Privacy Notice

1. Introduction

   1. On Set Software Ltd, registered in England and Wales with company registration number 10149304, of International House, 10 Churchill Way, Cardiff, CF10 2HE, United Kingdom ("we"/"us") are committed to protecting and respecting your privacy.
   2. This notice ("Privacy Notice") (together with our Terms of Use, and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
   3. For the purposes of the General Data Protection Regulation ("GDPR"):
      1. Where we hold data for our customers' purposes or on their instruction, the customer shall be the "controller" and we shall be the "processor". For example the Production Owner is the controller of personal data directly relating to their Production; and
      2. Where we hold data for enabling the operation of the Platform, for billing purposes or for marketing purposes we shall be the "controller".
   4. This Notice shall apply in full where we are the controller. Where we are not the controller, section 6 explains where we will store the data that we process, but all other aspects of this Notice shall not apply, and it is the responsibility of the controller to communicate the relevant information to the data subjects regarding use of their personal data.

2. Information We May Collect From You

   1. We may collect and process data about you in the manner set out below.
   2. You may give us information about you by filling in forms on our Platform or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our Platform, download our App, subscribe to any of our services, make an in-App purchase, share data with our Platform's social media functions, participate in discussion boards on our Platform, enter a competition, promotion or survey, when you report a problem with our Platform or when you upload information or data on our Platform. The information you give us may include your name, address, e-mail address, phone number, your device's phone number, age, username, password and other registration information, financial and credit card information (processed by our payment providers on our behalf), and information regarding your participation in Productions.
   3. With regard to each of your visits to or use of our Platform we may automatically collect the following information about you or your devices:
      1. technical information, including the type of device(s) you use, a unique device identifier, the Internet protocol (IP) address used to connect your device(s) to the Internet, network information, browser type and version, time zone setting, browser plug-in types and versions and operating system and platform;
      2. information and details about your use of our Platform (including but not limited to traffic data, location data, weblogs and other communication data, the full Uniform Resource Locators (URL) clickstream to, through and from our Platform (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page)).
   4. We may also use GPS technology to determine your current location information. Some of our location-enabled services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling the location permissions on your device(s).
   5. We may receive information about you from other sources if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on our Platform. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment services (please see Section 7 below for more information on this), advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

3. Cookies

   1. Like most websites and mobile applications, our Platform uses cookies. A cookie is a small, often encrypted file of letters and numbers that we store on your browser, your computer, your mobile device or other device. They help us improve our Platform and your general experience on it.
   2. We may use the information we obtain from the cookie in the administration of our Platform, to improve our Platform's usability and for marketing purposes. We may also use that information to distinguish you from other users of our Platform and to monitor traffic on our Platform.
   3. If you do not want us to store cookies on your computer or other device for these purposes, you may change the settings on your internet browser to reject cookies. Please note that if you set your browser to reject cookies, you may not be able to use all of the features of our Platform and/or may be prevented from accessing certain parts of our Platform.
   4. If you continue to use our Platform, we will take that as your consent to the relevant cookies being set on your computer or other device.
   5. You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

   • Cookie Name	Purpose
     _ga, _gat	These cookies are inserted by Google Analytics to track user activity, distinguish users and throttle request rate on the Platform. These cookies expire after 2 years (_ga) or 10 minutes (_gat).
     PHPSESSID	This cookie is used to identify a user's unique session ID on the Platform for their current browsing session. It is set upon arrival on the Platform and is deleted upon leave.
     cookieconsent_dismissed	This cookie checks whether a user has accepted the Platform's cookie policy and expires after 2 years.
     auth_key	This cookie acts as an optional "remember me" token and expires after 1 month.
     flags	Used to identify a user's progress through the application, for example to ensure that advisory popups are only shown the first time a user makes a relevant interaction. Expires after 10 years
     XSRF-TOKEN	A unique code to ensure that user data input is from an authorised source. Expires with the PHPSESSID
     intercom-id-hopr4asv intercom-lou-hopr4asv intercom-session-hopr4asv	Intercom tokens, used to identify users across visits and allow them to communicate with us via the chat system. Expire in 36 weeks or 1 week (intercom-session-hopr4asv)

