Privacy policy

Oasis London — Privacy & Data Policy (UK) **Effective date:** 29 August 2025 **Contact:** [hello@oasislondon.co.uk](mailto:hello@oasislondon.co.uk) --- ## 1) Who we are (Controller) **Oasis London** ( Blue Lake Solution 12522595, [Kemp House 152-160 City Road, London, England, EC1V 2NX --- ## 2) Data we collect * **Identity & contact:** name, title, email, phone, employer, role, postal address, ID docs (where required), emergency contact. * **Membership & usage:** plan, bookings, desk/room usage, check-ins, **access-control/fob timestamps** (no CCTV), visitor logs, incident reports, support tickets. * **Payments:** invoices, payments, tokenised card refs (card data handled by our processor). * **Connectivity/IT:** device identifiers (MAC/IP), **Wi-Fi session metadata** (timestamps, bandwidth, domains metadata—**not** content), print logs. * **Community & marketing:** event RSVPs/attendance, surveys, preferences, cookie/analytics IDs, email engagement, social handles (if provided). * **Media:** photos/video from events and in-space activities. * **Special category data:** not sought; if shared (e.g., accessibility info) processed only where lawful. --- ## 3) Sources From you; from our systems (website/app, access control, Wi-Fi); from **Partner Organisations** and vendors (ticketing, CRM, payments, community tools); and public sources (e.g., Companies House). --- ## 4) Purposes & lawful bases **Contract (Art. 6(1)(b))** – onboarding, access, bookings, Wi-Fi/printing, billing, support. **Legitimate interests (Art. 6(1)(f))** – LIAs available on request: * Operate, **secure** and improve our premises and IT (access-control logs, fraud/abuse prevention, incident investigation). * Build the professional community (introductions, directory, event curation, partner benefits). * Share data with **Partner Organisations** for relevant opportunities/benefits (see §6). * Internal analytics, occupancy planning, product development. * B2B direct marketing with easy opt-out. **Legal obligation (Art. 6(1)(c))** – tax, accounting, H\&S, statutory reporting. **Consent (Art. 6(1)(a))** – non-essential cookies/analytics, marketing to non-customers/individuals where required, certain media uses (withdraw anytime). **Vital interests (Art. 6(1)(d))** – emergencies. **Special category (Art. 9)** – only with explicit consent or other UK-law basis. --- ## 5) Marketing, cookies & PECR * **Email/SMS:** soft opt-in for similar services to existing customers; consent where required for others; **B2B** marketing permitted with simple opt-out. * **Cookies/analytics:** non-essential cookies only with consent via our banner; settings can be changed anytime. --- ## 6) Sharing data (incl. Partner Organisations) **Processors:** hosting, access control, Wi-Fi, printing, CRM, email/SMS, analytics, ticketing, payments, insurers, advisers—under contract and our instructions. **Partner Organisations** (**independent** or **joint controllers**): sponsors, benefit providers, event co-hosts, professional service firms, ecosystem platforms, group companies. **We may share:** identity/contact, employer/role, membership tier, attendance/booking categories, stated interests, community engagement. **Partner uses:** invitations, benefits fulfilment, relevant outreach, sponsorship activation, impact reporting. We may receive fees/benefits. **Legal bases:** legitimate interests, contract (benefit fulfilment), or consent where PECR/UK GDPR requires. **Your choice:** object anytime to sharing for **direct marketing** or broader partner outreach not needed for your contracted services; we will restrict such sharing. **Other disclosures:** legal/regulatory, rights/safety protection, corporate transactions (e.g., merger). --- ## 7) International transfers If data leaves the UK, we use adequacy or UK-approved safeguards (**IDTA** / UK Addendum to SCCs) with risk assessments. --- ## 8) Retention We keep data only as long as needed, then delete or irreversibly anonymise. * Contracts/billing/core account: **6–7 years** after relationship ends * Access/visitor logs & Wi-Fi metadata: **12 months** * Event registrations/attendance: **24 months** * Media for marketing/community record: up to **5 years** (earlier on objection/consent withdrawal) * Marketing preferences/suppression: until opt-out + up to **2 years** --- ## 9) Your rights **Access, rectify, erase, restrict, object** (incl. marketing/partner outreach), **portability** (where applicable), and **withdraw consent**. Requests: **[hello@oasislondon.co.uk](mailto:hello@oasislondon.co.uk)**. Response within **1 month** (extendable for complex cases). ID checks may apply; we may refuse/charge if **manifestly unfounded or excessive**. Complaints: **ICO** (UK). --- ## 10) Security Access controls, encryption in transit/at rest where appropriate, least-privilege, vendor due diligence, monitoring, staff training, incident response. We’ll notify you and the ICO of notifiable breaches. --- ## 11) Access & Wi-Fi specifics *(no CCTV)* * **No CCTV** is used on our premises. * **Access control:** fobs/mobile credentials record entry/exit timestamps for safety, capacity management, and investigations. * **Wi-Fi:** we log device IDs and **session metadata only** to operate and secure the network; we do **not** inspect content. --- ## 12) Events, photos & filming We often photograph/film events. Basis: legitimate interests or consent as required. Photo-free zones/opt-out available—ask staff or email **[hello@oasislondon.co.uk](mailto:hello@oasislondon.co.uk)**. You can object anytime. --- ## 13) Children Services target professionals. Under-18 attendees may require guardian consent. --- ## 14) Changes We may update this policy; material changes notified via email or our site/app. The **effective date** shows the latest version. --- ### Definition — Partner Organisations Selected sponsors, benefit providers, professional service firms, event collaborators, ecosystem platforms, and Oasis London group companies that provide services, benefits, events, introductions, and relevant business opportunities.