DrumRoll HQ Limited is a UK company, with company registration number 09195005 and registered office address at Huckletree Soho, Ingestre Court, Ingestre Pl, London, United Kingdom, W1F 0JL (“DrumRoll” or “we”). DrumRoll is the owner and operator of the ‘Erase All Kittens’ website and its associated game (located at www.eraseallkittens.com). We, at Drum Roll, are committed to protecting and respecting your privacy.
We only collect Personal Information from a child under 18 where:
- the parent or legal guardian of a child has signed up to our Services or been invited to sign up or approve the child’s use of the Services.
If you are aged under 18, please do not send any Personal Information about yourself to us if your school, district, and/or teacher has not obtained this prior consent from your parent or guardian or if your parent or guardian has not signed you up and given their approval for you to use our Services, and please do not send any Personal Information other than what we request from you in connection with the Services.
If we learn we have collected Personal Information from a student aged under 18 without parental consent being obtained by his or her parent, guardian, school, district, and/or teacher, or if we learn a student under 18 has provided us with Personal Information beyond what we request from him or her, we will delete that information as quickly as possible. If you believe that a student under 18 may have provided us with personal information in violation of this paragraph, please contact us at [email protected].
PERSONAL INFORMATION AND CHILDREN’S PERSONAL INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:
Information you give us. You may give us information about you by filling in forms on our site www.eraseallkittens.com (our site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to our service, download any content, sign up for any subscription services, participate in discussion boards or other social media functions on our site, enter a competition or promotion or survey and when you report a problem with our site. The information you give us may include your name, age, gender, address, e-mail address and credit card information. You may modify or remove your Personal Information at any time by logging into your account and accessing features to edit your profile and/or account information. Please note that your school can view all activity and content associated with your student account, including your Personal Information.
Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouseovers), and methods used to browse away from the page and any phone number used to call our customer service number.
Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, subcontractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
USES MADE OF THE PERSONAL INFORMATION AND CHILDREN'S PERSONAL INFORMATION
We use information held about you in the following ways:
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
- to provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please tick the relevant box situated on the registration form on which we collect your data;
- to notify you about changes to our service;
- to ensure that content from our site is presented in the most effective manner for you and for your computer.
Information we collect about you. We will use this information:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
DISCLOSURE OF YOUR PERSONAL INFORMATION AND CHILDREN’S PERSONAL INFORMATION
We may share your information with selected third parties including:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- analytics and search engine providers that assist us in the improvement and optimisation of our site;
- credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
We may disclose your information to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if all of Drum Roll’s assets or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
WHERE WE STORE YOUR PERSONAL DATA
The data that we collect from you may be transferred to, and stored at, a destination outside the UK and the European Economic Area (“EEA”). It may also be processed by staff operating outside the UK or the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. Unless such transfer is made with your consent, or is required in order to fulfil the terms of any Services requested from us, we will not transfer any of your personal data to any country outside the UK or EEA unless such transfer is to an organisation which provides adequate safeguards in compliance with the Data Protection Regulations.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using appropriate encryption technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at [email protected].
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
RETAINING AND DELETING PERSONAL DATA
Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose. This means that unless there is a good reason to do so we won't keep your personal data more than 6 years after our business relationship has ended.
Notwithstanding the other provisions of this policy, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your legal interests or the legal interests of another person.
ACCESS TO INFORMATION
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act.
DATA BREACH POLICY
Our Data Protection Policy aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that we take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or special category data transmitted, stored or otherwise processed.
Our Data Protection Officer (DPO) has overall responsibility for addressing any personal data breach. They are responsible for ensuring the appropriate notification processes are adhered to and any appropriate investigation and reporting of a personal data breach are carried out lawfully and in accordance with this policy. They are also the designated point of contact for any questions relating to personal data breaches.
Please contact the DPO with any questions about the operation of this policy or if you have any concerns that this policy is not being or has not been followed.
You can contact our DPO at: [email protected].
DATA BREACH PROCEDURE
What is a Personal Data Breach?
Examples of a data breach may include the following:
- Loss or theft of data or equipment on which data is stored, for example loss of a laptop or a paper file (this includes accidental loss);
- Inappropriate access controls allowing unauthorised use;
- Equipment failure;
- Human error (for example sending an email or SMS to the wrong recipient);
- Unforeseen circumstances such as a fire or flood;
- Hacking, phishing and other “blagging” attacks where information is obtained by deceiving whoever holds it.
When Does It Need To Be Reported?