4. Uses Made of This Information

   1. We will use the information you give to us:
      1. to carry out our obligations arising from any contracts entered into between you and us relating to the provision of the Platform's functionalities to you and to provide you with the information, products and services that you request from us;
      2. in accordance with our and/or your legitimate interests under any contract between you and us, to facilitate, and if necessary, enforce any legal obligations you may owe to us, in respect of that contract
      3. to carry out the instructions of Production Owners (where they act as data controller) in relation to Productions in which you are participating, within the functionality of the Platform;
      4. in accordance with our legitimate interest and the legitimate interests of other users of our services in ensuring that our services are used in the most effective manner and for maximum benefit,
         • to invite you to participate in surveys and provide feedback about your experience of using the Platform;
         • to notify you about changes to our Platform or services; and
         • to ensure that content on our Platform is presented in the most effective manner for you and for your computer or mobile device.
      5. in accordance with our legitimate interest in making our customers aware of the full range of services available to them, where you are a Production Owner, to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
      6. where you have consented to the same via the Platform, email or other communications channel, to provide you with information about goods or services we offer that we feel may interest you.
      7. in accordance with our legitimate interest, and the legitimate interest of any counterpart, in facilitating such sale or purchase as part of, or as reasonably necessary for the purpose of, any sale or purchase of any of our business or assets of which the provision or offering of goods or services to you forms part.
   2. We will use the information we collect about you from the use of our Platform, in accordance with our and/or your legitimate interests, in order to improve your experience of our Platform:
      1. to administer our Platform and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
      2. to allow you to participate in interactive features when you choose to do so;
      3. as part of our efforts to keep our Platform safe and secure;
      4. to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
      5. to make suggestions and recommendations to you and other users of our Platform about goods or services that may interest you or them.
   3. We may combine the information we receive from other sources with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
   4. In the course of any of the uses listed above, we may send push notifications to your computer or mobile device(s). You can manage push notifications in your browser's settings and/or in your preference section within our App.

5. Disclosure of your Information

   1. We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries (if applicable).
   2. We may share your information with selected third parties including:
      1. Our mailing partner, to deliver messages to you in accordance with the purposes set out above.
      2. Business partners, suppliers and sub-contractors for the performance of any contracts we enter into with them or you including payment processing, web-hosting and mailing services.
      3. Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with anonymous aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers' wishes by displaying their advertisement to that target audience.
      4. Analytics and search engine providers that assist us in the improvement and optimisation of our Platform.
      5. Suppliers of IT systems and services for the purpose of ensuring the correct operation, or enhancing the operation of IT systems, or to ensure the safety and security of personal data.
   3. We may disclose your personal information to third parties:
      1. in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
      2. if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
      3. if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, and other agreements; or to protect our rights, property, or safety, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
   4. A list of the processors (or sub-processors where we act as processor) can be found on our website.
   5. Data shall be shared with third parties only to the extent compatible with the uses set out in part 4 of this Notice.

6. Where We Store Your Personal Data

   1. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. For example, we use secure servers to store all information you provide to us. The security of your data is of the highest importance to us and we implement all industry standard measures available. However, the transmission of information via the internet is not completely secure and, like any online service, we cannot completely guarantee the security of your data transmitted to our Platform. Any payment transactions will be processed in accordance with Section 7.
   2. The data that we collect from or about you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") for the purposes of mailing, payment processing, data hosting. All such transfers outside of the EEA are made pursuant to an adequacy decision of the European Commission relating to the country of destination, including transfers under the EU-US Privacy Shield. The data we collect from or about you may also on occasion be processed by staff operating outside the EEA who work for us and use our systems. In such cases we will self-assess the adequacy of the security provided by our systems and will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Notice.
   3. Where you have chosen a password that enables you to access certain parts of our Platform, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
   4. We will store your data for as long as necessary to fulfil the purposes for which it is originally collected, as explained in this Notice, or any other lawful purpose subsequently communicated to you, and for other essential purposes such as complying with legal obligations and enforcing our rights, such as those arising under any agreement with you. The retention period may therefore vary for different types of data, and depending on how and why it was gathered. Criteria relevant to determine retention periods include:
      1. If the data is necessary for the performance of a contract, we will retain it while performance under that contract remains active, and for a period thereafter in which that data may still be relevant to dispute resolution, enforcement of rights under the contract, or where additional connected contracts are likely to arise.
      2. If the data is processed pursuant to consent only, and consent is withdrawn, we may delete the data immediately, or we may cease processing and retain the data for a period if we have a need to keep it for dispute resolution or enforcement of rights.
      3. Where data is held solely for the purposes of someone else (for example data controlled by a customer and hosted on our service) we will retain it while we continue to have a relationship with that third party, unless that party indicates that they wish to delete the data. We will normally delete it shortly after that relationship terminates.
      4. In certain cases we may be legally obliged to hold data for a certain period of time, or to delete the data at a certain time, including in accordance with the exercise of your rights as data subject as explained in this Notice.

