Privacy Policy

Introductions

We are Online-store BigBrightLight.com (hereinafter “Online-store” or “We”) (company number: 12860248, “Upp Wellbeing Ltd” is a company, with its registered office at Beechwood, Park Drive, Doncaster, DN5 7LP). Upp Wellbeing Ltd is the “data controller” of any Personal Data it may collect, process and hold about You, unless we inform You otherwise.

For the purposes of this policy, we define the term “Customer” as an individual or business entity, who uses the Website to order an item in our Online-store and the term “User” as an individual, who uses the Website to view an item in our Online-store and / or an individual who subscribes to the Online Store newsletter.

If the information relates to both the User and the Customer, for the purposes of this policy, we define the term “You” or “Your”.

We know how important it is for You to understand how we use Your data. This Privacy Policy explains how we use any Personal Data You provide us with when You use our Online-store via Website bigbrightlight.com (hereinafter - “Website”) and any contact You have with our Customer Support.

This Privacy Policy also explains Your rights in relation to the Personal Data that we collect about You. We respect Your right to privacy and are committed to maintaining it. By accessing and browsing our Website You are confirming that You have read and understood this Privacy Policy, so please make sure You have read it carefully.

We will always be transparent with You about what we do with Your Personal Data. We only collect, store and process Your Personal Data in accordance with the relevant laws and regulations.

We do not sell Your Personal Data to third parties. A ‘sale’ of Personal Data under the CCPA is defined broadly to include the ‘selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means’ the Personal Data of a consumer to another business or third party ‘for monetary or other valuable consideration.’ If we decide to sell our Website or our business, we will inform You about this, so You can forbid us to transfer Your Personal Data together with our business. If so, we will delete Your data from the databases prior to a business transfer.

We adhere to the following principles in order to protect Your privacy:

Principle of purposefulness - we process Personal Data fairly and in a transparent manner only for the achievement of determined and lawful objectives, and they shall not be processed in a manner not conforming to the objectives of data processing;
Principle of minimalism - we collect Personal Data only to the extent necessary for the achievement of determined purposes and do not keep Personal Data if it is no longer needed;
Principle of restricted use - we use Personal Data for other purposes only with the consent of the data subject or with the permission of a competent authority;
Principle of data quality - we update Personal Data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing;
Principle of security - security measures shall be applied in order to protect Personal Data from unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures;
Principle of individual participation - the persons shall be notified of data collected concerning him or her, the persons shall be granted access to the data concerning him or her and the persons have the right to demand the correction of inaccurate or misleading data.

1. Data we collect

1.1

Usage data

1.1.1

We may collect, record and analyse Your information on our Website.

1.1.2

Where our Website is accessed purely to gain information, i.e. where You do not provide us information in any way, we only collect the Personal Data provided by Your browser to our server. When You view our website, we collect the following data necessary for technical purposes to be able to demonstrate our Website to You and to ensure adequate access stability and security (therefore, the legal basis for this is the legitimate interest of the Online-store):

1.1.3

We use this information in aggregate to assess the popularity of the web pages on our Website and how we perform in providing content to You. When combined with other information we know about You from previous visits, the data could possibly be used to identify personal information, even if You did not provide any information to us. Information collected this way is stored for no longer than one year.

1.1.4

Processing of Usage Data relies on our legitimate interests. It is necessary for managing and running our business efficiently and effectively, providing quality services including website support, developing and improving products, determining who may be interested in them.

1.1.5

While processing Your Personal Data, we rely on Your consent to the processing of Your Personal Data for the purpose of communicating with You. We use such Personal Data in ways You would reasonably expect and which have a minimal privacy impact. You can withdraw consent at any time by sending us an email to privacy@uppwellbeing.com with Your withdrawal request and Your Personal Data will be deleted within seventy-two (72) hours.

1.1.6

Processing of Personal Data for marketing purposes (including newsletters) also relies on Your consent. We use data in ways You would reasonably expect and which have a minimal privacy impact.

1.1.7

Wherever possible, we aim to obtain Your explicit consent to process Your Personal Data.

1.1.8

You can control the use of Cookies at the individual browser level. If You reject Cookies, You may still use our Website, but Your ability to use some features or areas of our website may be limited.

1.2

Personal Data

1.2.1

In order to provide newsletter services to You, we collect Your personally identifiable information. In order to receive the newsletter, You will provide us with Your name and email. We use this information for marketing purposes.

