TAAP Visitor Book – Privacy Notice

Your privacy is important to us. Our goal is to make TAAP Visitor Book a great experience while processing your personal data fairly and transparently. This Privacy Notice (the “Privacy Notice”) aims to describe how we process your personal data in the context of your use of TAAP Visitor Book and to inform you of the rights you hold as a result. The TAAP Visitor Book Product is made up of a Portal (“Website”) for use by an Organisation who subscribe to the Product and a mobile application for use by the Visitors who sign in and out of Organisation’s locations. This Privacy Notice applies only to our Website and to the services provided through our mobile application (the “TAAP Visitor Book App”). Use of the TAAP Visitor Book Product is your use of our Services.

1. Introduction and applicability

In light of the UK GDPR legislation on the protection of personal data (the “General Data Protection Regulation”, known as the “GDPR” 2016/679 and Data Protection Act 2018), we would like to disclose, in a transparent manner, our data processing operations with respect to the personal data collected by your use of our Services.

Kindly observe that this Privacy Notice does not apply to any external products or services such as applications or software that integrate with other services (“Third Party Services”). Furthermore, please note that our Services may contain links, embedded or not, to external websites and services that have privacy policies of their own and fall outside the scope of this Privacy Notice.

We are committed to ensuring that your personal data is kept confidential, and that it is only collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. For any question regarding the collection or processing of your personal data, or for any request to exercise your rights in relation to your personal data, you can contact us in writing at any time to dataprotectionofficer@ontaap.com.

For more details on data processing, its scope and purpose, the relationship between the Data Controller and the Data Processor, please visit our Data Processor Agreement (DPA)

2. Who is responsible for the data processing?

TAAP Ltd, having its registered office at Kinetic Centre, Theobald Street, Borehamwood, Hertfordshire WD6 4PJ under company number 04962797 is the Data Processor for the processing of your personal data collected via the Product and for the processing carried out when you subscribe to and/or use our Services and so enter information when creating your account. TAAP Visitor Book is one of many products incubated and built in the United Kingdom by TAAP Ltd.

The Organisation that purchases TAAP Visitor Book and displays QR codes generated by the Product for Visitors to sign in and outis the Data Controller. The Organisation has the ability to configure data fields they wish to collect on a Visitor and the data retention period from between 1 – 30 days. Configurable data fields are outlined in Section 4.

On downloading the TAAP Visitor Book application and submitting your data, you are giving your consent to the processing of your personal data by TAAP Ltd (Data Processor) and the subscribing Organisation (Data Controller) that shall use the TAAP Visitor Book Product.

3. What is personal data?

Personal data (which should be understood to include personally identifiable information, or PII for short) is any information relating to an identified or identifiable natural person. It is sufficient that the data shall allow us to establish a (direct or indirect) link between one or more data-pieces and a natural person.

Personal data does not include anonymous or non-personal data (i.e. information that cannot be associated with or tracked back to a specific individual) or personal data that has been independently anonymised. By your use of our Services, you in any case consent to the processing and using of anonymous and non-personal data that is no longer associated with any natural person.

4. Description of processing

What information will we collect?

-Product payment/ invoices – details required to complete the purchase of the Product. Where credit card payment is required over the phone; Name and card details will be required. For invoicing – billing details such as invoice email, address, phone numbers will be required.

-Account registration for use of the TAAP Visitor Book Product. When registering for an account, details that you provide us with are required to create a user and provide you with access to the Portal. The registration requires you to provide us with;

-Admin User Email Address – Needed to provide access to the Website for account setup.

-TAAP Visitor Book Portal – Your administrator will setup users of the system which will include the following data;

-Display Name – Needed to Identify who has logged in.

-Email address – required as a username to be able to log into the Portal for security
and identification purposes.

-TAAP Visitor Book app – If you are a Visitor that has pre-registered or signed into a location using the TAAP Visitor Book mobile Application, you will be required to complete your personal details as specified by the Organisation. These details will be sent back to the Portal for visibility of who has pre-registered or signed in and out of an Organisation’s location. The information provided can include;

-Visitor Name – (mandatory) so the reception, security, admin, at a location, can view a Visitor Book log of who has signed in and out.

-Person Visiting Name – (mandatory, if selected) so the reception, security, admin, at a location, can identify who the Visitor is coming to see.

-Phone Number – (mandatory, if selected). Used to contact you for security and/or health and safety purposes when signed into a particular location.

-Email – (mandatory, if selected). Used to contact you for security and health and safety purposes when signed into a particular location.

-Vehicle Registration – (optional, if selected). Used to identify owners of motor vehicles in case of accessibility issues at a location. E.g blocking another person’s vehicle or emergency services accessibility.

-Photo – (mandatory, if selected). Used for identification and security purposes when signing into and out of a location.

-Postcode – (optional, if selected). Used for track and trace purposes where required.

