Global Privacy Notice for Customers
Effective from: 25 May 2018
Last updated: 18 July 2019
- Who does this Notice apply to?
- Who controls your personal data?
- What legal basis do we rely on to process your personal data?
- When do we collect your personal data?
- What personal data do we collect and process?
- Why do we collect personal data?
- Where do we process and store your personal data?
- Our adherence to the EU-US Privacy Shield Framework
- Who do we share your personal data with?
- How long do we keep your personal data?
- What rights do you have over your personal data?
- How do we protect your personal data?
- Will this Notice change?
- Any questions?
This Notice applies to any prospective, current or former customer of Bright Horizons’ services and products, websites, apps and social media. Bright Horizons’ services include child and adult care, coaching, consulting, educational advising and tuition assistance.
A separate Global Privacy Notice for Staff and Suppliers applies to prospective, current and former staff and suppliers (including employees, apprentices, agency workers and contractors).
Bright Horizons is made up of a number of related companies. This section gives you the legal name of the Bright Horizons company processing your personal data as the data controller and tells you how to get in touch with us.
- If you are a prospective, current or former customer using our services in the United States, Canada, or India, Bright Horizons Family Solutions LLC at 200 Talcott Avenue South, Watertown, Massachusetts 02472, USA is the data controller. This entity also includes services under our brand names EdAssist and College Coach.
- If you use our services in the United Kingdom or Ireland, Bright Horizons Family Solutions Limited (Co. No. 2328679) at 2 Crown Court, Rushden, Northamptonshire, NN10 6BS, UK is the data controller. This entity also includes services under our brand names Yellow Dot Nursery, Asquith Nurseries, Magic Nursery and My Family Care (MFC).
- If you use our services in the Netherlands, Kindergarden Nederland B.V. (Co. No. 33303797) at Herengracht 244, 1016 BT Amsterdam, Netherlands is the data controller.
For any questions, please contact our Global Privacy Officer by email at email@example.com or by post at the United Kingdom address listed above.
For simplicity throughout this Notice, ‘we’, ‘us’ and ‘our’ means the relevant related company of Bright Horizons; ‘you’ or ‘your’ means customer; and ‘services’ includes child and adult care, coaching, consulting, educational advising and tuition assistance.
Bright Horizons relies on the following legal bases for processing your personal data.
- Performance under a Contract: For prospective, current and former customers, most of the personal data we process is necessary for us to perform our obligations under a contract we have with you, and if applicable, your employer when you receive our service as an employee benefit.
- Legal Obligations: For prospective, current and former customers, there are many laws that require us to process your personal data. Examples include law and regulations for child/adult care, safeguarding, health and safety, tax and government funding.
- Legitimate Interest: For prospective, current and former customers, we have a legitimate interest in processing some of your personal data. We will only process your personal data if our legitimate interests do not materially impact your fundamental rights, freedoms and interests. Some examples include:
  - Use of your email address to send you a newsletter, invitation to a webinar, or information about your services or new/enhanced service updates. You have the right to stop receiving these communications at any time.
  - Analysing your IP and browser information to improve the website experience for you. ‘Session’ cookies are temporary and help you navigate through BH websites efficiently; ‘persistent’ cookies are small files left on your device that store your user preferences for current and successive visits to BH websites.
  - In some locations, we use CCTV for security/safety of our customers, staff and premises; to help prevent and detect crime; to support learning and training; and to defend legal claims.
  - Recording your contact centre calls to assist us with monitoring our policies and procedures; identifying opportunities for training and development; and improving our service to you.
- Special Categories of Personal Data: For prospective, current and former customers, we may need to process special categories of personal data necessary for the contract we have with you and in order to fulfil our legal obligations. Special categories of personal data that we may process include health, race, religion, sexual orientation, disabilities and union membership related information.
There are a variety of contexts under which we will collect your personal data.
When you visit our websites or use our apps and social media, we will collect your personal data when:
- We monitor your visit to any of our websites or engagement with us on our apps or social media.
- You provide information to us, for example when you contact us for information or customer service; create an account or update your account information; register, enrol or make a reservation for our services; or make a payment for our services.
When you call our Contact Centres, we will collect your personal data when:
- You provide information to us, for example when you contact us for information or customer service; book a visit or appointment; create an account or update your account information; register or make a reservation for our services; or make a payment for our services.
