Welcome to the UPP Group Limited’s Privacy Policy

Introduction and our commitment

UPP Group Limited (UPP) respects your privacy and is committed to protecting your personal data. This Privacy Policy will inform you as to how we look after your personal data when you visit our website or when you communicate us. It will tell you about your privacy rights and how the law protects you. Where we refer to “UPP”, as appropriate this includes its subsidiaries and Parent organisations.

Please read this policy carefully, and also take a moment to read the website Terms and Conditions.

We have set out our policy in a layered format so you can click on  the headings below to take you to the relevant section(s):

Aim of this policy

This policy relates to how UPP processes personal data relating to individuals who access our website, provide information to us via our site, via our corporate social media accounts and communications between us regarding any enquiries you make about our services. If you or any of your colleagues are accessing this site, or communicating with us, on behalf of your organisation, then this policy applies to any individuals whose personal data is provided to us.

If you are a student at one of our halls of residence, the accommodation website of your University or your halls of residence, will link you to the most appropriate privacy policy.

If you are applying to UPP or any of its Subsidiary Group Companies for a job, please see our Applicant Privacy Policy here.

If you or your organisation are a supplier of UPP, or a customer of UPP, then the terms our contract with you will provide more detail about how UPP and its group companies will handle your personal data.

Our services, and our site, are not intended for children and we do not knowingly collect personal data relating to children unless this is a necessary part of our services to you.

It is important that you read this policy together with any other data protection or privacy notice that we may provide on specific occasions when we collect or process personal data about you. In this way, you can ensure that you fully understand how and why we are using your data.

Who is in charge of the data collected and how do I contact UPP?

UPP Group Limited is comprised  of different legal entities, details of which can be found here. This privacy notice is issued on behalf of the UPP Group so when we mention the Company “we”, “us” or “our” in this privacy notice, we are referring to the relevant Company in the UPP Group responsible for processing your data. We will let you know which entity will be the controller for your data in your dealings with us. UPP Group Limited is the controller and responsible for this website

UPP Group Limited is the administrator of the UPP website, will deal with your enquiries, and operates UPP’s social media accounts. UPP will treat your personal data (which means data from which you can be identified, including – but not limited to – your name, address, e- mail address, phone number, and technical information about your visit to our site, and the like) in accordance with applicable data protection legislation here in the UK.

It is important that the personal data we hold is accurate and current. Please inform us if your personal data changes during your relationship with us.

How to contact us or make a complaint

If you have any questions about this privacy policy or our privacy practices, please contact our Compliance team who deal with all our privacy matters in the following ways:

Full name of legal entity: UPP Group Limited
Email address: gdpr@upp-ltd.com
Postal address: UPP, 40 Gracechurch Street, London, EC3V 0BT
Telephone number: +44 (0)207 398 7200

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this policy

We keep our Privacy Policy under regular review. This version was last updated on 10 August 2018. Historic versions can be obtained by contacting us.

Any changes that we make to this policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

This website and information that we may post  via our social media accounts may include links to third-party websites, plug-ins and applications for your convenience and information. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

The data we collect about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

  1. In your dealings with us, we may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows Identity data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.Contact data includes email address and telephone numbers, your social media profile information (if you use this to get in touch with us) or billing address
  2. Financial data includes bank account and payment card details.
  3. Transaction Data includes details about payments to and from you.
  4. Marketing and communications data include your preferences in receiving marketing from us and our third parties, and your communication preferences.
  5. Technical data includes Internet protocol (IP) address; your login data; browser type and version; time zone setting and location; browser plug-in types and versions; operating system, platform and other technology on the devices you use to access our Site; information about your visit, including the full Uniform Resource Locator (“URL”); clickstream to, through and from our site or the social media accounts that we operate (including date and time); information that you viewed or searched for; page interaction information (such as scrolling, clicks, mouse-overs and likes); and any phone number used to call our customer service/receptionist office number.
  6. Usage data includes information about how you use our site and services.
  7. Client / supplier data includes personal data that you or your colleagues provide to us – or that we collect – in connection with the services which you supply to us. For example, our communications with you or about you, dealings with third parties about you and your personal or business circumstances or history.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences unless you are applying to work for us. Please refer to our Applicant Privacy Policy.

If you fail to provide your Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

How is personal data collected by UPP?

By corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you

  • apply for our products or services;
  • create an account on any of our web portal;
  • subscribe to our service or publications;
  • request marketing to be sent to you;
  • communicate with us via social media
  • enter a competition, promotion or survey or give us feedback or contact us
  • Direct interactions with you. You may give us your identity data, contact data, client / supplier data and marketing and communications data by filling in forms or by corresponding with us via our site, by post, by phone, by email, via our social media accounts, face to face or otherwise.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources:
    • Public Relations advisors in our interaction with public authorities and government agents
    • Client / supplier data. For example, where we are dealing with other parties or organisations as part of your enquiry, including from our group companies, your advisers or parties associated with you.
    • Companies House and other websites.
    • Marketing and communications data. We may use social media sites such as LinkedIn, Facebook and Twitter to contact you via that platform or share content with you. Those sites may also provide us with information about you, such as where you send us a message, or like or comment on us or our content. We may also receive data about you from our marketing services provider. We do not buy in mailing lists.
    • Technical data. You may provide this to our hosting providers when you interact with our site or our social media accounts. We also receive information from the following parties:
      • Analytics providers such as Google based within the EU.
      • Search information providers based inside the EU.
    • Identity and contact data from credit reference agencies and identity- and credit-checking providers, as part of our new supplier process,, as well as the police and HM Revenue & Customs (“HMRC”).
    • Identity data from publicly availably sources such as Companies House and the electoral register in your jurisdiction.

Depending on the nature of your dealings with UPP, we may combine this data with other data we hold about you.

Where possible, we will notify you when we receive information about you from third parties and will inform you about the purposes for which we intend to use that information.

How we use your  personal data

We will only use your personal data to the extent that the law permits us to.. Mostly, we use your personal data in the following circumstances:

  • To deal with your enquiries, and to make contact with you, where you request information about our services.
  • To perform a contract, we are about to enter into or have entered into with you or your organisation
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
  • To agree and then provide our services to you under our contract with you or your organisation.
  • To contact you where your details have been legitimately provided to us in relation to our services.
  • To comply with our legal or regulatory obligations and to handle complaints or claims.
  • To ensure that content from our Site and the social media accounts that we operate is presented in the most effective manner for you and for your computer.
  • To manage our business, including to notify you of changes to our services and to our Site.


Click here – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Generally, we do not rely on consent as a legal basis for processing your personal data other than in very limited circumstances, in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Purposes and legal bases for processing your personal data

The table below describes in more detail the purposes for which we use your personal data. It also identifies the relevant type of data, the lawful basis we rely on for that purpose.

If we have identified multiple legal bases for a particular purpose, please contact us if you would like further information.

Purpose/activity Type of data Lawful basis for processing including basis of legitimate interest
To deal with your enquiries, and to make contact with you, where you request information about our services. Identity


To take steps necessary to perform a contract with you, or to take steps at your request prior to entering into a contract with you.

Our legitimate interests:

  • To market or promote our services to you or your organisation where you have made a request for information or discussed our services with us.
  • To take steps at your request in relation to your organisation prior to entering into a contract. For example, booking an appointment.
  • To perform our contract with your organisation.
To agree and then provide our services to you under our contract with you or your organisation. Identity


Client / supplier

To take steps necessary to perform a contract with you, or to take steps at your request prior to entering into a contract with you.

Our legitimate interests:

  • To take steps at your request in relation to your organisation prior to entering into a contract.
  • To performing our contract with your organisation.
  • To manage payments, and to collect and recover money owed to us.
  • To strengthen and protect our business, including our relationship with clients and suppliers.

Legal obligations that require us:

comply with any regulatory requirements such as Anti-Money Laundering checks.

To contact you where your details have been legitimately provided to us in relation to our services. Contact Our legitimate interests:

  • To approach business leads that have legitimately been provided to us, for us to promote our business
To comply with our legal obligations and to handle complaints or claims. Identity


Client / supplier

Our legitimate interests:

  • To protect our business, including our relationship with customers and suppliers.
  • Necessary to comply with our legal obligations
To ensure that content from our Site and the social media accounts that we operate is presented in the most effective manner for you and for your computer.
  • Technical
  • Usage
  • Marketing and communications
Necessary for our legitimate interests:

  • To present our Site and social media accounts appropriately to best promote our services.
  • To allow you to participate in interactive features of our service, when you choose to do so.
To send you our newsletter and other marketing material about our services or about issues that we think may interest you (by email, text message, social media, post or phone), and to measure the effectiveness of our marketing material. Contact

Marketing and communications

Consent (where this is necessary).

Necessary for our legitimate interests:

  • To strengthen our relationship with our customers and to develop our business and our marketing strategy.
To manage our business, including our relationship with you, which will include:

  1. Notifying you about changes to our terms or privacy policy.
  2. Asking you to update your details.
  3. Asking you to partake in a review, a prize draw, competition or a complete survey..

