NiftiBusiness

AUTOLEASE FLEET MANAGEMENT LIMITED PRIVACY AND COOKIES POLICY

Last revised: 04 August 2021 (AFM)

Autolease Fleet Management Limited trading as NiftiBusiness (“Autolease”, “us”, “we”, or “our”) operates the www.niftibusiness.ie website (the “Service”).

This page informs you of our policies regarding the collection, use, and disclosure of Personal Data when you use our Service and the choices you have associated with that data. In this Privacy Policy, the term “Personal Data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, our possession, and includes personal data as described in Data Protection Legislation (as defined below).

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from www.niftibusiness.ie

We will handle your Personal Data in accordance with Data Protection Legislation. “Data Protection Legislation” means the Irish Data Protection Acts 1988 to 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and any other applicable law or regulation relating to the processing of Personal Data and to privacy, including the E-Privacy Directive 2002/58/EC and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, as such legislation shall be supplemented, amended, revised or replaced from time to time.

INFORMATION COLLECTION AND USE

We collect several different types of information for various purposes to provide and improve our Service to you. We will only collect and use your information where we are legally entitled to do so.

We may add your personal data to our Client Relationship Management database (the “CRM Database”) which we use to develop our relationships with current and prospective contacts in order to manage and develop our business.

We do not sell your personal data or provide it to third parties for direct marketing use.

TYPES OF DATA COLLECTED

PERSONAL DATA

While using our Service, we may ask you to provide us with certain Personal Data. Personal Data may include, but is not limited to:

  • Email addresses;
  • Telephone numbers including mobile phone numbers;
  • Home addresses;
  • First and last names;
  • Cookies and Usage Data; and
  • Portal User Data.

USAGE DATA

We may also collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

TRACKING & COOKIES DATA

We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.

Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies used include beacons, tags, and scripts to collect and track information and to improve and analyse our Service.

The ‘Help Menu’ on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-ons settings or visiting the website of its manufacturer.

For more information about cookies and managing them including how to turn them off, please visit www.cookiecentral.com. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies), you may not be able to fully experience the interactive features of our website or other related websites/applications which you visit/use.

We do not use any non-essential cookies without your explicit consent. You can withdraw your consent to cookies and/or manage your consent preferences at any time by clicking Cookie Settings.

Examples of Cookies we use:

Session Cookies. We use Session Cookies to operate our Service.

Preference Cookies. We use Preference Cookies to remember your preferences and various settings.

Security Cookies. We use Security Cookies for security purposes.

You can find a list of cookies we use and the purposes for which we use them in the table below.

| Cookie | Purpose | Expires |
|---|---|---|
| .Nop.Antiforgery | Anti-forgery cookies. Ensure that data requests originate from the current domain | End of session |

You should also be aware that there are cookies which are found in other companies’ internet tools which we may use to enhance the Service. You may see ‘social buttons’ during your use of the website, including but not limited to Twitter, Facebook, LinkedIn and Instagram which enable you to share or bookmark certain web pages.  These websites and social platforms have their own cookies and privacy practices, which are controlled by them.

PORTAL USER DATA

Where you are a user of our Online Portal (a “Portal User”) we may collect certain categories of Personal Data (“Portal User Data”) on behalf of your employer (or the organisation who is providing you with insurance cover in accordance with their internal insurance policy based on information you provide to the Portal, as the case may be) (the “Portal Data Controller”).

Portal User Data relating to you may include the following categories of Personal Data:

  • Full name;
  • Address;
  • Phone Number;
  • Branch / Cost centres;
  • Driving licence information, including:
    • Type of driving licence (i.e. full / provisional licence);
    • Driving licence number;
    • Number of years for which your driving licence has been held;
    • Country of issue of driving licence;
  • Previous accident records;
  • Record of refusal of insurance;
  • Medical conditions, which may affect your driving ability;
  • Eye test results; and
  • Photocopies of your driving licence.

The Portal Data Controller is a controller (as defined in Data Protection Legislation) in respect of your Portal User Data.  As a Processor, we will only Process Portal User Data relating to you in accordance with the instructions of the Portal Data Controller who is the controller of your Portal User Data.