7. Payment Processing

   1. We do not store any credit card data associated with any purchases processed on the Platform. Instead, we use ChargeBee to process recurring payments and Stripe as a payment gateway for those payments (Stripe and ChargeBee shall together be referred to as "Third Party Payment Processors").
   2. You acknowledge that your use of the payment service provided by these Third Party Payment Processors will require them to process your personal data. We may receive information about you in accordance with Section 2 above from these Third Party Payment Processors and we may disclose information about you in accordance with Section 5 above to these Third Party Payment Processors.
   3. You acknowledge that your personal data may be processed and stored outside of the EEA. Whilst we have been assured by these Third Party Payment Processors that they comply with relevant data protection legislation, we cannot guarantee the security of your personal data, and any payments made through these Third Party Payment Processors are undertaken at your own risk. We have no control over these Third Party Payment Processors.
   4. You should review Stripe's Privacy Notice and ChargeBee's Privacy Notice for more details about how your information is collected, stored and maintained by these Third Party Payment Processors as all such transactions will be governed by these policies rather than this Privacy Notice.

8. Your Rights

   1. We will use your personal data for direct marketing purposes only where you have provided your consent to us, or, where you are a Production Owner, to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about. You have the right to ask us not to process your personal data for these purposes.
   2. The GDPR provides you with rights to:
      1. request from us confirmation of whether or not your personal data is being processed and where that is the case, confirmation of the information set out in this Notice;
      2. request from us a copy of your data that is undergoing processing, including, in relation to data provided to us by you, and which is processed by automatic means pursuant to a contract with you, or pursuant to your consent, a right to request that data in a structured, commonly used and machine readable format;
      3. request that we rectify or complete your personal data, where it is inaccurate or incomplete for the purposes of our processing of the data;
      4. request that we erase your personal data in the following circumstances:
         • the personal data is no longer necessary in relation to the purposes for which it is processed;
         • you withdraw consent and there is no other legal ground for the processing;
         • you successfully object to the processing pursuant to your right of objection explained below;
         • the personal data has been unlawfully processed;
         • the erasure is necessary for compliance with a relevant legal obligation that applies to us;
      5. request that we restrict the processing of your personal data in the following circumstances:
         • you contest the accuracy of the personal data, for a period enabling us to verify the same;
         • the processing is unlawful, but you request restriction rather than erasure;
         • we no longer need the data, but it is required by you in respect of legal claims;
         • you have objected to the processing, until such that that we verify that there are legitimate purposes that justify such processing;
      6. object to any processing that is based on our, or a third party's legitimate interests, upon which event we shall suspend processing until we demonstrate legitimate purposes that justify that processing. We may at all times continue to use data for the purpose of establishment, exercise or defence of legal claims;
      7. withdraw your consent for future processing (where the processing is based on that consent);
      8. lodge a complaint with the Information Commissioner's Office, which is the data protection supervisory authority in the UK.
   3. We will comply with any valid request for information under the rights explained above within one month, though we may tell you that this period is to be extended by a further two months where necessary, taking into account the complexity and number of the requests. This will normally be provided free of charge. If the request is manifestly unfounded, excessive or repetitive we may charge a reasonable fee or refuse to action the request.
   4. The provision of personal data to us is not a statutory requirement. Where the provision of data is a contractual requirement, or a requirement necessary to enter into a contract, we will make that clear as part of the process by which the contract is concluded, which may include by way of terms of the contract. These provisions will also make clear the consequences of failure to provide such data.
   5. Where the data is not a contractual requirement, you are not obliged to provide the data, but if you do not do so, we may be unable to offer certain benefits and functionality to you. For example, you may not be able to access part of the Platform.
   6. Our Platform may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates (including, but not limited to, websites on which our Platform is advertised). If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy notices and that we do not accept any responsibility or liability for these notices or for any personal data that may be collected through these websites or services. Please check these notices before you submit any personal data to these websites or use these services.

9. Changes to Our Privacy Notice

   • Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by e-mail or when you next use our Platform. The new terms may be displayed on-screen and you may be required to read and accept them to continue your use of our Platform. Alternatively, please check back frequently to see any updates or changes to our Privacy Notice.

Contact Us

Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to privacy@onsetupdates.com.