Privacy Policy

Privacy Policy – Last Updated 25th September 2024

Student Discount Cards Limited (Company Number 08873775)

The privacy and security of your personal information is extremely important to us. This privacy policy explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information. Your personal data is in safe hands with us. 

Privacy Principles 

We take your privacy seriously. The following principles underpin our approach to respecting your privacy: 

  • We value the trust that you place in us by giving us your personal information. We will always use your personal information in a way that is fair and worthy of that trust. 
  • We will provide clear guidance on how we use your personal information. We shall always be transparent with you about what information we collect, what we do with it, with whom we share it and who you should contact if you have any concerns. 
  • We will take all reasonable steps to protect your information from misuse and keep it secure. 
  • We will comply with all applicable data protection laws and regulations and we will co-operate with data protection authorities. In the absence of data protection legislation, we will act in accordance with generally accepted principles governing data protection. 
  • We will always protect your personal data and, as part of this, we regularly review our privacy notice so that you can see how we use your data and what your options are. If there are any further changes to the ‘UK General Data Protection Regulation’ (UK GDPR) or related laws, we may need to amend this statement in the future. 

A few quick notes: 

This privacy policy explains what data we collect as well as how and why we use your personal data. 

The policy applies to you if you’re a card holder, student, if you are an organisation, we have a working relationship with (e.g. supplier), if you visit our websites or email, call or write to us.

We will never sell your personal data. We will only share it with organisations we work with who meet our high privacy standards. 

Index: 

Who ‘we’ are? 

How we use your personal data

How we secure your data

Where your personal data may be processed

Events

Disclosing and sharing information

Data Retention

Your data protection rights

When we use Legitimate Interest

Changes to this Privacy Policy 

Who ‘We’ are 

In this policy, whenever you see the words ‘we’ it refers to Student Discount Cards Limited (Company Number 08873775.

Our registered office address is Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN. 

We operate the following sites: 

https://www.isic.org.uk

If you have any questions relating to this privacy policy or how we use your personal data, please send them to dpo@isic.org.uk or post them to the Data Protection Officer, Student Discount Cards Limited , Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN. 

Personal Data We Hold About You

1.1 We collect personal data from you when you voluntarily submit information directly to us or our application. This can include information you provide when you register to use the application, login to the application, complete a form, correspond with us, use discounts via our application or subscribe to our email lists.

1.1.1. Verifying ISIC Card: When you register to use our application, it may be necessary to verify the validity of your ISIC Card. We will also on a regular basis verify the validity of your ISIC Card, either at our own initiative or by your request. If your ISIC Card goes through a validation process, we will process your name, ISIC Card number, data of verification and IP Address. The verification, including the personal data necessary for it, will be stored for 5 years from the date of verification.

1.1.2. Application Profile: When you have completed your registration to our application, a profile will be created for you in our application. For managing your profile and enabling use of our application, we will process the personal data belonging to your ISIC Card and/or data you have provided us. The personal data collected and processed are your name, date of birth, ISIC Card Number, contact details, photo, country of residence, issuer organization of your ISIC Card, ISIC Card type, ISIC Card validity, ISIC Card status, your preferences and information about how you use and connect to the application, favourite discounts and password.

1.1.3. Displaying ISIC Card: For physically displaying and using your ISIC Card in the application, an image of your ISIC Card will be generated and temporarily stored, including any information found on your ISIC Card

1.1.4. Direct Marketing: So that we can ensure that you get the best from your ISIC proposition, we will send out newsletters and other electronic direct marketing under legitimate interests. We will process your name, e-mail address and phone number. You can unsubscribe from this processing at any time from the footer of any email from us

1.2 We also collect personal data indirectly from you, such as information about the pages you look at on the application and the device you connect to the application with.

1.4 We will now describe a few of the aforementioned categories of personal data we collect in more detail:

(a) Contact details: Include data such as your name, your email address and your telephone number associated with your account.

(b) Account information: Include data such as your contact details (as above) and other any information you share when creating an account with our application.

(c) Your preferences: choices you make such as notification and messaging preferences or choices about how the application is set up.

(d) Information about how you use and connect to the application:

(i) We collect information about how you use the application such as the pages and links you access, the discounts you have selected, the time you access the application and duration you are on it, the website you come to the application from or go to after leaving the application and selections and choices you make when using the application.

(ii) We also collect information about the computer or other electronic devices you use to connect to the application such as details about the type of device (which can include unique device identifying numbers), its operating system, browser and applications connected to the application through the device, your Internet service provider or mobile network, your IP address and your device’s telephone number (if it has one).

(e) Information about your location: subject to your consent, we may collect your location or an approximation thereof to show nearby discounts/benefits or location on the map. We do not connect location data to concrete users.