HOW WE USE YOUR DATA

NiftiBusiness uses the collected data for various purposes.

We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

Note that we may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we are relying on to process your Personal Data where more than one ground has been set out in the table below.

| Purpose | Categories of data | Legal basis for processing and, where necessary, the basis of legitimate interest |
|---|---|---|
| To provide and maintain the Service; To allow you to participate in interactive features of our Service when you choose to do so; To provide customer care and support | Email addresses; First and last names; | Necessary for our legitimate interest to provide the website and Service to you. |
| To provide analysis or valuable information so that we can improve the Service; To monitor the usage of the Service; To detect, prevent and address technical issues | Cookies and Usage Data. | Necessary for our legitimate interests (for running the Service, running our business, provision of administration and IT services and network security) |
| To notify you about changes to our Service and/or our Privacy Policy | Email addresses; First and last names; and Cookies and Usage Data. | Necessary for our legitimate interests (for running our business and website); Necessary for us to comply with our legal obligation |
| | Portal User Data as described above | Necessary for our legitimate interest to provide the Service to you. |

As noted above, in relation to Portal User Data, the Portal Data Controller is a controller (as defined in Data Protection Legislation) in respect of Portal User Data and is responsible for establishing the legal basis of the Processing of Portal User Data. Where you are a Portal User, your Portal Data Controller’s data protection policy, rather than this Privacy Policy, will apply to the processing of your Portal User Data.

TRANSFER OF DATA

Your information, including Personal Data, may be transferred to, stored at, or accessed from a destination outside the European Economic Area (“EEA”) for the purposes of us providing the Service. It may also be processed by staff operating outside the EEA who work for us, another corporate entity within our group, or any of our suppliers.

We are part of a larger company group and for administrative efficiencies, your information may be stored within one CRM or central IT system which is owned, operated or shared by our Affiliates. Where we share your personal data for intra-group administration, we first enter into appropriate agreements to regulate the data sharing or data processing among the relevant Affiliates. We have a data sharing agreement in place with our Affiliate, Autolease Personal Leasing Limited, trading as Nifti, for the purposes of our shared CRM Database. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with us; “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

If you are located outside Ireland and choose to provide information to us, please note that we transfer the data, including Personal Data, to Ireland and process it there.

NiftiBusiness will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information. The safeguards in place with regard to the transfer of Your Data outside of the EEA to third parties shall include (but shall not be limited to) the entry by us into appropriate contracts with all transferees of such data, reliance on a decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country and/or standard contractual clauses approved by the European Commission or the DPC and any additional or supplementary measures required. Please contact us for further information on the means to ensure an adequate level of data protection and the transfer mechanism we rely upon for such transfers.

Where any Portal Data Controller is located outside of the EEA, that Portal Data Controller is responsible for ensuring that the transfer of Portal User Data is lawful under Data Protection Legislation. This may include obtaining your explicit consent in respect of any such transfer.

DISCLOSURE OF DATA

LEGAL REQUIREMENTS

NiftiBusiness may disclose your Personal Data in the good faith belief that such action is necessary to:

  • comply with a legal obligation;
  • protect and defend the rights or property of NiftiBusiness;
  • prevent or investigate possible wrongdoing in connection with the Service;
  • protect the personal safety of users of the Service or the public; or
  • protect against legal liability.

SECURITY OF DATA

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

YOUR RIGHTS

As a data subject, you have the following rights under Data Protection Legislation and we, as controller in respect of Your Data, will comply with such rights in respect of Your Data:

  • the right of access to Personal Data relating to you;
  • the right to correct any mistakes in your Personal Data;
  • the right to ask us to stop contacting you with direct marketing;
  • rights in relation to automated decision taking;
  • the right to restrict or prevent your Personal Data being processed;
  • the right to have your Personal Data ported to another data controller;
  • the right to erasure; and
  • the right to complain to the Data Protection Commission (“DPC”) if you believe we have not handled your Personal Data in accordance with Data Protection Legislation.

These rights are explained in more detail below, but if you have any comments, concerns or complaints about our use of your Personal Data, please contact us (see ‘Contact Us’ below). We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex or cumbersome, in which case we will respond within three months (we will inform you within the first month if it will take longer than one month for us to respond). Where a response is required from us within a particular time period pursuant to Data Protection Legislation, we will respond within that time period.

