1. About this Privacy Policy
This Privacy Policy explains how OneDiary Ltd collects, uses, shares, stores and protects personal information when people use the OneDiary websites, mobile applications, business portal, public marketplace, booking pages, appointment-management tools, messaging features, payment integrations and related services (together, the Platform).
It also explains the circumstances in which OneDiary acts:
- as a controller, deciding why and how personal information is used;
- as a processor, handling appointment and related information on the instructions of a Business; or
- alongside another organisation, such as a Business or Stripe, which has its own responsibilities for the personal information it controls.
Capitalised terms such as Business, Business User, Client, Appointment and Business Services have the meanings given in the OneDiary Platform Terms.
This Privacy Policy is a transparency notice. It is not a request for blanket consent and does not reduce any rights provided by data-protection law.
2. Who we are
The Platform is operated by:
OneDiary Ltd Company number: 17286402 Registered in: England and Wales Registered office: 28 West Haddon Road, Northampton, NN6 8QL Email: support@onediary.co.uk
OneDiary Ltd is the controller for the processing described in this Policy where we state that OneDiary is the controller.
OneDiary’s business, offices and personnel are based in the United Kingdom.
3. How responsibilities are divided
3.1 Appointment information is normally controlled by the Business
When a Client searches for, makes, manages or attends an Appointment, the relevant Business normally decides why it needs the Client’s contact details, selected service, date and time, notes, attendance history and other information used to arrange and provide the Business Services.
For that processing:
- the Business is normally the controller; and
- OneDiary acts as the Business’s processor under Schedule 1 to the Platform Terms.
Clients should read both this Privacy Policy and the privacy notice provided by the Business they book with. Questions about how a Business uses appointment information, including how long it keeps it, whether it uses it for marketing, and whether it adds information to its own service records, should normally be directed to that Business first.
3.2 OneDiary has separate controller responsibilities
OneDiary is a controller where we decide to use personal information for our own purposes, including:
- creating and administering OneDiary Accounts;
- authenticating Users and protecting Account security;
- managing Business subscriptions and OneDiary Platform Fees;
- operating and moderating the public marketplace and review system;
- providing OneDiary support and handling complaints;
- sending OneDiary service, security, Account and legal communications;
- protecting the Platform, preventing fraud and enforcing the Platform Terms;
- maintaining accounting, legal and regulatory records; and
- analysing and improving the Platform in a proportionate manner.
The same item of personal information may be processed by the Business and OneDiary for different purposes and in different legal capacities.
3.3 Relationship with the Platform Terms
The Platform Terms are the contractual source of truth for use of the Platform. Schedule 1 to the Platform Terms takes priority when determining OneDiary’s contractual obligations as a processor of Business Personal Data.
This Privacy Policy explains OneDiary’s processing to individuals. Neither the Platform Terms nor this Privacy Policy overrides mandatory rights or duties under data-protection law.
4. Roles at a glance
| Activity | Business’s usual role | OneDiary’s usual role | Other relevant party |
|---|---|---|---|
| Business registration, subscription and Account administration | Controller for information it provides about its organisation and personnel | Controller for the OneDiary Account, contract, authentication, billing, security and support | Stripe may control payment and verification information |
| Staff profiles, working hours, service assignments and internal permissions | Controller | Processor for Business-managed workforce information; controller for authentication, audit and Platform security | — |
| Client booking, diary record, booking notes, cancellation, attendance and reminders configured by the Business | Controller | Processor under Schedule 1; controller only for limited security, fraud, legal and Platform-administration purposes | Messaging suppliers act as processors or subprocessors |
| OneDiary Client Account | Controller for its own Appointment records | Controller for Client Account identity, credentials and Account functions | — |
| Public Business profile and staff listing | Controller for the accuracy, legality and authority to publish the content it submits | Controller for marketplace operation, search, ranking, moderation and Platform presentation | Search engines and enabled integrations may act under their own terms |
| Reviews and ratings | May separately use and respond to reviews about it | Controller for collecting, verifying, publishing, ordering, moderating and retaining review records | Public visitors and search engines may view public content |
| Client payment for Business Services | Controller for the service, price, refund decision and underlying transaction | Technical facilitator or processor for relevant Business instructions; controller for OneDiary Platform Fees, security and records | Stripe may act as an independent controller or processor under its own terms |
| OneDiary marketing, security, analytics, support and complaints | — | Controller | Selected suppliers process information for OneDiary |
These descriptions reflect the normal position. A particular integration or activity may involve a different allocation, which will be explained in the relevant journey or provider terms.