1.2.2

In order to provide services and place orders to You, we collect Your personally identifiable information.

1.2.3

When You use our Website to place an order by submitting an online order form on the Website, a contract is concluded between You and us. In order to fulfil our obligations under this contract, we must process the information that You provide to us.

1.2.4

During the submission of an online order form on the Website, You provide us with Your name, postal address, email and phone number. We use this information to identify You, provide You with services and fulfil an order, as well as to fulfil other contractual obligations.

1.2.5

Also, You provide us with the following information about the Addressee during the submission of an online order form on the Website:

Comments and product reviews
Cookies and Usage Data.

1.2.6

This information is used by us to identify You and to personalise You to complete the order in full.

1.2.7

We may obtain Your Personal Data from third parties such as payment service providers, whose services we use.

1.2.8

We process this information on the basis there is a contract between us and the Customer, we use the information before we enter into a legal contract.

1.3

Communication data

1.3.1

We collect any data that You share to us whether that be through email, text, social media messaging, social media posting or any other communication that You send us. We process this data for the purposes of communicating with You, for record keeping and for the establishment, pursuance or defence of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.

1.3.2

1.4

Marketing data

1.4.1

1.4.2

Processing of Personal Data for marketing purposes also relies on the consent obtained from You. This processing has appropriate safeguards and a minimal privacy impact. If You no longer wish to receive promotional emails, You may opt-out of them by following the “unsubscribe” link You will find on all the email marketing messages we send You. Alternatively, You can contact us at privacy@uppwellbeing.com.

1.5

Additional terms of processing

1.5.1

We do not collect any sensitive data about You. Sensitive data refers to data that includes details about Your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about Your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.

1.5.2

Where we are required to collect Personal Data by law, which You do not provide us with, we may not be able to perform the contract (for example, to deliver Services to You). If You don’t provide us with the requested data, we may have to cancel a product or Service You have ordered but if we do, we will notify You at the time. We will only use Your Personal Data for a purpose it was collected for or a reasonably compatible purpose if necessary. For more information on this please email us at privacy@uppwellbeing.com.

1.5.3

In case we need to use Your details for an unrelated new purpose we will let You know and explain the legal grounds for processing. We may process Your Personal Data without Your knowledge or consent where this is required or permitted by law.

1.5.4

We do not carry out automated decision making or any type of automated profiling.

IP address;
Enquiry date and time;
Time zone difference to Greenwich Mean Time (GMT);
Enquiry content (the exact web page accessed);
Access status/HTTP status code;
Data volume transmitted in each case;
Website generating the enquiry;
OS and its interface;
Browser language and version.

2. Compliance with the applicable law

2.1

For Customers and Users located in the United Kingdom all processing of Personal Data is performed in accordance with regulations and rules following the Data Protection Act 2018.

2.2

For Customers and Users located in the European Economic Area (EEA) privacy rights are granted and all processing of Personal Data is performed in accordance with regulations and rules following the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation (GDPR).

2.3

For Customers and Users located in California all processing of Personal Data is performed in accordance with regulations and rules following the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”)

2.4

For Customers and Users located in Brazilia, all processing of Personal Data is performed in accordance with regulations and rules following the Lei Geral de Proteção de Dados (“LGPD”).

2.5

We may need to share your Personal Data with the third parties that provide the Services. Where your Personal Data is transferred outside of the European Economic Area (‘EEA’), we require that appropriate safeguards are in place.

2.6

We guarantee that we have Data Processing Agreements in place with our service providers, ensuring compliance with the GDPR and our contracts with them, requiring us to maintain the confidentiality of Personal Data. All data transfers inside and outside of the EEA are being done in accordance with these Data Processing Agreements. All data transfers are performed in accordance with the strictest security regulations.

2.7

For more detailed information about the international information transfers to our business partners, service providers and developers outside of the EU/EEA, please contact us at privacy@uppwellbeing.com.

3. Your legal rights

3.1

You can review, correct, update, delete or transfer Your personally identifiable information. For that, contact us directly at privacy@uppwellbeing.com. We will acknowledge Your request within seventy-two (72) hours and handle it promptly and as required by law.

3.2

Right to access. You may contact us to get confirmation as to whether or not we are processing Your Personal Data. Where we process Your Personal Data, we will inform You of what categories of Personal Data we process regarding You, the processing purposes, the categories of recipients to whom Personal Data have been or will be disclosed and the envisaged storage period or criteria to determine that period.

