Last updated: 1st January 2022
PLEASE READ THIS POLICY CAREFULLY
Protecting your data, privacy and personal information is very important to Zoopla Limited (“our”, “us” or “we”). This policy sets out the basis on which any personal data about you will be processed and applies to (i) activities on or through our public Website yourkeysstg.wpengine.com (the “Website”) (ii) our direct marketing activities and (iii) your use of our Yourkeys services part of Zoopla Limited.
Identity and contact information of the Data Controller
For the purposes of UK data protection legislation, the data controller (i.e. the person that determines the purposes and manner in which your personal data are processed) is Zoopla Limited. Zoopla Ltd is a company incorporated and registered in England and Wales (company number 06074771) with its registered office at The Cooperage, 5 Copper Row, London SE1 2LH, United Kingdom. Zoopla Limited registration details with the Information Commissioners Office (ICO) is Z9972266.
Personal information we may process about you
A breakdown of the personal data we may process is set out in a table at the end of this policy, together with the other information we are required to provide.
Yourkeys service part of Zoopla Limited
We process personal information in order to provide you with the Yourkeys service.
Please note that payment details (such as credit card information) are not processed by us and are instead handled by our payment providers like Stripe.
We use your personal data to provide our services to you. To the extent we collect personal data via our Website, our main purpose is to better serve our customers and to improve the function of the Website.
Where you have consented we may also use your information to send you electronic marketing communication. We will provide an option to unsubscribe or opt-out of further communication or you may opt out by contacting us at email@example.com.
We will not sell your personal data (or any other data you provide us with) to third-parties for marketing purposes.
How personal data is collected
We may obtain personal data about you in two main ways:
- You provide us with your personal data (such as when you register to use our Yourkeys service).
- Personal data is collected automatically (such as the automatic recognition of your IP address or placement of cookies on your device).
How long we store your personal information
Details of how long we store your personal information are set out at the end of this policy. Please note that some personal data may need to be retained for longer than this to ensure we can comply with applicable laws and internal compliance procedures, including retaining your email address for marketing communication suppression if you have opted not to receive any further marketing.
Disclosure of your information
Details of who we disclose your personal information to are set out at the end of this policy. We may also disclose your personal information to third parties in the following circumstances:
Purpose of disclosure and third party(s) to which disclosure might be made
If you request we do so.
You have provided your consent.
To a member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006
Legitimate interests (i.e. for business administration).
If we sell any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets.
Legitimate interests (i.e. to buy or sell business assets).
If Zoopla Limited or substantially all of its assets are acquired by a third party, personal information about our customers will be one of the transferred assets.
Legitimate interests (i.e. to dispose of our business).
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of Zoopla, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
Processing is necessary for compliance with a legal obligation, or processing is necessary in order to protect the vital interests of a natural person
We may disclose your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
Legitimate interests (i.e. to cooperate with law enforcement and regulatory authorities)
Under the General Data Protection Regulation (GDPR), you have the following rights (subject to certain limitations):
Right of access
You have the right to obtain from us confirmation as to whether your personal data are being processed, and, where that is the case, access to such personal data.
Right to Rectification
We will use reasonable endeavours to ensure that your personal data is accurate. In order to assist us with this, you should notify us of any changes to the personal data that you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete.
Right to erasure / ‘Right to be forgotten’
Asking us to delete all of your personal data will result in us deleting your personal data without undue delay (unless there is a legitimate and legal reason why we are unable to delete certain of your personal data, in which case we will inform you of this in writing).
Right to restriction of processing
You have the right to ask us to stop processing your personal data at any time.
Right to data portability
You have the right to request that Zoopla limited provides you with a copy of all of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so.
Right to complain
You have the right to lodge a complaint to a supervisory authority such as the Information Commissioner’s Office in the UK (see www.ico.org.uk). Although we encourage our customers to engage with us in the event they have any concerns or complaints. You can do so by writing to us at firstname.lastname@example.org
All of these rights can be exercised by contacting us at email@example.com
Zoopla limited will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above. However, if you make excessive, repetitive or manifestly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests. Where we are required to provide a copy of the personal data this will usually be free of charge. However, any further copies requested may be subject to reasonable fees based on administrative costs.
Where you request us to rectify or erase your personal data or restrict any processing of such personal data, we may notify third parties to whom such personal data has been disclosed of such request. However, such third party may have the right to retain and continue to process such personal data in its own right.
