Privacy Notice.

This Privacy Notice aims to explain how we collect, use, and safeguard your personal information in a clear and approachable manner. Our goal is to ensure that you feel confident and secure while sharing your personal information with us. We want you to know that we handle your data responsibly and ethically, always with your best interests in mind.

1. Essential phrases and their meaning

  • Data Protection Laws refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to Personal Data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It sits alongside the Data Protection Act 2018.
  • Personal Data refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes “Special Category Data” (see further below) and pseudonymised Personal Data. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.
  • Process or Processing refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

2. Essential information about Bubbl

Our legal entity name is B Holdings Limited, and we are incorporated in England & Wales and have the registration number of 15222311 and the registered address of 8 Packington Road, London, United Kingdom, W3 8FB.

We have registered with the Information Commissioner’s Office (“ICO”) which is the data protection supervisory authority in England & Wales. Our registration reference with the ICO is ZB663159.

Data Protection Laws have established the roles of the data controller and the data processor. A data controller refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing notices, policies and procedures in line with Data Protection Laws. A data processor refers to an organisation that Processes Personal Data on behalf of a data controller. When Bubbl is delivering its services to its customers, it is operating as a data processor.

3. Services that we offer to our customers

Bubbl provides a geo-location plugin that enhances existing mobile applications by enabling real-time user engagement through location-based interactions. Bubbl’s customers can create virtual fences, known as geo-fences, to deliver location-aware push notifications, images, videos and surveys to end-users when they enter or exit these defined areas.

Bubbl has a platform which facilitates in-location engagement by integrating its plugin into mobile applications, allowing its customers to communicate dynamically with their end-users based on their physical location. This set-up supports the delivery of pre-built notifications and media, helping businesses to engage with their end-users contextually and effectively.

4. Personal Data that we collect

We collect, use, store, and transfer various types of Personal Data based on our relationship with you. Outlined below are examples of the Personal Data we collect from individuals, depending on the nature of our relationship and the necessity of collecting such information.

  • Identity & Contact Data – This includes first name, last name, title, phone number and email address.
  • Technical & Usage Data – This includes internet protocol addresses, browser type and version, time zone settings, location and information about your interactions with our website.
  • Profile Data – This includes information about your professional background, organisation and contracts that you’ve entered into with us.
  • Special Category Data – This includes information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of an individual.
  • Transaction & Financial Data – This includes transactions, invoices and payment details.
  • Communications & Marketing Data – This includes your preferences regarding cookies and marketing communications.

5. Lawful grounds which we rely on when we Process Personal Data

Under Data Protection Law, there are several lawful grounds for processing Personal Data; these are the justifications organisations must have to Process Personal Data legally. The lawful grounds that we rely upon are outlined below. 

  • Consent – This is where you have given your agreement freely and it is specific, informed an unambiguous indication of your wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data. 
  • Contract – This is where the Processing is necessary in order to enter into or perform a contract. 
  • Legitimate Interests – This is where the Processing is necessary for the purposes of our Legitimate Interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.
  • Legal Obligation – This is where the Processing is necessary for compliance with a Legal Obligation to which we are subjected to.  

Please note that where we rely on Consent as the lawful grounds for Processing your Personal Data in a specific situation, we do not rely on any other legal grounds in that situation.

6. The individuals from whom we collect Personal Data

In the course of our business, we interact with the following categories of individuals: 

Prospective and existing website users 

  • What do we collect? Identity & Contact Data, Technical & Usage Data and Communications & Marketing Data.
  • How do we collect it? Automatically when you are browsing our website, or it is provided directly you to us. 
  • What’s our lawful grounds? Consent or Legitimate Interests. 

Prospective employees 

  • What do we collect? Identity & Contact Data, Profile Data, Special Category Data and Technical & Usage Data. 
  • How do we collect it? Automatically when you are browsing our website, provided directly by you or a third party (such as a background screening check provider). 
  • What’s our lawful grounds? Consent or Contract and Legitimate Interests. 

Prospective and existing third-party suppliers 

  • What do we collect? Identity & Contact Data, Profile Data, Special Category Data and Technical & Usage Data. 
  • How do we collect it? Automatically when you are browsing our website, or it is provided directly by you. 
  • What’s our lawful grounds? Consent or Contract, Legitimate Interests and Legal Obligation.