3.3

Right to withdraw consent. In case our processing is based on a consent granted by You, You may withdraw the consent at any time by contacting us or by using the functionalities of our Services.

3.4

Right to object. In case our processing is based on our legitimate interest to run, maintain and develop our business, You have the right to object at any time to our processing. We shall then no longer process Your Personal Data unless for the provision of our Services or if we demonstrate other compelling legitimate grounds for our processing that override Your interests, rights and freedoms or for legal claims. Notwithstanding any consent granted beforehand for direct marketing purposes, You have the right to prohibit us from using his/her Personal Data for direct marketing purposes, by contacting us or by using the functionalities of the Services or unsubscribe possibilities in connection with our direct marketing messages.

3.5

Right to restriction of processing. You have the right to obtain from us restriction of processing of Your Personal Data, as foreseen by applicable data protection law, e.g. to allow our verification of accuracy of Personal Data after Your contesting of accuracy or to prevent us from erasing Personal Data when Personal Data is no longer necessary for the purposes but still is required for Your legal claims or when our processing is unlawful. Restriction of processing may lead to fewer possibilities to use our Services.

3.6

Right to data portability. You have the right to receive Your Personal Data from us in a structured, commonly used and machine-readable format and to independently transmit that data to a third party, in case our processing is based on Your consent and carried out by automated means.

3.7

To exercise any of the above mentioned rights, You should primarily use the Website or/and place an order in the Online-store. If such functions are however not sufficient for exercising such rights, Customer and/or User shall send us a letter or email to the address set out below under Contact, including the following information: name, address, phone number, email address and a copy of a valid proof of identity. We may request additional information necessary to confirm Your identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.

3.8

If You are from the United Kingdom and You object to Your data processing, You can complain to the Information Commissioner’s Office at casework@ico.org.uk.

3.9

If You are from California and dissatisfied with how we have used Your Personal Data, You can complain to the California Department of Justice. Also You have the right to lodge a complaint with a supervisory authority if You think that we violate Your rights. You could contact The California Department of Justice (Department) via their website. If You are from Brazil, You can also file a complaint with Brazil’s National Data Protection Authority (ANPD) through its official channels.

4. Data retention

4.1

We will retain Personal Data for as long as You use our Website, or continue to communicate with our support team. Your information will be deleted if You did not communicate with the support team for more than 12 months.

4.2

When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.

4.3

For tax purposes the law requires us to keep basic information about You (including contact, identity, financial and transaction data) for 12 months after You stop being Customers.

4.4

In some circumstances we may anonymise Your Personal Data for research or statistical purposes in which case we may use this information indefinitely without further notice to You.

4.5

Any data collected for the purpose of analytics will be deleted in 12 months after being collected.

5. Information security

5.1

We care to ensure the security of Personal Data. We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain technical, physical, and administrative security measures to provide reasonable protection for Your Personal Data. When we or our Service Providers process Your information, we also make sure that Your information is protected from unauthorized access, loss, manipulation, falsification, destruction or unauthorized disclosure. This is done through appropriate administrative, technical and physical measures.

5.2

There is no 100% secure method of transmission over the Internet or method of electronic storage. Therefore, we cannot guarantee its absolute security. But we make our best efforts to make the transmission as secure as possible.

5.3

We never process any kind of sensitive data and criminal offence data not as a Controller nor as a Processor. Also we never undertake profiling of Personal Data.

6. Service providers

6.1

We may employ third party companies and individuals to facilitate our Service (‘Service Providers’), to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used.

6.2

These third parties have access to Your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

6.3

Analytics. We may use third-party Service Providers to monitor and analyse the use of our Website.

6.3.1

Google Analytics. Google Analytics is a web analytics service offered by Google that tracks and reports Website traffic. Google uses the data collected to track and monitor the use of our Website. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network. You can opt-out of having made Your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits activity. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en. Your data will be stored in Google's network of data centres. Google maintains a number of geographically distributed data centres.

6.3.2

Google AdWords. Google AdWords remarketing service is provided by Google Inc. You can opt-out of Google Analytics for Display Advertising and customise the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads. Google also recommends installing the Google Analytics Opt-out Browser Add-on - https://tools.google.com/dlpage/gaoptout - for Your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en. Your data will be stored in Google's network of data centres. Google maintains a number of geographically distributed data centres.

