Privacy Policy
WeLink Communications (UK) Limited
- Introduction and Scope
WeLink Communications (UK) Limited (“WeLink”, “we”, “us” or “our”) recognises that the privacy of the personal information that is provided to us is critically important. We take the privacy and security of personal information very seriously.
We are committed to complying with our legal obligations under the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“UK Data Protection Laws”) and other data protection laws around the world.
This Privacy Policy explains what types of personal information we collect, what we do with that personal information, the legal basis for our processing of it, what rights individuals have in relation to any personal information we process about them and how they can exercise those rights. It also explains how we keep personal information safe and secure.
- Who are WeLink Limited?
WeLink is a company, registered in England and Wales under No. 08850166, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. The business of WeLink is the provision of Wi-Fi services and wireless broadband services to the UK market.
WeLink is registered with the Information Commissioner’s office under Registration No. ZA184721.
WeLink operates a website, which provides more information about who we are and what we do, which can be viewed at https://www.welinkuk.com (“the Website” or “our Website”).
Our customers are either individuals and businesses which purchase our broadband services or public sector organisations to which we provide free WiFi services to end users.
- Contacting WeLink
There are three ways to contact WeLink to discuss any data protection issues you may have:-
In writing
The Data Protection Officer
WeLink Communications (UK) Limited
Cardale House Cardale Court
Beckwith Head Road
Harrogate, HG3 1RY
By email
By phone
+44 (0)1423 510511 and ask for the WeLink Data Protection Officer.
- Who is responsible for the management of data protection at WeLink
We have appointed Michael Wray as the Data Protection Officer for WeLink. The Data Protection Officer is responsible for managing data protection at WeLink and ensuring that we comply with our legal obligations relating to personal information. The Data Protection Officer can be contacted using the contact details given in section 3 above.
- What types of personal data does WeLink process?
Under data protection laws, personal data is any information relating to an individual from which that person can be identified. It does not include data from which the identity of an individual cannot be identified (which is anonymous data).
WeLink processes the following categories of personal data depending upon whether we are providing broadband services or Wifi services:
Broadband Services:
We process the following personal data in relation to these services: limited customer information as set out below.
Wi-Fi Services:
We process the following personal data in relation to these services: information relating to the users of our Free Wifi Services, and personal information relating to people who work for, or represent, our current and prospective customers or who are, or work for, or represent suppliers to WeLink.
- What sort of personal data do we hold and collect?
In relation to our broadband services we collect the following personal data:
- Customer Name
- Address
- Contact details on and off line
- Residential home ownership details
In relation to our Wi-Fi services we collect the following personal data:
When you register to be able to use our Wi-Fi network we ask for some personal information through our registration portal. This information includes:
- Age range;
- First name;
- Last name;
- Email address;
- Home post code;
- Gender; and
- Why you are in the area?
We also collect device-specific information when you connect to our network and when you browse the internet. This information includes:
- MAC address;
- The type of device; and
- The browser.
When you use our services we automatically collect and store certain information in server logs such as:
- Time and date of registration;
- Time and date of further connections;
- How much data is consumed; and
- Which access points you are connected to.
- WeLink’s role in relation to the data which it collects on its platform
Broadband Services:
In relation to WeLink’s broadband business, it is a data controller and it uses and processes that data in accordance with its obligations under the GDPR.
WiFi Services:
In relation to WeLink’s WiFi business it has a number of agreements with its customers. These agreements set out whether WeLink, or its customer is either data controller or data processor and set out how data is either controlled or processed.
In relation to the networks which WeLink owns, it is data controller but where it operates a network for a customer which owns the network, then it is a data processor. Where WeLink is a data controller it determines the purposes for which data is processed; where it is a data processor it processes information on the basis of instructions received from its customers.
Obligations where WeLink is a Data Processor
Data processors are obliged to ensure that the processing of data is in compliance with the six data protection principles set out in the GDPR. In particular, to:
- ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making;
- implement appropriate technical and organisational security measures to ensure the security of personal data.
- notify personal data breaches to the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
- comply with certain accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer.
- ensure compliance with the GDPR’s restrictions on transfers of personal data outside the EU.
- co-operate with supervisory authorities, (such as the ICO) and help them perform their duties.
- How does WeLink use the data which it collects?
As we have explained above in the context of WeLink’s businesses (both broadband and WiFi), WeLink can be both data controller and data processor depending upon its contractual position with its customers. We will only process personal data when the law allows us to.
