uFlexReward’s Total Reward Platform Privacy Policy

Last Updated: 16th November, 2023

Introduction

We — UFlexRewardLimited of No. 1 Poultry, London, EC2R 8EJ (also “we,” “our,” or “us”) — prepared this Privacy Policy to help you understand our practices with respect to the processing of data that occurs on our platform. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

Who We Are

For the purposes of the General Data Protection Regulation (“GDPR”), we are the data processor of the data held within out Total Rewards Platform. This means we process personal data on behalf of our clients who are the data controllers. We are committed to ensuring that your privacy is protected.

The Data We Process

As a data processor, we process personal data on behalf of our clients, who are the data controllers. The types of personal data we process may include, but are not limited to, names, email, job title, grade, remuneration, date of birth, citizenship status, gender, martial status, employment commencement date, IP addresses, and other relevant data as directed by our clients. This data is used solely for the purpose of providing our service to our clients and we will not use this data for any other purpose.

Purpose of Processing Data

We process personal data as necessary to provide our services to our clients, to fulfill our contractual obligations, and as directed by our clients, who are the data controllers. Our use of your personal data is limited to that which is reasonably required in order to provide our service to you as directed by our client’s, the data controllers.

Legal Basis for Processing

We process personal data under the instructions of our clients, in accordance with our contractual obligations. We will not process personal data for other purposes or by other means than instructed by our clients.

Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details on retention periods can be made available upon request.

Your Rights Under GDPR

As a data subject, you have several rights under GDPR, including the right to access, correct, update, or request deletion of your personal data. However, as we are a data processor, you should direct any requests to exercise these rights firstly to the data controller (our client). It is important to note that these rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation.

The Company have an established system to enable and facilitate the exercise of Data Subject rights related to:

  • Information access
  • Objection to processing
  • Objection to automated decision-making and profiling
  • Restriction of processing
  • Data portability
  • Data rectification
  • Data erasure

If an individual makes a request relating to any of the rights listed above, the Company will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.

All requests received for access to, or rectification of Personal Data will be logged as each request is received. A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.

International Transfers

We will only transfer your data to an overseas jurisdiction where there is sufficient legal basis to do so and where directed specifically by our clients, the data controller.

Changes to this Privacy Policy

Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy.

Contact Us

If you have any questions, comments, or requests regarding this privacy policy or our processing of your information, please contact us.