(f) Information provided by other organisations: Other organisations may provide information that we associate with you where they are lawfully permitted to share it, such as contact details, demographic data, or Internet navigation information.

How we use your personal data

We will use your personal data for the purposes outlined at the time you provided it to us. Examples include:

  1. Administering your discount membership and our relationship with you as a cardholder, as well as providing you with information about discount offers and other related purposes.
  2. Responding to your requests and fulfilling our contractual obligations with you.
  3. Under legitimate interest, we will share information with the National Union of Students (United Kingdom), Company number 08015198 and/or NUS Students’ Union Charitable Service. As a student, we want to ensure you have access to the latest information about campaigns and competitions for students. You can opt out at any time by emailing dpo@isic.org.uk

We may also need to provide your personal data if we are asked by the police, or any other regulatory or government authority in relation to safeguarding. 

How we secure your data 
We want to keep our customers and suppliers safe, so the security of your data and of our information systems is incredibly important to us. When you entrust your personal information to us, we take care of it as if it were our own.  We spend a lot of time, money and resources on ensuring that the personal details you entrust to us are protected from loss, misuse and abuse.   

External threats to our data security are changing all the time, so we have a robust process for assessing, managing and protecting all of our new and existing systems to ensure they are up to date and secure. 

Our staff complete mandatory information security and data protection training when they start with us and every year afterwards, to reinforce their responsibilities and requirements and ensure they understand and comply with their obligations under the Data Protection Act 2018 and UK GDPR.  We carefully control who has access to your information and ensure that it is only used in the way you would expect. 

When you trust us with your data we will keep your information secure to maintain your confidentiality. 

Where your personal data may be processed 

Whenever we transfer personal data out of the EEA or the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:  

We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO. For further details, see ICO A guide to international transfers

Where we use certain service providers, we may use specific contracts approved by the ICO which give personal data the same protection it has in UK.

Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the UK and the US.

We also take regular encrypted backups. 

Disclosing and Sharing information

We do not sell or share your personal information for other organisations to use unless you specifically opt into this. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Policy.  Non-exhaustively, those parties may include suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as cloud storage providers or mailing houses.

 

Data Retention 

We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements. 

Your Data Protection Rights 

Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we are a data controller and have provided further information about the rights that individuals have and how to exercise them below: 

Right of Access – you have a right to ask us for copies of your personal data held by us.  This right may be exercised by emailing us at dpo@isic.org.uk or writing to us at DPO, Student Discount Cards Limited, Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN.  We will aim to respond to any requests for information promptly and within the legally required time limit (30 days).  This timeframe may be extended by up to two months if your request is particularly complex. 

Amendment of Personal data – You have the right to ask us to rectify personal information you think is inaccurate.  You also have the right to ask us to complete information you think is incomplete. The update or amendment of your personal data will take place within 30 days of receipt of your request. 

Right to Restriction of Processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances. 

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances. 

Your right to erasure – You have the right to ask us to erase your personal information.    
Your data will be deleted:

You are not required to pay any charge for exercising your rights.  If you make a request, we have 30 days to respond to you. 

When we use legitimate Interest 

Under data protection legislation we are only permitted to use your personal information if we have a legal basis for doing so as set out in the data protection legislation.  

The legal basis that permits us to use your information depends on the basis that we are using that information for.  We rely on the following legal bases to use your information: 

  • Where we need information to perform the contract we have entered with you. 
  • Where we need to comply with a legal obligation. 
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 

In more limited circumstances we may also rely on the following legal bases: 

  • Where we need to protect your interests (or someone else’s interests). 
  • Where it is needed in the public interest or for official purposes. 

Some information is classified as “special” data under data protection legislation. This includes information relating to health, racial or ethnic origin, religious beliefs or political opinions, sexual orientation and trade union membership. This information is more sensitive and we need to have further justifications for collecting, storing and using this type of personal information. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data. 

We may process special categories of personal information and criminal conviction information in the following circumstances: 

  • In limited circumstances with your explicit consent, in which case we will explain the purpose for which the information will be used at the point where we ask for your consent. 
  • We will use information about your physical and mental health or disability status to comply with our legal obligations, including to ensure your health, safety and wellbeing at our events. 

The legal basis that permits us to use your information is consent. 

What to do if you are not happy?

If you have any concerns about our use of your personal information, you can make a complaint to us at dpo@isic.org.uk

You can also complain to the ICO if you are unhappy with how we have used your data. 

The ICO’s address is: 

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 

Helpline number: 0303 123 1113 

ICO Website: https://www.ico.org.uk  

Changes to this Privacy Policy  

We keep our privacy policy under regular review, and we will place any updates on this web page. This privacy policy was last updated on Tuesday, 24 September 2024.