Effective Date: 17/7/2025 – Last Updated: 17/7/2025
Website: https://bluelightlocal.co.uk
1.1 Who We Are
Blue Light Local operates bluelightlocal.co.uk and members.bluelightlocal.co.uk as an Employee Assistance Programme dedicated to supporting emergency service personnel by connecting them with local, independent businesses offering exclusive discounts and benefits.
1.2 Our Commitment
We are committed to protecting your privacy and personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection laws.
1.3 Purpose of This Policy
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our services.
1.4 Data Controller
Blue Light Local 15032559 is the data controller for the personal data we process.
1.5 Contact Information
For any privacy-related queries or to exercise your data protection rights, please contact us:
Email: [email protected]
Address: Colony Fabrica, 269 Great Ancoats Street, Manchester, M4 7DB
Data Protection Officer: [email protected]
2.1 Information You Provide Directly
For Members:
Identity Information: Full name, email address, contact telephone number
Employment Verification: Current or former employer/service details, employee ID number, professional registration numbers
Verification Documentation: ID card scans, payslips, pension statements, service records, professional certificates
Account Information: Username, password, security questions
Profile Information: Optional location/postcode for offer relevance, preferences, profile photo
Communication Data: Messages, support tickets, feedback, and correspondence with us
For Suppliers:
Business Information: Business name, trading name, company registration number, VAT number
Contact Details: Business owner/representative name, email address, telephone number, business address
Business Profile: Type of business, description of services/products, operating hours, website
Offer Information: Discount details, terms and conditions, validity periods, exclusions
Marketing Materials: Business logo, promotional images, offer descriptions
Financial Information: Bank account details for verification purposes (if required)
2.2 Information Collected Automatically
Technical Data:
Device Information: IP address, browser type and version, operating system, device type
Usage Data: Pages visited, time spent on pages, click patterns, search queries, referral sources
Performance Data: Page load times, error reports, system performance metrics
Location Data: General location derived from IP address (not precise GPS location)
Cookies and Tracking Technologies:
Essential Cookies: Required for website functionality and security
Analytics Cookies: To understand how you use our website and improve our services
Preference Cookies: To remember your settings and preferences
Marketing Cookies: To show you relevant content and measure advertising effectiveness
2.3 Information from Third Parties
Verification Services: Data received from third-party verification providers (if used)
Social Media: If you choose to register or log in using social media accounts
Public Sources: Information from publicly available sources to verify business legitimacy
We process your personal data for the following purposes, with the corresponding lawful basis under UK GDPR:
3.1 To Provide and Manage Your Account
Lawful Basis: Contract Performance
Process Member registration and verification
Process Supplier registration and profile management
Manage user accounts and provide access to platform features
Authenticate users and maintain account security
3.2 To Facilitate Offers and Services
Lawful Basis: Contract Performance / Legitimate Interest
Display relevant Offers to Members based on location and preferences
Allow Suppliers to create, manage, and update their Offers
Connect Members with Suppliers for discount redemption
Process and track Offer usage and redemption
3.3 To Communicate with You
Lawful Basis: Contract Performance / Legitimate Interest / Consent
Send service-related notifications (account updates, security alerts)
Respond to your queries and provide customer support
Send new Offer notifications and platform updates
Send marketing communications (with explicit consent only)
Conduct user surveys and gather feedback
3.4 For Security and Fraud Prevention
Lawful Basis: Legitimate Interest / Legal Obligation
Verify user identity and employment eligibility
Detect and prevent fraudulent use of Offers or the platform
Monitor for suspicious account activity
Maintain platform security and integrity
Comply with anti-fraud and security regulations
3.5 To Improve Our Website and Services
Lawful Basis: Legitimate Interest
Analyse usage patterns and user behaviour
Develop new features and improve user experience
Conduct research and analytics to enhance our services
Optimise website performance and functionality
3.6 To Comply with Legal Obligations
Lawful Basis: Legal Obligation
Respond to legal requests, court orders, and regulatory requirements
Comply with tax, accounting, and audit obligations
Meet requirements under consumer protection and employment law
3.7 For Marketing and Business Development
Lawful Basis: Consent / Legitimate Interest
Send promotional materials and marketing communications (with consent)
Analyse market trends and user preferences
Develop partnership opportunities with new Suppliers
4.1 With Other Platform Users
Member Information Shared with Suppliers:
For Offer Redemption: Member’s first name and verification status may be shared with Suppliers to validate eligibility
