For the purpose of the Data Protection Act 1998 and the General Data Protection Regulation 16/679 the data controller is Qudini Limited, which has ICO registration number ZA069059.
Qudini committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data We collect from you, or that you provide to us, directly or indirectly will be processed by us. Please read the following carefully to understand our views and practices regarding personal data and how We treat it.
The Data Protection Officer can be contact at the registered office address or firstname.lastname@example.org
In this statement We have used certain terms which are set out in the EU’s General Data Protection Regulation (GDPR or the Regulation):
Qudini App Site refers to the software platform built by Qudini and made accessible to Clients (as defined below) who have subscribed to use our platform on a paid or trial basis, for the purposes of managing their venue level staff and end user customers for the benefit of improving their customer experience and general operations.
Qudini Website refers to our corporate website used to explain and promote the Qudini software solution (available at the Qudini App Site) to potential Clients and Reseller Partners (together Clients) and any of their customers or staff who may be interested in learning more about the Qudini solution and services.
WHAT WE DO
Qudini is a cloud-based SaaS solution provider offering customer experience management solutions that help our Clients including Clients in the retail, health care, public sector, telco, financial services, hospitality, leisure and entertainment sectors, to improve their customer experience, serve more customers and increase their conversion and saving costs.
Our Client’s use the solution available at the Qudini App Site so that their customers can make use of our system to access services provided by our Client. For example, a retailer may allow their customers to pre-book an appointment or join a digital queue to access advisor services within their stores.
OUR STATUS UNDER GDPR
Depending on the nature of the interaction, We act as a processor in that We are acting upon instructions from our Clients when We provide our services to them; and when We control the purposes and means of the processing of personal data, such as processing our employee’s personal data, We are a controller, as defined under GDPR.
WHAT LAWFUL REASONS DO WE USE TO PROCESS PERSONAL DATA?
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Consent)
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Contract Performance)
- processing is necessary for compliance with a legal obligation which We are subject to (Legal Obligations)
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Legitimate Interest).
Where We process personal data as a result of data subject consent, We ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where consent is withdrawn, We have set out (below) how this may be undertaken by the data subject.
Where We enter into a contract with third parties, processing of personal data may, as a matter of course, be necessary in order to execute such contract or take pre-contract preparation steps.
Where We have legal obligations which apply to Qudini, processing of personal data may be required by law.
Our legal basis for processing personal data in this context is that it is necessary for the performance of a contract between a customer and Client.
SENSITIVE PERSONAL DATA
Where Qudini processes sensitive personal data on behalf of a Client, Qudini does so on the basis that the Client has established a lawful exception to the prohibition on processing sensitive personal data under Article 9 of the Regulation; and where Qudini is processing sensitive personal data of employees, it does so pursuant to its employment relationship with its personnel and so uses the exception set out in paragraph 2(b) of Article 9 of the Regulation.
QUDINI’S USE OF PERSONAL DATA
How Qudini collects and uses personal data differs based on the Site used and the type of user’s details input.
Corporate Subscriber Data
How personal data is collected: data subjects interested in learning more about the Qudini business, services or software products directly through Qudini, have the opportunity to enter their details into our website at www.qudini.com or any landing pages hosted at pages.qudini.com via a “Contact” form; or they may email or call us directly using contact details provided on our website or elsewhere. This will likely be for the purposes of requesting that We contact them, downloading useful information, starting a trial, playing with a demo or requesting support from our support team.
From time-to-time, We may also meet business-relevant connections at events or research individuals using standard online open-source social media platforms. Where these individuals are approached (or approach us) in their capacity as employees of their organisation, the interaction will be regarded as a business to business exchange.
Type of personal data collected: Corporate subscriber data might include a data subject’s name, telephone number, home address, email address, company of work and IP address from the device being used, online identifiers and location data. We will not knowingly collect sensitive personal data. Where a data subject visits our website, We may collect and process information about their website usage (e.g. browsing history and information about your navigation through our website) using “cookies” and other similar technologies. During communications, We may process information about the interactions undertaken with us.
Who controls the data: Corporate subscriber data is controlled by Qudini.
Who processes the data: Corporate subscriber data is processed by our website, email, CRM and marketing platform providers. We have contracted with a number of parties (the precise number varies according to business need) who process personal data on our behalf. This is undertaken in a manner that is consistent with the Regulation and the ePrivacy Directive (the Directive).
Where data is stored; how data is used: Data collected on corporate subscribers may be stored within our CRM platform and used for the purposes of sending news and information about our services and solutions. All messages will provide the recipient with the opportunity to opt-out.