When you receive services from us, we will collect your personal data when:
- You provide information to us, for example when you contact us for information or customer service; book a visit or appointment; register, enrol or make a reservation for our services; make a payment for our services; and complete and submit forms.
- We complete forms, assessments and other documentation required for you to receive the services.
If you are a prospective customer, we will process the following categories of personal data about you:
- All personal data that you provide to us so that we may process your request for information.
- For locations with CCTV cameras, images may be captured.
- Third party marketing companies provide us with contact details for individuals who have consented to receive marketing materials. You have the right to withdraw your consent at any time.
- Sensitive personal data which could include health-related information relevant to determine suitability of the service.
If you are a current or former customer, we will process the following categories of personal data about you:
- All personal data that you provide to us while you are receiving our services.
- Information obtained through electronic means such as personalised registration user name and passwords, and swipe card/key fob access records for entering a Bright Horizons premises.
- For locations with CCTV cameras, images may be captured.
- Care and service records that could include, for example, notes from meetings/calls; observations and assessments of you or your dependant’s activities while we provide services to them (including illnesses, sleep, nappy changes, meals, medication, learning, interactions with others, and accidents); review and feedback on your or your dependant’s education/school applications; photographs to share with you and for identification purposes or learning records; and utilisation reports (including dates of service, user of service and reasons for service).
- If you receive our service as part of an employee benefit, we may receive personal data from your employer on your eligibility to use the service and other reporting identifiers.
- If you receive government funding, we receive personal data from the government on your eligibility for the funding and other reporting identifiers.
- Government agencies may provide us with personal data to support their regulatory obligations or investigations.
- Other personal data provided to us by third parties in order to meet our legal obligations.
- Personal data about you and / or your dependant as necessary to respond to and defend legal claims or to pursue legal claims.
- Sensitive personal data about you and / or your dependant which could include:
  - Health-related and religious information necessary to provide the child/adult care or coaching services such as allergies, dietary requirements, medicines, health conditions, sickness; and/or
  - Race, religion, sexual orientation, disabilities and union membership related information necessary to provide the educational advising and tuition assistance services.
We limit the collection of personal data to what’s necessary. Below we have highlighted the main reasons for collecting your personal data:
- Respond adequately to your requests for services or information.
- Provide services to you and/or your dependants, including providing a safe and healthy care environment; administering first aid and other medical care as necessary; and supporting with education, training, curriculum, communication, administration, and record-keeping.
- Provide resource material/information regarding our services and areas of interest to you, such as parenting, childcare, adult care, education, wellbeing, and work/life balance.
- Aid in the administration of our services on behalf of your employer if applicable such as providing utilisation reports and other information to your employer necessary for them to offer the service as an employee benefit.
- Comply with laws, and government regulations/standards.
- Facilitate and process payments for the services.
- Fulfil tax, reporting, and other financial requirements and obligations.
- Prevent or detect unlawful acts.
We don’t sell your personal data to any third parties.
Although some personal data may remain on electronic storage data systems in the country where we provide the service, it may also be processed and stored in the United States. For example, the contact centres and systems supporting our services are located in the United States. Please see below for more information on our adherence to the EU-US Privacy Shield Framework and compliance with other data protection laws.
The hardcopy of personal information we collect remains in the country where you receive the services or provide the information.
Bright Horizons Family Solutions LLC complies with the EU-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data we transfer from the European Union and the United Kingdom to the United States. Bright Horizons Family Solutions LLC certified to the Department of Commerce that it adheres to the Privacy Shield Principles. The Federal Trade Commission has jurisdiction over our compliance with the Privacy Shield.
If there is any conflict between the terms in this Global Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall apply. To learn more about the Privacy Shield program and view our certification, please visit https://www.privacyshield.gov/.
Under certain circumstances, you have the right to invoke binding arbitration for complaints regarding our Privacy Shield compliance that you have been unable to resolve through any of the other Privacy Shield mechanisms. To learn more about the binding arbitration mechanism, please visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
In compliance with the Privacy Shield Principles, Bright Horizons Family Solutions LLC commits to the following:
- Resolve complaints about our collection or use of your personal data. If you have questions or complaints regarding our adherence to the EU-US Privacy Shield Framework, please contact our Global Privacy Officer at firstname.lastname@example.org or 2 Crown Court, Rushden, Northamptonshire, NN10 6BS, United Kingdom.
- Cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to personal data transferred from the European Union.
