Epsilon Abacus Services Privacy Policy


Last Modified: 17 January 2024

We encourage you to read the whole notice but if you wish to jump to a certain subject, please use the table below.

Privacy Commitment

Epsilon operates the Abacus Alliance which is a data cooperative used by UK charities and retailers (Members) to find consumers who may be interested in what they offer. This Privacy Policy (“Privacy Policy”) describes what Personal Data is collected by us and how it is used to provide our Services, including the Abacus Alliance. We believe our work is beneficial to charities, retailers, and individuals.

We care about your privacy, and we think it is important for you to understand how we Process Personal Data and what choices you have with regards to it. We have done our best to provide you with information that is as clear and easily accessible as possible, but if you have any questions, please do not hesitate to contact us.

Epsilon’s Role

This section sets out Epsilon’s role in relation to the different types of Personal Data that we Process in connection with our Services and provides further information about the connected Processing activities.

Personal Data provided by Members

Members provide us with their customers’ name and address details as well as purchasing histories for Processing in the Abacus Alliance’s cooperative environment. Epsilon Processes this type of Personal Data as a Processor on behalf of each Member, which is a Controller, sharing it with other Members on their behalf. Each Member decides what Personal Data to share with other Abacus Alliance Members and how it can be used. Each Member also determines the lawful basis for Processing. We Process this Personal Data to provide our Services to Members, which include creating mailing lists for Members to use for postal marketing.

Other Personal Data Processed by Epsilon

Separate to the Personal Data Provided by Members, Epsilon Processes the following Personal Data in connection with the Abacus Alliance and its other Services as a Controller:

  • Personal Data from the Ocean Database provided to it by CACI Limited (“CACI”); and
  • Personal Data collected in connection with other Epsilon services.

The Ocean Database contains name, address, unique CACI IDs attributed to each individual, and inferred attributes such as probability scores, for example as to whether an individual may have an interest in gardening or whether it has bought clothes online in the last 12 months. These probability scores are modelled/predicted scores (known as “inferred data”) created by inputting Personal Data and non-Personal Data (e.g., aggregated census data) into an algorithm and then running a computer model to produce probability scores for a wide range of attributes. One of the sources of name and address information in the Ocean Database is the edited Electoral Register. CACI also buys other sources of Personal Data to create the Ocean Database. More information about how CACI Processes Personal Data and how you can exercise your rights in relation to such Processing can be found here. CACI only shares Personal Data with us where it has a lawful basis to do so.

Epsilon also Processes additional attributes in connection with our Services that are created based on Personal Data collected in connection with other services provided by Epsilon. We combine these attributes to the Personal Data we receive from CACI (“Combined Data”). Please visit this Epsilon Privacy Policy for more information on how such Personal Data is collected and Processed by Epsilon to create such attributes and how to exercise your rights in relation to that Processing.

We use this Combined Data to:

  • Enhance our Services and help our Members gain insight into their customers, for example, by matching Member provided names and addresses with Combined Data (with inferred attributes) in order to assess whether an individual should be included on a mailing list for a specific postal marketing campaign. For this purpose, the Combined Data will only be linked to names and addresses that already exist in the Abacus Alliance (i.e., that have already been provided by at least one Member).
  • Partner with providers of connected TVs (e.g., on demand and over the top/OTT TV) to provide individuals with personalised direct marketing on behalf of Members and other clients on such providers’ platforms. This activity includes conducting profiling and modelling of Combined Data against personal data provided by the applicable Member or client to create a list of individuals who are likely to be interested in that Member's or client’s products and services. We then share the CACI IDs of such individuals with the connected TV provider so that they can match such list with their viewers and show personalised direct marketing to such individuals when they are using their platform.

The above Processing activities includes profiling and automated decision making, but it does not have legal or other similarly significant effects on individuals.

Epsilon has legitimate interests in Processing Combined Data for the above purposes. Epsilon’s legitimate interests include: (i) gaining the insight required to be able to provide Members with mailing lists that are likely to include individuals for whom the offer is relevant and achieve the result expected by the Member; (ii) providing the best Services possible to Abacus Alliance Members; (iii) ensuring Members can reach prospective customers with relevant and interesting direct marketing; and (iv) ensuring individuals receive relevant and interesting direct marketing.