For Service Provision: Contact details may be shared if necessary for Offer fulfilment
Supplier Information Shared with Members:
Business Details: Business name, address, contact information, and descriptions are visible to Members
Offer Information: All Offer details, terms, and conditions are visible to Members
Performance Data: Ratings and reviews (if applicable) are visible to Members
4.2 With Third-Party Service Providers
We work with the following third-party service providers who process personal data on our behalf:
Make.com (Integromat)
Purpose: Workflow automation and system integration
Data Processed: User registration data, offer information, system notifications
Location: European Union
Safeguards: Data Processing Agreement, Standard Contractual Clauses
Instantly.ai
Purpose: Email automation and member invitation management
Data Processed: Email addresses, names, communication preferences
Location: United States
Safeguards: Data Processing Agreement, Standard Contractual Clauses
Zapier
Purpose: Application integration and data synchronisation
Data Processed: User data, offer information, system triggers
Location: United States
Safeguards: Data Processing Agreement, Standard Contractual Clauses
Google Sheets/Google Workspace
Purpose: Internal data management, tracking, and organisation
Data Processed: User lists, offer data, analytics, administrative information
Location: Multiple locations (EU and US)
Safeguards: Google Cloud Data Processing Agreement, Standard Contractual Clauses
OpenAI
Purpose: AI-powered content generation, verification assistance, and customer support enhancement
Data Processed: Support queries, content for improvement, verification analysis (pseudonymised where possible)
Location: United States
Safeguards: Data Processing Agreement, data minimisation practices, no model training on personal data
Website Hosting and Infrastructure
Purpose: Website hosting, content delivery, and technical infrastructure
Data Processed: All website data including user accounts and content
Safeguards: Data Processing Agreement, appropriate security measures
Email Communication Services
Purpose: Transactional emails, notifications, and system communications
Data Processed: Email addresses, names, communication content
Location: United States
Safeguards: Data Processing Agreement, encryption in transit
Analytics Providers
Purpose: Website analytics, user behaviour analysis, and performance monitoring
Data Processed: Usage data, technical information, anonymised user behaviour
Location: [Insert analytics provider location]
Safeguards: Data Processing Agreement, IP anonymisation, limited data retention
4.3 Legal Requirements and Protection of Rights
Law Enforcement: When required by law, court order, or regulatory authority
Legal Proceedings: To protect our rights, property, or safety, or that of our users
Regulatory Compliance: To meet obligations under financial services, employment, or consumer protection regulations
4.4 Business Transfers
Mergers and Acquisitions: In the event of a merger, acquisition, or sale of assets
Due Diligence: During business negotiations, with appropriate confidentiality measures
Successor Obligations: Any acquiring entity will be bound by the same privacy obligations
5.1 Data Transfer Locations
Due to our use of global technology services, your personal data may be transferred to and processed in countries outside the UK and European Economic Area (EEA), including:
United States: Instantly.ai, OpenAI, potentially others
Various Global Locations: Google services, analytics providers
5.2 Transfer Safeguards
We ensure appropriate safeguards are in place for all international transfers:
Standard Contractual Clauses: EU-approved contractual terms ensuring adequate protection
Data Processing Agreements: Binding agreements with all processors requiring equivalent protection
Adequacy Decisions: Transfers to countries with adequacy decisions where applicable
Additional Safeguards: Encryption, access controls, and monitoring measures
5.3 Your Rights Regarding Transfers
You have the right to:
Request information about specific transfers affecting your data
Object to transfers in certain circumstances
Request a copy of the safeguards in place
6.1 Technical Measures
Encryption: Data encryption in transit and at rest using industry-standard protocols
Access Controls: Multi-factor authentication, role-based access, and principle of least privilege
System Security: Regular security updates, penetration testing, and vulnerability assessments
Monitoring: 24/7 system monitoring, intrusion detection, and security incident response
6.2 Organisational Measures
Staff Training: Regular data protection and security training for all personnel
Data Governance: Clear policies and procedures for data handling and processing
Incident Response: Established procedures for detecting, reporting, and responding to data breaches
Vendor Management: Due diligence and ongoing monitoring of third-party processors
6.3 Data Breach Response
Detection: Automated and manual systems to detect potential breaches
Assessment: Rapid assessment of breach impact and risk to individuals
Notification: Breach notification to supervisory authorities within 72 hours if required
Individual Notification: Direct notification to affected individuals if high risk to rights and freedoms
6.4 Limitations
While we implement robust security measures, no internet transmission or electronic storage is completely secure. We cannot guarantee absolute security but commit to using industry best practices.
