Access Card

Customer Privacy Notice

Overview

The Access Card scheme works by Nimbus providing a centralised assessment of a disabled person's evidenced needs whereby we translate detailed personal information into a set of symbols that represent their access requirements. This enables disabled people to quickly and discreetly communicate their needs when visiting a venue.

Nimbus does not share any detailed personal information. Nimbus only enables you to share the symbolic information available as Access Card icons to authorised third parties as outlined in this document.

A little about us…

We are a well-established Social Enterprise which started in 2006, we are run by disabled people for disabled people. In addition to promoting equality and accessibility, we are wholly committed to ensure that your personal data is treated appropriately and that your privacy rights are respected.

We are a registered Data Controller with the Information Commissioner, our registration number is ZA020704.

Your Privacy matters to us:

We appreciate the trust you place in us when sharing your personal data, the security of your data is very important to us. In this notice, we will explain how we collect, use, and protect your personal data. We will also provide information on what rights you have with regards to your personal data and how you can exercise those rights.

We appreciate that the world of data protection can seem a little complicated, so we will try to explain things in a simple and straightforward way.

We collect information from:

What information we collect:

We will use your personal data to:

Do we have a basis in law to process your information?

We largely process your personal data in accordance with our contractual obligations.

We also process personal information in accordance with our ‘legitimate interests’ this includes considering benefits to the customer and our company…but don’t worry, we respect your privacy rights to ensure that the benefits pass privacy tests before using personal information in this way!

Where it’s appropriate to do so, we will ask for your consent to ensure we are clear on your choices.

We always need to follow the law so there may be some cases where we are legally required to share information with statutory partners & Ombudsman – these are official Organisations like the Police. We’ll tell you more about this in the ‘who we share information with’ section. We have numerous legal obligations, including but not limited to, those that are stipulated under the following laws:

Can you opt out?

Of course! Wherever we have used your information in line with legitimate interests and consent you will usually be able to opt out by emailing cards@accesscard.org.uk.

There may be some cases where we have to hang on to some information – we explain this in the ‘information we keep’ section.

Who we share information with:

Statutory partners for investigations and audits such as the Police, the Information Commissioner and so on.

Subcontracted organisation & individuals that we formally engaged in the development and hosting of our systems.

Courts and Tribunals where necessary.

Where appropriate, within the Access Card app, we promote details of our trusted partners' offers, services and products.

In limited circumstances we may share information with a local authority for example we currently work with Croydon City Council for the disabled children’s registration scheme.

Any third party ticket sites are authorised to validate your access information via an API. This is only possible by authorised providers, and to do so you must provide them with your forename, surname and card ID. This acts as consent for them to pull your Access Card symbols into their systems.

With the correct information, the additional information we share back to the provider is your face photograph (for validation purposes), and your allotted access symbols (all of which are shown on the physical Access Card).

International Transfers:

We are committed to ensuring that any international transfer comply with UK Data Protection Legislation. In most cases, it will be necessary for us to implement the appropriate contractual safeguards prior to transferring such data.

We note that customers can sign up to our services from anywhere in the world. Customers can also opt to share their own data with overseas leisure and tourism providers such as Disneyland Paris.

Your rights for personal data:

Information we keep:

We keep your personal data for as long as we have to and always do this in line with data protection laws. We don’t want to keep your data any longer than we need to!

We store information securely, we mainly keep this digitally on our protected devices, we may also keep paper records for a certain period of time but don’t worry we’ll keep these secure as well.

For more information please refer to our customer retention schedule below.

Have some privacy concerns or questions?

Our Data Protection Officer is Mark Briggs

You can email: dpo@nimbusdisability.com

Or call: 0330 808 5108

Or write to: Nimbus Disability, Suite GB, Pentagon House, Sir Frank Whittle Road, Derby, DE24 4XA

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):

By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email icocasework@ico.org.uk

Cookies Policy:

We do not set any cookies on our websites (accesscard.online or nimbusdisability.com). In our Access Card app, we set one session cookie containing a randomised number that is used to keep the user logged in after closing the app.

When was this policy last updated?

April 2024.

Nimbus Disability, CredAbility & Access Card - Retention Schedule

All Information must be kept in accordance with this retention schedule. In the event that employees identify any discrepancies or areas which are not covered by this retention schedule this should be promptly reported to the Data Protection Officer for review.