Personal data that has been processed in such a way that it can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from personal data.

· Anonymised – Data in a form that does not identify individuals. Personal data, once it is anonymised, is no longer personal data.

· Aggregated – Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

We are committed to protecting your personal information and respecting your privacy. We may collect and process personal data about you in a number of different ways, depending on the nature of our relationship with you.

Some of the ways that we commonly collect and process personal data include:

· When you provide your personal data directly to us while accessing our site and/or Services.

· Viewing or subscribing to our websites and social media functions.

· Corresponding with us using services such as email or written letter.

· Entering competitions or participating in discussion boards.

· Applying for a job vacancy, including personal data collected from third parties as part of reference checking.

We also use web and mobile analytics technologies for our Sites and/or Services, which automatically collect certain types of Device information and Log Information about your usage (please see the section “Your Device Information” below).

· Provide you access to membership benefits, where you have registered as a Geovation member;

· Provide you with information about your membership;

· Fulfil payments for Geovation membership;

· Provide you with newsletters, which include information about events, services or products that we, Ordnance Survey or our partners, may offer, that we feel may interest you, where you have consented to such communications;

· Carry out our obligations from any contracts you may have entered into with us;

· Customer satisfaction surveys and market research;

· Respond to your enquiries and complaints;

· Notify you about changes to our terms of service.

· Provide you with access to location, property and other appropriate data where you have agreed terms and conditions of use (this would include Geovation Data Exploration Licence (DEL) – which gives access to Ordnance Survey, HM Land Registry, British Geological Survey and Third-Party OS data).

There are times when we will rely on legitimate interests to process personal data, particularly when it is not practical to obtain consent. We will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Examples are:

· Reporting criminal acts and compliance with law enforcement agencies

· Internal and external audit for financial or regulatory compliance purposes

· Statutory reporting

· Operate our platforms and communicate with you as necessary when providing our services to you for our legitimate interest.

· Use analytics data collected when you consent to the use of Cookies and other tracking technologies.

· Physical and Network security

· Financial Management and Control

· General Administration

· Name.

· Address.

· Telephone number.

· Email address.

· Date of birth and age.

· Username and passwords to access our Sites and Services.

· Financial and credit card information.

· Personal profile description and photograph.

· Equality and diversity information.

· Location Information.

· Website and Social Media URLs.

Each time you visit or use our Sites and Services, we may automatically collect the following information:

· Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, and/or time zone setting.

· Details of your use of any of our Apps or your visits to any of our Sites and Services including, but not limited to, Internet protocol (IP) address used by your Device, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes and the resources that you access (Log Information).

· URL click stream information showing how users have reached our Site and Services and whether they access other third-party sites via any external links.

· To administer our Geovation Sites and/or Services for troubleshooting, data analysis, testing, research, statistical and survey purposes;

· To improve our Geovation Sites and/or Services to ensure that content is presented in the most effective manner for you and for your Device;

· To allow you to participate in interactive features of our Site, Services and Apps, when you choose to do so;

· As part of our efforts to keep our Geovation Sites and/or Services safe and secure;

· To determine which features your Device supports which assists our development strategy.

In order to facilitate your use of our Geovation Sites and/or Services, we may have to share your personal data with third parties to provide elements of our Services to you. We will provide your personal data to third parties when they need the data to perform functions in delivering our Services to you or as part of our regulatory compliance. These may include:

· Service providers acting as data processors, located in the UK and EEA who provide data hosting facilities, IT and system administration services.

· Service providers located in the UK and EEA acting as data processors who administer our customer email service, webchat service, API Services.

· Service providers who are manufacturers of Geovation Branded Products where a device requires interaction with third parties for registration of devices, third-party software and downloading of mapping tiles.

· Service providers located in the UK and EEA acting as data processors who provide Payment Card Industry (PCI) processing services.

· Service providers acting as a data processor for the facilitation of our recruitment processes.

· HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.

· We may disclose your personal information to any member of our group, which means our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.

· Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.

· If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service provider processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, our website servers are located in the UK, EEA and Australia, and our third party service providers and partners operate in the UK, EEA, USA and Australia. This means that when we collect your personal information, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. We have implemented appropriate safeguards with our third party service providers and partners and further details can be provided upon request.

We store personal data as: secure physical records; electronically on our internal IT systems; in cloud storage, and in some cases, records on third party servers, which may be located in various countries (please see the “Data transfers to third countries” section above for more details).

Once data is within our control, we will do our utmost to ensure your personal data is processed in a way that ensures appropriate security from unauthorised or unlawful processing, accidental loss, destruction or damage.

Your personal data is held in secure systems with controlled access and subject to cyber security measures, whether we’re processing it in our offices, sites or working from home. We also apply strict physical security at all our sites and offices.