7.1 Retention Principles
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
7.2 Retention Periods
Member Data:
Active Accounts: Retained while account is active and for 12 months after last login
Verification Documents: Retained for 3 years after account closure for audit purposes
Communication Records: Retained for 6 years for legal and customer service purposes
Supplier Data:
Business Information: Retained while account is active and for 2 years after closure
Offer History: Retained for 5 years for business analytics and dispute resolution
Financial Records: Retained for 7 years to comply with tax and accounting obligations
Technical Data:
Usage Logs: Retained for 12 months for security and performance monitoring
Analytics Data: Aggregated and anonymised data may be retained indefinitely
Security Logs: Retained for 2 years for security incident investigation
7.3 Data Deletion
Automated Deletion: Automated systems delete data at the end of retention periods
Manual Deletion: Upon request, we will delete data subject to legal retention requirements
Secure Deletion: All deletion uses secure methods to prevent data recovery
8.1 Automated Verification
We use automated systems to:
Verify Employment Status: Automated checks of employment documentation
Fraud Detection: Automated monitoring for suspicious account activity
Risk Assessment: Automated assessment of verification document authenticity
8.2 Your Rights
You have the right to:
Human Review: Request human review of any automated decision
Explanation: Receive an explanation of the logic involved in automated decision-making
Challenge: Challenge automated decisions that significantly affect you
Opt-Out: Object to automated decision-making in certain circumstances
8.3 Profiling Activities
We may use profiling for:
Offer Personalisation: Showing relevant offers based on location and preferences
Service Improvement: Understanding usage patterns to improve our platform
Security Purposes: Identifying potentially fraudulent behaviour
Under UK GDPR, you have the following rights regarding your personal data:
9.1 Right to be Informed
You have the right to be informed about how your personal data is processed (fulfilled by this Privacy Policy).