We will notify the Information Commissioner’s Office (ICO) of a data breach where it is likely to result in a risk to the rights and freedoms of individuals. This means that the breach needs to be more than just losing personal data and, if unaddressed, the breach is likely to have a significant detrimental effect on individuals.
Examples of where the breach may have a significant effect include:
- potential or actual discrimination;
- potential or actual financial loss;
- potential or actual loss of confidentiality;
- risk to physical safety or reputation;
- exposure to identity theft (for example through the release of non-public identifiers such as passport details);
- the exposure of the private aspect of a person’s life becoming known by others.
If the breach is likely to result in a high risk to the rights and freedoms of individuals then the individuals will also be notified directly.
Reporting A Data Breach
A person who suspects that a personal data breach which meets the criteria above has occurred or may occur should contact the DPO immediately with full details of the data breach.
Once reported, no further action should be taken in relation to the breach without the prior instruction of the DPO. For example, affected individuals or authorities should not automatically be informed until appropriate investigation and analysis of the data breach has been undertaken to ensure the correct procedure is followed.
The DPO will acknowledge receipt of any data breach report and take appropriate steps to deal with the report in accordance with this policy and with our legal obligations.
Managing and Recording The Breach
On being notified of a suspected personal data breach, the DPO will take immediate steps to establish whether a personal data breach has in fact occurred. If so, the DPO will take steps to:
- Where possible, contain the data breach;
- As far as possible, recover, rectify or delete the data that has been lost, damaged or disclosed;
- Assess and record the breach in the Company’s data breach register;
- Notify the ICO (in serious cases, and/or where appropriate to do so);
- Notify data subjects affected by the breach (in serious cases, and/or where appropriate to do so);
- Notify other appropriate parties to the breach (in serious cases, and/or where appropriate to do so);
- Take steps to prevent future breaches.
Notifying the ICO
The DPO will notify the ICO when a personal data breach has occurred which is likely to result in a risk to the rights and freedoms of individuals.
This will be done without undue delay and, where possible, within 72 hours of becoming aware of the breach. If the DPO is unsure of whether to report a breach, the assumption will be to report it.
Where the notification is not made within 72 hours of becoming aware of the breach, written reasons will be recorded as to why there was a delay in referring the matter to the ICO.
Notifying Data Subjects
Where the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO will notify the affected individuals without undue delay, including providing details of the likely consequences of the data breach and the measures the Company has taken or intends to take to address the breach.
When determining whether it is necessary to notify individuals directly of the breach, the DPO will, where appropriate, contact our legal advisors, the ICO and any other relevant authorities (such as the police) for advice.
If it would involve disproportionate effort to notify the data subjects directly (for example, by not having contact details of the affected individual) then we will consider alternative means to make those affected aware (for example by making a statement on our website).
Notifying Other Authorities
We may need to consider whether other parties need to be notified of the breach. For example:
- Third parties (for example when they are also affected by the breach);
- The police (for example if the breach involved the theft of equipment or data).
This list is non-exhaustive.
Assessing The Breach
Once initial reporting procedures have been carried out, we will carry out all necessary investigations into the breach.
We will identify how the breach occurred and take immediate steps to stop or minimise any repeated breach or further loss, destruction or unauthorised disclosure of personal data. We will identify ways to recover, correct or delete data (for example notifying our insurers or the police if the breach involves stolen hardware or data).
Having dealt with containing the breach, we will consider the risks associated with the breach. These factors will help determine whether further steps need to be taken (for example notifying the ICO and/or data subjects as set out above). These factors may include:
- What type of data is involved and how sensitive it is;
- The volume of data affected;
- Who is affected by the breach (i.e. the categories and number of people involved);
- The likely consequences of the breach on affected data subjects following containment and whether further issues are likely to materialise;
- Are there any protections in place to secure the data (for example, encryption, password protection, pseudonymisation);
- What has happened to the data;
- What could the data tell a third party about the data subject;
- What are the likely consequences of the personal data breach to the Company; and
- Any other wider consequences which may be applicable.
Preventing Future Breaches
Once the data breach has been dealt with, we will consider our security processes with the aim of preventing further breaches. In order to do this, we may:
- Establish what security measures were in place when the breach occurred;
- Assess whether technical or organisational measures can be implemented to prevent the breach from happening again;
- Consider whether there is adequate staff awareness of security issues and look to fill any gaps through training or tailored advice;
- Consider whether it’s necessary to conduct a privacy or data protection impact assessment;
- Consider whether further audits or data protection steps need to be taken.