Please read this Privacy Policy carefully. It explains how we collect and process personal data about you when you visit our website at https://surff.io (our “Website”) and when you take part in the public votes, polls and surveys we make available on our Website. This Privacy Policy should be read together with our Terms of Use. Any capitalised terms defined in our Terms of Use have the meaning given there.
Who are we?
Surff Limited is a company incorporated in England and Wales under company number 15411120 and with its registered office at Collingwood Buildings, 38 Collingwood Street, Newcastle, NE1 1JF ("we", "us", "our" or "Surff").
We are registered with the Information Commissioner's Office under registration number ZC172506.
References in this Policy to “you” or a “User” are to any person who visits our Website or who takes part in any vote, poll or survey on our Website.
About this Policy
When you visit our Website or take part in a vote, poll or survey on it, we will process personal data about you, and we recognise the need to treat it in an appropriate and lawful manner, in accordance with the UK’s General Data Protection Regulation (“UK GDPR”).
The purpose of this privacy policy (this "Policy") is to explain to you how we will handle your personal data, as well as to explain certain rights you have in respect of your personal data. Your personal privacy is of great importance to us and we will only use your personal data in accordance with this Policy.
By using our Website and taking part in our votes, polls or surveys, you accept the practices described in this Policy. You should read this Policy carefully so that you understand how we will handle your personal data.
We keep our Policy under regular review. Please refer to the date and version above for details of when this Policy was last updated.
Contents of this Policy
This notice is provided in a layered format so you can click through to the specific areas set out below:
Contact information
If you have any questions regarding this Policy, or about the use of your personal data or you want to exercise your privacy rights, please contact our Data Protection Representative via email at:
Email address: [email protected]
Postal address: Collingwood Buildings, 38 Collingwood Street, Newcastle, NE1 1JF
What personal data do we collect about you?
“Personal data” means any information about a living individual from which that person can be identified. It does not include data which has been anonymised. We will collect personal data from you when you visit our Website and when you take part in a vote, poll or survey on it.
Categories of Personal Data: The categories of personal data we may collect about you include:
Contact Data: if you contact us (for example, by email), the email address and any other contact details you choose to provide;
Technical Data: your internet protocol (IP) address, and information about which pages of our Website you accessed and when, your browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access our Website;
Usage Data: information about how you interact with and use our Website;
Contribution Data: the votes, poll responses and survey answers you submit on our Website, together with the IP address and a session identifier (a “session ID”) that we record with each submission.
How we collect your personal data
We will collect your personal data in the following ways:
Information you give us. You may provide us with information when you take part in a vote, poll or survey on our Website, when you give us feedback, or when you correspond with us (for example, by email).
Information acquired through automated technologies or interactions. As you interact with our Website, we automatically collect personal data about you (such as your Technical Data and Usage Data) using cookies and similar technologies. We also use analytics services, including Google Analytics and Google Search Console, to understand how our Website is used. Some of these cookies are not strictly necessary, and we will only set them where you have given your consent; you can withdraw your consent at any time through our cookie settings.
Why we collect personal data about you and how we use that information
We will process your personal data for a variety of commercial purposes and will also process your personal data where necessary to comply with any statutory or legal duties to which we are subject.
The law requires us to have a legal basis for collecting and using your personal data. All personal data needs one of the "general" processing conditions. Additionally, when processing any "special category data" (meaning details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) the law requires us to also have one of the legal bases set out in the special category processing conditions.
We do not collect any special categories of personal data about you.
The purposes for which we process your personal data and the lawful bases for such processing are as follows:
| Why we use your personal data | Type of data (please see above list of data types) | Lawful basis for processing |
| --- | --- | --- |
| Running our Website, votes and surveys: To operate our Website and to let you take part in our public votes, polls and surveys, and to record and display the results. | Technical Data; Usage Data; Contribution Data | Legitimate Interests: it is in our legitimate interests to operate our Website and to run our public votes and surveys and display the results. |
| Protecting the integrity of our votes and surveys: To detect and prevent duplicate, automated or fraudulent voting and other misuse. | Technical Data (including IP address and session ID); Contribution Data | Legitimate Interests: it is in our legitimate interests to keep our votes and surveys fair and to prevent misuse. |
| Improving and securing our Website: To administer, monitor, secure and improve our Website, including troubleshooting, analytics, system testing and ongoing development. | Technical Data; Usage Data | Legitimate Interests / Legal obligation: it is in our legitimate interests to improve and secure our Website, and we have a legal obligation to keep personal data secure. |
| Communicating with you and handling your requests: To respond to your queries, feedback and complaints, and to deal with requests to exercise your data protection rights. | Contact Data; Technical Data | Legitimate Interests / Legal obligation: it is in our legitimate interests to respond to you, and we are subject to legal obligations in relation to data subject requests. |
| Complying with our legal obligations and protecting our rights: To comply with our legal obligations and to establish, exercise or defend legal claims. | All personal data under this Policy | Legal obligation / Legitimate Interests. |
Sharing personal data with our employees: Our employees who need to access your data will view it in order that we can manage your engagement with us and comply with our legal and statutory duties. All of our employees understand the need to keep your information confidential and to handle it in accordance with applicable data protection and privacy laws.