-Special Assistance Required – (optional). Used to inform the organiser/reception that assistance may be required on arrival or in the case of an emergency. Should the Visitor select ‘Yes’, options are available to provide further detail.

5. For what purpose will we process your data? Will my personal data be shared?

Your data will be processed for specified, explicit and legitimate purposes as described in section [4]. We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us using the details in section 10.

We may, from time to time, use your personal data for reporting and for making improvements to our Services; in such instances we will always ensure an individual cannot be identified.

Your personal data may be transferred to our trusted third-party processors, this will be for purposes such as: hosting of our servers, project management tools and customer relationship management system.

Our trusted third-party processors are contractually bound by us to keep your information confidential and used only for specified, explicit, and legitimate purposes as specified in section [4].

Some messages from us are service-related and necessary for customers. You agree that we can send you non-marketing emails or messages, such as those related to transactions, your account, security, or product changes/updates.

With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email with information, news, and offers on our services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out. We will always obtain your express opt-in consent before sharing your personal data with third parties for marketing purposes and you will be able to opt-out at any time.

If you have agreed that we can use your information for marketing purposes, you can change your mind easily, via one of these methods: Send an email to: unsubscribe@ontaap.com or write to us at: Unsubscribe, c/o Data Protection Officer, Kinetic Centre, Theobald Street, Borehamwood, Hertfordshire WD6 4PJ.

We will never lease, distribute or sell your personal data to a third party without requesting your prior permission. We will not transfer your data to other third parties without informing you separately beforehand in the exceptional cases where we are either legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims.

6. Legal Basis for processing personal data

Our legal basis for collecting and using the personal data described above will depend on the personal information concerned and the specific context in which we collect it. However, we will generally only collect personal information from you where:

• We need the personal information to perform a contract with you upon signup and acceptance of our End User License Agreement (EULA);
• The processing is in our legitimate interest and not overridden by your right;
• You have given your consent to do so.

We have a legitimate interest in operating our services, for example when responding to your queries, improving our services, undertaking marketing. In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the GDPR and your legal rights.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not.

7. Security of your data

 Protecting personal data from access, loss or alteration is of the utmost importance to us. All visitor records, photos, account data, configuration data and contact information are stored in the Cloud, data centres within the United Kingdom.

Servers are updated with the latest security patches during scheduled routine maintenance.

The TAAP Visitor Book app and Website (referred to as our Services) access data using our secure API (short for: application program interface – how software components interact with each other forming the basis of software applications). The API uses encryption for data in transit, and every request must include a time-limited authentication token generated by the authentication system. Visitor data is encrypted at rest. For support purposes, a limited number of senior engineers can access client data via a virtual private network secure tunnel, controlled by private key-based secrets and multi-factor authentication.

As a Website user, you will log in with an email address and password, managed by your Admin as specified in [4]. User passwords are hashed at all times and cannot be accessed or intercepted as we use Secure Socket Layer (SSL) technology.

There are two user levels that can be set, controlling access to user management and configuration options. For accounts with multiple sites, there is also the option to restrict individual users to only view data for a single site.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Where will your personal data be processed?

Visitor data collected via our Services is only stored and/or processed within the United Kingdom (UK).

Sometimes we will need to share your personal data with third parties and suppliers outside the United Kingdom. This will be for purposes such as: Technical Support, Project Management Tools and our Customer Relationship Management system.

Where your personal data is transferred outside the United Kingdom, it will only be transferred to countries that have been identified as providing adequate protection for United Kingdom data, or where approved transfer mechanisms are in place to protect your personal data, i.e., by ensuring the entity is Privacy Shield certified (for transfers to US-based third parties). If you wish for more information about this, please contact dataprotectionofficer@ontaap.com.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

9. How long will we hold your data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected or to comply with applicable legal, tax or accounting requirements in accordance with our data retention policy. Following that period, we’ll make sure it’s deleted or anonymised.

For the TAAP Visitors data submitted by the TAAP Visitor Book app into the Website, the data will be held for a period of up to 30 days only. Should you wish to see a copy of our Data Retention Policy, this can be requested by email to dataprotectionofficer@ontaap.com.

10. Data subject rights

It’s your personal data and you, as a data subject, have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time. Follow the unsubscribe instructions contained in the marketing communication, or send your request to unsubscribe@ontaap.com.

Under data protection law, you have rights including:

• Your right of access – You have the right to ask us for copies of your personal information.
• Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
• Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
• Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
• You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

You can exercise these rights at any time by sending an email to dataprotectionofficer@ontaap.com.

If you’re not happy with how we are processing your personal data, please let us know by sending an email to dataprotectionofficer@ontaap.com. We will review and investigate your complaint and get back to you within a reasonable time frame.

You may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner’s Office (ICO).

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113

This privacy statement was last updated: 23rd October 2023 under version 2.