Prospective and existing customers 

  • What do we collect? Identity & Contact Data, Profile Data, Transaction & Financial Data, Technical & Usage Data, Communications & Marketing Data. 
  • How do we collect it? Automatically when you are browsing our website and provided directly by you. 
  • What’s our lawful grounds? Consent or Contract, Legitimate Interests and Legal Obligation.

End users of our customers 

  • What do we collect? Technical & Usage Data. Please note though that we only collect a unique identification number, time and location stamps when you are within a virtual fence that is determined by our customer. The unique identification number is not your internet protocol address and is a number generated by the relevant application store from which you have downloaded our customer’s application (e.g., Google Play store). 
  • How do we collect it? Automatically when you are utilising the customer’s application where our plugin has been configured. 
  • What’s our lawful grounds? As we are operating as a Data Processor, we are only acting upon the instructions of our customer. When you have been using our customer’s application, you have agreed to use their application and have chosen to enable your location-tracking on your device. Our plugin only works when the location tracking is enabled. 

7. Using your information for marketing purposes

We strive to provide you with choices regarding the use of specific Personal Data, particularly in relation to your Marketing & Communications Data. You will receive marketing from us if you have requested information or purchased our product and have not opted out of such communications. Before sharing your Personal Data with any third party for marketing purposes, we will obtain your opt-in Consent. You can request us or third parties to stop sending you marketing messages at any time by contacting us and withdrawing your Consent. However, opting out of these marketing messages will not affect messages necessary to fulfil a contract we have with you (e.g., contacting you to fulfil contractual obligations).

8. Aggregated and anonymised data

Please be aware that we do aggregate data, such as statistical or demographic data, for various purposes including research and analysis. Aggregated data may be generated from your Personal Data but is not classified as Personal Data under Data Protection Laws, as it does not directly or indirectly disclose your identity. For instance, we might aggregate your Technical & Usage Data to ascertain the proportion of users accessing a particular geo-location area. 

However, if we merge or associate aggregated data with your Personal Data in a manner that could potentially identify you, we will treat the combined data as Personal Data and manage it in accordance with this Privacy Notice. 

Additionally, it’s important to note that in certain instances, we may anonymise your Personal Data for research or statistical purposes. Once anonymised, it becomes impossible to trace the data back to you, and we may utilise this information without further notification.

9. Sharing your Personal Data with third parties

We disclose your Personal Data only when necessary, and we have detailed below the categories of third parties with whom we share your Personal Data:

  • Technology providers – This concerns companies offering support and software products essential for our business operations.
  • Professional advisors – This includes law firms, banks, payment providers, and accountancy firms engaged for business purposes.
  • Governmental agencies and regulators – This includes Companies House, HMRC, and the ICO, with whom we must engage for business operations and compliance.
  • Prospective business partners – This concerns third parties with whom we may negotiate to sell, transfer, or merge parts of our business or assets, or explore potential acquisitions or mergers in the future.

10. Transferring your Personal Data outside of the United Kingdom (“UK”) and/or the European Economic Area (“EEA”)

We ensure that Personal Data is always transferred safely and securely. Whenever your Personal Data is transferred outside of the UK and/or the EEA, we protect it by implementing one of the following safeguards:

  • We only transfer your Personal Data to organisations outside of the UK and/or the EEA if we have entered into specific contracts with them that ensure your Personal Data will receive the same level of protection as it does in the UK and/or the EEA.
  • We only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data, as endorsed by the ICO and determined by the European Commission.

11. Looking after your Personal Data

We have implemented appropriate technical and organisational measures, including encryption (where necessary), to protect your Personal Data from accidental loss, falsification, unauthorised access, alteration, or disclosure. Access to your Personal Data is restricted to authorised personnel and relevant third parties, who need it for business purposes. 

We have developed comprehensive policies, plans, and procedures to address both suspected and confirmed breaches of Personal Data. While our primary goal is to prevent such incidents from occurring in the first place, these measures ensure we are fully prepared to respond effectively should a Personal Data breach occur.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with Data Protection Laws. We enter into contractual agreements with all of our third parties (with the exception of regulators and governmental authorities) which include the appropriate data protection clauses. We ensure that all third parties (with the exception of governmental agencies and regulators) put in place appropriate security measures to ensure that the Personal Data that is shared is protected from unauthorised access or misuse.