Broadband Services:
We use personal data in relation to our broadband services as follows:
- To deliver services that we provide and to manage our relationship with users, to meet their needs and to enable our services to deliver more useful, customised content;
- To improve the quality of our services and the infrastructure that we use to provide such services and develop new ones;
- To improve security by protecting against fraud and abuse
- To inform users about our services, such as letting them know about upcoming services changes, technical issues, improvements or changes to our terms of use
- To develop and carry out marketing activities about our services and to manage our network
- To implement appropriate technical and organisational measures to ensure the security of personal data. How we comply with this obligation is set out in section 14 below.
- To comply with GDPR/DPA accountability obligations, including maintaining records and appointing a data protection officer. Details of our data protection officer are set out in section 3 above. Our data protection officer manages our accountability and record keeping obligations in accordance with the GDPR.
WiFi Services:
Most commonly, we use personal data in our Wi-Fi business in the following ways:
- to register a user of our app or website and permit you to use it;
- to deliver services that we provide and to manage our relationship with users, to meet their needs and to enable our services to deliver more useful, customised content;
- to improve the quality of our services and the infrastructure that we use to provide such services and develop new ones;
- to improve security by protecting against fraud and abuse;
- to conduct analytics and measurements so as to better understand how our services are used;
- to monitor usage of our app and website so as to manage capacity and deal with any technical issues that may arise from time to time;
- to produce aggregate usage data (from which individual users cannot be identified) to understand how our services are used and to provide the same to third parties and group companies who may use it for analytics, trend analysis and to improve and provide the products and services provided by us;
- to inform users about our services, such as letting them know about upcoming services changes, technical issues, improvements or changes to our terms of use;
- to develop and carry out marketing activities about our services and to manage our network;
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- to only process personal data in accordance with instructions from the data controller, which in all cases will be our customer;
- to enter into binding processor contracts with the data controllers (our customers). The GDPR sets out minimum terms which a controller must impose on its processor by contract.
- not to engage a sub-processor without the controller’s prior specific or general written authorisation. The identity of any sub-processors we use is confirmed and agreed either specifically or in general terms with our customers prior to their appointment.
- to implement appropriate technical and organisational measures to ensure the security of personal data. How we comply with this obligation is set out in section 14 below.
- to notify the relevant data controller (our customer) of personal data breaches without undue delay. We would do this as soon as we were aware of any data breach. We would notify our key customer contact in the first instance.
- to notify the relevant data controller (our customer) immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws. This oversight is managed by our data protection officer, whose details are set out in section 3 above.
- to comply with GDPR/DPA accountability obligations, including maintaining records and appointing a data protection officer. Details of our data protection officer are set out in section 3 above. Our data protection officer manages our accountability and record keeping obligations in accordance with the GDPR.
- ensure that any transfer outside the EEA is authorised by the controller and complies with the GDPR transfer provisions.
- The legal basis upon which WeLink processes data
The law on data protection provides a number of different grounds that a company such as WeLink can rely on to make its processing of personal data lawful.
WeLink relies on the following four legal grounds to process personal data:
You Have Consented To Our Using Your Personal Data
We can collect and process your personal data with your consent. This will be the case if you have registered to use our app or website.
WeLink’s Contractual Obligations & Performance
We may process personal data to comply with and perform our obligations and exercise our rights under our contract with you. We also rely on this basis when ascertaining whether or not you are complying with our Terms of Service and enforcing those terms.
WeLink’s Legitimate Interests
The law states that in specific situations, WeLink can process personal data to pursue its legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact the rights, freedoms or interests of our customers or users. We rely on this basis to use data to send you communications and information about other services we offer. We also rely on this basis to process your data to generate anonymised data. We further rely on this basis to provide your Technical Data and Usage Data to Amvia, as set out in section 10 below.
Legal compliance
We may process your personal data to comply with any applicable legal obligation, law, regulation, legal process or enforceable governmental request or to detect, prevent or otherwise address fraud or crime prevention. We would rely on this ground for example if the police or security services were to require us to provide them with personal data in relation to the detection or prosecution of criminal offences.
- Sharing your user personal data
WeLink may share personal data with any member of our group, for the purposes of data and trend analysis. Group in this context means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose or share personal data in order to comply with any legal obligation on us or to protect the rights, property, or safety of WeLink or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection or the prevention of criminal conduct.
