1.1 This website www.underbellyedinburgh.co.uk is owned and operated by Underbelly Ltd, registered with the ICO under registration number [A8218694] ("Underbelly", "we", "us", "our"). We are committed to safeguarding your privacy online and to this end have developed the following policy to deal with issues which may concern you. This policy explains the kinds of data that we process in connection with the website, how that data is used, how it’s protected and how you can find out what rights you have in relation to your data.
1.2 We reserve the right to update or otherwise amend this policy at any time.
1.3 By accessing, browsing or otherwise using this website you confirm that you acknowledge the terms of this policy. If you are not happy with any part of this policy, you should not use this website or use our services.
2. Speed Read and Key Shortcuts
- How we use your personal data - section 4
- Who receives your personal data - section 9
- Your rights - section 12
- Who to contact - section 13
3. Types of Personal Data Processed
3.1 "Personal data" is a concept defined by data protection law, and refers to information which relates to an identified or identifiable individual.
3.3 Typically the types of personal data that you will provide to us when using our website include, but may not be limited to, the following:
3.3.1 Your Personal Details - for example your name, date of birth, and personal contact details; and
3.3.2 Transaction Data - for example what tickets and preferences you have; and
3.3.3 Your Financial Information - for example your credit and/or debit card details.
4. Legal Basis and Purposes for Processing
4.1 We use your personal data for a number of purposes which we have listed at paragraph 4.3 below.
4.2 Whenever we process your personal data, we do so on the basis of a lawful "condition" for processing. In the majority of cases, the processing of your personal data will be justified on one of the following bases:
4.2.1 it is provided for in your terms when you purchase a ticket, and therefore necessary to give effect to that contract (for example, collecting bank account details to arrange payment for your ticket that you have purchased);
4.2.2 it is necessary for us to comply with a legal obligation (for example, disclosing VAT data to HMRC); or
4.2.3 it is in our legitimate interests to operate as a business, and our interests are not overridden by your interests, fundamental rights or freedoms (for example, to market services to you, or to enable you to post messages on our bulletin board or to enable customers to use any other features of the website that may be offered from time to time, and may require such information in order to utilise the feature).
4.3 The purposes for which we process your personal data are to:
4.3.1 to provide a service to you in line with our business aims;
4.3.2 to manage, analyse, understand and develop your relationship with us, including where you volunteer to complete a survey or participate in a promotion;
4.3.3 to keep you informed of any of our other/new events and activities that may be of interest to you, where you have chosen to be made aware of this;
4.3.4 to troubleshoot problems with the website, or to customise your experience on the website;
4.3.5 investigate and respond to complaints or queries;
4.3.6 other purposes consistent with the processes envisaged by the categories of data listed in Section 3.3; and
4.3.7 exercise our rights to defend, respond to or conduct prospective or actual legal claims or proceedings
The Website is not designed for children under the age of 13. We do not knowingly permit children to purchase tickets or sign up to a newsletter. Where we become aware that we have collected such data, we will take all reasonable steps to delete such data.
6.1 We may use the information you provide us with to keep you informed about events, activities or services which we provide and which we believe you may be interested in, in accordance with your preferences.
6.2 Where you contact us through the 'contact us' link of this website or provide you with tickets for an event, we provide the opportunity for you to give an opt-in consent to provide you with our promotional marketing. If you do not provide your consent then we will not send you information via electronic communications (e.g. email or SMS). We may however contact you in future by telephone or post where we reasonably believe (on the basis of services that we are providing to you) that there are additional, different services which you may be interested in. If you do not wish to receive direct marketing communications from us you can let us know by contacting us (using the details provided below), or by unsubscribing from such communications by means of a link provided in every electronic message that is sent to you by us.
6.3 Where you have opted in to receive such content, we may tell you about events offered by other entities within the Underbelly group.
7. Retention of Personal Data
7.1 Our general approach is to only retain personal data for as long as is required to satisfy the purpose for which it was collected by us or provided by you. We will take steps to delete or anonymise the data where it is no longer required for those purposes (for example, if you have not contacted us, or purchased any tickets for over 3 years).