We only choose third party service providers in line with company protocol, procedures and checks, and when we use them, we disclose only the personal information that is necessary to deliver the service provided.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so, and all our employees must complete annual data protection training.

In line with our Records Retention Policy and Schedules, we will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We may also retain your personal data for a reasonable period afterwards to allow us to respond to any follow up enquiries or complaints, or for as long as you remain a registered user of our services.

To determine appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use or store this information indefinitely without further notice to you.

In some circumstances you can ask us to delete your data: see Right to Erasure below for further information.

If you are a resident of the UK or EEA, you have the following data protection rights:

· Withdraw Consent: Where we are using your personal information on the basis of your consent, you have the right to withdraw that consent at any time.

· Right to be Informed: You have the right to be told how your personal information will be used. This document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.

· Right of Access: You can ask what information we hold on you and request a copy of that information. This is called a Subject Access Request. If possible, you should specify the type of information you’d like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g., privacy and confidentiality rights of other customers or staff. Other exemptions may apply dependent on the information and context.

· Right of Erasure: You have the right to be forgotten (i.e., to have your personally identifiable data deleted). However, we may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

· Right of Rectification: If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data provided to us.

· Right to Restrict Processing: In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage. However, in some circumstances this right may not apply, for example, where we have a legal obligation to use the data.

· Right to Data Portability: Where we are processing your personal data under your consent, the law allows you to request data portability from us to another service provider. This right is largely seen as a way for people to transfer their personal data from one service provider to another. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

· Right to Object: You can request that your personal data is not processed for specific purposes such as profiling. This right applies where our processing of your personal data is necessary for us to perform a task in the public interest or for our official functions or for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.

· Right to object to automated decisions: In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to finance situations. We do not undertake complex computerised decision making that produces legal effects.

The applicability of some of these rights depends on the legal basis of processing of the data concerned. Some of these rights only apply in specific circumstances and we may not need to fully comply with your request in all cases.

You may exercise any of these rights free of charge, by contacting us. We may need to check your identity and may need to ask for more information – it’ll help us to help you if you’re as specific in your request as possible.

We’ll comply with your request within one calendar month (from the time we receive your request, or any additional information we asked for) unless:

· It’s a complex request – in such cases, we’ll respond within the month to inform you of the appropriate response period that will apply to your request (which may be a period of up to three months); or

· In exceptional circumstances, we would not be able to carry out your request. In these cases, we will inform you of the reason within one calendar month.

We use cookies to distinguish you from other users of our Sites and Services. This helps us to provide you with a good experience when you use our Sites and Services and allows us to improve them. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For detailed information on the cookies we use and the purposes for which we use them, please see the Ordnance Survey Cookie Policy and scroll down to “Geovation”: https://www.ordnancesurvey.co.uk/cookies

Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you. The new terms may be displayed on-screen, and you may be required to read and accept them to continue your use of any Services.

Information for all Australian users:

If you are accessing our Sites and/or Services from Australia, you may have rights under Australian privacy laws including the Privacy Act 1988 (Cth) (the Australian Privacy Act).

Nothing in this Privacy Notice purports to exclude, modify or restrict your rights under Australian laws (including the Australian Privacy Act).

The Australian Privacy Act gives individuals various rights, including the right to:

· request access to, or correction of, their personal information; and

· the right to make a complaint about how their personal information has been handled.

If you would like to make an access or correction request, or lodge a privacy complaint, please contact our Data Protection Officer using the details in the “Contacting Us” section below.

We will handle all such requests, complaints and queries in accordance with any applicable requirements under Australian privacy laws. Where applicable, we may rely on exemptions under those laws (including, but not limited to, exemptions relating to related bodies corporate and employee records).

Information for all New Zealand users:

If you are accessing our Sites and/or Services from New Zealand, you may have rights under New Zealand’s data and privacy laws including the Privacy Act 2020 (the New Zealand Privacy Act) and the Unsolicited Electronic Messages Act 2007.

Nothing in this Privacy Notice purports to exclude, modify or restrict your rights under New Zealand’s laws.

By using our Sites and/or Services or otherwise providing your personal information to us, you consent to our collection, storage, use and disclosure of your personal information in accordance with this Privacy Notice. Our legal basis for collecting and using your information [described below] will depend on the personal information concerned and the specific context in which we collect it. We will process your personal data where:

· You have given consent to the processing of your personal data for one or more specific purposes;

· it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; or

· it is necessary for compliance with a legal obligation to which we are subject.

You can always choose not to provide your personal information to us, but it may mean that we are unable to provide you with access to the Geovation Sites and/or Services. If you choose not to consent to analytics data collection, you can still use sites and/or Services without any impact on the performance or functionality.

Your privacy rights

The New Zealand Privacy Act gives individuals various rights, including the right to:

· request access to, or correction of, their personal information; and

· the right to make a complaint about how their personal information has been handled.