We use Google Analytics to provide us statistics on website usage. The only personal data divulged to Google is your IP address. You can opt out of Google Analytics following the advice here – https://tools.google.com/dlpage/gaoptout
Children under the age of 13
Neither the Website nor our Yourkeys services are aimed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use our services or provide any information to us through the Website. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at firstname.lastname@example.org.
Changes to this policy
Information we collect from you
Personal data collected
Why personal data are collected
Legal basis for processing
Period for which your data will be stored
Will your personal data will be shared with third parties?
Transfers outside the European Economic Area
Your full name, email address, and mobile phone number.
To provide you with: (1) a Yourkeys account; (2) support services; and (3) important information about our services
Processing is necessary for the performance of our contract with you.
For as long as you use the Yourkeys service, plus 90 days.
We may share your personal data with Amazon Web Services and to the 3rd party processors to provide our services, as described in the “Sharing or Disclosing Your Personal Data” section below.
Any personal data contained in your property purchase
To provide you with the ability to purchase a new home and to improve the communication between the all parties, namely the developer, the buyer, the developer’s conveyancer and the buyer’s conveyancer.
You have provided your consent. You can disable this functionality at any time.
Until (1) you cease using the Yourkeys service, plus 90 days.
We do not share your personal data to non-relevant third parties. We may share your personal data to the 3rd party processors to provide our services, as described in the “Sharing or Disclosing Your Personal Data” section below.
The IP address of the device you used to access our Website.
To improve the function of the Website.
Processing is necessary for our legitimate interests (i.e. to understand who is visiting the Website).
Unless we are otherwise legally required, we may share this data with Google Analytics to help us improve our Website.
Google Analytics may store this data in the USA. We rely on Google’s SCCs (Standard Contractual Clauses) to comply with GDPR.
Your name, email address and phone number, but only if you provide it to us.
To enable us to contact you / send information that you have requested.
You have provided your consent.
For as long as we send you relevant information.
To enable us to engage in direct marketing (such as newsletters or marketing emails for products and services provided by us that we believe will be of interest to you).
Processing is necessary for our content.
Until such time as you inform us you don’t want to continue receiving marketing communications – you have the right to unsubscribe at any time.
A record of any communication / correspondence you have with us (e.g. when you contact us by email, telephone or post).
To enable us to maintain records with our potential and actual clients.
Processing is necessary for our legitimate interests (i.e. to understand who contacts us).
Any personal data provided on a CV / resume provided to us (e.g. via email or through our “jobs” webpage).
To enable us to consider your application.
You have provided your consent.
We will keep your details on file for 24 months in case any other relevant positions become available.
Any personal data that you provide to us as part of a survey.
To improve our Website or services.
Processing is necessary for our legitimate interests (i.e. to understand the requirements of our potential and actual clients).
Links to Other Web Sites
Our services may contain links to other websites not controlled or operated by us. These links do not imply that we endorse these third party sites. We recommend reviewing those sites directly for information on their privacy policies.
Security & Safeguarding Measures
All personal data collected is transferred and stored securely, using industry standard encryption protocols, and approved transfer mechanisms. Please note however, that we cannot guarantee that the measures we maintain will guarantee the security of the information. Our team is trained on the importance of Privacy and Data Protection and will adhere to our internal policies to protect your data at all times.
Sharing or Disclosing Your Personal Data
We use third party processors to provide our services; these companies will process or store your information on our behalf. We also share your personal data with third parties such as sellers, conveyancers and mortgage brokers as part of our service provision to you.
We use the following third parties to process your data:
We share your data with the following third parties to service our contract with you:
These third parties may act as a data processor and a data controller throughout the lifecycle of the service contract. The names of the companies we use for these purposes may change frequently but will be communicated to you clearly at the time of sharing this data.