5. Whose information we handle and where it comes from
We may handle personal information about:
- Business owners, directors, sole traders and authorised representatives;
- Business Users, including employees, workers and contractors;
- Clients, prospective Clients and people for whom an Appointment is made;
- parents, guardians, carers and representatives where relevant;
- people who contact us, submit a complaint or exercise a legal right;
- visitors to our websites and users of our applications; and
- suppliers, professional advisers and other business contacts.
We may obtain information:
- directly from the person concerned;
- from a Business owner or administrator who creates a staff profile or sends an invitation;
- from a Client or another person authorised to book on the Client’s behalf;
- from the Business with which a Client has an Appointment;
- from Stripe and other payment, fraud-prevention or identity-verification services;
- from integrations enabled by a User, such as calendar, mapping, social or communications services;
- automatically from devices, browsers, applications, cookies, sessions and security logs; and
- from public sources where a Business asks us to display or verify public business information.
A person who gives us personal information about someone else must have authority to do so and should ensure that the other person receives appropriate privacy information.
6. Personal information we handle
The information depends on how the Platform is used.
6.1 Account, identity and contact information
This may include:
- name, display name and title;
- email address and telephone number;
- postal or business address;
- Account identifier and verification status;
- authentication information, including a securely stored password hash rather than a readable password;
- Account role, permissions, invitations and access status;
- communication and marketing preferences; and
- parent, guardian or representative details where relevant.
6.2 Business and public-profile information
This may include:
- legal and trading name, business type and company or registration details;
- business address, telephone number, email address, website and social links;
- locations, opening hours and bookable hours;
- descriptions, images, logos and branding;
- services, categories, prices, durations, add-ons, policies and booking rules;
- staff display names, photographs, biographies, qualifications, services and public availability; and
- marketplace status and information used to create public listing and booking links.
A Business must have a lawful basis and appropriate authority before uploading information about a staff member or any other person.
6.3 Staff and workforce information
This may include:
- working hours and availability;
- service and location assignments;
- roles, permissions and Account activity;
- profile information supplied by the Business or staff member;
- Appointment allocation; and
- audit records relating to changes made through a Business Account.
Employment, contractor and workforce information entered by a Business is controlled by that Business. OneDiary is not the employer of Business Users.
6.4 Appointment and diary information
This may include:
- Client name, email address and telephone number;
- selected Business, location, service, add-on and staff member;
- Appointment date, time, duration and price;
- availability searches and booking status;
- confirmation, rescheduling, cancellation, attendance and no-show information;
- booking notes, preferences, accessibility information and other information supplied for the Business Service;
- Appointment history and links between a Client Account and bookings;
- correspondence and reminders relating to an Appointment; and
- the name and contact details of a person booking for someone else.
6.5 Payment, subscription and financial information
This may include:
- amount, currency, deposit and balance information;
- payment, refund, dispute, chargeback and failure status;
- Stripe customer, connected-account, payment, charge, refund and related identifiers;
- limited payment-method metadata returned by Stripe, where available, such as card brand and last four digits;
- Business Stripe onboarding and capability status;
- subscription plan, trial, discount, invoice, payment and cancellation history;
- OneDiary Platform Fee information; and
- accounting, reconciliation and audit records.
OneDiary does not intend to collect or store full card numbers, card security codes or online-banking credentials. Stripe collects card, bank, identity and connected-account verification information under its own privacy information. OneDiary receives only the identifiers, status and limited transaction information reasonably needed to operate the Platform.
