We are committed to safeguarding the privacy of our website visitors, service users and other individuals with whom we deal. This Policy sets out information about how we use, store and transfer personal data relating to those individuals which we receive through our website www.studentrents.co.uk (each the Site) or otherwise. We are a data controller in relation to that personal data, which means we determine the purposes and means of the processing of that personal data.
Full details are set out in the relevant sections of this Policy below, but keeping it brief:
- we normally receive your personal data from you, but sometimes it might be from a third party with whom we are mutually acquainted (e.g. landlords or other users of the Site);
- we use your personal data to conduct our business, keep appropriate records and meet our legal obligations;
- we only provide your personal data to third parties for our business purposes or as permitted by law. We don’t share your data with third party advertisers;
- we store personal data for specified periods for our limited business purposes;
- you have legal rights in relation to your personal data which you can exercise on request;
- you can contact us to enquire about any of the contents of this Policy.
PERSONAL DATA WE COLLECT.
In this Section we have set out the kinds of personal data that we may collect, use, store and transfer. We have grouped that data together into different categories based on its subject matter, and based on the kinds of individuals to whom they relate.
Data relating to almost everyone we deal with: e.g. Site users, enquirers, suppliers
We may process data about your use of our Sites (usage data), which we obtain through our analytics tracking systems. The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use.
We may process information contained in or relating to any enquiry or communication that you send to us or that we send to you (correspondence data). This could for example include customer support queries from our users, enquiries from journalists or any other correspondence. The correspondence data may include the communication content and metadata associated with the communication, as well as any contact details you may provide to us such as your name, email address, phone number, job title, address or social media username.
DATA RELATING TO REGISTERED USERS OF OUR SITE:
We may process the account data (account data) you provide to us, which may include your name, email address, phone number, postal address, username, password and demographic data (such as age and gender). If you use a third-party application like Facebook to log into your account on our website then we may receive and process account data from the relevant third party.
We may process information included by you when you complete our survey to help us find your Student Rents (survey data). If you are a registered user of our Site then your survey data will be associated with your account. If you complete a survey as part of a sign-up process but then never open an account with us as a registered user, then any survey data you provided to us will not be associated with any account and will be anonymous.
We may process any personal data which you include in any advert, comment, message or other submission you upload or post to our Site or in any message you send through the Site (including messages between users). We call all of this messaging data. We do not pre-moderate or have any control over what you include in messaging data, so we ask that you carefully consider your own privacy in deciding what to include in messaging data. Because messaging data is determined by you, it could potentially include special categories of data, such as data about race, ethnic origin, politics, religion, health, sex life or sexual orientation.
We may process information relating to payments we make to you or receive from you (payments data), which may include your contact details, your payment account details and the transaction details. We do not collect or process your credit or debit card details when you make payments through the Sites. We use Stripe as a payment processing service provider and it is Stripe who will collect and process your card details.
For more information, see https://stripe.com/gb/privacy
Finally, Our Site includes interfaces that allow you to connect with social networking platforms like Facebook, Twitter and Instagram (each an SNP). If you connect to an SNP through our Site, we may access, use and store the information which you have allowed us to access through your SNP account settings (typically this will be account data) (SNP data). You can revoke our access to SNP data at any time by amending the appropriate settings from within your account settings on the applicable SNP.
If you provide feedback to us, we may use and disclose such feedback on our Site and may post your first and last name along with your feedback on our Site. We will collect any information contained in such feedback and will treat the personal data in it in accordance with this Policy.
DATA RELATING TO SUPPLIERS AND OTHER COMMERCIAL PARTNERS.
If we have some other commercial relationship with you or with your employer (for example, a supply, purchase, sponsorship or referral relationship) then we may handle your contact details (name, job title, email address, postal address, telephone number), any related communications, and any related documents (such as contracts, POs and invoices, proposals and so on). We call all of this partner data, and we process it for the purposes of administering our commercial relationship with you.
PERSONAL DATA WE OBTAIN FROM OTHERS.
Your personal data may be provided to us by someone other than you. We might be introduced to you in correspondence by a mutual acquaintance, or we might receive personal data through an SNP, or we might receive personal data through other users of the Site (for instance, if they are your friends or flatmates). Normally this data will be correspondence data, messaging data, SNP data or partner data as described above.
OUR PURPOSES AND LEGAL BASES OF PROCESSING.
We have set out below, in table format, a description of all the ways we may use your personal data. We’re also required by law to identify the legal basis on which we handle personal data. These legal bases are set out in Article 6 of the General Data Protection Regulation (GDPR). When we process personal data on the basis of our legitimate interests then we also need to identify those legitimate interests and have done so below.
Note that we may process your personal data on more than one legal basis depending on the specific purpose for which we are using your data. Feel free to contact us for further information.
|Type of Data||Purpose/Activity||Legal Basis for Processing|
|Usage Data||Analyzing the use of, and improving, our Sites and services, security monitoring and fraud detection and to ensure each Site is presented in the most effective manner.||Our legitimate interests (Art 6.1(f) GDPR), namely delivering and improving our Sites, informing marketing strategy, and ensuring the security of the Sites.|
|Correspondence Data||To communicate with you. If you have indicated your interest in our services then we may also process correspondence data to provide you with occasional news about our services and marketing communications (although you will be free to unsubscribe at any time).||Our legitimate interests, namely properly administering our business and communications, developing our relationships with interested parties and addressing user concerns and queries.
Where correspondence data relates to marketing, our legitimate interests in developing our business.