We may disclose personal data to a purchaser of WeLink or substantially all of its assets, in which case personal data held by WeLink will be one of the transferred assets.
We won’t share personal data with any third party for the purpose of marketing unless you have given your consent to us doing that. If you do consent to receive information about third party products or services, we will provide you with relevant details of the third party (including who they are, where they are based and how they may be contacted) and will explain what personal data will be shared with them.
WiFi Services:
We may share your personal data with a company called Amvia Limited, company No. 10267830, whose registered address is at Aizlewoods Mill, Nursery Street, Sheffield, S3 8GG. Amvia provide us with certain technology infrastructure (such as leased line, fibre, ethernet and FTTP services) to allow us to operate Wifi in the City of Watford.
A subset of the data in relation to YCCC is shared with TwoCircles (a marketing company). The following information is shared: Date of registration; Time of registration; Registration type (email/Facebook); Marketing consent (yes/no); First name; Last name; Email address; Postcode; Gender (Male/Female); Age range; Registration location (which stand in the stadium).
- What are your legal rights in relation to your personal data?
Individuals (“Data Subjects”) have a number of legal rights in relation to the personal data which we hold about them. These include:
- The right to be informed about how we process and manage the Data Subject’s personal data. We comply with the Data Subject’s rights in this regard by the publication of this Privacy Policy.
- The right to obtain a copy of any personal data about the Data Subject which we hold at any time and to obtain certain information about how we process that data. This is called a Subject Access Request and Data Subjects can submit such a request by contacting the data protection officer: see section 3 above.
- The right to request that any inaccurate or incomplete personal data that we hold about the Data Subject is corrected. The Data Subject can update their personal data by contacting the data protection officer: see section 3 above.
- In certain circumstances, the right to request that we erase, or restrict our processing of personal data that we hold about the Data Subject.
- The right to request the transfer of their personal data to the Data Subject or to a third party nominated by them.
- The right to request that we stop using their personal data for direct marketing or for purposes based on legitimate interests. A Data Subject can tell us at any time to stop marketing to them by using any of the methods set out in section above or by emailing the Data Protection Officer.
- The right to require us to stop processing their personal data where the Data Subject contests the accuracy of the information we hold about them.
- Where our processing of the Data Subject’s data is based on their consent, the right to withdraw their consent at any time so that we then stop processing their personal data based on that consent.
- The right to have any decision, made solely on the basis of automatic processing of the Data Subject’s personal data, reviewed by a human being, express their point of view on the decision, obtain an explanation of the decision and challenge it.
- The right to compensation in certain circumstances where we breach the Data Subject’s rights relating to any information in a way that causes the Data Subject damage.
If you would like to exercise any of your legal rights in relation to the personal data we hold about you, you can submit a request through our Website using this link: www.welinkuk.com/contact-us or by contacting the data protection officer whose details are set out in section 3 above.
Generally Data Subjects will not have to pay a fee to exercise any of their legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from a Data Subject to confirm their identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask a Data Subject for additional information to help us respond to their request. We will try to respond to a Data Subject’s request within one month but, if the request is very complex or if a Data Subject has made a number of requests, it could take longer. In such circumstances, we will explain to the Data Subject why it will take longer to respond and we will keep them updated.
- Marketing
We may use your personal data to inform you about our services – for example we may send you emails or electronic notifications letting you know about upcoming service changes, technical issues, improvements or changes to our terms of use.
We may also use your personal data to send you emails containing information about products and services we offer or to conduct surveys but we won’t do that if you opted not to receive such emails when you registered with us. Any email of this type that we send you will contain an opt out option, which you can use to tell us that you no longer wish to receive this kind of email.
We won’t otherwise share your personal data with any third party for marketing purposes without first obtaining your express opt-in consent.
You can ask us or any approved third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
- How long will we keep your personal data?
We retain WeLink personal data for as long as reasonably necessary to fulfil the purposes it was collected for and to enable us to comply with our legal obligations.
As part of our commercial offering includes the statistical analysis and presentation of summarised historic information, we will retain information for as long as it is useful for these purposes. In carrying out these analyses, we will never share your personal information and will ensure that you remain anonymous at all times.
This does not affect your absolute right to have your personal information removed from our servers on request at any time.
- How do we protect personal data?
WeLink takes the security of personal data very seriously. We use appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or loss.
