Effective date: 1 August 2022
The Policy applies to (i) XYZ’s customer products and services, including the HoloSite platform and the Atom headset (collectively, the “Services”); (ii) xyzreality.com and any other XYZ websites (collectively, the “Websites”); and (iii) other interactions (e.g., customer inquiries, attendance at conferences, when other businesses provide us with your information, etc.) XYZ may have with your personal information.
Where XYZ determines the purposes and means of processing of your personal information, as described in this Policy, XYZ acts as a “controller” or equivalent for the purposes recognised by certain data privacy laws.
In certain circumstances more than one data controller may process your information. An example is the customers of a third-party product with which XYZ has an integration and via which XYZ receives personal information. If XYZ determines the purposes and means of processing your personal information received via such circumstances independently from other data controllers, then we and the third-party separately have our own obligations under applicable data privacy laws. XYZ is not responsible for the processing of other data controllers (including our partners) and you should contact them directly for questions on how they process your personal information and for exercising your privacy rights in relation to such processing.
If you do not agree with the terms of this Policy, you should not access or use the Services, Websites, or any other aspects of XYZ’s business.
2. Information we receive and collect
We may collect, store, and use the following categories of personal information about you: name, email address, contact number, and job title, which we receive from opt-in or consent forms, or from you when communicating with us via phone, post, email, live chat, or social media. If we are communicating with you in connection with any matter on which we are engaged to advise our customers or partners, we may also receive identification information, financial information, employment information, and any other details included by you in such correspondence (including biographical and personal or circumstantial details).
- Contact information. A user of our Website may provide contact details for us to be able to get in touch about our products. A customer may provide details so that we can provide our Services. In each of these instances, we will collect contact information such as your name, organisation, email address, etc. On occasion we may also ask for your job title, role, or other relevant information.
- Technical information. The following technical information may be automatically collected depending on the consents provided by devices: (i) for Website users, your device’s IP address and location derived from IP address, browser type, operating system and version, and network information (including internet service provider (ISP)); (ii) for Service users, device information (as described for Website users above), and Services metadata (such as any third-party service connections).
- Information from third-parties and publicly available sources. We may receive information about you or your business from third-party sources or services to improve our own information or make it more useful. This may include data such as which locations correspond to IP addresses or how well a marketing campaign performed.
- Product feedback. We allow customers to provide ideas and feedback about the Services via a third-party platform.
- Other information voluntarily provided by you. If you participate in user experience interviews or contests, request support, apply for a job, interact with XYZ’s social media, or otherwise communicate with us, we collect information that you voluntarily provide us with.
The Services and Website are not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we learn we have collected or received personal information from a child under 13, we will delete that information. If you are a parent or a legal guardian and you are aware that your child under 13 has provided us with personal information, please contact us through the mechanisms described below.
3. How we use information
Information we collect is used in accordance with applicable contractual agreements, to provide and maintain XYZ’s Services and Websites, and as required by applicable law. More specifically, we use information:
- To fulfil contractual (and pre-contractual) obligations. We may process information to fulfil obligations under a contract between XYZ and you or XYZ and a third-party.
- To provide, maintain, improve, and protect our Services, Websites, and business. We use the information provided to us to deliver the best possible experience to our customers and others. For example, feedback on our products (provided directly or indirectly) is used to make updates to our Services. Information may also be used to resolve technical issues, address bugs, and analyse usage trends. At all times, information is only used for this purpose to pursue a legitimate interest and, where applicable, with your informed consent.
- To send you relevant information about our Services and business. We may send you communications to inform you about changes in our Services, important information about our Services, and technical and other administrative messages. Such communications are considered part of the Services and you may not opt out of them. Additionally, we may occasionally send you emails about product recommendations, new Service features, or other news about XYZ. You can control whether to receive such marketing messages by unsubscribing using the links provided in the communications or by contacting us through the mechanisms described below. At all times, information is only used for this purpose with your informed consent or, where applicable, to pursue a legitimate interest.
- For billing, account management, and other administrative matters. For example, information may be used to contact you for invoicing, manage accounts, etc.
- As required by applicable law.
- To investigate and help prevent security issues and abuse. Information is used based on our legitimate interests.
4. Legal basis for processing information
Data protection laws in various jurisdictions require us to process personal data only where we have a basis to do so under the law. For example, the General Data Protection Regulation (GDPR) applies to any organisation operating within the European Economic Area (EEA) and sets out such legal bases in its article 6(1). The California Consumer Privacy Act similarly regulates businesses’ use of personal information in California.
In the ‘How we use information’ section above there are various references to legal bases and below we set these out in a little extra detail:
- Performing a contract. A large proportion of our data processing is undertaken to fulfil obligations under a contract. For example, under a contract between XYZ and you in which XYZ provides Services, personal data of authorised users will be used to provide access to the Services.
