1. Who are we?
Join Together is a software platform that allows workers to connect with and join trade unions. Join Together is a data controller in certain circumstances, and a data processor in relation to the services it provides to trade unions. In such circumstances, the trade unions are the data controllers. Join Together is committed to protecting the personal data that is provided to us and recognises the importance of protecting your information.
Personal data means information that identifies you personally, for example your name, contact details or information that can be linked with such data in order to identify you.
2. The data we process, how we use it and why
Join Together collects certain personal data in providing its services. This includes:
When you are a trade union client:
When you work for a client of Join Together, we will collect certain information about you in order to provide our services to your organisation and perform the contract we have in place. We also may contact you where you have consented to be on our client mailing list.
We may contact you for transactional matters via email regarding your usage of our services and to provide updates about new features or changes that we have made to our services so that you are able to make use of them effectively.
This data is limited to name, contact details, job title, any information contained in our contracts with the trade union and any information contained in your correspondence and interaction with us.
When you are using the website:
When you visit our website, certain data about your device is processed in order to maintain the security of the website. We undertake this processing for the purpose of preventing harm to the website from malicious users and traffic data.
This data is limited to IP address and device type and is processed via essential session cookies on the basis of our legitimate interests in maintaining the security of the website.
When you are a staff or apply for a job:
Where you are a staff member of Join Together or apply for a job with Join Together, we process your personal data in order to carry out the contract for employment that we have with you or on the basis of our legitimate interests for operating our business.
This data includes your name, contact details, date of birth, CV data, education, the role you are applying for or job title and any information contained in our correspondence with you. Where you are an employee, we will also collect your salary, performance review details and information made available during your employment.
When you are a service provider:
We may collect certain information about you where we enter into a contract with you or your organisation for services that you provide. We undertake this processing on the basis of our legitimate interests in facilitating and assisting with the running of our business.
This data includes your name, contact details, job title and invoicing details.
Trade union applicant data:
We also process personal data on behalf of our trade union clients. We capture prospective members’ applications to join unions such as your name, payment data and other information regarding your application (“Applicant data”). We ensure the data is correctly formatted. Data is either transmitted onwards automatically to the client’s systems via secure and encrypted APIs or stored while the client downloads and processes the applications. Applicant data is controlled by the trade unions themselves, so for more information about this, please see the relevant trade union’s website.
In certain circumstances, depending on the relevant trade union, personal data of individuals under the age of 18 may be processed, however in no circumstances will personal data of any individuals under the age of 13 be processed by Join Together. In addition, minors are not permitted to use this site, and we request that minors under the age of 18 not submit any personal data to the site.
4. Who we share your personal data with
We use EU instances of Heroku, a cloud-based hosting platform to store data which includes your personal data that is processed by us. We use Xero for invoices so our staff’s payment details and invoices are shared with Xero for that purpose.
We use Mailchimp to send our mailing list members and trade union clients updates and marketing information where you have provided us with consent and in doing so, we share your email address and name with Mailchimp.
We use Postmark to send transactional emails to confirm receipt of your union application and to help you resume an application if left incomplete. To do this we send Postmark your name, email address, and details included in the email such as the type of membership you applied for.
We may also share your personal data with third parties who perform functions on our behalf or provide services to us such as professional advisors (such as accountants, lawyers, payroll service providers and IT consultants).
We also use non-personal aggregated data to improve our services.
We use an analytics service called MixPanel. We use Mixpanel to see how well our trade union join forms are performing by sending them anonymous information on the stages of the join form that you have reached and completed. This service neither receives nor stores personal data.
We use an analytics service called Plausible. We use Plausible to understand how our website is being used and where visitors are coming from. We send Plausible anonymous information on the pages that you visit on our website, where the visit originated from (referrer), details of the device type (operating system; browser version), and your approximate location (country, region, city). This service neither receives nor stores personal data.
Where we provide our services to trade unions, that trade union will be the data controller and will have access to your personal data in the event that you express interest in or register to apply for such trade union. Individual unions have access to their union’s data via a secure login. Each login is linked to an individual and all data access is logged. If the client wishes, we can even restrict logins to specific IP addresses.
Your personal data may be shared in the event of a transfer of the assets or ownership of Join Together in connection with any proposed reorganisation or sale. We may also disclose personal data in the event of a legal requirement.
5. How long we keep your personal data for
Join Together has processes in place to ensure that it does not retain your personal data for longer than is necessary for the purposes it was originally collected, unless we have a legal or regulatory reason to keep it for a longer period.
For more information on our retention periods, please contact us at firstname.lastname@example.org.
6. International transfers
Join Together stores its personal data using EU instances of Heroku, a cloud-based hosting platform. We also use Mailchimp and Postmark which are based in the US. Where we transfer any personal data outside of the United Kingdom, we will (i) ensure that an adequate level of protection for that personal data is ensured by applicable data protection laws and (ii) in the absence of an adequate level of protection, provide appropriate safeguards such as Standard Contractual Clauses and/or (iii) enter into or establish any other appropriate instruments or undertakings required under applicable data protection laws to effect such data transfer without breach of such laws.
7. Automated decision-making
Join Together does not undertake any automated decision-making, including profiling.
8. Information security and risk mitigation
Join Together places a high priority on information security and has implemented a range of technical, organisational and legal safeguards to protect the confidentiality, integrity and availability of the personal data it processes and the data it processes. This includes:
- All data is encrypted at rest
- All data is transferred via 256bit SSL
- All data access is logged
- Software libraries are monitored and updated regularly for security and bug fixes
9. Other websites
The Join Together site may link to other, unaffiliated third party websites. Please note that Join Together is not, and cannot, control or be responsible for the content or privacy and confidentiality practices of any third party websites. You must always carefully review the privacy and confidentiality policy of any third party website that you may visit in order to understand how the operators of that website may collect, store and use your personal data.
10. Your rights
By law, you have a number of rights regarding your personal data in certain circumstances. Please contact us at email@example.com to exercise any of your rights:
You have the right to obtain access to your personal data that we are processing, as well as certain other information about how we process your personal data.
To be informed
If your personal data is inaccurate or incomplete, please let us know as you are entitled to have your personal data corrected.
To object to processing
In certain circumstances, you have the right to object to processing including for direct marketing.
To restrict processing
In certain circumstances, you may have the right to have us restrict the processing of your personal data. For example ‘blocking’ any further use of your personal data.
In certain circumstances, you may have the right to the deletion or removal of your personal data.
To data portability
You have the right to have your personal data transferred. For example, if you obtain similar services from another organisation, you can request that we transfer your personal data in a secure manner to that organisation.
To withdraw consent
Where you have provided your consent for the processing of your personal data, you can withdraw your consent at any time. This will not make any prior processing unlawful, but it does mean that not further processing will be undertaken. This includes withdrawing consent for marketing.
To lodge a complaint with your data protection regulator
You have the right to lodge a complaint about the way we handle your personal data with the relevant data protection regulator. In the UK, that’s the UK Information Commissioner’s Office.
Generally, we will respond to your request within one month, however if your request is complex and requires additional time, we will let you know as soon as possible.