Sharing personal data with service providers: In addition to our employees, we may also use service providers who may process personal data on our behalf (for example service providers who host our Website or suppliers of IT services who help us operate and maintain our IT systems). Where we do disclose your personal data to a third party service provider, we will put in place arrangements to make sure your information is well protected and processed strictly in accordance with data protection laws.
Sharing personal data if we buy a business or sell our business. We may disclose your personal data to third parties: (i) in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets; or (ii) if we or substantially all of our assets are acquired by a third party, in which case personal data held by us will be one of the transferred assets.
Sharing personal data to comply with legal obligation or protect legal rights. We may disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order to comply with legal obligations or to protect our rights, property, or safety of our Users or customers, suppliers or other employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
If your personal data is provided to any third parties, you are entitled to request details of the recipients of your personal data or the categories of recipients of your personal data.
Ensuring your personal data is accurate
We will keep the personal data we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data without delay. Please tell us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you. We may contact you from time to time to check your details are still up-to-date. We will also contact you if we become aware of any event which is likely to result in a change to your personal data.
Retaining your personal data
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Where we have anonymised your personal data (so that it can no longer be associated with you) we may use this information indefinitely without further notice to you.
For further information on the retention of your personal data, please contact our Data Protection Representative.
What rights do you have in respect of your personal data?
You have a number of rights under data protection laws in relation to your personal data:
The right to request access to any personal data we hold about you (this is commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
The right to request rectification of any personal data which we hold about you which is inaccurate. Rectification enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
The right to request erasure of your personal data, in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
The right to have the processing of your personal data restricted, in certain circumstances. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
if you want us to establish the information's accuracy;
where our use of the information is unlawful but you do not want us to erase it;
where you need us to hold the information, even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
where you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
In certain circumstances, the right to be provided with the personal data that you have supplied to us, in a portable format that can be transmitted to another controller without hindrance. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
The right to object to certain types of processing. You have an absolute right to object to any processing of your personal data for direct marketing purposes, including any profiling of personal data related to direct marketing. In other circumstances, you have a right to object but this may not be an absolute right. For example, you have a right to object where we are processing your personal data on the basis of legitimate interests, and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your interests, fundamental rights and freedoms. However, in some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.
In certain circumstances, you have the right not to be subject to a decision that is based solely on automated processing which produces a legal effect or which has a similar significant effect for you.
The right to withdraw consent. If we are processing any of your personal data based on you having given us consent to do so, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing we may have undertaken based on your consent before it is withdrawn.
If you wish to exercise any of the rights set out above, you must make the request in writing to the Data Protection Representative using the contact details noted earlier in this Policy.
How we keep your data secure
Keeping your data secure is important to us. We use reasonable and up-to-date security methods to keep your personal data secure, to prevent unauthorised or unlawful access to your personal data, and to protect against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will ensure your personal data is only accessible by those who need to see your information for their specific role. We will only transfer personal data to a third party if that third party agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.
Transferring your personal data outside the United Kingdom
We will not transfer your personal data outside the UK unless such transfer is compliant with the UK GDPR. This means that we cannot transfer any of your personal data outside the UK unless:
the UK government has decided that another country or international organisation ensures an adequate level of protection for your personal data; or
the transfer of your personal data is subject to appropriate safeguards, which may include: (i) binding corporate rules; or (ii) the International Data Transfer Agreement or the UK Addendum; or
one of the derogations in the UK GDPR applies (including if you explicitly consent to the proposed transfer).
Breaches of data protection laws
If you consider that we have not complied with data protection laws in respect of personal data about yourself or others, you should raise the matter with our Data Protection Representative, email address [email protected]. We will take any breach of the UK GDPR seriously.
Right to lodge a complaint
If you have any issues with our processing of your personal data and would like to make a complaint, you may contact the Information Commissioner's Office, the UK regulator for data protection issues (http://www.ico.org.uk).