Data will also be used to improve our online services, including format and content, to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, as part of our efforts to keep our site safe and secure, to measure or understand the effectiveness of any advertising We serve to you and others, and to deliver relevant advertising.
Corporate Payment Data
How data is collected: Business professionals interested in using Qudini software within their business provide their business’ payment card details or direct debit account details to our portal, under contract or over the phone to Qudini personnel in order to set-up automatic payments to Qudini.
Type of Data Collected: Corporate payment card data includes a person’s name, billing address, bank account sort code, bank account number, payment card long number, payment card issue date, payment card expiry date and three-digit security number. During communications, We may process information about the interactions a data subject has with us.
Who controls the data: Corporate payment card data is controlled by Qudini.
Who processes the data: Corporate payment card data is processed by Qudini and our third-party payment gateways.
How data is used: Corporate payment data is used to debit our Client’s account on a regular basis for the ongoing use of our software and to enable Clients to easily pay for one-off purchases including professional services, SMS messages and hardware loan or purchase.
Customer Personal Data
How data is collected: Customers of Clients can provide personal details for the purposes of accessing services provided by our Clients through booking an appointment, registering for event or joining a digital queue. Upon providing their details the customer will receive transaction updates on their required service or do capture feedback after their visit. Data is collected by the customer providing their details to an employee of our Client’s organisation or through a self-service interface accessed online via a website, or from self-service kiosk in our client’s venue or through an app installed on the customer’s personal mobile device.
Type of data collected: Data collected via the Qudini App Site from consumers may include name, telephone number, home address, email address and IP address from the device being used, online identifiers and location data. On occasion our applicable Client may collect sensitive personal data and this may be stored for a shorter retention period or detached from the customer personal data as soon as each customer’s transaction purpose has been completed. The Qudini Online booking interface and join queue interfaces may collect and process information about data subject’s website using “cookies” and other similar technologies. During communications, our Client may process information about the interactions you have with us.
Who controls the data: Customer personal data is controlled by our Client who is using the Qudini App Site to manager their customer and employees.
Who processes the data: Qudini processes the Customer personal data on behalf of our Clients. Customer personal data and sensitive personal data is passed to as few sub-processors as necessary to enable our software to perform its necessary functions, this includes only our server data base provider and Amazon Web Services and SMS aggregator providers. Client Derived Data is created to detach the customer’s transaction information from their Personal Data so that this can be processed by separate platforms for analytics purposes.
Customer Payment Card Data
How data is collected: Client’s using the Qudini software may, at their discretion, require that customers pay to make an appointment, register for an event or to join the queue. Customers will be required to enter their payment card data or to login through a third-party payment platform in order to complete their booking.
Type of data collected: Customer payment card data might include a customer’s name, billing address, payment card long number, payment card issue date, payment card expiry date, three-digit security number.
Who controls the data: Customer payment card data is controlled by our Client.
How data is used: Customer payment card data is used in order to debit the customer’s account for the fees specified when they made their booking, registered for an event, joined the queue or requested to purchase items.
Venue Level Employee Personal Data
How data is collected: Venue level employees of our Clients are required to input their personal data in order to gain access the Qudini App Site and in order to make use of the Qudini App Site and Software service within a business location owned by the Client, such data will be considered “Venue Level Employee Personal Data”,
Type of data collected: Venue level employee personal data collected in the Qudini App Site might include a person’s name, mobile number, email address, home address, photo, post code and notes about their role and skills. We will not collect “special categories” of data on employees (sensitive data).
Who controls the data: Personal data of venue level employees is controlled by the applicable Client who is the employer of the employee using the Qudini App Site to manage their customers and employees.
Who processes the data: Qudini processes the venue level employee personal data on behalf of our clients for the purposes of enabling clients to use our services. Data is also processed within third-party platforms used to help us provide premium services to the users of our platform; and these platforms help us provide support services to customers, marketing platforms and platforms s analyse how us We can analyse how users are using the platform and, from time-to-time, send service information updates.
Head Office Level Employee Personal Data
How data is collected: Head office level employees of our Clients are required to input their personal data in order to gain access to our the Qudini App Site and in order to receive email reports about their businesses use of the Qudini App Site Such data will be considered “Head Office Level Employee Personal Data”
Type of data Collected: Personal data input by head office level employees in the Qudini App Site might include a person’s name, mobile number, email address, home address, photo, post code and notes about their role and skills. We will not collect sensitive personal data.
Who controls the data: Personal data of head office level employees is controlled by our Client who is using the Qudini App Site to manage their customers and employees.
