Privacy and Cookie Policy

Introduction

This Privacy & Cookie Policy explains how ONO App Ltd uses the personal data we collect about individuals that have dealings with ONO. This includes but is not limited to clients, customers, data subjects, all staff, contractors, consultants, and agents who act on behalf of ONO App Ltd. 

We take the security of all personal data very seriously. We use a combination of technical, organisational, and physical security measures to protect your personal data in line with our obligations under the data protection law. Our employees receive training to help us comply with data protection law and safeguard your privacy. 

This policy is issued on behalf of ONO App Ltd, when we mention ‘ONO’, ‘us’, ‘we’, our’, we mean ONO App Ltd. 

Definition 

When we use the term ‘personal data’ we mean information relating to natural persons who: 

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information. 

Personal data may also include the special categories of personal information or criminal conviction or offences data. These are considered to be more sensitive, and we only process them in more limited circumstances. 

Understanding our role in relation to the personal data we handle is crucial when ensuring compliance with data protection laws and the treatment of individuals. Depending on what role we perform for you, ONO will either be the: 

  • data controller
  • data processor

Data collection and use

In order to provide you with our services, we will need to process your personal data. We will collect data from you, from your use of our services and from external sources (both public and private). These may include: 

  • Identity data: includes first name, surname, username or similar identifier, marital status, title, date of birth and gender, driving licence number; 
  • Contact data: includes address, email address and telephone numbers;
  • Special categories of personal data: includes race or ethnicity, religious or philosophical beliefs, information about your health, injury details;
  • Claims data: location information, claims details, vehicle details;
  • Usage data: includes information about how you use our website, products and services;
  • Marketing data: includes marketing and communication preferences, information relating to promotions, customer experience and company statistics. 

We use different methods to collect data: 

  • Direct Interactions: data collected directly from an individual by phone, post, email, via the app, filling in forms or otherwise; 
  • Third Parties: data may be exchanged via a third party in relation to your association with us. For example: fleet providers, insurers, brokers, claims handlers, assistance providers, legal advisers, experts and publicly available sources or the authorities (this list is not exhaustive). 
  • Automated technologies: when interacting with our website or app, we will automatically collect technical data about the equipment being used, browsing actions and patterns. We collect this data using cookies and other similar technologies. Please see ‘Use of Cookies’ for further details. 

Use of Cookies

A cookie is a small text file that is placed and stored on your computer, mobile or other devices by websites that you visit. They are widely used to make websites work, or work more effectively, as well as to provide information about visitor behaviours to the website owner. These cookies collect information in an anonymous form, including the number of visitors to the website, where visitors have come to the website from and the pages they visited. 

Before cookies are placed on your computer or device, you will be shown a pop-up prompt requesting your consent to those cookies. By giving your consent you are enabling us to provide the best possible experience and services to you. You can opt out of being tracked by Google Analytics across this and all websites by simply downloading this tool from Google: Cookie opt out

How do we use personal data

We will only use personal data when the law allows us to. Most commonly, we will use personal data in the following circumstances:

  • where we need to perform a contract
  • where it is necessary for our legitimate interests (or those of a third-party) and an individual’s interests and fundamental rights do not override those interests
  • where we need to comply with a legal obligation

Change of purpose: We will only use personal data for the reason it was collected, if wider use is desired, we would require new consent from the individual. 

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

Disclosure of personal data

We may share data with other parties, affiliate business and third-party services providers (data processors), such as fleet owners, insurance providers, compliance, and other agents relevant to business activities. Where any of the data is required for such a purpose, we will take reasonable steps to ensure that the data will be handled safely, securely and in accordance with individuals’ rights, our obligations and the obligations of the third-party under the applicable law. 

We have an obligation to disclose data in the following four examples permitted by law, and the other situations set out below. These are: 

  • Where we are legally compelled to do so;
  • Where there is a duty to the public to disclose;
  • Where disclosure is required to protect our interest; and 
  • Where disclosure is made at your request or with your consent. 

