PRIVACY NOTICE

 

Umbrella Risk Management Ltd ("Umbrella", "we", "us") is a Promotional Marketing Agency that manages B2B and B2C campaigns on behalf of our clients. Our goal is to protect the privacy of the personal data that we receive through but not limited to secure file transfer, Internet, post, telephone, messaging services, or any other means from our clients’ customers. 

Umbrella Risk Management Ltd is a company registered in England and Wales (Company No. 05397976) with its registered office at Dodwell House, Chilton Business Centre, Chilton, Buckinghamshire, HP18 9LS. 

This policy explains how we collect, use, store, and protect personal data. It reflects our commitment to the Confidentiality, Integrity, and Availability (CIA) of the business-critical and sensitive data we handle. 

Umbrella typically receives personal data either directly from you (e.g., when you enter a promotion, submit a claim form, or contact us) or from the brand that engages Umbrella to administer the promotion. 

Depending on the campaign and your interaction, we may process: 

1. Identity and contact details: name, postal address, email address, phone number, and date of birth (where necessary for eligibility checks). 

2. Prize and fulfilment details: delivery address, travel preferences, booking information, or bank details for prize or cashback fulfilment. 

3. Participation data: codes entered, proof of purchase, entry date/time, responses to promotion questions, and communication history. 

4. Technical data: IP address, device type, and basic usage metrics from online entry forms. 

5. Special category data: limited health or accessibility information for travel or event prizes, only where strictly necessary and permitted by law. 

Mandatory and optional data items will be clearly indicated in the relevant promotion terms or entry form. 

Within the confines of a promotional marketing campaign, we typically receive data in four main ways: 

1. Website Entries: Consumers enter their personal details into a website to claim a prize or a chance to win. Our suppliers are given secure access to the site to download the data and process the prize. We use Secure Socket Layer (SSL) technology to help keep the personal information provided on any site we maintain secure. 

2. Postal Entries: Consumers enter a campaign by filling in a form which they post or hand in at an event. Postal entries are captured onto a secure server, and the physical postal applications are securely stored until the retention period expires (see Data Retention below). 

3. Secure File Transfer Protocol (SFTP): Where data has been collected elsewhere but needs to be delivered to us for processing, we use SFTP. Our handling suppliers are given passwords to securely access and download the data. Data remains on the SFTP server only for a limited time required for transfer. 

4. Customer Service: From time to time, we receive queries directly from consumers regarding their entry or claim. In these instances, we request only key crucial data (e.g., Name, Email, Mobile Number, live geolocation and / or Postcode) necessary to access their application and resolve the query. 

We process personal data primarily to process and deliver prizes, gifts, or incentives to individuals. We comply with the following legal bases under the UK GDPR and Data Protection Act 2018: 

To run and fulfil promotions: verifying eligibility, selecting winners, delivering prizes, and handling customer service (performance of a contract). 

To comply with legal obligations: maintaining records, responding to regulators, and keeping audit trails. 

To protect our business and participants: preventing fraud, managing risk, resolving disputes, and defending legal claims (legitimate interests). 

To analyse and improve services: using aggregated or pseudonymised data wherever possible (legitimate interests). 

We share personal data only where necessary to deliver a promotion, operate our business, or comply with the law. This may include: 

The brand or agency running the promotion. 

Prize fulfilment partners (e.g., travel providers, logistics companies, payment processors). 

Professional advisers, auditors, regulators, or law enforcement. 

Some partners may be outside the UK or EEA. Where this occurs, we ensure appropriate safeguards (e.g., standard contractual clauses) or another lawful transfer mechanism. 

We retain personal data only as long as necessary for the purposes described, including legal and accounting requirements. Typically, this means for the duration of the campaign plus a defined retention period. This will vary from promotion to promotion and will be specified in promotions terms or privacy policy. 

Umbrella balances the need to store information for query resolution with our legal obligation to destroy data when it is no longer required. 

1. Active Period: Data remains on the system for 6 months after a campaign ends to handle any immediate queries or claims. 

2. Archival Period: Data is archived for a further 18 months for audit and legal purposes. 

3 Destruction: After this total period, data is securely destroyed. 

1. Paper: Confidential paper information is cross-shredded. 

2. Electronic Media: Computer hard drives and media are wiped using professional software tools to ensure no unencrypted data remains. Media that cannot be wiped is physically destroyed. 

To ensure compliance, Umbrella enforces strict internal policies for all staff and suppliers: 

Staff Responsibility: All staff are trained on data security risks and are responsible for protecting sensitive data. Failure to comply with these policies leads to disciplinary procedures. 

Supplier Audits: Suppliers are required to carry out periodic risk assessments, maintain effective contingency plans, and ensure their security arrangements keep pace with technological changes. 

Under UK data protection law, you may: 

1. Request access to your personal data. 

2. Request deletion or restriction of processing in certain cases. 

3. Object to processing based on legitimate interests or for direct marketing. 

4. Request data portability in a structured, machine-readable format. 

To exercise these rights, contact us using the details below. We may require proof of identity to protect your information. 

You also have the right to complain to the Information Commissioner’s Office (ICO), though we would appreciate the chance to resolve concerns first. 

Umbrella Risk Management Ltd 

Dodwell House, Chilton Business Centre 

Chilton, Aylesbury, Buckinghamshire, HP18 9LS 

Email: info@team-umbrella.co.uk