• FCA Approved Mortgage Brokers (https://www.fca.org.uk/about/the-fca)
• Mortgage Advice Bureau (https://www.mortgageadvicebureau.com)
• Savills Private Finance (https://spf.co.uk)
• Conveyancers approved by the Legal Software Suppliers Association (https://www.lssa.co.uk/)
• Conveyancers approved by the SRA (https://www.sra.org.uk)
• Conveyancers approved by the CLC (https://www.clc-uk.org)
• Convey Choice (https://www.conveychoice.co.uk)
• Leap UK (https://leap.co.uk)
• Redbrick Solutions (https://www.redbricksolutions.co.uk)
• Optimus (https://www.optimus-move.co.uk)
We share your data to the Sellers CRM platform used to initiate a reservation:
• Coins Global – https://www.coins-global.com
• Contact Builder – https://www.contact-builder.co.uk
• SalesSeek – https://www.salesseek.com
• Salesforce – https://www.salesforce.com/uk
• Microsoft Dynamics – https://dynamics.microsoft.com/en-gb
We share your data to the Sellers Aftercare Provider used to manage the aftercare requirements:
• Clixifix – https://www.clixifix.com
We share your data to Just Move In should the Buyer wish to utilise their free property move service
– Just Move In – https://www.justmovein.com
Internal Policies and Processes
Zoopla Ltd adheres to a number of organisational policies as defined below
• Data Handling Policy – This Data Handling Policy details the requirements for the transmission, storing, and usage of assets and data in Zoopla IT environment
• Data Retention Policy – The purpose of this document is to provide Zoopla statement of intent on how it provides a structured and compliant data and records management system with records being defined as all documents, regardless of the format, which facilitate the business activities and which are thereafter retained to provide evidence of its transactions or activities.
• Data Disposal Policy – This policy details the requirements for the disposal of assets and deletion of data in Zoopla IT environment
• Data Protection Policy – The purpose of this policy is to ensure that the staff, volunteers and trustees of Zoopla are clear about the purpose and principles of Data Protection and to ensure that it has guidelines and procedures in place which are consistently followed.
• Data Classification Policy – This Data Classification Policy details the requirements for the classification of assets and data in Zoopla’s IT environment for GDPR and Payment Card Industry (PCI) compliance.
• Data Retention Register – The register lists the data retention periods applicable to GDPR compliance.
• Information Security Objectives – The aim of this document is to list the information security objectives and the results of the review of those objectives.
• Information Security Policy – The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management
• Data Breach Policy & Procedures – The purpose of this policy is to provide Zoopla intent, objectives and procedures regarding data breaches involving personal information. As we have obligations under the GDPR, we also have a requirement to ensure that the correct procedures, controls and measures are in place and disseminated to all employees if a personal information breach occurs. This policy also notes our processes for reporting, communicating and investigating any such breach.
• Incident Management Policy – The purpose of this policy is to ensure quick detection of security events and weaknesses, and quick reaction and response to security incidents.
• Incident Management Procedure – This procedure clearly describes the steps the Incident Response Team (IRT) should take to evaluate, contain and remediate any Incident Response
• Access Management Policy – This policy details the requirements for the granting, transferring, revoking and management of user access in Zoopla IT environment
• Anti Virus Policy – This policy details the requirements for the deployment, configuration, and management of anti-virus software in Zoopla’s IT environment
• Background Checks Policy – This Background Check Policy details the requirements for the performance of background checks for new Zoopla personnel that will have access to sensitive data
• Backup Policy – The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management
• Business Continuity Policy – This policy allows us to identify potential disaster scenarios that may exist in relation to business continuity and to define contingency activities to avoid a disruption that affects business.
• Change Management Policy – This policy details the requirements for the process of developing, performing, and managing changes in Zoopla IT environment.
• Encryption and Encryption Key Management Policy – This Encryption and Encryption Key Management Policy details the requirements for the encryption algorithm and key management in Zoopla’s IT environment
• Firewall Configuration and Management Policy – This Firewall Configuration and Management Policy details the requirements for the configuration, placement, and maintenance of firewalls in Zoopla’s IT environment.
• Intrusion Detection and Prevention Policy – This Intrusion Detection/Prevention Policy details the requirements for the deployment, configuration, and management of IDS/IPS in Zoopla IT environment.
• Log Management Policy – This policy details the requirements for the generation and management of logs in Zoopla’s IT environment.
• List of Legal, Regulatory, Contractual and Other Requirements – The aim of this list is to document all the regulatory, contractual and other legal compliance that Zoopla must comply to
• Password Management Policy – This policy details the requirements for the secure construction and management of passwords in Zoopla’s IT environment
• Risk Assessment Policy – This policy details the requirements for the assessment, mitigation, and acceptance of risk in Zoopla IT environment.
• Separation of Duties – The aim of this document is to define the separation of duties and responsibilities between Zoopla, Developers, Conveyancers and Buyers
• Subject Access Request Procedure – This procedure document provides a process for individuals to use when making a SAR and the protocols followed by Zoopla when a SAR is received
If you have any concerns about this please email us at email@example.com.