Customer Privacy Notice
Overview
The Access Card scheme works by Nimbus providing a centralised assessment of a disabled person's evidenced needs whereby we translate detailed personal information into a set of symbols that represent their access requirements. This enables disabled people to quickly and discreetly communicate their needs when visiting a venue.
Nimbus does not share any detailed personal information. Nimbus only enables you to share the symbolic information available as Access Card icons to authorised third parties as outlined in this document.
A little about us…
We are a well-established Social Enterprise which started in 2006, and we are run by disabled people for disabled people. In addition to promoting equality and accessibility, we are wholly committed to ensuring that your personal data is treated appropriately and that your privacy rights are respected.
We are a registered Data Controller with the Information Commissioner. Our registration number is ZA020704.
Your Privacy matters to us:
We appreciate the trust you place in us when sharing your personal data, and the security of your data is very important to us. In this notice, we will explain how we collect, use, and protect your personal data. We will also provide information on what rights you have with regards to your personal data and how you can exercise those rights.
We appreciate that the world of data protection can seem a little complicated, so we will try to explain things in a simple and straightforward way.
We collect information from:
- You, when you provide it directly to us either as a new or returning customer
- A guardian or appointed representative
- Online enquiries via our website and Google Ads
What information we collect:
- Contact details (such as name, address, phone, email)
- Health & disability information (such as details of conditions, capacity, accessibility needs)
- Contact information & legal status of representatives & guardians where appropriate
- Call recordings, apart from where payment is taken over a call
- Optional: Demographic information – such as age, gender, ethnicity etc.
- Optional: Leisure, tourism and event preferences to tailor updates
- Payment information and transaction details are taken through our website/app via Stripe
- Enquiries about services and products
- Any concerns you may have
We will use your personal data to:
- Process your application & assess your suitability for an Access Card – in accordance with our terms & conditions
- Produce and provide your Access Card
- Notify you of changes, expirations, cancellations in regard to your Access Card
- Promote services and products in line with your leisure, tourism and event preferences
- Manage the information and keep it secure & up to date
- Process payments and invoices
- Record & review calls and wider correspondence for training and monitoring purposes
- Identify the most appropriate services and opportunities for you
- Assist with your applications and registrations for third parties, such as venues and events, where you choose us to
- Process payments and transactions
- Comply with our legal obligations
Do we have a basis in law to process your information?
We largely process your personal data in accordance with our contractual obligations.
We also process personal information in accordance with our ‘legitimate interests’. This includes considering benefits to the customer and our company, but don’t worry: we respect your privacy rights to ensure that the benefits pass privacy tests before using personal information in this way!
Where it’s appropriate to do so, we will ask for your consent to ensure we are clear on your choices.
We always need to follow the law so there may be some cases where we are legally required to share information with statutory partners & Ombudsman – these are official Organisations like the Police. We’ll tell you more about this in the ‘who we share information with’ section. We have numerous legal obligations, including but not limited to, those that are stipulated under the following laws:
- The Data Protection Act 2018
- The UK General Data Protection Regulations
- The Privacy & Electronic Communications Regulations
- The Human Rights Act 1998
- The Equality Act 2010
- The Consumer Rights Act 2015
- The Safeguarding Vulnerable Groups Act 2006
Can you opt out?
Of course! Wherever we have used your information in line with legitimate interests and consent you will usually be able to opt out by emailing cards@accesscard.org.uk.
There may be some cases where we have to hang on to some information – we explain this in the ‘information we keep’ section.
Who we share information with:
Statutory partners for investigations and audits such as the Police, the Information Commissioner and so on.
Subcontracted organisations & individuals that we have formally engaged in the development and hosting of our systems.
Courts and Tribunals where necessary.
Where appropriate, within the Access Card app, we promote details of our trusted partners' offers, services and products.
In limited circumstances we may share information with a local authority. For example, we currently work with Croydon City Council for the disabled children’s registration scheme.
Any third party ticket sites are authorised to validate your access information via an API. This is only possible by authorised providers, and to do so you must provide them with your forename, surname and card ID. This acts as consent for them to pull your Access Card symbols into their systems.
With the correct information, the additional information we share back to the provider is your face photograph (for validation purposes), and your allotted access symbols (all of which are shown on the physical Access Card).
International Transfers:
We are committed to ensuring that any international transfer complies with UK Data Protection Legislation. In most cases, it will be necessary for us to implement the appropriate contractual safeguards prior to transferring such data.
We note that customers can sign up to our services from anywhere in the world. Customers can also opt to share their own data with overseas leisure and tourism providers such as Disneyland Paris.
Your rights for personal data:
- ask for a copy of the personal data we hold about you. Assuming your request is reasonable, we will provide a copy of all the personal data we hold about you and you can check that we’re processing it lawfully. This can be done by emailing dpo@nimbusdisability.com and we will respond with some security questions before sending any information to your postal address as per your application.
- ask us to correct the personal data that we hold about you
- ask us to delete your personal data. This one’s a little tricky! If, for some reason, we still hold your data without good reason, we’ll delete it at your request. There may be certain reasons why we need to hold on to information, but we will explain these.
- object to us processing your personal data. This applies where we’re relying on a “legitimate interest” of ours or a third party, and you have a situation which makes you want to object to us processing your data.
- ask for the restriction of the processing of your personal data. This means you can ask us to suspend the processing of personal data about you
- ask for the transfer of your personal data to you or another data controller if the processing is based on consent or contract – and you provided that information to us
- withdraw consent for processing – we’ve mentioned this above in the ‘can you opt out?’ section
- Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically. We don’t make automatic decisions; we carefully reach decisions about you and your information.
Information we keep:
We keep your personal data for as long as we have to and always do this in line with data protection laws. We don’t want to keep your data any longer than we need to!
We store information securely. We mainly keep this digitally on our protected devices. We may also keep paper records for a certain period of time, but don’t worry, we’ll keep these secure as well.
Have some privacy concerns or questions?
Our Data Protection Officer is Mark Briggs
You can email: dpo@nimbusdisability.com
Or call: 0330 808 5108
Or write to: Nimbus Disability, Suite GB, Pentagon House, Sir Frank Whittle Road, Derby, DE24 4XA
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):
By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Alternatively, visit ico.org.uk or email icocasework@ico.org.uk
Cookies Policy:
We do not set any cookies on our websites (accesscard.online or nimbusdisability.com). In our Access Card app, we set one session cookie containing a randomised number that is used to keep the user logged in after closing the app.
When was this policy last updated?
April 2024.
Nimbus Disability, CredAbility & Access Card - Retention Schedule
The Nimbus Disability website does not store any information on the visitors/users of the website. Please see the Access Card website's privacy policy for how Access Card customer data is stored: https://www.accesscard.online/legal/privacy/