6.6 Reviews, content and marketplace information
This may include:
- rating, review text, display name and publication date;
- the relevant Business, service or booking-verification link;
- a Business response;
- reports, moderation decisions, appeals and evidence used to assess authenticity or abuse;
- marketplace searches, filters and listing interactions; and
- ranking, quality, safety and fraud signals derived from Platform activity.
6.7 Communications and support information
This may include:
- support requests, emails, messages and call notes;
- feedback, survey responses and feature requests;
- privacy requests and data-protection complaints;
- evidence and correspondence relating to disputes or enforcement; and
- records showing whether an email, SMS or push notification was sent, delivered, failed, opened or acted upon, where the provider makes that information available.
6.8 Technical, device, usage and security information
This may include:
- IP address, browser type, operating system, device type and app version;
- session, cookie and authentication identifiers;
- push-notification token and notification preferences;
- login dates, timestamps, audit events and security logs;
- pages, screens and features used;
- crash, diagnostic, performance and error information;
- suspected fraud, abuse or Account-compromise indicators; and
- approximate location inferred from an IP address or a location or postcode actively supplied for marketplace search.
We will request precise device location only where a feature genuinely requires it and the device or application provides an appropriate permission choice.
6.9 Required and optional information
Required fields should be identified in the relevant flow. In general:
- we cannot create or secure an Account without essential identity, contact and authentication information;
- a Business cannot subscribe without the information needed to form and administer its contract and payment arrangement;
- an Appointment cannot normally be arranged without the Client contact and booking information required by the Business;
- Stripe cannot process a payment or connected-account onboarding without the information it requires; and
- optional profile details, booking notes, photographs and marketing choices may be left blank unless a particular Business Service genuinely requires them.
7. Why OneDiary uses personal information and our lawful bases
The following table describes processing for which OneDiary is a controller. Where OneDiary acts only as a processor, the Business is responsible for identifying and explaining its lawful basis.
| Purpose | OneDiary’s usual lawful basis |
|---|---|
| Create and administer Business Accounts, Client Accounts and agreed Platform services | Performance of a contract with the Account holder or steps requested before entering a contract. For staff and representatives who are not personally party to the Business contract, legitimate interests in providing authorised access |
| Authenticate Users, administer roles and protect Accounts | Contract where needed to provide the Account; legitimate interests in secure and reliable access and preventing unauthorised use |
| Operate subscriptions, invoices, Platform Fees and related records | Contract; legal obligation for accounting, tax and regulatory records; legitimate interests in reconciliation and debt recovery |
| Operate public Business profiles, marketplace search, booking links and ranking | Contract with the Business; legitimate interests in operating a useful, fair and trustworthy marketplace |
| Provide a OneDiary Client Account and link eligible Appointments | Contract with the Client; legitimate interests in preventing mistaken or unauthorised linking |
| Send Account, payment, security, policy and service communications | Contract; legitimate interests in administering and protecting the Platform; legal obligation where a notice is required by law |
| Facilitate Client payments, refunds and payment-status information | Contract for the relevant Platform functionality; legitimate interests in payment operation, reconciliation and fraud prevention; legal obligation where applicable |
| Collect, verify, publish and moderate reviews | Legitimate interests in genuine feedback, marketplace trust, preventing fake or abusive reviews and protecting Users; contract where review functionality forms part of the service |
| Provide support, investigate faults and respond to enquiries | Contract where support relates to the Platform service; legitimate interests in helping Users and improving reliability |
| Handle rights requests, complaints, disputes and legal claims | Legal obligation; legitimate interests in resolving issues and establishing, exercising or defending legal claims |
| Detect and prevent fraud, misuse, security incidents and breaches of the Platform Terms | Legitimate interests in protecting Users, OneDiary, Stripe and the integrity of the Platform; legal obligation or recognised legitimate interests where applicable |
| Analyse performance and improve the Platform | Legitimate interests in understanding service use, correcting faults and making proportionate improvements; consent where required for a non-essential cookie or similar technology |
| Send OneDiary marketing | Consent where required; otherwise legitimate interests where direct-marketing and electronic-communications law permits. Marketing messages will include an appropriate opt-out |
| Comply with law and respond to lawful authority requests | Legal obligation; legitimate interests where disclosure is necessary and lawful but not strictly compelled |
| Corporate restructuring, investment, acquisition or sale | Legitimate interests in managing a genuine corporate transaction, subject to confidentiality and data minimisation |
7.1 Legitimate interests
Where we rely on legitimate interests, those interests may include:
- operating, supporting and improving a commercially sustainable Platform;
- enabling Businesses and Clients to arrange and manage Appointments;
- protecting Accounts, payments, systems and Users;
- preventing fraud, fake reviews, misuse and unlawful activity;
- maintaining accurate records and resolving disputes;
- understanding service performance and correcting faults;
- communicating necessary service information; and
- establishing, exercising and defending legal rights.
