Privacy Policy
We take data protection very seriously at OS. Here's how we handle your information.
Last updated: January 2024
This page is our Privacy Policy
A Privacy Policy tells you how we use your personal data, so you know what happens with it when you or other people give it to us. Personal data is any data that can identify you, either on its own or used with other data.
This Privacy Policy will help you understand your privacy rights, how and why we need to process your personal data, and how you can get in touch with us if you need to.
Processing personal data involves any activity to do with that data, for example collection, storage, editing and deletion.
This Privacy Policy also applies to children’s personal data that we may collect and use to assist with a service provided by us. For the purposes of this Privacy Policy we view a “child” to be any user who is 18 or under.
We have presented this information in different sections so you can access the information you need more easily.
Who we are
This Privacy Policy applies to Ordnance Survey Limited, and its group of companies which comprise Ordnance Survey Leisure Limited and Ordnance Survey International Services Limited located in the United Kingdom. For the purposes of this Privacy Policy, Ordnance Survey and its Group of Companies will be referred to as we, us, our.
More information on Ordnance Survey and who we are can be found here.
Personal data? What is that?
Anything that can identify you is your personal data. This could be things like your name, age, or a photo of you, but it is also things like your email address, where you live, or your online gamertag.
There are some types of data we must be particularly careful with, known as special category data. This could be an illness you have, or your religious beliefs.
Sometimes we have to share personal data with the police to assist with their investigations.
Privacy and data protection laws
We are committed to complying with privacy and data protection laws in all countries in which we operate, to the extent that such laws are applicable to us.
We operate different websites, Apps (web and mobile) and an online retail shop (together referred to as the OS Sites and/or Services).
If you are accessing our OS Sites and/or Services from a location outside of the UK or the European Economic Area (the "EEA"), please refer to the section "Additional information for international users (outside of the UK or EEA)" at the end of this Privacy Policy for important additional information.
Legal Basis and purpose for processing your personal data (UK and EEA residents only)
Just because we have your personal data, it does not mean we can do what we want with it; we must follow some rules.
To process your data in the UK or EEA we must have a lawful basis to do so. Our legal basis for collecting and using your information (described below) will depend on the personal information concerned and the specific context in which we collect it.
We do a lot of different work, so there are times when there are more rules that say we have to use your personal data to do our work, and we can do this without asking you first. We will process your personal data where:
- You have given consent to the processing of your personal data for one or more specific purposes.
- It is necessary for performing a contract to which you are a party or to take steps at your request prior to entering a contract.
- It is necessary for compliance with a legal obligation to which we are subject.
- It is necessary to protect your vital interests.
- It is necessary for performing a task carried out in the public interest or exercising an official authority vested in us.
- It is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
If you are accessing our Sites and Services from a location outside of the UK or EEA, we will also comply with any applicable authorisations and requirements for processing your personal data under your local privacy and data protection laws (to the extent that they apply to us).
We process the following types of data:
- Personal Data – Information that can be used to identify an individual, either directly on its own or in combination with other information such as a name, an identification number, location data, an online identifier.
- Special Category Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Criminal conviction related data (about allegations, offences or sentencing) is also treated in a similar way.
- Pseudonymised – Personal data that has been processed in such a way that it can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from personal data.
How we collect your personal data
We are committed to protecting your personal information and respecting your privacy. We may collect and process personal data about you in different ways, depending on the nature of our relationship with you.
Some of the ways that we commonly collect and process personal data include:
- When you provide your personal data directly to us when accessing our OS Sites and/or Services.
- When we analyse existing personal data we already hold about you to better understand your use of our products and services, or other matters relevant to our relationship with you.
- Viewing or subscribing to our websites and social media functions.
- Corresponding with us using services such as web contact forms, webchat facility, telephone, email, or written letter.
- Signing up to marketing material or newsletters.
- Entering competitions or participating in discussion boards.
- Applying for a job vacancy, including personal data collected from third parties as part of reference checks.
- Applying for and under contract of Ordnance Survey Champions programme.
- Purchasing, licensing, or accessing products, including mobile applications (Apps).
- Some of our Sites and Services may include additional terms and conditions under an applicable end-user license agreement or terms of use (EULA, DEL or Terms of Use).
Location-based features of our OS Sites and/or Services use GPS or other similar functionality, which you may be asked to enable on your device before you can use these features (please see the section "Your Location Information" below).
We also use web and mobile analytics technologies for our OS Sites and/or Services, which automatically collect certain types of Device information and Log Information about your usage (please see the section "Your Device Information" below).