Right of access to Personal Data relating to you

You may ask to see what Personal Data we hold about you and be provided with:

  • a summary of such Personal Data and the categories of Personal Data held;
  • details of the purpose for which it is being or is to be processed (see above);
  • details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers (see below);
  • details of the period for which it is held or the criteria we use to determine how long it is held (see “Retention of Personal Data” below);
  • details of your rights, including the rights to rectification, erasure, restriction or objection to the processing (set out in this section);
  • any information available about the source of that data;
  • whether or not we carry out automated decision-making, or profiling, and where we do, information about the logic involved and the envisaged outcome or consequences of that decision making or profiling; and
  • where your Personal Data are transferred out of the EEA, what safeguards are in place.

Details in respect of the above points are all set out in this Privacy Policy; however, if you need further clarification, please contact us (see ‘Contact Us’ below).

Requests for your Personal Data must be made to us (see ‘Contact Us’ below) specifying what Personal Data you need access to, and a copy of such request may be kept by us for our legitimate purposes in managing the Service. To help us find the information easily, please give us as much information as possible about the type of information you would like to see. If, to comply with your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person, if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person, if possible.

There are certain types of data which we are not obliged to disclose to you, which include Personal Data which records our intentions in relation to any negotiations with you where disclosure would be likely to prejudice those negotiations. We are also entitled to refuse a data access request from you where (i) such request is manifestly unfounded or excessive, in particular because of its repetitive character (in this case, if we decide to provide you with the Personal Data requested, we may charge you a reasonable fee to account for administrative costs of doing so), or (ii) we are entitled to do so pursuant to Data Protection Legislation.

Right to update your Personal Data or correct any mistakes in your Personal Data

You can require us to correct any mistakes in your Personal Data which we hold free of charge. If you would like to do this, please:

  • email or write to us (see ‘How can you contact us’ below);
  • let us have enough information to identify you (e.g. name, registration details); and
  • let us know the information that is incorrect and what it should be replaced with.

If we are required to update your Personal Data, we will inform recipients to whom that Personal Data have been disclosed (if any), unless this proves impossible or involves disproportionate effort.

It is your responsibility to ensure that all of the Personal Data provided to us is accurate and complete. If any information you have given us changes, please let us know as soon as possible (see ‘Contact Us’ below).

Right to ask us to stop contacting you with direct marketing

We have a legitimate interest to send you electronic communications in connection with the Service and related matters (which may include but shall not be limited to newsletters, announcement of new features etc. and which may also appear on social media platforms such as Facebook, LinkedIn, Twitter or Instagram). We may also ask you for your consent to send you direct marketing from time to time. You may be able to select your preferences with respect to direct marketing when registering Your Account. We may also ask you different questions for different services, including competitions. We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.

You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

  • Click on ‘unsubscribe’ on an email (this will be instantaneous);
  • Send an email via ‘Contact Us’ below (this can take up to 5 working days).

We will provide you with information on action taken on a request to stop direct marketing – this may be in the form of a response email confirming that you have ‘unsubscribed’. Unsubscribing from direct marketing does not unsubscribe you from essential electronic communications in respect of the administration of Your Account.

Rights in relation to automated decision taking

You may ask us to ensure that, if we are evaluating you, we do not base any decisions solely on an automated process and have any decision reviewed by a member of staff. Profiling may occur in relation to your Personal Data for the purposes of targeted advertising and de-targeting you from specified advertising. This allows us to tailor our advertising to the appropriate customers and helps to minimise the risk of you receiving unwanted advertising. These rights will not apply in all circumstances, for example where the decision is (i) authorised or required by law, (ii) necessary for the performance of a contract between you and us, or (iii) based on your explicit consent. In all cases, we will endeavour to ensure that steps have been taken to safeguard your interests.

Right to restrict or prevent processing of Personal Data

In accordance with Data Protection Legislation, you may request that we stop processing your Personal Data temporarily if:

  • you do not think that your Personal Data is accurate (but we may start processing again once we have checked and confirmed that it is accurate);
  • the processing is unlawful but you do not want us to erase your Personal Data;
  • we no longer need the Personal Data for our processing; or
  • you have objected to processing because you believe that your interests should override the basis upon which we process your Personal Data.