We consider the necessity and impact of the processing and apply safeguards such as access controls, data minimisation, retention limits, opt-outs, aggregation and human review where appropriate.
7.2 When OneDiary acts as processor
For Appointment and related Business Personal Data processed solely on a Business’s instructions, OneDiary does not substitute its own lawful basis for the Business’s. The Business must identify an Article 6 lawful basis and, where relevant, an Article 9 condition for special-category data. OneDiary processes that information under the Platform Terms, Schedule 1 and the Business’s lawful configuration and instructions.
8. Sensitive and special-category information
Booking notes, selected services or correspondence may reveal information about health, disability, racial or ethnic origin, religion, sex life, sexual orientation or another protected category. Accessibility requirements, allergies, therapy notes or the nature of a treatment may amount to special-category data.
The Platform is not intended to be a general medical-record, clinical-record or safeguarding-case-management system.
8.1 Business responsibilities
A Business must:
- collect sensitive information only where genuinely necessary for the Business Service;
- identify both an Article 6 lawful basis and an Article 9 condition before processing special-category data;
- give Clients clear information about that processing;
- restrict access to personnel who need it;
- apply appropriate retention periods; and
- avoid entering excessive, speculative or disrespectful information in notes.
8.2 OneDiary’s handling
When OneDiary processes this information for a Business, it does so as processor under Schedule 1. We do not use booking notes to target advertising or build unrelated profiles.
OneDiary may process limited sensitive information as an independent controller only where a valid legal condition applies, for example where necessary for a legal claim, vital interests, a lawful safeguarding purpose or another substantial public-interest purpose. We will limit and document that processing.
Clients should not include sensitive information in a booking note, review or support request unless it is genuinely necessary. Where practical, particularly sensitive information should be given directly to the Business through an appropriate channel.
9. Public profiles, availability and reviews
9.1 Public Business information
Information a Business chooses to publish may be visible to anyone, including:
- its trading name, address and contact details;
- descriptions, services, prices and policies;
- staff display names, photographs, biographies and public availability;
- images, social links and booking links; and
- ratings, reviews and Business responses.
Public pages may be indexed, copied or cached by search engines, social networks and other third parties. Removing content from OneDiary may not immediately remove a third party’s cached copy.
A Business is responsible for ensuring that it has authority to publish information and images relating to staff and other people.
9.2 Reviews
Before a review is submitted, the Platform should identify which fields will be public. Public review information may include a Client-selected display name, rating, review text, the reviewed Business, the publication date and, where appropriate, a limited reference to the service.
We do not publish a reviewer’s email address, telephone number, payment details, private booking notes or exact Appointment time as part of the review.
We may use booking and Account information privately to verify that a review relates to a genuine experience, detect manipulation, investigate reports and enforce review rules. We may remove or restrict a review and retain proportionate evidence where reasonably necessary to address fraud, safety, legal claims or Platform integrity.
Users must not include another person’s private or sensitive information in a public review or response.
10. Payments and Stripe
10.1 Client payments
The Business, not OneDiary, supplies the Business Services and is normally the merchant of record for Client Payments. Stripe processes the payment and may carry out fraud, security and legal-compliance checks.