Marketing and communications

Client / supplier

Performance of a contract with you.

Necessary to comply with a legal obligation under the Data Protection Act 2018 that requires us to provide you with fair processing information, and to keep our records of personal data up to date and accurate.

Necessary for our legitimate interests:

  • To maintain our customer relationships.
  • To keep our records updated.
  • To study how customers use our site and services.
  • To improve our site and service to you and make your visits to our site more rewarding
To administer and protect our business and our Site. Identity




Necessary for our legitimate interests:

  • To run our business efficiently, including by appointing appropriate suppliers that support our services.
  • To manage our IT systems, including by allowing us and our suppliers to manage network security, troubleshoot, conduct testing, perform system maintenance, provide support and generate reporting.
  • To keep our business secure and safe.
  • To prevent fraud and dishonest behaviour.
To use data analytics and to conduct statistical analysis and research. Technical


Marketing and communications

Partner/Client /Supplier


Necessary for our legitimate interests:

  • To analyse our current or prospective partner, clients/suppliers  and social media usage, and services, for business planning.
  • To keep our site updated and relevant.
  • To develop our business and to inform our marketing strategy.
To sell our business, or part of it. Client / supplier Necessary for our legitimate interests:

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you would like to understand more about any of our purposes, please contact us. We will notify you to explain if we need to use your personal data for an unrelated purpose.


We hope that you enjoy and value our newsletter and updates, and our marketing material generally. We respect your right to choose what marketing messages you receive. You can opt out of any marketing material that we send you at any time by clicking the unsubscribe link in our emails, or by contacting us.

We may ask you to confirm or update your marketing preferences over time, such as when you instruct us to provide further services in the future, or if there are changes in the law or the regulation or structure of our business.

With whom will the information be shared?

All of our contractors, suppliers and staff (including volunteers, agents, temporary workers and casual workers) who process your personal data on our behalf (and therefore act as our processors) are subject to strict contractual requirements in relation to processing personal data.

Where we are required to disclose your personal data to another organisation that acts as a controller (for example, law enforcement agencies; regulators; HMRC; or as part of court proceedings), we will only do so if required by law, or if you have approved that disclosure.

We only disclose information to a third party where permitted by law, and always only as necessary to achieve a legitimate purpose. We will never share your personal data with any party for its own marketing purposes without your prior consent.

We may disclose your personal data to the following:

  • Internal third parties. This includes UPP Residential Services Limited (which is our main accommodation provider subsidiary) and any of our subsidiaries and parent companies which support our services or have a need to know in order to respond to your enquiries or to meet our commitments to you.
  • External third parties in connection with our services – this includes to:
    • Where legally compelled to do so, a court or tribunal, a regulatory authority, and law enforcement agencies.
    • Other professional advisers acting on your behalf.
    • Our professional advisers and our bank.
    • Our University partners, suppliers and sub-contractors and providers of goods or services for the performance of any contract that we enter into with them to support our business. For example, our sub-contractors in technical, payment and delivery services, marketing and advertising service providers, analytics providers, and search and social media information and optimisation providers.
    • Our insurers if we need to discuss your organisation’s request for services.
    • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets only for that purpose and subject to appropriate confidentiality agreements.
    • If UPP or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
    • To enforce or apply our Site’s Terms of Use or our standard terms and conditions of business or other agreements, or to protect the rights, property or safety of UPP, our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  • To anyone where we have you prior consent.

Security procedures/access

The only people who can use your personal data are authorised UPP staff, in particular our ICT department, or our suppliers which are contractually committed to maintain the confidentiality of your personal data and to treat it in accordance with applicable data protection law in the UK.

If you submit personal data (as described above), the information is available only to the UPP staff involved in implementing the relevant activity.

UPP has a strong commitment to data security. UPP uses all reasonable endeavours to protect personal information from loss, misuse or alteration and we have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us online, or that we store about you. UPP takes appropriate steps to communicate and train its staff in relation to applicable data protection law.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site or via the social media accounts that we operate; any transmission is at your own risk.

If you would like to know more about our data security measures please contact us.

International Data transfers

Wherever possible, we will not transfer your data outside the European Economic Area (EEA). However, there are circumstances where this will be unavoidable. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

How long will your personal data be retained for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.


To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.

In certain circumstances, you may ask us to delete your personal data. See your legal rights below.

We may also choose to anonymise your personal data, by making sure that you are no longer identifiable. We can then keep that data indefinitely without further notice to you.