Cookies
We use cookies to distinguish you from other users of our Sites and Services. This helps us to provide you with a good experience when you use our Sites and Services and allows us to improve them. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For detailed information on the cookies we use and the purposes for which we use them, see our cookie policy.
How we use your personal data
The main reason we need to use your personal data is to know who you are.
If you have an OS Maps account, it ensures we give you the help you need from us.
We could also use it because of an event you have taken part in, or competition we organised, to ensure if you win you get your prize.
If we do not have your personal data, it could mean you miss out on the things we can do for you.
We may also use your data in the following ways:
- Provide you with personalised access to our mapping data.
- Provide you access to personalised areas of the website, online shop, mobile apps, Geovation Hub.
- Fulfil online payments or orders for any products you purchase through our online services.
- Provide you with information about other goods and services we offer similar to those you have already purchased or enquired about.
- Provide you, or permit selected third parties to provide you, with newsletters, promotions and other information about goods or services we feel may interest you where you have consented to such communications.
- Carry out our obligations from any contracts you have entered with us.
- Customer satisfaction surveys and market research.
- Process job vacancy applications and CVs.
- Process recruitment and maintain Ordnance Survey Champions programme.
- Respond to your enquiries and complaints.
- Notify you about changes to our products and services.
Our Legitimate Interests
There are times when we will rely on legitimate interests to process personal data, particularly when it is not practical to obtain consent. We will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure we use your personal information in ways that are not unduly intrusive or unfair. Examples are:
- Reporting criminal acts and compliance with law enforcement agencies.
- Internal and external audit for financial or regulatory compliance purposes.
- Statutory reporting.
- Operate our platforms and communicate with you as necessary when providing our services to you for our legitimate interest.
- Use analytics data collected when you consent to the use of cookies and other tracking technologies.
- Maintenance of “do not contact” lists (suppression lists).
- Customer satisfaction surveys and market research.
- Physical and Network security.
- Work Experience placements.
- Financial Management and Control.
- General Administration.
Categories of personal data you give to us
The personal data you give us includes:
- Name
- Address
- Telephone number
- Email address
- Date of birth and age
- Username and passwords to access our Sites and Services
- Financial and credit card information
- Personal profile description and photograph
- Reviews and ratings in our Apps
- Routes and activity information in our Apps and OS sites
- Equality and diversity information
- Location Information (see the "Your Location information" section below)
- Social media handle(s) and/or websites (if applicable)
Your Location information
- We may use GPS technology or other technology to determine your current location to provide certain functionality to you as part of our OS Sites and/or Services. Some of our location-enabled Services require your location data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose.
- To record routes using the OS Maps app, background access to your location is required. This is so your route can be recorded even if you do not have the app open for the duration of the route. Your recorded routes are stored securely and will be visible to other users only if you choose to make them ‘Public’ when you save them. If they are set to ‘Private’, you are the only person who can see your recorded routes. (In order to share a route, it must first be made ‘Public’).
- You can withdraw your consent to determine your current location at any time through your device settings.
Your Device information
Each time you visit or use our OS Sites and/or Services, we may automatically collect the following information:
- Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, and/or time zone setting.
- Details of your use of any of our Apps or your visits to any of our Sites and Services including, but not limited to, Internet protocol (IP) address used by your Device, traffic data, location data, (see the "Your location information" section above), weblogs and other communication data, whether this is required for our own billing purposes and/or the resources that you access (Log Information).
- URL click stream information showing how users have reached our Site and Services and whether they access other third-party sites via any external links.
We use the Device information in the following ways:
- To administer our OS Sites and/or Services for troubleshooting, data analysis, testing, research, statistical and survey purposes.
- To improve our OS Sites and/or Services to ensure content is presented in the most effective manner for you and your Device.
- To allow you to participate in interactive features of our Site, Services and Apps, when you choose to do so.
- As part of our efforts to keep our OS Sites and/or Services safe and secure.
- To determine which features your Device supports which assists our development strategy.
We use the Log Information in the following ways:
- Track the success of our products and services and our marketing activity.
- Monitor data traffic and any patterns of use.
- Ensure the content of our OS Sites and/or Services is fit for the purpose for which they are set up and to develop the experience of our users.
- Monitor compliance with and enforce our Terms of Use or our data licensing terms.
- To ask you to review our products and services.
Information we pass to Third Parties and other Data Sharing
Sometimes to do our work we have to share your personal data, or other people might share it with us. We are very careful about how we do this, meaning there are even more rules.