WeLink data is hosted by Amazon Web Services, which is built with security by design principles, based upon confidentiality, integrity, and availability. The development of the WeLink Platform, its installation and maintenance are carried out in accordance with the rules set out by the latest security standards. Our products and services comply with the security and privacy requirements of GDPR and ISO 27001.
We take our responsibilities as a data processor extremely seriously and ensure that all customer data is treated with the utmost care and confidentiality. Data is hosted within Amazon Web Services London region and we use end to end encryption to ensure that information transmitted between the mobile device applications and infrastructure is not accessible by any individual.
Staff receive induction training on information security as part of joining their organisation and are made aware of their responsibilities and the implications of their actions in relation to cyber security both on them as individuals and also within the organisation.
We conduct training courses using our training platform to ensure that staff are up to date with the latest guidelines and best practices.
Access to personal information is retained only for senior staff and accessed upon instruction from a customer in response to a support issue or query. Roles Based Access Controls are implemented across the organisation’s IT systems to ensure that staff only ever have access to the information that they require.
As part of our induction training all staff are made aware of how to report information security incidents and we have ISO and GDPR policies on how to report a data breach internally, with customers and the ICO. Sophos antivirus and firewall protections are implemented across the organisation’s IT systems and end user devices.
We conduct annual penetration testing by a CESG accredited organisation to ensure that there are no threats and vulnerabilities within our infrastructure.
As part of our IT operations policy we conduct patching of internal IT systems and end user devices in line with guidance from software vendors and always use supported operating systems, software and browsers.
We ensure that we follow the latest industry best practices and guidelines in relation to cyber security. We ensure compliance with the latest information security and cyber security guidelines from NCSC.
All WeLink contact personal data, which we store electronically, is stored on our private, secure network of computers. Access to our IT systems is password protected. Our IT provider regularly monitors our computer and network systems for possible vulnerabilities and attacks and uses state of the art firewalls and anti-virus software, which is regularly updated.
- Where is your personal data processed?
We only process personal data in the UK.
- Exercising your rights in relation to your User Personal Data
If you wish to exercise any of the rights set out above, then you should contact our Data Protection Officer, whose details are set out in paragraph 3 above.
No Fee Usually Required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive (see above). Alternatively, we could refuse to comply with such a request in these circumstances.
Verifying Your Identity
We may need to request specific information from you to help us confirm your identity and ensure your right to access personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Typically we will require at least two valid types of Identity Data, being the email address that you used to sign up to our network services with and details of the devices you used to access our service (for example MAC Address).
We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit to Respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if the request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.
- Getting us to stop using or keeping your Personal User Data
If you ask us to, we will, subject to compliance with any overriding legal obligations we owe to third parties (such as the police or the security services), remove, delete or stop using your personal Data information. If you want us to do this then please contact us at . We will need to verify your identity as set out in section 16 above.
- Changes to our Privacy Policy and data subject’s duty to inform us of changes
We keep our Privacy Policy under regular review. This version was last updated on 2 September May 2021. Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
- Contacting the regulator to make a complaint
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority in relation to data protection issues (www.ico.org.uk). If you feel that your data has not been handled correctly, or are unhappy with our response to any requests you have made to us regarding our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would, however, appreciate the chance to deal with any such concerns before you approach the ICO so please contact us in the first instance.
The ICO can be contacted by calling 0303 123 1113 or by going online at www.ico.org.uk/concerns.
If you are based outside the UK, you have the right to lodge a complaint with the relevant data protection regulator in your country of residence.
- WeLink Policy on Cookies relevant to the Website
A cookie is a small file, which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
In general, we use cookies and our records of the pages users have visited to gather information about all of our users collectively, such as what areas users visit most frequently and what services are accessed most. We only use such data in the aggregate. This information helps us determine what is most beneficial for our users, and how we can continually create a better overall experience for our users and improve our website in order to tailor it to customer needs. We use the following cookies for WeLink:
| Company | Name | Purpose |
| --- | --- | --- |
| WeLink | laravel session | This cookie keeps track of the user sessions. We use the session cookie to provide a seamless registration experience across all registration mechanisms. |
| WeLink | random_string | This cookie is used in conjunction with the laravel session cookie to keep track of the user sessions. We use the session cookie to provide a seamless registration experience across all registration mechanisms. |
Cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
- Further information
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to hello@welinkuk.com.