The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.
Total Enigma is a Limited company, registered office is 12 Crindledyke Close, Kingmoor Park, Carlisle, CA6 4BX, trading office is Paton House, Victoria Viaduct, Carlisle, CA3 8AN (We, Us and Our). For the purposes of the Data Protection Act 1998, as the act may be amended or replaced, (‘Data Protection Legislation’), we are the data controller.
We are committed to protecting your privacy. This policy explains how we use personal data we may obtain from or about you in relation to your use of our Services or Site.
Providing your personal data to others
We may disclose your personal data to any member of our group of companies (this means our subsidiaries, our holding company and its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.
We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or to exercise or defend legal claims.
Booking transactions and account registrations are handled by our booking service (Bookify). We share transaction data with our booking services providers to the extent necessary for the purposes of processing your bookings and dealing with complaints and queries relating to such bookings. You may also wish to review our payment services providers' privacy policies and practices at www.bookifyapp.com/privacy .
Financial transactions relating to our website and services are handled by our payment services providers, [Stripe]. We share transaction data with our payment services providers to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You may also wish to review our payment services providers' privacy policies and practices at [https://stripe.com/privacy].
In addition to the specific disclosures of personal data set out above, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect your legal interests or the legal interests of another person.
Retaining and deleting personal data
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose.
It is not possible for us to specify in advance the periods for which your personal data will be retained. However, we will determine the period of retention based on your continued use of our website or services and based on our requirements for proper record keeping and accounting and legal purposes.
Notwithstanding the other provisions of this Section 5, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect your legal interests or the legal interests of another person.
We may update this policy from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this policy.
We may notify you of changes to this policy by email or through the private messaging system on our website.
In this section, we have summarized the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law are:
- the right to access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing;
- the right to data portability;
- the right to complain to a supervisory authority; and
- the right to withdraw consent.
You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data, as described below.
You have the right to have any inaccurate personal data about you rectified and, considering the purposes of the processing, to have any incomplete personal data about you completed.
In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful, but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To the extent that the legal basis for our processing of your personal data is:
- consent; or
- that the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract,
...and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
You may request that we provide you with any personal information we hold about you. Provision of this information will be subject to:
- the payment of a fee (currently fixed at (GBP) £10.00); and
- the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).
When you interact with the Site, we try to make that experience simple and meaningful. When you visit our Site, our web server sends a cookie to your computer or mobile device (as the case may be). Cookies are small pieces of information which are issued to your computer or device when you visit a website or access or use a mobile application and which store and sometimes track information about your use of the Site. A number of cookies we use last only for the duration of your Site session and expire when you close your browser. Other cookies are used to remember you when you return to the Site and will last for longer.
We use only “analytical” cookies in order to:
- remember that you have visited us before; this means we can identify the number of unique visitors we receive;
- customise elements of the promotional layout and/or content of the pages of the Site; and
- collect anonymous statistical information about how you use the Site (including how long you spend on the Site) and where you have come to the Site from, so that we can improve the Site and learn which parts of the Site are most popular.
Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser or mobile device. Please note, however, that by blocking or deleting cookies used on the Site, you may not be able to take full advantage of the Site.
Uses made of your information
We will use the information held about you in the following ways:
- we use Query Information to deal with and respond to your comments, queries and requests;
- we use Cookie Information as explained in the Cookie section above;
- we use Registration Information in relation to setting up your account to enable us to provide our Services;
- we use Registration Information to contact Users about any changes to the Services.
- we use Account Information to check that use of the Services is in accordance with our customer agreements;
- we use Registration Information for the purposes of security, and prevention and detection of fraud;
- we use Registration Information to contact Users with marketing materials where we are entitled to do; and
- we use Survey Information for the purposes of market research.
Basis for processing
- We are entitled to use your data as described in paragraph 1 above as we are responding to your request and therefore have your consent to this processing.
- We are entitled to use your data as described in paragraphs 3, 4 and 5 as we require to do this as part of our contractual obligations to provide the Services.
- We are entitled to use your data as described in paragraphs 2, 6, 7 and 8 above as the purposes stated are within our legitimate interests.
Information we may collect from you
We may collect and process the following information about you:
- Date of birth
- Contact information including email address
- Query Information: this is the information you provide when you use the Contact section of our Site to send a message or ask a question or to request one of our guidance materials or subscribe to our educational emails.
- Registration Information: this is the email log-in and password details if you are a User.
- Account Information: this is the information on a User’s use of the Services.
- Survey Information: this is information from surveys that we may, from time to time, run on the Site for research purposes, if you choose to respond to, or participate in, them.
The Site may, from time to time, contain links to external sites. We are not responsible for the privacy policies or the content of such sites.
We place great importance on the security of all personally identifiable information associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.
You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via the Site whilst it is in transit over the internet and any such submission is at your own risk.
It is advisable to close your browser when you have finished your user session to help ensure others do not access your personal information if you use a shared computer or a computer in a public place.