Who processes the data: Qudini processes the head office level employee personal data on behalf of our clients for the purposes of enabling clients to use our services. Data is also processed within third party platforms used to help us provide premium service to the users of our platform. These help us provide support ticketing services to customers and platforms which help us to analyse how users are using the platform and, from time-to-time, send service information updates.
How data is used by the processor: Head office employee data is also treated as Corporate Subscriber Data and so is imported into our CRM and mailing list tools in order to send the head office level employee useful information about new Qudini releases, features, training information and other recent news, helping head office level employees to learn how to get the most out of the Qudini platform (they will at all times have the option to unsubscribe from this news).
Job Candidate Data
How data is collected: Candidates interested in applying for a role at Qudini may provide their personal details by email or through our job application platform to express their interest in a role.
Type of data collected: Personal data input by job candidates may include: name, email, phone number, home address, place of work, education and work history alongside their skills. We will not collect sensitive personal data.
Who controls the data: Job candidate data is controlled by Qudini.
Who processes the data: Job candidate data is processed by our software providers and consultants involved in helping us to recruit candidates and manage employees.
How data is used by the controller: Job candidate data is used by the controller to manage and communicate with candidates in relation to the role they have applied for at Qudini.
How data is used by the processor: Job candidate data is used by our processors to enables us to accept and manage applications and to support decision making processes.
How long data is stored: Job candidate data is stored for as long as necessary. It is then archived or deleted pursuant to or data retention framework.
A list of the types of types of sub-processors we use for the different categories of data described above can be found on our website at: www.qudini.com/sub-processors/
We may share information with third parties so that they can assist us in providing our services; selected third parties could include:
- Clients, suppliers and sub-contractors for the performance of any contract We enter into with them. For example, so that our platform can work effectively, We may engage with contractors to carry out part of our services.
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but We will provide them with aggregate information about our users for example, We may inform them that a high level of our audience from our website are from the South-East, based on location data.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
We will disclose your personal information to third parties:
- If Qudini or substantially all of its assets are acquired by a third party, in which case personal data held by it about its Clients will be one of the transferred assets.
- If We are under a duty to disclose or share personal data to comply with any legal obligation, or in order to enforce or apply our terms and other agreements; or to protect the rights, property, or safety of Qudini, our Clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
TRANSFERRING OUT OF THE EEA
Storing: We use cloud providers to store our personal data. Personal data may be transferred to and stored at a destination outside of the European Economic Area (EEA).
Processing: We may use third parties to help us deliver our services and they may be based outside the EEA. Where data is transferred outside the EEA, We adhere to compliance mechanisms that are identified by the European Commission, for example, the use of EU model contract clauses or conformity to US Privacy Shield.
Where we are the processor: in general, personal data is stored in the locations required by our Clients. Periodically, our Clients may agree specific terms as to where customer data, venue employee data and head office employee data is stored by us. At all times, We act in accordance with the Regulation.
DATA RETENTION PERIODS
Qudini has a data retention policy which sets out how long it will store personal data, which is consistent with Article 5 of the Regulation. Qudini only keeps personal data for as long as is necessary. For example, Qudini is required to retain certain information in accordance with the general law, where information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on Qudini’s business needs, which are balanced against the requirements of the Regulation and the rights of the individual.
Where we are the controller
We will retain personal data for as long as necessary. As described above, in some cases, We will have a legal or statutory obligation to retain information for a set period, such as the limitation period.
Where we are the processor
We have implemented security measures that are designed to help protect the personal data We collect or receive in connection with our services from unauthorised access or disclosure. For example, We use encryption techniques to ensure the security of data; We also use password protection. However, no transmission or storage of data can be guaranteed to be completely secure and We therefore cannot ensure or warrant the security of any information We collect and store.
The personal data We process is subject to rigorous measures and procedures to minimize the risk of unauthorized access or disclosure. We will get in touch with the supervisory authority (which in Qudini’s case is the Information Commissioner on the United Kingdom) and with affected data subjects where this is required under the Regulation.
CHANGES TO THIS PRIVACY STATEMENT
If We change this privacy statement, We will let you know about the changes by publishing the updated version on our website.
- Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of Qudini or a third party, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- If We intend to transfer the personal data to a third country or international organisation, information about how We ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, We will ensure there are specific measures in place to secure information.
- How long the data will be stored.
- Details of data subject’s rights to correct, erase, restrict or object to such processing.
- Information about the data subject’s right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether We are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
What forms of ID will I need to provide in order to access this?
Qudini accepts the following forms of ID when information on your personal data is requested: passport, driving licence, birth certificate, utility bill from the previous 3 months.
Contact Name: Data Protection Officer
Address: 35 Kingsland Road, London E2 8AA