7.2 In certain cases, legal or regulatory obligations require us to retain specific records for a set period of time, including following the end of your relationship with us (including for tax and audit purposes).
7.3 In other cases, we deliberately retain records in order to resolve queries or disputes which we think may arise from time to time.
8. Sources of Personal Data
Primarily the personal data we process about you will have been provided by you, either during your visit to our website, or on an ad hoc basis during the course of relationship with you. From time to time, we may receive personal data about you from other third parties, for example other arts foundations where you have consented to your information being shared with us.
9. Disclosures of Personal Data
9.1 We may share your personal data with other members of the Underbelly group where required in order to, for example, run a national process or to carry out group wide reporting.
9.2 We use a number of third party suppliers or social media platforms to help us provide IT services or run marketing campaigns with us (in particular we share data with Facebook to build custom and lookalike audiences (although you can turn off this feature within your Facebook account)). These third parties may have access to or merely host your personal data, but they will only do so under our instruction and subject to a contractual relationship.
9.3 We may be required to disclose your personal data to third parties:
9.3.1 in response to orders or requests from court, regulators, parties to a legal proceeding or public authorities; or
9.3.2 to comply with regulatory requirements or as part of a dialogue with a regulator
9.4 Your personal data may also be disclosed to advisers, potential transaction partners or interested third parties in connection with the consideration, negotiation or completion of a corporate transaction or restructuring of the business or assets of any part of the Underbelly group.
10. Cross-border Transfers
10.1 Certain suppliers and service providers may have personnel or systems located outside of the EEA. Where your personal data may be transferred outside of the EEA, we will take steps to ensure that your personal data receives an adequate level of protection, including by, for example, entering into data transfer agreements or by ensuring that third parties are certified under appropriate data protection schemes (in particular, we make use of Dropbox which is certified with the EU-US Privacy Shield Framework). You have a right to request a copy of any data transfer agreement under which your personal data is transferred, or to otherwise have access to the safeguards used. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity.
11. Security of your Personal Data
11.1 We implement reasonable physical, technical and administrative security standards designed to protect your personal data from loss, misuse, alteration, destruction or damage. To this end all personal data stored by us is kept on a server in a secure environment and regular security reviews are held by us to ensure that the website remains safe and secure for your protection. More information about the specific measures implemented is available on request.
11.2 We take steps to limit access to your personal data to those individuals who need to have access to it for one of the purposes listed in Section 4.
11.3 You also have an important role to play in protecting the security of your personal data, and you should take care about whom you disclose personal data to, and how you protect your communications and devices.
12. Data Subject Rights
12.1 You have the following rights in respect of your personal data:
12.1.1 to obtain a copy of your personal data together with information about how and on what basis that personal data is processed;
12.1.2 to rectify inaccurate personal data;
12.2 From 25 May 2018, you also have the right:
12.2.1 to erase your personal data in limited circumstances where it is no longer necessary in relation to the purposes for which it was collected or processed;
12.2.2 to restrict processing of your personal data where: (a) the accuracy of the personal data is contested; (b) the processing is unlawful but you object to the erasure of the personal data; (c) we no longer require the personal data for the purposes for which it was collected, but it is required for the establishment, exercise or defence of a legal claim;
12.2.3 to challenge processing which we have justified on the basis of a legitimate interest;
12.2.4 to object to decisions which are based solely on automated processing or profiling;
12.2.5 to obtain a portable copy of your personal data, or to have a copy transferred to a third party controller; or
12.2.6 to obtain a copy of or access to safeguards under which your personal data is transferred outside of the EEA (see Section 10).
12.3 In addition to the above, you have the right to lodge a complaint with the Information Commissioner's Office, who is the UK supervisory authority for data protection, however we would ask that you try to resolve such matters with us directly first.
13. Contact Us
You may contact us at any time if you have general concerns about the processing of your personal data, or any data protection issue, or to exercise any of the rights set out above at:
13.1.2 0207 307 8480