1. Who are we and what is the purpose of this policy?

TMU Ireland Ltd, a company registered under the Laws of the Republic of Ireland with company registration number 701630 and having its registered office situated at 38 Upper Mount Street, Dublin 2 (“we”, “us” or “TMU”), operates TrustMeUp, a website, mobile application, and platform intended, amongst others to (i) facilitate fundraising campaigns by connecting donors and non-profit organisations (the charity or non-profit organisations being referred to as “organisations”) and (ii) enable participating merchants to promote goods and services that they offer (hereinafter referred to as “merchants”).

This policy is intended to provide a high-level overview of:
- the personal data that is collected by us whilst you are using TrustMeUp;
- how this personal data is collected;
- why do we need to collect such personal data; and
- how we comply with the provisions of laws relating to the protection of personal data as applicable to us, in particular Regulation (EU) 2016/679 (“GDPR”).

In terms of the provisions of the GDPR, the term “personal data” is defined as “any information relating to an identified or identifiable natural person (“data subject”)”. Furthermore, the term “processing” is also given a wide meaning and is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.” This includes collection, recording, storage, adaptation, and use of personal data.

This privacy policy applies solely to the extent that where we are deemed to be data controllers in terms of the GDPR.

Save as expressly indicated in section 2(d) hereunder, each of the organisations and the merchants individually determine the purposes and the means of any personal information that they collect, and they do so independently from us.  In this respect and in accordance with the provisions of the GDPR, each of the organisations and the merchants are considered to be separate and independent controllers of your data.

TMU is not responsible for the data processing practices of the organisations or the merchants, which may differ from the contents of this document. We encourage you to review the relevant privacy notices set out by the organisations or the merchants before using TrustMeUp or disclosing any information to such entities.  

2. How do we get personal data?

We collect or get access to your personal data as follows:

a) Information you give us directly:
- Personal data that relates to your personal contact details, such as your address and account details and other personal information that you provide to us during the account opening process;

- Personal data that you make available to us whilst corresponding with us;

- Personal data that you provide to us when you provide a donation to the organisations or carry out a transaction with merchants.  This includes, amongst others, all information or content that you submit whilst using our portal (including carrying out any transaction), comments or posts that you leave on our portal; messages you send to us or to the organisations or merchants (as the case may be).

b) Information that we collect about you automatically through your use of TrustMeUp, such as, data that is generated as part of one of your transactions (donations, bids, purchases, etc) or that is linked to your account as a result of a transaction in which you are involved, such as transaction amounts, time and location of transactions and form of payment or payout method.

c) We may also collect other types of personal data, automatically, from your device or browser, such as:

- Data about your device - We collect certain data about your device or browser automatically via log files, such as your Media Access Control (MAC) address, device ID, operating system name and version, browser type, and device manufacturer and model. We may also collect your IP address. We use data about your device to ensure our software solutions (including our mobile app) functions properly, diagnose server problems, and administer our software solutions (including our mobile app) and the services we provide.

- Usage data - We collect certain technical data related to your use of our software solutions (including our mobile app), such as the date and time your device accesses our servers and the parts of our software that were visited. We primarily use this data to ensure that our software solutions (including our mobile app) functions properly and to improve such solutions and our services.

- Cookies – TrustMeUp makes use of cookies in order to distinguish you from our other users.  This enables us to provide you with a better experience when accessing our portal or system and also allows us to improve our service offering.  For further information about our use of cookies and how you can control their use, please refer to our Cookies Policy.

d) We may also receive information about you from third parties, as further detailed hereunder:
- Merchants –  We receive a small commission whenever you complete a transaction with a Merchant – but only in those situations where you access the Merchant’s e-commerce platform by clicking on the Merchant’s shopwindow accessible on our site (“the shopwindow”).  In order to identify such transactions which entitles us to a commission, you will be automatically allocated a unique reference code whenever you access the Merchant’s websites through the shopwindow as aforesaid.  This unique reference code is used exclusively to confirm that you have accessed the Merchant’s website through the shopwindow and completed a transaction.  The unique reference code expires after each visit.  The information we receive in this respect (which is limited to the transactions you complete with a merchant through their websites) is collected and transferred automatically through a plugin which we have developed, and which the Merchants voluntarily install on their respective online stores  
Solely in respect to the personal data collected and processed through the use of the plugin (as further detailed above), TMU and the Merchants are, in accordance with the provisions of the GDPR, deemed to be joint-controllers.   No data will be collected and shared as aforesaid unless a joint-controller agreement is entered into between TMU and each respective Merchant, which complies with the provisions of the GDPR.  
To facilitate the exercise of data subject rights, TMU has agreed to be the main point of contact for any query that any data subject may have in relation to any data which is jointly processed by the parties as aforesaid (including the exercise of any data subject rights).  This shall be without prejudice to any other right that the data subject may have (including the right to get in touch directly with the Merchant, should the data subject so desires).
If you require more information about the personal data processed by us as joint controllers and any other relevant information, please get in touch with us through the contact details set out hereunder.

- Authorities – We may receive information concerning you from the police, tax and other authorities, such as when they are carrying out an investigation which involves or relates to you.  