Information Sharing

Epsilon shares Personal Data with:

  • Providers of connected TVs (e.g., on demand and over the top/OTT TV) to provide individuals with personalised direct marketing via connected TVs as set out above,
  • Members in connection with their participation with the Abacus Alliance,
  • Sagacity, in connection with providing our Services to clients in the charity sector,
  • Our affiliates, Processors, and sub-Processors as necessary to assist us in proving our Services;
  • A third party in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
  • As we believe necessary and appropriate: (a) under applicable law; (b) to comply with legal processes; (c) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

Retention Times

We retain Personal Data provided by Members for a period of 2 years. The Personal Data we receive from CACI is retained for 12 weeks, after which we receive an updated version which replaces the previous. The additional attributes that we attach to the Personal Data we receive from CACI may contain information from the last 12 months.

Your Rights

If you do not want your Personal Data to be Processed by Epsilon for the purpose of future postal mailings from Members, and no longer used for the purpose of direct marketing via connected TVs you can request to opt-out at any time. Please note that you may still receive postal marketing from Members for a few weeks after the date on which your request was actioned. This is because Members prepare their postal marketing campaigns weeks in advance and source contact lists from the Abacus Alliance early in the process.

You also have the right to contact us with a request to access, rectify, erase, or restrict the Personal Data we Process as a Controller. We ask you to be clear and specific with your request as this will enable us to assist you in a more effective manner.

If you wish to further limit the amount of unsolicited direct mail you receive, we recommend registering with the Mailing Preference Service (www.mpsonline.org.uk). This is a free service which will remove your name and address from lists used for postal marketing by the members of the Data & Marketing Association.

Security

We have implemented appropriate technical and organisational security measures to protect the Personal Data in our care, both during transmission and at rest. This includes physical and technical security measures to protect Personal Data from accidental or unlawful destruction, loss, or alteration, and from unauthorised disclosure or access.

International Transfers

In order to operate the Abacus Alliance and provide our Services, we may transfer Personal Data to countries outside the EU/EEA or the UK. More specifically Abacus Alliance servers are located in the United States, and our Processors and sub-Processors operate from the United States and India.

We have taken appropriate and suitable safeguards to ensure that Personal Data will remain protected when transferred outside the EU/EEA or the UK. This includes implementing Standard Contractual Clauses for transfers of Personal Data adopted by the European Commission and/or the UK as applicable.

Self-Regulation

We are an active member of the Data & Marketing Association (DMA) who sets standards for our industry. The DMA is representing over 1 000 members drawn from the UK's data and marketing landscape. We comply with the DMA Code which is a code of practice to which all DMA members and their business partners must adhere.

Contact Us

You can contact us if you have any questions or if you want to exercise any rights you have under Data Protection Laws by filling out this form or emailing us. You can also call us at 020 8943 8049.

Our Data Protection Officer is tasked with informing and advising us on the obligations that apply to us under Data Protection Laws as well as monitoring our compliance with the same. If you need to contact our Data Protection Officer, please email us here. However, we respectfully ask that you only contact our Data Protection Officer regarding urgent matters relating to data protection.

You also have the right to report a concern to your country’s Data Protection Authority. UK residents can report a concern to the Information Commissioner’s Office. However, we respectfully request that you contact us first so that we can assist you.

Changes to this Privacy Policy

We may occasionally make changes to this Privacy Policy. If we do, we will update the “Last Modified” date above.

Definitions

Abacus Alliance” means the cooperative environment operated by Epsilon in the United Kingdom used by participating charities and retailers (i.e., Members) to find and understand more about consumers who may be interested in what they offer.

Controller”, “Personal Data”, “Processor”, “Processing” and “Profiling” have the meaning given to them in Data Protection Laws.

Epsilon” means Epsilon International UK Ltd, registered in England and Wales with company number 03610044, whose registered address 1st Floor 2 Television Centre, 101 Wood Lane, London, United Kingdom, W12 7FR.

Data Protection Laws” means (i) the UK General Data Protection Regulation (UK GDPR) as tailored by the UK Data Protection Act 2018 (“GDPR”); (ii) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; and (iii) any and all applicable national data protection laws made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to time.

Members” means (i) charities; and (ii) retailers operating in the clothing, collectable, food & drink, gardening, gadgets & entertainment, personal care & comfort, beauty, household goods, home interiors, and travel categories that provide their customers’ or donors’ name and address details as well as transaction histories to the Abacus Alliance for processing in the co-operative environment.

Services” means the Abacus Alliance and other marketing related services (such as personalised direct marketing via connected TVs) that we provide to Members in more detail described here.