Privacy Policy

Last Updated: 11/04/2024

1. Who we are and what we do

Who we are
We are Otta Ltd (Aslan, us, we or our). We are a limited company registered in England and Wales under registration number 11377564, with our registered office at 82 St John Street, London, EC1M 4JN. We are registered with the UK supervisory authority, the Information Commissioner’s Office (ICO), in relation to our processing of Personal Data under registration number ZA459677.

What we do
We are in the business of providing employee benefits related to financial wellbeing solutions to employees of UK corporations. We and our affiliates, subsidiaries and related entities are committed to protecting the privacy and security of the Personal Data we process about you.

Controller
Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

 

2. Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.

 

3. Who this privacy notice applies to
This privacy notice applies to you if:

You visit our website.

You use our goods or services.

You enquire about our products and/or services.

You use our mobile application (Aslan App).

You use our web portal (Aslan Portal).

You agree to receive newsletters and/or other promotional communications from us.

 

4. What Personal Data is
Personal Data means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

 

5. Personal Data we collect
The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.

 

6. How we collect your Personal Data
We collect most of the Personal Data directly from you in person by app, telephone, text or email and/or via our website.

However, we may also collect your Personal Data from third parties such as:

data controllers who have a legitimate interest to share your personal data;

reputable companies who provide lead generation contact lists;

others to whom you have provided consent;

publicly available sources such as social media platforms.

 

7. Purposes, lawful bases, and retention periods

We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:

| Categories of individuals | Categories of Personal Data | Purpose of Processing | Lawful Basis | Retention Period |
| --- | --- | --- | --- | --- |
| Client/Director Personally Identifiable Information (‘PII’) | Name, address, DOB | To enable KYC/KYB compliance checks required to enable the services provided | Contract | Retained in line with FCA regulatory requirements (6 years) |
| Clients’ employee PII | Name, Payroll information, email address | To enable Aslan to provide its service to its clients and their employees | Legitimate interests | Retained for 12 months after the end of the business relationship |
| Prospective Clients | Name, job role, company, email, telephone | To allow Aslan to generate new leads | Consent | Retained for a period of 5 years from receipt of personal data. |
| Employee participants | Name, Payroll information, email address, card transaction details | To provide Aslan’s services to participants | Consent | Retained in line with FCA regulatory requirements (6 years) |
| Prospective employees and contractors | Full contact information, ID, proof of address, skills/qualifications, Resume/CV, professional references. | The purpose of processing is to assess and evaluate qualifications, skills, experience, compliance and suitability for employment or engagement as a contractor. | Consent | CVs and associated personal data will be retained for a period of 12 months from the date of receipt or collection, unless an extended retention period is necessary to comply with legal obligations, performance of a contract, response to legal claims, or safeguard our legitimate interests. In such cases, the retention period will be extended in accordance with the applicable legal requirements and our internal policies. |
| Analytical Data | Analytical information including coarse location data, device data, IP Address, related Google-derived analytics, Error codes and messages, App or Web App user details, and Full Name | The purpose of processing is to support fraud and security assessments relating to the users, enable support to provide specific help relating to the individual user including error and unexpected events, develop more focused marketing collateral and content. | Legitimate interests & consent | A maximum of 12 months after the end of the business relationship unless an extended retention period is necessary to comply with legal obligations, respond to legal claims, or safeguard our legitimate interests. In such cases, the retention period will be extended in accordance with the applicable legal requirements and our internal policies. |
| Usage Data | Usage information such as functions and features used in the app and web app, time spent executing flows, and breaks in functional execution. | The purpose of usage data is to evaluate app and web app usage to assess usage of features and functions to ensure a high-quality user experience. | Legitimate interests | A maximum of 12 months after the end of the business relationship unless an extended retention period is necessary to comply with legal obligations, respond to legal claims, or safeguard our legitimate interests. In such cases, the retention period will be extended in accordance with the applicable legal requirements and our internal policies. |
| Tracking Data | Cookies and related tracking data including device ID, internal user IDs, Full user details | The purpose of cookie and tracking data is to support app and web app execution, enable easier end-user login, track activity across applications and process to support marketing, track activity across applications and process to support fraud and security assessments. | Legitimate interests & consent | A maximum of 12 months after the end of the business relationship unless an extended retention period is necessary to comply with legal obligations, respond to legal claims, or safeguard our legitimate interests. In such cases, the retention period will be extended in accordance with the applicable legal requirements and our internal policies. |

 

Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

 

8. Sharing your Personal Data

We may pass your personal data on to third-party service providers contracted with Aslan in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil specific services. When they no longer need your data to fulfil this service, they will dispose of the details in line with Aslan procedures.

If you are taking part in a market research project with us, please refer to your project consent form for full details on who your personal data will be shared with, and how this will be done.

 

9. International Transfers
For organisations established in the UK
Your Personal Data may be processed outside of the UK. This is because the organisations we may work with to provide our service to you are based outside the UK.

We have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:

 

10. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including to:

Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.

Right of access (commonly known as a “Subject Access Request”)
You have the right to receive a copy of the Personal Data we hold about you.

Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected.

Right to erasure (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data.

Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.

Right to restrict processing
You have the right to restrict our use of your Personal Data.

Right to portability
You have the right to ask us to transfer your Personal Data to another party.

Automated decision-making
You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.

Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office, who can be contacted online at:
Contact us | ICO
Or by telephone on 0303 123 1113
For supervisory authorities in other countries within the EU see the link below:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

 

How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.

 

11. Children’s Privacy
We do not offer our products and services to children and we do not knowingly collect Personal Data of children without parental consent, unless permitted by law. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.

 

12. How to contact us and our Data Protection Officer
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:
Otta Ltd (‘Aslan’), 82 St John Street, London, EC1M 4JN.
hello@aslan.io
We also have an appointed Data Protection Officer (DPO). Our DPO can be contacted as follows:
Evalian Ltd, West Lodge, Leylands Business Park, Colden Common, Hampshire, SO21 1TH
Or via Email: dpo@evalian.co.uk
Please mark your communications FAO the ‘Data Protection Officer’.

 

13. Changes to this privacy notice
We may update this notice (and any supplemental privacy notice) from time to time, as shown below. We will notify you of the changes where applicable law requires us to do so.