3. Why do we collect personal data and what is the legal basis for doing so?

We will only process personal information when we have a proper reason for doing so, and particularly to manage your use of TrustMeUp. Furthermore, we are required to have a legal basis for using and processing any of your personal data. The following table provides an overview of how we will be using your data along with the legal grounds on which we rely:  

Where we have indicated that the legal basis for the processing of personal data is our legitimate interest, please note that we have carried out a legitimate interest assessment as required by the GDPR.  Should you require more information on this matter, please get in touch with us through the contact details set out hereunder.

If you fail to provide personal information

If you choose not to provide your personal data, it may prevent us from meeting legal obligations, fulfilling a contract or performing services required to run your account. Not providing your personal data may mean we are unable to provide you with our services.

4. Do we share or make personal data available to third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you, and as otherwise provided hereunder.

We share personal data with:
a) Organisations – We disclose certain personal information related to you to the organisations that you choose to donate funds to.  The information that is made available to organisations includes your contact details and details of the donation, including the amount you agreed to provide as a donation;
b) Merchants – We disclose certain personal information related to you to the merchants that you choose to enter into transactions with. The information that is made available to merchants as aforesaid relates to the unique reference code which we use to identify you and the balance of PACs that you have;
c) ) Campaign and event organisers: In the event that you donate to a campaign created by another user, your personal information will also be shared with the user who created the campaign. This will allow the campaign organizer to properly thank you for your donation and offer you any related freebies or benefits, such as access to a webinar or special event, or even a discount on products or services offered.
d) Payment processors – We engage third party payment processors to process and assist in the transfer of funds from you to the organisations or merchants.   The information that is made available to payment services providers includes your contact details.
e) Third party service providers – save as aforementioned, we engage a number of third parties to provide us with certain services and in doing so, certain types of personal data may be required to be provided to such third-party service providers.  These include third parties providing accountancy services, sales, and customer & IT support.  We consider such third party service providers to be data processors, processing data for and on our behalf.  In terms of applicable law, any personal data that we make available to such third party service providers will be subject to a data processor agreement;
f) Group companies and other related entities - We may share personal data with other group companies and other related entities where necessary for administrative purposes and to provide services to our users.
g) Regulatory authorities, departments or law enforcement agencies, when we are required, or permitted to do so by law;
h) Any other person or entity but solely when we are expressly authorised to do so, such as when you provide us with your consent; and
i) A prospective buyer or any of its advisors, where relevant, in the course of a due diligence exercise, or as a result or pursuant to the conclusion of a transaction to sell all or part of our business or assets.

5. Is the information transferred outside of the European Economic Area (EEA)?

The majority of the personal data is processed within the European Economic Area (EEA).  It is however possible that personal data will be made available or otherwise processed outside of the EEA, namely when we engage certain third-party contractors.
If we do so, we will take adequate measures to ensure that personal data is safeguarded to the same standards as it would have been if processed in the EEA, by relying on one of the following:
a) We will ensure that personal information is sent to a country that is considered to provide an adequate level of data protection, in terms of any adequacy decision adopted by the European Commission, in accordance with the provisions of article 45 of the GDPR;
a) We will enter into agreements that impose a legal obligation on the recipient to protect personal data in accordance to the provisions of the GDPR.

6. Data Subject Rights

The GDPR grants data subjects a number of rights that can be exercised in certain circumstances, including:
- Right of access (subject access request)
- Right of rectification
- Right of erasure
- Right of restriction
- Right to object
- Right of data portability.

We do not carry out any automated decision-making or profiling.

Where the legal basis of processing is based on your consent, you may withdraw such consent at any time by notifying us accordingly. This shall be without prejudice to the lawfulness of processing based on consent before such withdrawal. We may continue to process such personal data when we have other legal grounds to do so.

In those situations where TMU is considered to be a data controller in terms of the GDPR, and you are located in the UK and/or the EEA, you may be entitled to exercise the data subject rights outlined above.  For more information about these rights and how to exercise them (when we are acting in our capacity as data controllers), kindly contact our data protection officer on the contact details set out hereunder in point 8.

We will not be in a position to entertain any requests in relation to any situation where we are considered to be data processors. If you have questions or would like to exercise your legal rights in such situations, you will be required to contact the Charity or the merchant (as the case may be) directly.

7. For how long do we retain personal data?

We will not retain your personal data for longer than necessary. The length of time for which we hold personal data depends on a number of factors, such as regulatory rules and any legal requirements. If you would like further information about our data retention policies, please get in touch with our data protection officer on the contact details set out hereunder.

8. Where can I get more information about your data handling policies?

We have appointed a data protection officer (in terms of the GDPR), to oversee compliance with the GDPR and general data protection related queries. If you need more information about this this privacy notice or how we handle personal information, please contact the data protection officer at  legal@trustmeup.com

9. Can I file a complaint?

If you are not satisfied with the way we manage personal data, you have the right to file a complaint with any relevant data protection authority (particularly the one situated where you habitually reside).  Contact details of the competent authority in the Republic of Ireland are as follows:

Helpline - 01 7650100 / 1800437 737TO 
Email - dpo@dataprotection.ie
Website - https://www.dataprotection.ie/en/contact/how-contact-us
Address - 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

If you are located in the UK, you may wish to contact the Information Commissioner by using any of the following contact details;

Helpline - 0303 123 1113
Email - casework@ico.org.uk
Website - www.ico.org.uk/make-a-complaint
Address - Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Version 1
Date: 18th February 2022

Note- Changes to this policy are governed by the same rules set out in the General Terms and Conditions.