6.3.3

Facebook pixel. We use Facebook pixel to monitor and analyse web traffic. Facebook pixel is a web analysis service provided by Facebook Ireland Ltd ("Facebook"). Facebook utilises the Data collected to track and examine the use of our Website, to prepare reports on its activities and share them with other Facebook services. Facebook may use the Personal Data collected to contextualise and personalise the ads of its own advertising network. Personal Data collected: Cookies and Usage Data. Place of processing: the Republic of Ireland – Privacy Policy – Opt Out. Privacy Shield participant.

6.3.4

ActiveCampaign LLC is a marketing automation platform and email marketing service. It is heavily focused on GDPR, SOC 2, and HIPAA compliance. We constantly improve our security to go above and beyond compliance standards. You can learn more about this service from by visiting this page. For more information on the privacy practices of ActiveCampaign, please visit its Privacy Policy. ActiveCampaign uses data centres worldwide. View this page for more information on it's data centres.

6.4

Form constructors and hosting providers

6.4.1

JotForm. JotForm is provided by JotForm Inc. This is an online form builder that helps You in creating forms, surveys, order forms, etc. Creating a form using JotForm is easy with its intuitive drag and drop method. You can learn more about this service from JotForm by visiting this page: https://www.jotform.com/help/. For more information on the privacy practices of JotForm, please visit JotForm's Privacy Policy: https://www.jotform.com/privacy/. JotForm servers are co-located in a cloud based architecture with Google Cloud and Amazon Web Services (AWS). Google Cloud data centres are hosted in Iowa (US). AWS data centres are located both in Germany, Frankfurt (EU) and US, Virginia (US).

6.4.2

Cultrix. Cultrix cloud is provided by Cultrix LTD. Cultrix hosted virtual desktops provide a completely comprehensible cloud computing service, such as desktops and data availability from anywhere, maintenance, support, backups and the latest version of Microsoft Office, software consistency. You can learn more about this service from Cultrix LTD by visiting this page: https://www.cultrix.co.uk/. For more information on the privacy practices of Cultrix cloud, please visit their Cultrix Privacy Policy page. The servers of Cultrix are hosted and operated in various countries around the world in which it conducts business. Thus, Your Personal Data associated with Cultrix may be transferred to and/or processed in a country other than that from which it was collected. If You are a resident of the EU, any such transfers will be made in accordance with applicable laws.

6.4.2

Webflow. Webflow is provided by Webflow, Inc., a Delaware corporation. Webflow empowers to build professional, custom websites in a completely visual canvas with no code. You can learn more about this service from Webflow by visiting this page: https://webflow.com/legal/terms. For more information on the privacy practices of Webflow, please visit Privacy Policy: https://webflow.com/legal/privacy.

6.5

Payments. We use third-party services for payment processing (e.g. payment processors). We will not store or collect Your payment card details. That information is provided directly to our third-party payment processors whose use of Your Personal Data is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

6.6

The payment processors we work or sometimes work with are:

6.6.1

Shopify Payments

6.6.2

Stripe. Their Privacy Policy can be viewed at https://stripe.com/privacy.

6.6.3

Paypal. Their Privacy Statements can be found here.

6.6.4

Google Pay. Their Privacy notice can be viewed on the google payments site.

6.6.5

Apple Pay, Privacy and security overview

6.7

For a complete list of Service Providers - contact us.

7. Applicability

7.1

This Privacy Policy is applicable to our Website. Our Website contains links to other Websites. Once redirected to another Website, this Policy is no longer applicable.

8. Permitted Disclosure

8.1

We may have to share Your Personal Data with the parties set out below:

Other companies in our group who provide services to us.
Service Providers who provide IT and system administration services.
Professional advisers including lawyers, bankers, auditors and insurers
Government bodies that require us to report processing activities.
Third parties to whom we sell, transfer, or merge parts of our business or our assets.

8.2

We require all third parties to whom we transfer Your data to respect the security of Your Personal Data and to treat it in accordance with the law. We only allow such third parties to process Your Personal Data for specified purposes and in accordance with our instructions.

9. Changes

9.1

From time to time, we may update this Privacy Policy. We will notify You about material changes by prominently posting a notice on our Service. We encourage You to periodically check back and review this Policy so that You always will know what information we collect, how we use it, and with whom we share it.

Last updated July, 2021