Also, it may be necessary to share your details in the following circumstances: 

  • In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. 
  • If all the company’s assets are acquired by a third-party, personal data held by us about our customers will be one of the transferred assets. 

We require all third parties to respect the security of your personal data and, to treat it in accordance with the law of the jurisdiction it is handled. Where we are the controller, we do not allow our third-party service providers to use your personal data for their own purposes and only permit them to use it in accordance with our agreement with them and this policy. 

International Transfers

Sometimes we, or third parties acting our behalf, may need to transfer personal data between jurisdictions. We will always take steps to ensure that any transfer of personal data outside of its home jurisdiction is carefully managed to protect privacy rights and ensure that adequate safeguards are in place. This might include transfers to countries that are considered to provide adequate levels of data protection for all personal data (such as countries in the European Economic Area) or putting contractual obligations in place with the party we are sending information to. Contracts between affiliated and third parties will be covered by an agreement which contractually obliges each company to ensure that personal data receives an adequate and consistent level of protection whenever it is transferred. 

Data Security

We have put in place appropriate security measures, policies, and procedure to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those employees, agents, contractors or other third parties who have a business need to know. They will only process personal data on our instructions, and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach. We will notify you and the applicable authority of the breach where we are legally required to do so. 

Retention

The Company will only retain personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. We also retain data for analytical purposes, in this case data is anonymised which negates any risk. 

To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, and the purposes for which we process the data. 

Data Rights

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Please contact us should you believe your information needs rectifying.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances, e.g., where:

  • It is no longer necessary for us to use your personal data for the original purpose;
  • You withdraw your consent.

This is not an absolute right and there may be reasons why we cannot erase your data at your request such as legal requirements. 

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances such as: 

  • where you have contacted us about the accuracy of your personal data, and we are checking the accuracy;
  • if you have objected to your personal information being used based on legitimate interests.

This isn’t an absolute right, and we may not be able to comply with your request.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Your right of access

Under certain circumstances, individuals have rights under data protection laws in relation to personal data:

Request Access: Data subjects may submit a Subject Access Request to obtain a copy of the personal data that we hold about them in a structured or portable manner. To make a Subject Access Request please write to:

Compliance Department 

ONO App Compliance Department 

Regina House, 124 Finchley Road, London, United Kingdom, NW3 5JS

Or email: compliance@onoapp.co

You will need to provide the following documentation for verification purposes: 

  • Your full name, address and any reference number related to our work with you; and
  • Identification documents showing your name, address and signature:
    • A copy of your driving licence (where it shows all 3); and/or
    • A copy of your passport and a recent utility bill or bank statement

We aim to respond to valid requests within one month. It may take longer if the request is particularly complicated or if several requests have been made. We will always let you know if we think a response will take longer than one month. We may also ask you to provide more detail about what you want to receive or are concerned about. 

Right to withdraw consent 

We are relying on your consent to process your personal information. You have the right to withdraw this consent. However, this will not affect the lawfulness of any processing carried out on personal data received by us before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 

Making a complaint

If you have any cause for complaint about our use of your personal data, please contact us using compliance@onoapp.co we will do our best to solve the problem for you. 

If we are unable to help, or you do not agree with our response, you also have the right to raise a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. 

For further information about your rights, please contact the Information Commissioner’s Office https://ico.org.uk/global/contact-us/  or your local Citizens Advice Bureau.

How to contact us

If you have any questions about this Privacy & Cookie Policy, please contact us in one of the following ways: 

Post: 

ONO App Compliance Department 

Regina House, 124 Finchley Road, London, United Kingdom, NW3 5JS

Or email us on: compliance@onoapp.co

Updates

This Privacy & Cookie Policy is updated from time to time to take into account changes in our business activities, legal requirements and make sure it’s transparent. It is your responsibility to check this page from time to time for any changes to this Privacy & Cookie Policy.

This Privacy & Cookie Policy was last updated on 26th November 2023. Version: 261123.v2