9.2 Right of Access
You have the right to:
Request a copy of your personal data
Receive information about how your data is processed
Access data we hold about you free of charge
9.3 Right to Rectification
You have the right to:
Correct inaccurate personal data
Complete incomplete personal data
Update outdated information
9.4 Right to Erasure (“Right to be Forgotten”)
You have the right to request deletion of your personal data when:
It’s no longer necessary for the original purpose
You withdraw consent and there’s no other legal basis
Your data has been unlawfully processed
Deletion is required for legal compliance
9.5 Right to Restriction of Processing
You have the right to restrict processing when:
You contest the accuracy of personal data
Processing is unlawful but you don’t want deletion
We no longer need the data but you need it for legal claims
You’ve objected to processing pending verification of legitimate interests
9.6 Right to Data Portability
You have the right to:
Receive your data in a structured, commonly used format
Transfer your data to another service provider
Have data transmitted directly where technically feasible
9.7 Right to Object
You have the right to object to:
Processing based on legitimate interests
Direct marketing (including profiling)
Processing for scientific/historical research or statistics
9.8 Rights Related to Automated Decision-Making
You have the right to:
Not be subject to solely automated decision-making
Request human intervention in automated decisions
Express your point of view about automated decisions
9.9 Right to Withdraw Consent
Where processing is based on consent, you have the right to:
Withdraw consent at any time
Withdraw consent as easily as you gave it
Continue using our services where other lawful bases apply
10.1 Making a Request
To exercise your data protection rights:
Email: [email protected]
Post: Colony Fabrica, 269 Great Ancoats Street, Manchester, M4 7DB
10.2 Information Required
When making a request, please provide:
Identity Verification: Proof of identity to prevent unauthorised access
Specific Request: Clear description of what you’re requesting
Account Information: Details to help us locate your data
10.3 Response Times
Standard Requests: We will respond within one month
Complex Requests: May require up to three months with explanation
Urgent Requests: We will prioritise requests involving potential harm
10.4 Fees
Generally Free: Most requests are processed free of charge
Excessive Requests: We may charge a reasonable fee for excessive or repetitive requests
Advance Notice: Any fees will be communicated before processing
11.1 Internal Complaints Process
If you have concerns about how we handle your personal data:
1. Contact Us: Raise your concern using the contact details above
2. Investigation: We will investigate and respond within 30 days
3. Resolution: We will work with you to resolve the issue
11.2 Supervisory Authority
You have the right to lodge a complaint with the supervisory authority:
UK Authority: Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11.3 EU Residents
If you’re in the EU, you can also complain to your local supervisory authority.
12.1 What Are Cookies
Cookies are small text files placed on your device when you visit our website. They help us provide you with a better experience by:
Remembering your preferences and settings
Understanding how you use our website
Improving our services and functionality
12.2 Types of Cookies We Use
Essential Cookies:
Session Management: Keep you logged in during your visit
Security: Protect against fraud and unauthorised access
Functionality: Enable core website features
Analytics Cookies:
Usage Analytics: Understand how visitors use our website
Performance Monitoring: Identify and fix technical issues
Service Improvement: Optimise website performance
Preference Cookies:
Settings: Remember your preferences and customisation
Location: Provide location-relevant content and offers
Accessibility: Maintain accessibility settings
Marketing Cookies:
Personalisation: Show relevant content and offers
Advertising: Measure effectiveness of marketing campaigns
Social Media: Enable social sharing and interactions
12.3 Managing Cookies
You can control cookies through:
Browser Settings: Configure your browser to block or delete cookies
Cookie Preferences: Use our cookie preference centre [if available]
Opt-Out Tools: Use industry opt-out tools for marketing cookies
12.4 Impact of Disabling Cookies
Disabling cookies may:
Affect website functionality
Require repeated login
Prevent personalisation features
Impact our ability to improve services
13.1 Age Restrictions
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
13.2 Discovery of Children’s Data
If we discover we have collected personal data from a child:
We will delete the data immediately
We will not use the data for any purpose
We will implement additional safeguards to prevent recurrence
13.3 Parental Concerns
If you believe we have collected data from a child, please contact us immediately.
14.1 Policy Updates
We may update this Privacy Policy to reflect:
Changes in our data processing practices
Updates to applicable laws and regulations
New features or services
Feedback from users and regulators
14.2 Notification of Changes
We will notify you of material changes through:
Email Notification: For significant changes affecting your rights
Website Notice: Prominent notice on our website
In-Platform Notification: Messages within your account
14.3 Review and Acceptance
Review Frequency: We recommend reviewing this policy periodically
Continued Use: Continued use after changes constitutes acceptance
Objection Rights: You may object to changes or close your account
15. CONTACT INFORMATION
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Blue Light Local
Privacy Team
Email: [email protected]
Address: Colony Fabrica, 269 Great Ancoats Street, Manchester, M4 7DB
Website: https://bluelightlocal.co.uk
Data Protection Officer: [email protected]
Customer Support: [email protected]
End of Privacy Policy
This Privacy Policy was last updated on 17/7/2025. Please check our website regularly for the most current version.