Automated decision making including profiling

UPP does not use your personal data to make any automated decisions or conduct any profiling about you.

Your data protection rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data which we process as a controller. These rights are subject to specific requirements and limitations set out in the applicable data protection legislation. In summary you have the right to:

  • Request access to your personal data (known as a “data subject access request”). You can ask to receive a copy of the personal data we hold about you and to check that it is being lawfully processed.
  • Request correction of your personal data. You can ask to have any inaccurate or incomplete personal data that we hold about you corrected.
  • Request erasure of your personal data. You can ask for your personal data to be deleted or removed where it is no longer necessary for the original purpose for which it was collected. You can also ask us to delete or remove your personal data where you withdraw consent (and no other legal basis exists), where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with applicable law
  • Request restriction of processing your personal data. You may ask us to suspend processing of your personal data if: (a) you are concerned about the accuracy of the personal data; (b) where processing of your personal data is unlawful but you do not want it to be erased but restricted instead; (c) you need it to establish, exercise or defend legal claims even though we no longer need it; or (d) you have objected to the use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
  • Object to processing of your personal data. You can object to us processing your personal data on grounds relating your particular situation and where we are relying on a legitimate interest (or those of a third party). We may be able to demonstrate a legitimate basis to continue processing provided that overrides your rights and freedoms or so we can establish, exercise or defend a legal claim. You also have the right to object where we are processing your personal data for direct marketing purposes, including any profiling related to that direct marketing.
  • Request transfer of your personal data to you or to a third party. Where your information is processed by automated means, and we process your personal data on the basis of consent or a contract with you, you can ask to be provided with your personal data, or that a third party you have chosen is provided with, your personal data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent at any time (provided we are relying on consent to process your personal data). However, this will not affect the lawfulness of any processing based on consent before withdrawal. This may impact our ability to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please Contact us.

No fee usually required – You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee or refuse your request, if your request is clearly unfounded, repetitive or excessive.

What we may need from you – We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond – We try to respond to all legitimate requests. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Use of Cookies

Cookies and how they Benefit You

Our site uses cookies, as almost all websites do, to help provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone when you browse websites

Our cookies help us:

  • Make our site work as you’d expect
  • Remember your settings during and between visits
  • Improve the speed/security of the site
  • Allow you to share pages with social networks like Facebook
  • Continuously improve our website for you
  • Make our marketing more efficient (ultimately helping us to offer the service we do at the price we do)

We do not use cookies to:

  • Collect any personally identifiable information (without your express permission)
  • Collect any sensitive information (without your express permission)
  • Pass data to advertising networks
  • Pass personally identifiable data to third parties
  • Pay sales commissions

You can learn more about all the cookies we use below

Granting us permission to use cookies

If the settings on your software that you are using to view this website (your browser) are adjusted to accept cookies we take this, and your continued use of our website, to mean that you are fine with this. Should you wish to remove or not use cookies from our site you can learn how to do this below, however doing so will likely mean that our site will not work as you would expect.

More about our Cookies

We use cookies to make our site work including:

  • Remembering if you have accepted our terms of use
  • Showing you which pages you have recently visited

There is no way to prevent these cookies being set other than to not use our site.

Social Website Cookies

So you can easily like or share our content on the likes of Facebook and Twitter we have included sharing buttons on our site.

Cookies are set by:

The privacy implications on this will vary from social network to social network and will be dependent on the privacy settings you have chosen on these networks.

Visitor Statistics Cookies

We use cookies to compile visitor statistics such as how many people have visited our website, what type of technology they are using (e.g. Mac or Windows which helps to identify when our site isn’t working as it should for particular technologies), how long they spend on the site, what page they look at etc. This helps us to continuously improve our website. These so-called analytics programs also tell us if how people reached this site (e.g. from a search engine) and whether they have been here before helping us to put more money into developing our services for you instead of marketing spend.

Turning Cookies Off

You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies (Learn how here). Doing so however will likely limit the functionality of our’s and a large proportion of the world’s websites as cookies are a standard part of most modern websites

It may be that you have concerns around cookies relate to so called “spyware”. Rather than switching off cookies in your browser you may find that anti-spyware software achieves the same objective by automatically deleting cookies considered to be invasive. Learn more about managing cookies with antispyware software.

The cookie information text on this site was derived from content provided by Attacat Internet Marketing http://www.attacat.co.uk/, a marketing agency based in Edinburgh. If you need similar information for your own website, you can use their free cookie audit tool.