12. Retaining your Personal Data

We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including meeting legal, regulatory, tax, accounting or reporting requirements. When determining the appropriate retention period for Personal Data, we consider various factors such as the amount, nature, and sensitivity of the data, the potential risks of unauthorised use or disclosure, the purposes for Processing the data, the feasibility of achieving these purposes through other means, and applicable legal, regulatory, tax, accounting, or other obligations. In certain circumstances, we may retain Personal Data for a longer period, such as in the event of a complaint or if we reasonably believe there is potential for litigation related to our relationship with you (although we strive to avoid such situations whenever possible).

13. Your rights under Data Protection Law

You have specific rights concerning the Personal Data we handle about you, as outlined below:

  • Right to access – You can request access to the information and obtain copies of the Personal Data we hold about you.
  • Right to rectification – You can ask us to correct any inaccuracies or incomplete information in your Personal Data.
  • Right to erasure – You can request the deletion of your Personal Data under certain circumstances, such as when the data is no longer necessary for its original purpose or Processing. However, complete deletion may not always be possible, especially if there is an ongoing contractual relationship.
  • Right to restrict Processing – You can request that we restrict the Processing of your Personal Data under specific conditions, such as when we are reviewing the accuracy of the Personal Data or assessing the validity of a deletion request.
  • Right to object – You can object to the Processing of your Personal Data, particularly if the Processing is based on our Legitimate Interests or is for direct marketing purposes.
  • Right to data portability – You can request to receive, transfer, or copy your Personal Data to another data controller. This right applies when we process your Personal Data based on your Consent or a contract, and the Processing is automated.

If you are dissatisfied with our approach or have concerns about our approach, you have the right to lodge a complaint with the ICO via www.ico.org.uk. While we strive to adhere to evolving Data Protection Laws and maintain best practices, we encourage you to contact us first to address any concerns you may have about how we handle your Personal Data.

If you would like to exercise any of the rights mentioned above, please reach out to us at info@bubbl.tech.  

There is no charge for accessing your Personal Data or exercising any of these rights. However, if we deem your request to be clearly unfounded, repetitive, or excessive, we reserve the right to either charge a reasonable fee or decline the request.

For security reasons and to protect your interests, we may need to verify your identity by requesting specific information. Additionally, we may contact you for further details to expedite our response.

We aim to address all legitimate requests within one (1) month. However, if your request is complex or involves multiple aspects, it may take longer. In such cases, we will keep you informed of any delays.

14. Structure of our data protection compliance program

We believe that it’s critical to comply with Data Protection Laws as it helps us to build further trust with our customers, stakeholders and the public. We are committed to acting transparently and responsibly at all times.

Recognising our critical responsibility to protect the confidentiality and integrity of Personal Data, we have implemented a data protection compliance program. This data protection compliance program encompasses notices, policies, procedures, and technical security controls.

In our operations, we comply with the following principles under Data Protection Laws: 

  • We only Process Personal Data lawfully, fairly and in a transparent manner. 
  • We only collect Personal Data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. 
  • We ensure that Personal Data that we collect and maintain is accurate and kept up to date.
  • We ensure that Personal Data is not kept in a form which permits identification of individuals for longer than is necessary. 
  • We ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organisational measures, to protect it against unauthorised Processing and against accidental loss, destruction or damage. 

Since the inception of our business, we have embedded privacy considerations into the design and development of our services and systems. We employ privacy-enhanced technologies, conduct data protection impact assessments, implement privacy-preserving measures, and integrate privacy into Bubbl’s culture and practices.

15. Our data protection team

We have conducted an assessment of our organisation under Data Protection Laws and have determined that we are not required, at this stage, to appoint a data protection officer. This is because we do not conduct regular and systemic monitoring of individuals on a large scale and neither do we conduct large-scale Processing of Special Category Data. We will review our determination on a regular basis and will appoint a data protection officer if necessary.

Please be assured that, despite not having a dedicated data protection officer, we remain fully committed to safeguarding the privacy and security of your Personal Data. You can contact us on info@bubbl.tech with any data protection questions and concerns that you may have. 

Last updated: 27 May 2024