New live session: Building an Award-Winning Engagement Strategy. Sign up here!
Close Cookie Popup
Cookie Preferences
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts as outlined in our cookie policy.
Strictly Necessary (Always Active)
Cookies required to enable basic website functionality.
Cookies helping us understand how this website performs, how visitors interact with the site, and whether there may be technical issues.
Cookies used to deliver advertising that is more relevant to you and your interests.
Cookies allowing the website to remember choices you make (such as your user name, language, or the region you are in).
Customize
Save
Decline All
Accept All

Privacy Policy

Updated: 18th December 2023

About this document

This document provides a summary of how we process your data to provide our platform, and your associated rights.

1. Introduction

This privacy policy explains the privacy practices at Thanks Ben Ltd., a company incorporated in England & Wales, with its registered office on 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN and company number 12335851.

Please read this policy carefully as it contains important information on who we are, how and why we collect, store, use and share any information relating to you (your personal data) when you use our website, the Ben app and any other services provided by us. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator if you have a complaint.

Who are we in relation to your personal data?

  • Thanks Ben is a data processor for the purpose of providing the Ben platform and service. The customer will remain as the data controller.
  • Thanks Ben is the data controller for any data collected through the Ben website.

If you have any questions about how we protect or use your data, please email us at privacy@thanksben.com.

2. What this policy applies to

This privacy policy relates to your use of our website, the Ben platform, and any services we provide to you. The privacy policy does not apply to any information gathered by any benefits provider, card services provider or other third party you link to through the website or Ben platform which will be processed by them in accordance with their privacy policies.

3. Collecting your personal data

We believe that your personal data belongs to you, and you only. With that said, we have to collect and process some of your personal data to provide you with our awesome services.

What data we collect

The personal data we collect about you depends on the particular activities carried out through our website and the Ben platform. We may collect and use the following personal data about you which we have grouped together as follows:

  • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes billing address, delivery address, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our website, the Ben platform, and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

‍We may also collect, use, and share Aggregated Data such as statistical or demographic data. This may be derived from your personal data but is not considered personal data in law as this data cannot directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. If we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data, which will be used in accordance with this privacy policy.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How we collect the data

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by phone, email or otherwise. This includes personal data you provide when you:
    • Register to use our services;
    • create a Ben account;
    • request marketing to be sent to you;
    • report a problem to us;
    • enter a competition, promotion or survey; or
    • give us feedback or otherwise contact us.
  • Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
  • Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
    • Contact and Profile Data from your employer where they have contracted with us for our services;
    • Contact, Financial and Transaction Data form banks, technical, and payment service providers;
    • Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK;
    • Identity, Contact, and Financial Data from credit reference agencies;
    • Identity, Contact, and Technical Data from advertising networks and analytics providers.

If you fail to provide the data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with a Ben account). In this case, we may have to cancel service you have with us, but we will notify you if this is the case at the time.

4. How we use your data

We use your information when the law allows us to in the following ways:

  1. to carry out our obligations relating to your contracts with us and to provide you with the information, products and services that you request from us;
  2. to comply with any applicable legal and/or regulatory requirements;
  3. where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

Generally, we do not rely on consent as a legal basis for processing your personal data, as we work as a processor of your data on behalf of your employer. We will however get your consent before sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us, using the details mentioned within this policy.

Purposes for which we use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground that we are relying on to process your personal data, where more than one ground has been set out in the table below.

Purpose/Activity

Type of data

Lawful basis for processing, including basis of legitimate interest

To register you as a new user
  • Identity
  • Contact
  • Performance of a contract with you
  • Necessary for our legitimate interests (to deliver the contract we have signed with your employer)

To manage our relationship with you which could include:

Notifying you about changes to our services, terms, or privacy policy

Asking you to leave a review or take a survey
  • Identity
  • Contact
  • Profile
  • Marketing and Communications
  • Performance of a contract with you
  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To manage our Ben platform and services which includes:

Keeping our services and platform safe and secure

Improving our services to ensure they are presented in the most effective manner
  • Identity
  • Contact
  • Profile
  • Usage
  • Technical
  • Performance of a contract with you
  • Necessary for our legitimate interests (to deliver our services in a safe and user friendly manner)

To enable you to partake in a prize draw, competition or complete a survey
  • Identity
  • Contact
  • Profile
  • Usage
  • Marketing and Communications
  • Performance of a contract with you
  • Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • Identity
  • Contact
  • Technical
  • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  • Identity
  • Contact
  • Profile
  • Usage
  • Marketing and Communications
  • Technical
  • Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
  • Technical
  • Usage
  • Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about products or services that may be of interest to you
  • Identity
  • Contact
  • Technical
  • Usage
  • Profile
  • Marketing and Communications
  • Necessary for our legitimate interests (to develop our products/services and grow our business)

Marketing

We mentioned earlier that we will seek explicit consent for activities around third-party marketing and advertising, and as such wanted to take the time to explore this in more detail.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of your usage of the Ben platform.

5. Disclosure of your data

We may share your personal data with selected third parties where we have a lawful basis to do so including:

  1. companies within our group of companies, located in or outside of the United Kingdom and European Union, for the supply of our Services.
  2. affiliates, business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you, including employers who subscribe to our services, benefits providers who offer their products through the Ben platform and technology providers.
  3. analytics and search engine providers that assist us in the improvement and optimisation of our site.
  4. fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity.
  5. affiliates, business partners, suppliers and sub-contractors who may be in a position to offer related services to you, where you have consented to be contacted by them.

