We are registered as a data controller with the Information Commissioner’s Office (registration number ZA138193).
Please note that the Plotto Customer, and not Plotto, is the data controller in respect of personal data comprised in or related to video survey requests (Requests) and the video survey responses to those Requests (Contributions). Issues relating to that personal data must be addressed directly to the relevant Plotto Customer.
What information do we collect?
The personal data we hold about you in our capacity as a data controller may include some or all of the following:
• Contact and identity data including username and password, name, billing address, email address and phone number (we call this Identity and Contact Data)
• Your payment method (Payment Data)
• Details of payments made (and received) by you in connection with Plotto services (Transaction Data)
• Technical data concerning your use of Plotto (Technical Data) , which may include the type and version of your web browser or device, time zone setting and location of that web browser or device, browser plug-in (these are additional pieces of software that add extra capabilities to your web browser, such as the ability to run Java applets or see Flash animations) types and versions deployed by the web browser or device, parts of the site that you access and your internet protocol (IP) address, as well as information as to how you interact with communications we send to you
• Data we may collect to create a profile of you, based on multiple criteria such as demography, age and Technical Data, including data on perceived or inferred interests and lifestyle obtained from third parties (Profile Data)
• Your preferences for the marketing you wish to receive from us and third parties and your communication preferences (Marketing and Communications Data)
We also process data of which the Plotto Customer is the controller, namely:
• Information comprised in or related to Requests
• The content of, and information comprised in or related to, Contributions
Together we call this Plotto Customer Personal Data. Our processing of Plotto Customer Personal Data is governed by the Plotto Customer Data Processing Terms. The provisions below do not relate to Customer Personal Data, the processing of which is exclusively dealt with in the Plotto Customer Data Processing Terms.
Some of your personal data may be shared with us by third parties such as:
• Technical and Profile Data:
• Analytics providers (such as Google)
• Advertising services and networks
• Social media services (such as Facebook and Twitter)
• Payment Data: payment services providers
We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is put together in an aggregated and anonymous manner (so that it cannot be associated with any of your Identity and Contact Data or other personal data) and does not constitute personal data for legal purposes. For example, we may anonymise and aggregate Profile Data and/or Technical Data with that of others and (a) use it for internal management purposes, (b) share it with current or prospective business partners, and (c) use it to target offers that are made through Plotto.
When we collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) we will do this only with your explicit consent.
How do we use your personal data, and what is our legal basis for doing so?
These are the legal bases we have for holding and processing your personal data:
• Contract: To enter into or perform a contract with you
• Legitimate Interest: For our (or third parties’) legitimate interests, as long as they aren’t overridden by your interests and rights
• Consent: Your consent
• Explicit consent: Your explicit consent, where Special Categories of Personal Data are concerned
• Obligation: To comply with our legal obligations
And here is how we use your personal data, and our relevant legal basis (Our basis) for doing so:
If you register with us, you provide us with Identity and Contact Data. That Identity and Contact Data may be supplemented over time with other information. We use this information to maintain your registration with Plotto and administer our relationship with you. Our basis: Consent and Legitimate Interest (to remind you of matters relating to your account with us).
If you provide us with Payment Data, we will use your Identity and Contact Data, Payment Data and the related Transaction Data, to process your transaction and receive the relevant payment. Our basis: Contract and Legitimate Interest (to receive payment of sums owed to us). Note that we do not store your complete Payment Data – this is held by payment service providers.
From time to time, you may provide us with feedback or otherwise engage with us in ways that, in combination with other data we hold, may be included in your Profile Data. In using Plotto, we and our service providers will also collect Technical Data. We use Profile Data and Technical Data to analyse your use of Plotto and combine it with similar data for other users like you, with the object of making Plotto better and more relevant to you, to enable us to create content that is more suited to you and to send you more relevant communications. Our basis: Legitimate Interest (making our services and their marketing more specific to you).
Where you opt to receive marketing communications from Plotto, we will use your relevant Marketing and Communications Data to communicate that marketing to you. Our basis: Consent.
We will only use your personal data for the above purposes, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process your personal data without your knowledge or consent where this is required or permitted by law.
Whom will we share your personal data with?
We will share your personal data with various third parties, but always for the uses referred to above. These third parties are businesses (and in some cases charities) of the following types:
• payment services providers
• mailing and delivery services
• website hosting providers
• messaging services providers
• social media platforms
• online and offline marketing service providers
• research and profiling services
• Identity verifications processes
We may also share your personal data with others where to do so is mandated by applicable law.
Your Marketing and Communications Data will only be shared with a third party for the purpose of them directly marketing to you where you have consented to that marketing.
If we transfer your personal data outside the European Economic Area (EEA) to a country that does not provide a similar level of legal protection to that provided by the United Kingdom’s data protection laws, we put in place legally appropriate safeguards to require the protection of your personal data. You can request details of those safeguards by contacting our Information Officer.
If we sell our business or assets, your personal data may be provided to the prospective purchaser’s advisers with appropriate legal protections and will be passed to the new owners of the business.
How long will we keep your personal data for?
We keep your personal data for as long as is necessary:
• to address relevant legal, tax or accounting requirements, including potential claims by and against us.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of that data, the purposes for which we process it, whether we can achieve those purposes through other means, as well as legal, taxation and accounting requirements.
You can request more details of how we apply these criteria by contacting our Information Officer
When the need to keep your personal data ends, we either delete or anonymise it.
How do we keep your personal data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your legal rights
Under the law, you have the right to:
• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of your personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with a legal or regulatory obligation. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; or (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
• Withdraw consent to the processing of your personal data, or to profiling by means of your personal data, where consent is the basis for that processing. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact our Information Officer by email to the address specified below. You will not have to pay a fee to exercise any of your legal rights as specified above. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant your personal data (or to exercise any of your other legal rights). This is a security measure we take to help avoid your personal data being disclosed to a person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to help speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Email address of Information Officer: email@example.com
Postal address of Information Officer: Information Officer, Plotto Ltd, New Penderel House 4th Floor, 283 - 288 High Holborn, London WC1V 7HP, UK.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO.
Updates to this policy