OneDiary may send Stripe information needed to create or manage the payment and may receive transaction identifiers, status, amount, limited payment-method metadata, refund, dispute and chargeback information. OneDiary uses that information to operate the Platform, display payment status, support the Business, prevent misuse and calculate its Platform Fee.
10.2 Business subscriptions and connected accounts
Stripe processes OneDiary subscription payments and supports connected-account onboarding and Client payment functionality. Depending on the particular Stripe service and processing activity, Stripe may act as an independent controller or as a processor. Stripe provides its own privacy information in the onboarding and payment journey.
Stripe may collect directly:
- payment-card or bank details;
- identity and business-verification information;
- beneficial-owner, director or representative information;
- bank-account and payout information;
- device, fraud and compliance information; and
- documents required by financial-services, anti-money-laundering or sanctions rules.
OneDiary normally receives identifiers, status, capabilities and limited transaction information rather than the full information collected by Stripe. We may share Account, transaction and technical information with Stripe for onboarding, processing, fraud prevention, support, reconciliation and legal compliance.
11. Emails, SMS, push notifications and marketing
11.1 Appointment and service communications
The Platform may send confirmations, reminders, payment links, cancellations, rescheduling messages, receipts, invitations, password resets, security alerts and other operational communications by email, SMS or push notification.
When a message is sent on a Business’s instructions about an Appointment, the Business is normally the controller and OneDiary acts as processor. When a message concerns a OneDiary Account, Platform security, a OneDiary subscription or a OneDiary legal notice, OneDiary is normally the controller.
Service messages are operational communications and are not dependent on marketing consent. They should not contain unrelated promotional material.
11.2 Delivery providers and metadata
We may give a communications provider the recipient’s contact detail, message content, template information and technical delivery information. Providers may return status information such as sent, delivered, failed, opened or clicked.
For push notifications, we may process a device or push token and basic app or device information. Expo relays push notifications to the relevant mobile delivery network, which may include Apple Push Notification service or Google Firebase Cloud Messaging.
Users should avoid putting highly sensitive information into notification titles or lock-screen previews.
11.3 Marketing
OneDiary sends marketing only where law permits. We distinguish marketing from necessary service messages. A person can opt out through the message, Account settings where available, or by contacting us.
A Business is separately responsible for any marketing it sends to Clients. The fact that a Client made an Appointment does not automatically permit a Business to use the Client’s details for unrelated marketing.
A person may object to OneDiary using their personal information for direct marketing at any time. We will stop that marketing and retain only the minimum suppression information needed to respect the request.
13. Where personal information is processed
OneDiary’s own offices, staff and business operations are located in the United Kingdom.
We configure our core application, database and backup hosting so that customer data at rest is stored in United Kingdom or European Economic Area regions. Brevo’s primary storage for messaging data is located in the European Union.
However, data residency at rest is not the same as every act of processing occurring in that location. Some providers, including Stripe, Expo and the mobile push networks, operate internationally and may process, access or route limited personal information from countries outside the United Kingdom and European Economic Area. Google Cloud and Brevo may also use global support functions or onward providers under their contractual arrangements.
Where OneDiary is responsible for a restricted international transfer, we use a lawful transfer mechanism and appropriate safeguards. Depending on the destination and provider, these may include:
- United Kingdom adequacy regulations;
- the UK International Data Transfer Agreement;
- the UK Addendum to the European Commission’s Standard Contractual Clauses;
- approved binding corporate rules;
- the UK Extension to the EU–US Data Privacy Framework where available and applicable; or
- another lawful exception or mechanism permitted by data-protection law.
Where required, we assess the transfer risk and consider supplementary technical or organisational measures. Further information about a relevant safeguard may be requested by contacting us, subject to necessary confidentiality and security redactions.
14. How long we keep personal information
We keep personal information only for as long as reasonably necessary for the purpose for which it is held, including contractual, accounting, security, dispute and legal requirements.