If you exercise your right to restrict us from processing your Personal Data, we will continue to process the Personal Data if:

  • you consent to such processing;
  • the processing is necessary for the exercise or defence of legal claims;
  • the processing is necessary for the protection of the rights of other individuals or legal persons; or
  • the processing is necessary for public interest reasons.

Right to data portability

In accordance with Data Protection Legislation, you may ask for an electronic copy of your Personal Data that you have provided to us and which we hold electronically, or for us to provide this directly to another party. This right only applies to Personal Data that you have provided to us – it does not extend to data generated by us. In addition, the right to data portability also only applies where:

  • the processing is based on your consent or for the performance of a contract; and
  • the processing is carried out by automated means.

Right to erasure

In accordance with Data Protection Legislation, you can ask us (please see ‘Contact Us’ below) to erase your Personal Data where:

  • you do not believe that we need your Personal Data in order to process it for the purposes set out in this Privacy Policy;
  • if you had given us consent to process your Personal Data, you withdraw that consent and we cannot otherwise legally process your Personal Data;
  • you object to our processing and we do not have any legal basis for continuing to process your Personal Data;
  • your Personal Data has been processed unlawfully or has not been erased when it should have been; or
  • the Personal Data has to be erased to comply with law.

We may continue to process your Personal Data in certain circumstances in accordance with Data Protection Legislation (i.e. where we have a legal justification to continue to hold such Personal Data, such as it being within our legitimate business interest to do so (e.g. retaining evidence of billing information etc.)). Where you have requested the erasure of your Personal Data, we will inform recipients to whom that Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. We will also inform you about those recipients if you request it.

Right to complain to the DPC

If you do not think that we have processed your Personal Data in accordance with this Privacy Policy, please contact us in the first instance. If you are not satisfied, you can complain to the DPC or exercise any of your other rights pursuant to Data Protection Legislation. Information about how to do this is available on the DPC website at https://www.dataprotection.ie

Withdrawal of Consent

If you no longer consent to our processing of Your Data (in respect of any matter referred to in this Privacy Policy as requiring your consent), you may request that we cease such processing by contacting us via the ‘Contact Us’ facility referred to below. Please note that if you withdraw your consent to such processing, it may not be possible for us to provide all/part of the Service to you.

SERVICE PROVIDERS

We may employ third party companies and individuals to facilitate our Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

ANALYTICS

We may use third-party Service Providers to monitor and analyse the use of our Service.

  • Google Analytics: Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. You can opt out of having your activity on the Service made available to Google Analytics by installing the Google Analytics opt-out browser add-on, available at http://tools.google.com/dlpage/gaoptout. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits activity. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

LINKS TO OTHER SITES

This Privacy Policy only applies to websites and services that are owned and operated by us.  Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

BREACH REPORTING

We will notify serious data breaches in respect of your Personal Data to the DPC without undue delay, and where feasible, not later than 72 hours after having become aware of same. If notification is not made within 72 hours, we will record a reasoned justification for the delay. It is not necessary to notify the DPC where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A Personal Data breach in this context means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

We will keep a record of any data breaches, including their effects and the remedial action taken, and will notify you of any data breach affecting your Personal Data (which poses a high risk to you) when we are required to do so under Data Protection Legislation. We will not be required to notify you of a data breach where:

  • we have implemented appropriate technical and organisational measures that render the Personal Data unintelligible to anyone not authorised to access it, such as encryption; or
  • we have taken subsequent measures which ensure that the high risk to data subjects is not likely to materialise; or
  • it would involve disproportionate effort, in which case we may make a public communication instead.

Where we act as a Processor we will notify the Data Controller of any data breaches without undue delay.

RETENTION OF PERSONAL DATA

Your Personal Data will be kept and stored for such period of time as we deem necessary taking into account the purpose for which it was collected in the first instance. This may include retaining your Personal Data as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our website.

Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Service, not to specifically analyse personal characteristics about you.

CHILDREN’S PRIVACY

Our Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children have provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

CONTACT US

If you have any questions about this Privacy Policy, please contact us: