Privacy Policy

The T-Cup platform accessible from our website at www.tcup.co.uk (the "Service") is a health platform that encourages healthy lifestyle choices and changes. The Service is operated by T-Cup Limited ("T-Cup", "us", "we", or "our") and is available to individuals but in some cases, it is paid for by your employer as a benefit for you. In order to provide the Service to you and to promote our business, we will need to collect and process certain personal information about you.

This privacy policy sets out the data protection practices for T-Cup Limited (company no: 11769537): registered office at 37 Great Pulteney Street, Bath, England, BA2 4DA. We are committed to protecting the privacy and security of your personal information, in accordance with the applicable data protection laws, including, but not limited to, the Data Protection Act 2018 and the General Data Protection Regulation ("GDPR"), together the "Data Protection Laws".

If we change our privacy policy we will post the changes on this page, and we may place notices on other pages of our website, so that you may be aware of the information we collect and how we use it at all times.

Last Updated August 2020


Data Controller/Data Processor

If you are a private individual who has registered to use and is using our Service, T-Cup is the data controller and is responsible for your personal data.

We have appointed a data protection officer ("DPO") who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

FAO: DPO
T-Cup Limited
37 Great Pulteney Street
Bath
England
BA2 4DA
Email address: hello@tcup.co.uk

If you are an employee who has registered to use and is using our Service that is paid for by your employer as a benefit for you, T-Cup is the data processor of your personal data on behalf of your employer. Your employer is the data controller of your personal data. If this applies to you, you should contact your employer in the first instance if you have any questions or concerns about your personal data.

The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified ("Personal Data"). It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • a. Identity Data: your first name, last name, gender, year of birth, age and location;
  • b. Contact Data: the email address you use to sign-in to your account and the area of the business that you work in (if you are registering as an employee);
  • c. Profile Data: your username and password, your interests, preferences, feedback, survey responses and research responses, information about your participation and performance in challenges and the rewards you may be able to earn through the Service; the comments and contributions you may make on the Service; additional information you may provide as you submit queries and requests to us; personal information that you record via the free text boxes in the journal function of our Service (please see further information on this below);
  • d. Usage Data: information about how you use our Service;
  • e. Marketing and Communications Data: includes your preferences in receiving marketing from us and your communication preferences;
  • f. Special Categories of Personal Data: basic information about your health/wellness and information about your general fitness;
  • g. Technical Information: including type of mobile device you use, a unique device identifier, mobile network information, your login information, browser type and version you use, browser plug-in types and versions, operating system and platform; and
  • h. Information about your visit to our Service: including the full uniform resource locators (URL) clickstream to, through and from our Service (including date and time); pages you viewed or information you searched for; page response times, download errors or length of visits to certain pages.

    We also collect, use and share aggregated data such as statistical or demographic data for any purpose ("Aggregated Data"). Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature of our Service or how many users have high success scores or low success scores. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

Free Text Boxes - Journal

    As part of our Service we provide a journal function which you may or may not decide to use, as this is optional. This optional function is available for you to record any additional information in the free text boxes in the Service that may help you to keep a record of your progress. We provide this function for your own personal reference/record but we advise you not to record any personal data in these free text boxes as we do not actively collect, analyse or require this information from you via this function. However, if you do record any personal data in the journal function, we will treat such personal data in accordance with this privacy policy.

    The extent of the personal data you may be able to share with us will depend on the Service design and the features made available to you, as well as your level of participation in the Service. You are under no obligation to provide any personal data to us at any time. However, if you choose to withhold some personal data, we may be unable to provide you with the Service.

    How is your personal data collected?

    We use different methods to collect data from and about you including through:

    1. Direct interactions. You may give us your personal data by filling in forms, answering questions or by corresponding with us by email or otherwise. This includes personal data and may include special categories of personal data you provide when you:

    • a. apply for our Service or apply to find out more information about our Service;
    • b. create an account to use our Service;
    • c. subscribe to our Service;
    • d. answer our wellness questions;
    • e. earn T-Bucks;
    • f. request marketing to be sent to you;
    • g. enter a competition, promotion or survey;
    • h. take part in our research;
    • i. subscribe for our newsletter;
    • j. give us some feedback.

    2. Automated technologies or interactions. As you interact with our Service, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookies policy for further details.

    3. Third parties or publicly available sources. We may receive personal data about you from various third parties such as Technical Data from analytics providers such as Google based outside the EU.

    How we use your personal data

    We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

    • a. where we need to perform the contract we are about to enter into or have entered into with you;
    • b. where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
    • c. where we need to comply with a legal or regulatory obligation;
    • d. to identify you and manage your account in connection with the Service;
    • e. to process your T-Buck transactions;
    • f. liaise with your employer;
    • g. to improve the Service;
    • h. to provide you with support in using our Service;
    • i. promote our business and market our services;
    • j. manage our business, including for accounting and auditing purposes;
    • k. to use data analytics to improve the Service, marketing, customer relationships and experiences;
    • l. maintain our IT systems and manage hosting of our data;
    • m. deal with legal disputes involving you; and
    • n. to prevent fraud.

    Some of the above grounds and purposes for processing will overlap and there may be several grounds which justify our use of your personal information.

    We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

    Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

    We do not use or analyse any personal information that you record in the free text boxes in our journal function.

    How we use Special Categories of Personal Data

    Special Categories of Personal Data includes information about your health. Some fitness and wellness information that we collect from you via your responses to the wellness questions may be considered personal health data under Data Protection Laws and if recorded over a period of time.

    The security of and appropriate use and disclosure of information about your health is of paramount importance to T-Cup. T-Cup will only collect, process and use sufficient health information to enable us to deliver the Services.

    If we collect your personal health data, we will use this data for the following purposes:

    • a. to manage and administer your account with us;
    • b. to monitor your basic health and fitness activity to enable you to record your performance and progress;
    • c. to enable us to provide you with benefits relevant to your T-Cup performance and status;
    • d. for research purposes, with your consent; and
    • e. to carry out data modelling, profiling, demographics or statistical analysis using aggregated, anonymous data.

    We do not use or analyse any special categories of personal data that you record in the free text boxes in our journal function.

    Lawful Bases for Processing under the GDPR

    What are the lawful bases for processing personal data? The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever we process personal data. We mainly use consent, contract, legal obligations and legitimate interests as the bases to process your personal data in accordance with this privacy policy.

    • a. Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
    • b. Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
    • c. Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
    • d. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply to a public authority processing data to perform its official tasks.)

    When you register for an account or interact with our Service, such processing is necessary for the performance of our Services (Art. 6(1)(b) GDPR).

    Where we process your location data without consent, for example in order to provide our Services, such processing is necessary for the performance of our Services (Art. 6(1)(b) GDPR).

    When you communicate with us or sign up for promotional materials, we process such data on the basis of our legitimate interest (Art. 6(1)(f) GDPR), and our legitimate interest is to provide you with our promotional messages. Where we are required under applicable local law to obtain your consent for sending you marketing information, the legal basis is your consent (Art. 6(1)(a) GDPR).

    For all other personal data such processing is necessary for the performance of our Services (Art. 6(1)(b) GDPR) or on the basis of our legitimate interests, and our legitimate interest is to enhance our services (Art. 6(1)(f) GDPR).

    For the health/wellness information (special categories of personal data) we process such data on the basis of: (i) the performance of our Services (Art. 6(1)(b) GDPR); or (ii) on the basis of our legitimate interests and our legitimate interest is to enhance our Service (Art. 6(1)(f) GDPR), and your explicit consent (Art. 9(2)(a) GDPR).

    Marketing

    We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

    Promotional offers from us

    You will receive marketing communications from us if you have requested information from us or used our Service or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.

    Opting out

    You can ask us to stop sending you marketing messages at any time by contacting us.

    Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of using our Service.

    Cookies

    You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Service may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.

    Change of Purpose

    We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

    If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

    Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

    Disclosures of Your Personal Data

    We may have to share your personal data with the parties set out below:

    • a. service providers acting as processors based in the UK who provide IT, hosting and system administration services;
    • b. professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK who provide consultancy, banking, legal, insurance and accounting services; and/or
    • c. third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

    We may share aggregated demographic and statistical information with your employer, where relevant. This is not linked to any personal information that can identify any individual person. We may also use such aggregated information and statistics for monitoring usage of the Service in order to help us develop the Service.

    These parties are not allowed to use any personally identifiable information except for the purpose of providing the Service.