Our standard retention approach is:
| Record type | Standard retention approach |
|---|---|
| Active Business Account, operational settings and Business profile | While the Account is active. Following ordinary termination, relevant Business Data is normally available for export or reasonable read-only access for 30 days. Public listings are unpublished and operational data is then deleted or anonymised from active systems within a further 90 days, unless a lawful reason requires retention |
| Business Personal Data, including Appointments and booking notes | While the Business Account is active and until the Business deletes it or instructs deletion, subject to product functionality and legal requirements. Following service end, the 30-day export period applies and remaining active-system copies are normally deleted or anonymised within a further 90 days |
| Secure backups | Retained through the ordinary backup cycle and normally overwritten within 90 days after deletion from active systems. Backup information is isolated and restored only for recovery, security or legal necessity |
| Staff Account and access records | Account information is retained while access is authorised and normally deleted or anonymised within 30 days after access ends, subject to audit, security and legal records |
| Client Account profile and credentials | While active. Following Account closure, normally deleted or anonymised within 30 days, subject to security, dispute and legal records. Appointment records controlled by Businesses may remain under their own retention policies |
| Subscription, invoice, Platform Fee and accounting records | Normally six years after the end of the financial year or contractual relationship to which the record relates, or longer where required for an audit, investigation or legal claim |
| Payment, refund, chargeback and dispute identifiers controlled by OneDiary | Normally six years after the transaction or final resolution of the dispute where needed for accounting, fraud prevention or legal claims |
| Reviews | While published. Verification, moderation and removed-review records are normally retained for up to three years after removal, or longer for an active legal, fraud or safety matter |
| Support enquiries and ordinary correspondence | Normally two years after the matter is closed. Formal complaints, contractual disputes and legal-claim records may be retained for up to six years after final resolution |
| Security, access and audit logs | Normally 12 months, unless a longer period is needed to investigate an incident, fraud, abuse or legal claim |
| Marketing preferences and consent evidence | Preference information is kept while relevant. Evidence supporting marketing may be kept for up to six years after last reliance. A minimal suppression record may be retained for as long as needed to respect an opt-out |
| Incomplete registration, expired invitation, password-reset and abandoned-flow information | Deleted or anonymised when no longer needed, normally within 30 days, unless security or fraud concerns justify a longer period |
| Cookies and similar technologies | For the period stated in the applicable cookie or storage-technology notice |
A Business may need to retain its own Appointment or service records for a different period. Clients should consult the Business’s privacy notice for that information.
We may retain a limited record for longer where necessary to comply with law, establish or defend legal claims, prevent fraud, protect security or enforce a valid restriction. We may retain aggregated or genuinely anonymised information that no longer identifies an individual.
15. Security
We use technical and organisational measures appropriate to the nature of the information and risks involved. These may include:
- encryption in transit and appropriate protection of stored information;
- password hashing, authentication controls and role-based access;
- least-privilege access and removal of access that is no longer needed;
- logging, monitoring and investigation of security events;
- secure development, change control, dependency management and patching;
- backup and recovery arrangements;
- incident-response procedures;
- confidentiality obligations and staff guidance; and
- supplier due diligence and contractual safeguards.
A Business is responsible for managing its Business Users, permissions, devices, exports, local copies and Account security. Users must keep credentials confidential and notify us promptly if they suspect unauthorised access.
No online service can guarantee absolute security. We review our safeguards as technology, use and risk change.
17. Marketplace ranking, fraud signals and automated processing
The Platform may use automated rules or signals to:
- display availability and allocate a configured staff member;
- rank or rotate marketplace listings;
- detect suspected fraud, fake reviews, abuse or Account compromise;
- route communications and payment events;
- identify errors or unusual activity; and
- provide basic Account or marketplace functions selected by a User.
Marketplace ranking is explained further in Schedule 2 to the Platform Terms.
OneDiary does not currently make decisions based solely on automated processing that have legal or similarly significant effects on individuals. Automated signals may trigger a temporary protective measure or referral for investigation. Where the law requires it, a person may request meaningful human review, express their view and challenge the decision.
We will update this Policy and provide any required safeguards before introducing materially different significant automated decision-making.
18. Children
The Platform is not specifically designed as a children’s service, but some Business Services and booking functions may be used by or for people under 18.