Where correspondence relates to registered use of our Site, or to any contract or potential contract with you, then our legal basis may be for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Art 6.1(b) GDPR).
|Account Data, Survey Data||Operating our Sites, providing our services, ensuring the security of our Sites and services, verifying logins, and communicating with you.||Performance of a contract with you (i.e. delivering our services through the account).
Our legitimate interests, namely properly administering our business, services and communications.
|Messaging data||Operating our Sites, providing our services, ensuring the security of our Sites and services, verifying logins, and communicating with you.
Making messaging data available to other users (e.g. adverts).
|Performance of a contract with you.
Our legitimate interests, namely properly administering our business and communications, ensuring a safe and respectful user experience and allowing users to message each other.
|Special category data contained in messaging data||Operating our Sites, providing our services and communicating with you||Your consent (Art. 6.1(a) GDPR, Art. 9.2(a) GDPR)|
|Payments data||Making and receiving payments to and from our website users.||Performance of a contract with you.|
|SNP data||Operating our Sites, providing our services, ensuring the security of our Sites and services, verifying logins, and communicating with you.||Performance of a contract with you (i.e. delivering our services through the account).
Our legitimate interests, namely properly administering our business, services and communications.
|Feedback data||Promoting our Sites and Services through publication of feedback||Our legitimate interests, namely marketing and business development.|
|Partner data||Administering our commercial relationship with those with whom we do business.||Performance of a contract with you.
Our legitimate interests, namely properly administering our business and communications, and developing commercial relationships.
|Any personal data||For the purposes of legal compliance (e.g. maintaining tax records)||Compliance with our legal obligations (Art 6.1(c) GDPR)|
|Any personal data||For the purposes of bringing and defending legal claims||Our legitimate interests, namely being able to conduct and defend legal claims to preserve our rights and those of others.|
|Any personal data||Record-keeping and hosting, back-up and restoration of our systems,||Our legitimate interests, namely ensuring the resilience of our IT systems and the integrity and recoverability of our data.|
PROVIDING YOUR PERSONAL DATA TO OTHERS.
Our advisors. We may disclose your personal data to our insurers and/or professional advisers to take professional advice and manage legal disputes.
Disclosures designated by you. We may disclose your personal data to third parties designated by you, such as other users of the Site to whom you show public information or whom you message.
OUR SERVICE PROVIDERS.
We may disclose personal data to our service providers or subcontractors in connection with the uses we’ve described above. For example, we may disclose:
- any personal data in our possession to suppliers which host the servers on which our data is stored (such as Catalyst 2.);
- communication data to providers of email or email marketing services (such as MailChimp or Sendgrid);
- payments data to our payment processing service providers (such as Stripe);
- usage data to providers of analytics services; and
- partner data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.
Third party advertisers. We may share personal data with advertisers and advertising networks that require the data to select and serve relevant adverts to you and others.
Compliance. We may also disclose your personal data where necessary to comply with law.
Restructuring and affiliates. If any part of our business is proposed to be sold or transferred, your personal data may be disclosed to the new owner or in connection with the relevant negotiations. We may also disclose personal data within our group of
International transfers of your personal data
Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers by our appointed data processors will only be made lawfully (e.g. to countries in respect of which the European Commission has made an “adequacy decision”, or with appropriate safeguards such as the use of standard clauses approved by the European Commission or the use of the EU-US Privacy Shield). You may contact us if you would like further information about these safeguards.
Personal data that you submit for publication through our Site or services or otherwise make visible to other users may be available, via the internet, to others around the world. We cannot prevent the use (or misuse) of such personal data by others.
Other Site users may be located outside the EEA and if you message them using the messaging functions of the Site then your personal data will necessarily leave the EEA.
We have put in place appropriate security measures to protect your personal data. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where required by law.
Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem.
RETAINING AND DELETING PERSONAL DATA.
We comply with our legal obligations in relation to the retention and deletion of personal data, and in particular ensure that personal data that we process is not be kept for longer than is necessary for the relevant purposes. In particular:
- partner and payments data will be retained for seven years after the end of the relevant contractual relationship;
- correspondence data will be retained for the period of the enquiry or chain of correspondence and then deleted after twelve months;
- most data associated with any account on our Site (including account data, survey data and messaging data) will be kept during the life of the account and then deleted no more than twelve (12) months after account closure. However, we may retain account data and associated messaging data for up to six years following closure where relevant to any ongoing contract or any complaint or potential legal claim;
- usage data will be retained for twelve months.
- any data which is anonymized, and therefore not personal data, may be retained by us indefinitely. Typically, this will be derived from usage data and survey data.
- We maintain system backups for disaster recovery purposes and may retain those backups for up to six months. That means that information which is deleted from our live systems may still remain in backup for up to six months.
- We may retain your personal data longer than set out above where necessary to comply with law or in connection with any legal claim.
You have rights under data protection law – they are complex, and subject to exemptions, and you can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for a fuller explanation of your rights. In summary, though:
- the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, to access to the personal data, together with certain additional information;
- the right to rectification: you have the right to have any inaccurate or incomplete personal data about you rectified or completed;
- the right to erasure: in some circumstances you have the right to the erasure of your personal data (for example, if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes);
- the right to restrict processing: you have the right to restrict the processing of your personal data to limit its use. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except to the extent permitted by law;
- the right to object to processing: you have the right to object to our processing of your personal data on the basis of legitimate interests (discussed above) or for direct marketing purposes and if you do so we will stop processing your personal data except to the extent permitted by law;
- the right to data portability: you have the right to receive your personal data from us if the legal basis for our processing is the performance of a contract with you, and such processing is carried out by automated means; and
- the right to complain to a supervisory authority: if you consider that our processing of your personal data is unlawful, you have a legal right to lodge a complaint with the ICO.
Last Updated 01/09/2021