If you have any concerns about privacy or the use or collection of your personal information by us, please contact our privacy officer at DPO@os.uk and include the words ‘ATT: THE PRIVACY OFFICER’. We will respond as quickly as possible (our target response is 20 working days).

Marketing communications

We are committed to full compliance with the Unsolicited Electronic Messages Act 2007.

By subscribing to emails and/or text communications, or otherwise providing your email address and/or mobile number, you consent to receiving emails and/or texts (as the case may be) which promote and market our products and services, or the products and services of others, from time to time.

You can unsubscribe from our email communications and/or text communications at any time by clicking the “Unsubscribe” link in any promotional or marketing email or text received or by emailing admin@geovation.uk.

Once you have unsubscribed from the email or text communications, you will be removed from the corresponding marketing list as soon as is reasonably practicable.

Changes to the Privacy Notice

Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you. The new terms may be displayed on-screen, and you may be required to confirm they have been read and understood to continue your use of any Services or Apps.

It is your responsibility to check this Privacy Notice periodically for changes, and to keep your email address with us current.

Your continued use of our Geovation Sites and/or Services following notification of any changes to this Privacy Notice constitutes acceptance of those changes. If you do not agree with any aspect of the updated Privacy Notice, you must immediately cease all use of our Geovation Sites and/or Services.

Information for Californian users:

These California subsections apply only to “personal information” about California residents, as that term is defined in the California Consumer Privacy Act (“CCPA”), and they supplement the information in the rest of our Privacy Notice. Data about individuals who are not residents of California may not be handled exactly the same way and is not subject to the same California rights described below.

CCPA “Sale” of California Personal Information

The CCPA requires businesses that “sell” personal information, as the term “sell” is defined under the CCPA, to provide an opt-out from such sales. Geovation does not “sell” personal information as that term is commonly understood or within the CCPA definition of the term.

California Privacy Rights

If you are a California resident, California law may permit you to request that we:

· Inform you of the categories of personal information we have collected about you in the last twelve months; the categories of sources of such information; the categories of personal information that we disclosed about you for a business purpose; the business or commercial purpose for collecting your personal information; and the categories of third parties to whom we have disclosed personal information for a business purpose.

· Provide access to and/or a copy of certain information we hold about you.

· Delete certain information we have about you.

You also may have the right to receive information about certain “financial incentives” that we may offer to you (if any).

Certain information is exempt from such requests under applicable law. For example, the CCPA has significant exceptions for certain B2B data.

To request to exercise your CCPA rights, please submit your request by contacting our Customer Services team or by emailing DPO@os.uk.

For security and legal reasons, we may not accept requests that require us to access third-party websites or services. We do not respond to browser-based do-not-track signals or similar mechanisms. We can take steps to verify your identity before responding to your request, which may include requesting that you respond to an email that we send to you, requiring you to login to an account (if you have one) or otherwise verifying your name, email address or other information that will help us to confirm your identity.

If you are an agent making a request on behalf of a consumer, you must verify that you are authorized to make that request, which may include requiring you to provide us with written proof that satisfies CCPA requirements, such as an appropriate letter signed by the consumer or a power of attorney. We also may require the consumer to verify their identity directly with us.

Non-discrimination

You have the right not to receive “discriminatory treatment” (within the meaning of the CCPA) for the exercise of the privacy rights conferred by the CCPA.

Information for Nevada users:

Under Nevada law, certain Nevada consumers may opt out of the “sale” of “personally identifiable information” for monetary consideration to a “data broker” (as such terms are used in Nevada privacy law) or other person. We do not engage in such activity as of the effective date of this Privacy Notice. However, Nevada users may submit a request to opt out of any potential future “sales” under Nevada law by sending a request to admin@geovation.uk or by emailing DPO@os.uk.

We may take steps to verify your identity and the authenticity of the request. Once verified, we will maintain your request in the event our practices change.

If you have any queries about this privacy notice, please contact us:

Data Protection Officer:

· Email: dpo@os.uk

· Post: Ordnance Survey, Explorer House, Adanac Drive, Southampton, SO16 0AS.

Geovation:

· Email: admin@geovation.uk

· Post: Sutton Yard, 4th floor, 65 Goswell Road, London, EC1V 7EN

If, for any reason, you have a complaint, please contact the Ordnance Survey Data Protection Officer to discuss your concerns.

Following this, if you are still dissatisfied, you can contact your local data protection authority at the contact details below:

UK Information Commissioner: Contact telephone number: 0303 123 1113. Website: https://ico.org.uk/

European Data Protection Authorities: in the European Economic Area are available here

Office of the Australian Information Commissioner: GPO Box 5218, Sydney NSW 2001, Telephone: 1300 363 992, Email: enquiries@oaic.gov.au