Under the Platform Terms:
- a Client under 18 must have permission from a parent or guardian to create an Account or make a booking;
- a parent or guardian should make or approve a booking for a younger child; and
- a Business may impose additional lawful age, consent or accompaniment requirements.
Where an Appointment is made for a child, the Business is normally the controller of the child’s Appointment information and should explain how it uses that information. OneDiary processes it for the Business and separately uses limited Account, security and legal information as described in this Policy.
We do not knowingly use children’s booking notes or Account information for behavioural advertising. We take account of children’s best interests, minimise collection and use age-appropriate explanations and controls where the service is likely to be accessed by children.
A parent, guardian or child may contact us about privacy rights. We may need to verify identity, authority and the child’s own rights and wishes before acting.
19. Your data-protection rights
Depending on the circumstances and lawful basis, a person may have the right to:
- be informed about how personal information is used;
- request access to personal information and a copy of it;
- correct inaccurate or incomplete information;
- request deletion in applicable circumstances;
- restrict processing in applicable circumstances;
- object to processing based on legitimate interests;
- object to direct marketing at any time;
- receive certain information in a portable format where the legal conditions apply;
- withdraw consent at any time where processing is based on consent, without affecting earlier lawful processing; and
- obtain safeguards relating to qualifying significant automated decisions.
19.1 Exercising a right
Contact us at support@onediary.co.uk and describe the information or Account concerned. We may ask for proportionate information to verify identity and authority.
We respond without undue delay and normally within one calendar month after receiving the request or, where reasonably required, the information needed to verify identity or understand the request. The law permits the response period to be extended in some circumstances, including for complex or multiple requests. We will explain any extension or lawful refusal.
19.2 Appointment information controlled by a Business
Where a request mainly concerns Appointment information controlled by a Business, we may:
- direct the requester to the Business;
- notify the Business and seek its instructions; or
- assist the Business to respond under Schedule 1 to the Platform Terms.
This does not prevent OneDiary from responding to the parts of a request concerning information for which OneDiary is the controller.
19.3 Right to object
A person has the right to object at any time to our use of their personal information for direct marketing.
A person may also object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds that override the person’s interests, rights and freedoms, or the processing is needed for legal claims.
20. Privacy questions and data-protection complaints
A privacy question, concern or complaint may be sent electronically to support@onediary.co.uk or by post to the registered office in section 2.
For a complaint that OneDiary may have infringed data-protection law, we will:
- provide a practical electronic way to submit the complaint;
- acknowledge receipt within 30 days;
- take appropriate steps to investigate and respond without undue delay;
- keep the complainant appropriately informed about progress; and
- explain the outcome without undue delay.
Where a complaint principally concerns processing controlled by a Business, we may refer it to that Business or handle it in cooperation with the Business while addressing any part for which OneDiary is responsible.
A person may also complain to the Information Commissioner’s Office, the United Kingdom data-protection regulator, at ico.org.uk/make-a-complaint. Contacting us first is not a condition of exercising that right.
21. Third-party services and links
The Platform may link to or integrate with services operated by Stripe, Google, Apple, social networks, calendar providers or other third parties. Where a third party independently decides how it uses personal information, its own privacy notice applies.
OneDiary is not responsible for an independent third party’s processing, although we remain responsible for choosing and managing our own processors as required by law and Schedule 1 to the Platform Terms.
A Business may also link to its own website, social profile, terms and privacy notice. Those are controlled by the Business.
22. Changes to this Policy
We may update this Policy to reflect changes in law, suppliers, technology or the Platform. We will publish the revised version and update the date above.
Where a change is material, we will take reasonable steps to bring it to the attention of affected Users, for example by email, an Account notice or an in-app message. A change to this Policy does not retrospectively create a new lawful basis or remove an existing legal right.
23. Contact details
For privacy questions, rights requests or complaints:
OneDiary Ltd Company number: 17286402 Registered office: 28 West Haddon Road, Northampton, NN6 8QL Email: support@onediary.co.uk