We may disclose your personal information to third parties:

  1. to provide our Services to you, in which case we may share your personal data with other companies of our group or with our business partners, located in or outside of the European Union.
  2. if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
  3. if we are under a duty to disclose or share your personal data to comply with any legal obligation, to enforce or apply our terms and conditions which regulate the relationship between us, or to protect the rights, property, or safety of Thanks Ben Ltd., our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  4. to assist us in conducting or co-operating in investigations of fraud or other illegal activity where we believe it is reasonable and appropriate to do so.
  5. to prevent and detect fraud or crime.
  6. in response to a subpoena, warrant, court order, or as otherwise required by law.
  7. to assess financial and insurance risks.
  8. to recover debt or in relation to your insolvency.
  9. to develop customer relationships, services, and systems.

The sub-processors which we currently use to provide our services include:

Name of sub-processor

Purpose

Entity Country

Security Measures

Amazon Web Services EMEA SARL

Cloud Service Provider

Luxembourg

ISO 27001
SOC 2
CSA STAR
DPA & SCCs

Datadog, Inc.

User Analytics Platform

United States

ISO 27001
SOC 2
DPA & SCCs

FullStory, Inc.

User Analytics Platform

United States

ISO 27001
SOC 2
DPA & SCCs

Functional Software, Inc. d/b/a Sentry

User Analytics Platform

United States

ISO 27001
SOC 2
DPA & SCCs

Google Cloud EMEA Ltd.

Cloud Service Provider

Ireland

ISO 27001
SOC 2
CSA STAR
DPA & SCCs

HubSpot UK Holdings Ltd.

Customer Relationship Management

Ireland

SOC 2
DPA & SCCs

Intercom Software UK Ltd.

Customer Support

United Kingdom

ISO 27001
SOC 2
DPA & SCCs

Kombo Technologies GmbH

HRIS Integrations

Germany

ISO 27001
SOC 2
DPA & SCCs

Okta, Inc.

Identity & Access Management

United States

ISO 27001
SOC 2
DPA & SCCs

Paystratus Group Ltd.

Payments Platform Provider

United Kingdom

PCI DSS
DPA & SCCs

Salesloft, Inc.

Customer Relationship Management

United States

ISO 27001
SOC 2
DPA & SCCs

Typeform S.L.

Customer Support

Spain

ISO 27001
SOC 2
DPA & SCCs

Zendesk

Customer Support

United States

ISO 27001
SOC 2
DPA & SCCs

6. International Transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanisms used by us when transferring your personal data out of the UK, or more information around supplementary measures post Schrems II.

7. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so, typically within 72 hours where feasible.

8. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including forthe purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

Details of retention periods for different aspects of your personal data can be requested from us by contacting us.

9. Your Rights

You have specific rights available under the UK GDPR, for which further information can be found below. Should you wish, you can exercise any of these rights at any time by contacting us at privacy@thanksben.com.

  • The right to access all personal data held about you.
  • The right to rectification for any personal data held about you, if it is incorrect, incomplete, or otherwise inaccurate.
  • The right to restrict or object to processing in certain circumstances if you believe our processing impacts on your fundamental rights and freedoms. We may however demonstrate that we have legitimate grounds to process your data, not withstanding your rights and freedoms.
  • The right to erasure, or “to be forgotten” and require that we delete the data that we hold for you, where it is no longer necessary for us to hold it. While we respect your right to be forgotten, we may still be required to retain your data in accordance with applicable laws. If this is the case, we will inform you of this when we respond to your request.
  • The right to portability of your data and receive a structured, machine-readable version of your data.
  • The right not to be subject to a decision based solely on automated processing.

For further information on each of those rights, including the circumstances in which they do and do not apply, please contact us. You may also find it helpful to refer to the guidance from the UK's ICO on your rights under the UK GDPR.

If you do end up contacting us, please:

  • provide enough information to identify yourself (eg your full name, address and customer or matter reference number) and any additional identity information we may reasonably request from you.
  • let us know which right(s) you want to exercise and the information to which your request relates.

10. Changes to this Policy

Any changes we may make to our privacy policy will be posted on this page and, if the changes substantially affect your rights or obligations, notified to you by e-mail (if we have your email address on record).

Please check back frequently to see any updates or changes to our privacy policy.

11. How to Contact Us

Questions, comments, and requests regarding this policy are welcomed and should be sent via email at privacy@thanksben.com, or addressed to Privacy Team, Thanks Ben Ltd, 9th Floor, 107 Cheapside, EC2V 6DN, London, United Kingdom.

We hope we will be able to resolve any issues you may have, but if you feel that we have not addressed your questions or concerns adequately, you have the right to make a complaint with the Information Commissioner’s Office in the United Kingdom. You may access their details via https://ico.org.uk/global/contact-us/.

12. General Provisions

Our website may contain links to third party websites, plug-ins, and applications. We are not responsible for the content of such third-party content, or their privacy statement/s. If you provide any information to the third party, then you should check the third-party website to find the applicable privacy policy.

If any provision of this policy is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be construed, as nearly as possible, to reflect the intentions of the parties and all other provisions shall remain in full force and effect.

This policy shall be governed by and construed in accordance with English law, and you agree to submit to the exclusive jurisdiction of the English Courts.