- Pursuing our legitimate interests. When it is necessary to meet our legitimate business interests, personal data may also be processed, but always only in a manner that minimises its impact on your privacy. Minimising steps taken include controlling access to the data and, where applicable, aggregating or deidentifying data. Examples of data processing to pursue legitimate interests include:
  - Developing and improving our Services;
  - Marketing our Services;
  - Creating a profile of you based on preferences you have indicated, including to get a better understanding of you and verifying the accuracy of data that we hold about you;
  - Preventing unauthorised use of our Services;
  - Obtaining information from third-parties or publicly available sources to better inform our understanding of customer needs;
  - Network and information security purposes that enable us to take steps to protect your personal data against loss or damage, theft, or unauthorised access.
- Complying with law. There may be instances where personal data requires processing to comply with legal obligations such as anti-money laundering and sanctions compliance, or to respond to court orders.
- With your consent. Your personal data may also be processed with your specific and informed consent. You may withdraw your consent at any time to stop further processing by contacting us through the mechanisms described below.
You will only receive centralised communications from us (including information about our products and services or other news and announcements) if you indicate to us a preference (‘opt-in’) to do so. You will be invited to complete a client consent/opt-in process by email as a result of any of the following:
- You or your employer becoming our customer;
- You providing a business card directly to an employee of XYZ at (for example) a trade or networking/business event;
- You giving consent via another medium (for example, the website opt-in form).

We will never share your information with third-party partners for their own marketing uses, although we may use service providers to assist us with our own marketing.
5. How we share and disclose information
We do not sell personal data to third-parties. We may share personal data with other parties, in accordance with the law, and as required to deliver our Services or operate our business. We require third-parties to respect the security of your data and to treat it in accordance with the law.
Entities with which we may share your personal data include:
- Our affiliates, subsidiaries, and in the event of a business transfer. Your personal data may be shared amongst XYZ group entities as part of our regular reporting activities on company performance, for system maintenance support and hosting of data, and in order to deliver an optimal service to you. We also reserve the right to disclose and transfer information in the context of a merger, restructuring, reorganisation, divestiture, dissolution, or other sale or transfer of some or all of XYZ’s assets.
- Third-parties providing services on behalf of XYZ. We may share your information with partners or service providers. For example, a web hosting service assisting us in providing our Websites may be provided with your personal data in order to maintain our Website. Other similar third-party providers include email service providers, video conferencing software providers, web analysis tools, etc.
- Third-parties in exceptional circumstances. We may share data, if we have determined it is reasonably necessary and having sought legal counsel, with regulators and government agencies to comply with the law or a government request; to protect the security of our Services; to enforce our agreements, policies, and terms; to protect you, our customers, business partners, or the public from harm or illegal activity; or to address an emergency.
In so far as possible, we will attempt to only share anonymised data with other parties. All our third-party service providers and other entities in our group are required to take appropriate security measures to protect your personal data substantially in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
In the event that a party we share your data with is located in a state outside of the EEA or has servers outside the EEA on which it will store your data, we will ensure that adequate protection of your data is administered as required by applicable law. This may include concluding standard contractual clauses issued by the European Commission and an equivalent international data transfer agreement issued by the UK Information Commissioner’s Office (ICO).
6. How do we store your data?
Your personal data may be stored in a variety of locations, including electronically on our secure servers, electronically on a third-party provider’s secure servers, or in hard copy form in access-restricted, locked filing cabinets.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third-parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected or actual data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.
Whenever we propose using new technologies, or where processing is construed as ‘high risk’, we are obliged to carry out a data protection impact assessment which allows us to make sure appropriate security measures are always in place in relation to the processing of your personal data.
7. How long do we keep information?
We only retain your personal information for as long as is necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process it, including whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
8. Your rights regarding our collection and use of your data
It is important that the personal information we hold about you is accurate and current. You have a duty to keep us informed if your personal information changes during your relationship with us and can do so by contacting us through the mechanisms described below.
You also have other rights relating to any personal information we hold about you:
- Request access to your personal information (known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Withdrawing your consent. Where we rely on your consent as the legal basis for processing your personal data, as set out under the ‘Legal basis for processing information’ section, you may withdraw your consent at any time by contacting us through the mechanisms described below. If you would like to withdraw your consent to receiving any email communications, you can do so using the ‘Unsubscribe’ tool within the email from us. If you withdraw your consent, our use of your personal data before you withdraw your consent is still lawful.
- Object to processing of your personal information where we are relying on a legitimate interest and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your information. Where we rely on your consent as the legal basis for processing your personal data or need to process it in connection with your contract, as set out under the ‘Legal basis for processing information’ section, you may ask us to provide you with a copy of that data in a structured data file. We will provide this to you electronically in a structured, commonly used, and machine-readable form, such as a CSV file. You can ask us to send your personal data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that data.
If you have any questions regarding any of the information we hold about you or you wish to exercise any of your rights regarding your personal information as described above, you can do so by:
- Writing to the Head of Privacy and Data Protection at XYZ Reality, G0.G02, 338-346, Goswell Road, London EC1V 7LQ; or
- Emailing firstname.lastname@example.org.
You have the right to complain to the ICO if you are concerned about the way we have processed your personal data. Please visit the ICO’s website for further details.