- Remain responsible and liable for the processing of personal data we receive under the Privacy Shield and subsequently transfer to a third party acting as an agent on our behalf.
We consider your personal data confidential and do not share it with anyone else except as described in this Notice. There are limited circumstances that require us to disclose your personal data to others in order to deliver our services and meet our contractual or legal obligations or legitimate business interests.
- Employers: Bright Horizons services are often made available to you as an employee benefit. In order to meet our obligations to your employer, we provide details of your use of the services, which may include your name, dates of use, reasons for use, and other employer requested utilisation information. We disclose only information relevant to the utilisation of the services or necessary for their administration of the benefit.
- Sub-Contractors and Other Agents: We sometimes employ or contract with other companies and individuals to perform functions on our behalf. Depending upon the type of service they are providing, we may share personal and special category (sensitive) personal data only as appropriate and necessary. These parties are under contractual obligations to use your personal data only as directed by us and as needed to perform their functions. All are under a legal duty to handle such data in accordance with Bright Horizons’ information security and confidentiality standards, and this Notice.
- Business Transfers: As we continue to develop our business, we might sell or buy assets. If any Bright Horizons business unit is sold or substantially all of Bright Horizons is acquired, personal data relevant to the operation sold may be transferred as part of the transaction.
- Bright Horizons’ Subsidiaries and Affiliate/Group Companies: We may share your personal data with our subsidiaries and affiliate/group companies as necessary to provide our services.
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected and as required under law. At the end of that retention period, your data will either be deleted completely or anonymized, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
You have the right to request:
- Access to the personal data we hold about you, free of charge in most cases.
- The rectification of your personal data to ensure that it’s up-to-date, accurate and complete.
- That we stop processing your personal data for direct marketing purposes (either through specific channels or all channels).
- That we and other third parties cease processing your personal data when this was previously undertaken on the basis of your consent and you’ve now withdrawn that consent.
To request copies of your personal data, please email email@example.com.
To ask for your information to be amended, please update your online account or call our contact centre team or the location providing the service directly to you.
To ask for us to stop direct marketing communications to you, you can:
- Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular mailing list.
- If you have an account, log in to your account and change your preferences.
- In our apps, you can manage your preferences and opt out from one or all of the different notifications by selecting or deselecting the relevant options in the ‘Settings’ section.
Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.
In circumstances where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data that doesn’t infringe your rights and freedoms. You have the right to challenge our decision to the Supervisory Authority or seek legal redress through the courts.
If you feel that your personal data hasn’t been handled correctly, or you are unhappy with our response to any requests you have made regarding the use of your personal data, you have the right to lodge a complaint with the relevant Supervisory Authority.
- UK Supervisory Authority: Information Commissioner’s Office at www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites.)
- Ireland Supervisory Authority: Data Protection Commissioner/An Coimisinéir Cosanta Sonraí at www.dataprotection.ie/docs/Home/4.htm
- Netherlands Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority – Dutch DPA) at https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us
- Canada Supervisory Authority: Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/en/
We utilise appropriate technical, organisational, and physical safeguards to protect your personal data we process in both physical and electronic formats. We provide adequate and appropriate data protection, privacy and security training and conduct internal periodic quality assurance audits to ensure we maintain these standards.
However, please note that no computer system or information can ever be fully resilient against every possible hazard or risk. We do maintain appropriate levels of security in accordance with data protection, privacy and security laws and regulations in the territories we operate and keep these under review.
You also play a valuable part in protecting the security of your personal data. You should never share with anyone your password to access any accounts that you created or which are created for you by Bright Horizons.
When using a browser to access your account, after you have finished you should log out and exit your browser to prevent unauthorised users from returning to your account. If you believe that someone has improperly used your account or provided information about you that you didn’t authorise, please contact us immediately at firstname.lastname@example.org.
This Notice is subject to change in order to remain compliant with data protection and privacy laws in the territories in which we operate. We will post revisions to this Notice on our websites. Please check back periodically, especially before you provide any personal information. This Notice was last updated in July 2019.
We hope this Notice has been helpful in setting out the way we process your personal data and how we do this in a transparent and accountable manner.
If you have any questions that haven’t been covered by this Notice, please contact our Global Privacy Officer at:
- Email: email@example.com; or
- Post: Attn: Global Privacy Officer, 2 Crown Court, Rushden, Northamptonshire, NN10 6BS, United Kingdom.