    Third-Party Links

    The Service may include links to third-party websites, platforms, services, plug-ins and applications (including social media platforms). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites, platforms, services, plug-ins or applications and are not responsible for their privacy statements. When you leave our Service, we encourage you to read the privacy notice of every third party you visit. This privacy policy applies solely to information collected by us in connection with the Service.

    Direct Mailings

    We may occasionally send out newsletters, offers or alerts to our users. We may also wish to provide you with information about special features of our Service or any other service or products we think may be of interest to you.

    Where required by Data Protection Laws (for example, if you have provided your email address in the opt-in for our newsletter option) we will send you such information only if you have specifically elected to receive it. You can opt-out from receiving such communications at any time – please see the "Your legal rights" section below.

    Surveys/Research

    From time to time the Service may request information from you via surveys and research questionnaires. Participation in these surveys or research is completely voluntary and you, therefore, have a choice whether or not to disclose this information. Information requested may include contact information (such as name and e-mail address), demographic information (such as postcode or age level), health/wellness information (such as how did you sleep or how was your diet today).

    Survey information will be used for purposes of monitoring or improving the use of and satisfaction with the Service. Research information will be used for improving our wellness questionnaire.

    International Transfers

    We do not transfer your personal data outside the European Economic Area ("EEA").

    Keeping Your Data Secure

    We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

    While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason, we cannot guarantee the security or integrity of any personal data that is transferred via the internet. If you have any particular concerns about your information, please contact us at: hello@tcup.co.uk.

    We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

    Retention Periods

    We will only retain your personal information in accordance with the retention periods set out in the table below:

    Action Process/Retention Period
    When a user signs up to our Service they are required to confirm their account.
    • All users have 30 days to confirm their account or it will be deleted.
    • The user is notified 7 days before their account is due to be deleted and again 2 days before their account is deleted.
    • Upon deletion of an account, all details entered by that user (including their personal data) will be permanently deleted.
    If a confirmed user has been inactive on our Service for 60 days, their account will be deleted.
    • The user is notified 30 days before their account is due to be deleted.
    • The user is notified 7 days before their account is due to be deleted and again 2 days before their account is deleted.
    • Upon deletion of an account, all details entered by that user (including their personal data) will be permanently deleted.
    • If the user becomes active again within this period, then the deletion of their account does not take place.
    For user accounts that remain active: we will continue to process that user's personal data in accordance with this privacy policy until the account is deleted by the user or their account becomes inactive (as set out above).

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    Once you are no longer a user of our Service, we will securely destroy your personal information in accordance with applicable laws and regulations.

    Your Legal Rights and Your Duty to Inform us of Changes

    It is important that the personal information we hold about you is accurate and current. Please let us know if your personal information changes during your relationship with us.

    Under certain circumstances, by law, you have the right to:

    • a. Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a confirmation from us as to whether we process any of your personal information or not, and if this is the case, to receive a copy of such personal information and to check that we are lawfully processing it.
    • b. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
    • c. Request erasure of your personal information (often referred to as "the right to be forgotten"). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
    • d. Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
    • e. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it, or if we no longer need your data for our legitimate interests but we need to hold some of it for the purpose of legal proceedings.
    • f. Request the transfer of your personal information to another party.

    If you would like to exercise any of the above rights, please:

    • a. Email us at: hello@tcup.co.uk; provide us with proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill). This is to allow us to verify your identity and prevent disclosure to unauthorised third parties; and
    • b. let us know the details of your request, for example by specifying the personal data you want to access, the information that is incorrect and the information with which it should be replaced.

    Please note that if you request erasure, object to our processing of your personal data or request the restriction of our processing of your personal data we may not be able to provide our Service and we may need to deactivate your account.

    You also have the right to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at: hello@tcup.co.uk. You can always unsubscribe from our email communications at any time by following the unsubscribe link in our email communications, or by updating your email preferences on your profile in our Service.

    Contact Us or the ICO

    If you have any concerns or complaints about our privacy activities, you can contact us on hello@tcup.co.uk.

    You have the right to make a complaint at any time to the Information Commissioner’s Office ("ICO"), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

    For more details about your rights under the Data Protection Laws, the rules we have to adhere to in collecting and storing your information, and how you can check your data records, please visit https://www.gov.uk/data-protection/the-data-protection-act.