To facilitate your use of our OS Sites and/or Services, we may have to share your personal data with third parties to provide elements of our Site, Services and Apps to you. We will provide your personal data to third parties when they need the data to perform particular functions in delivering our OS Sites and/or Services to you or as part of our regulatory compliance. These include:
- Service providers acting as data processors, located in the UK and EEA who provide data hosting facilities, IT and system administration services.
- Service providers located in the UK and EEA acting as data processors who administer our customer email service, webchat service, and API Services.
- Service providers who are manufacturers of OS Branded products where a device requires interaction with third parties for registration of devices, third-party software and downloading of mapping tiles.
- Service providers located in the UK and EEA acting as data processors who provide Payment Card Industry (PCI) processing services.
- Service providers acting as a data controller located in the EEA who act as a reseller of OS Maps and who facilitate payment of subscriptions in international local currencies.
- Service providers such as Google and Amplitude for the use of Analytics and Crashlytics. We use Google Analytics for Firebase, as well as Amplitude analytics to understand how users interact with all our mobile apps. This means that we collect first-party identifiers, such as Device ID, Android Advertising ID and Advertising Identifier for iOS, assign each user a Globally Unique Identifier (GUID) and collect data on app feature usage. We use this information to improve the experience and stability of the apps and monitor the effectiveness of our marketing. You can disable the collection of first-party identifiers for each instance of our apps that you have downloaded at any time in the settings pages of the app.
  For more information on how Google may use the data we share with them, please see Google’s privacy policy.
- Service providers such as Meta and Google will use Pseudonymised data to create marketing lists. These lists can then be used to target users more closely and improve relevancy of advertising. Users will be profiled into “Lookalike audiences” (Lookalike audiences are customers who have the same interest such as hiking or dog walking and may be interested in the same promotional content) which can be used to improve the marketing audience. For more information on how Meta may use the data we share with them, please see Meta’s privacy policy.
- Service providers such as Adjust for functionality to monitor app downloads and app usage analytics primarily to track the source of app downloads and attribute them to a marketing channel. We collect first party identifiers such as Device ID and Android Advertising ID.
- Service providers such as Mapbox, using their Telemetry Software development kits to enable the collection of anonymous data and device location to continuously update and improve maps. For more information see Telemetry | Mapbox.
- Service providers acting as a data processor for facilitating our recruitment processes.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
- We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.
- We may contact you via email to invite you to rate and review any services and/or products you received from us in order to collect your feedback and improve our services and products (the “Purpose”). We use an external company, Trustpilot A/S (“Trustpilot”), to collect your feedback which means that we will share your name, email address and reference number with Trustpilot for the Purpose. If you want to read more about how Trustpilot process your data, you can find their Privacy Policy here. We may also use such reviews in other promotional material and media for our advertising and promotional purposes.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.
- If we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or request.
- To:
  - enforce or apply the terms of a relevant EULA, our Terms of Use (os.uk/legal), terms and conditions of supply (OS Shop Terms of Sale and Supply (ordnancesurvey.co.uk)) and other agreements or to investigate potential breaches; or
  - protect the rights, property or safety of our group companies, our suppliers and/or our customers.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service provider processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Seeing adverts for Ordnance Survey online
We use online marketing to keep you up to date with our products and offers.
You may see Ordnance Survey banners and ads while you are using other websites and apps, such as Google and social media platforms like Facebook and Instagram. We manage this through digital marketing networks and ad exchanges. We also use a range of advertising technologies.
The banners and adverts you see are based on information we hold about you, or your previous use of OS (for example, your OS search history, the content you read on our OS sites and any interactions with newsletter emails sent to you) or on OS banners and ads you may have previously clicked on.
We obtain your consent for any data we use for marketing purposes. You can unsubscribe from marketing by clicking the "Unsubscribe" link in any promotional or marketing email or text received, by emailing customerservicesosl@os.uk or here.
For more information on our use of advertising technologies and cookies please see Cookies above.
Data transfers to third countries
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).
Specifically, our Website servers are located in the UK, EEA and Australia, and our third-party service providers and partners operate in UK, EEA, USA and Australia. This means when we collect your personal information, we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information remains protected in accordance with this Privacy Policy. We have implemented appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.
Data security and how we store personal data
We store personal data as secure physical records, electronically on our internal IT systems, in cloud storage, and in some cases, as records on third party servers, which may be located in various countries (please see the "Data transfers to third countries" section above for more details).
Once it is within our control, we will do our utmost to ensure your personal data is processed in a way that ensures appropriate security from unauthorised or unlawful processing, accidental loss, destruction, or damage.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Retaining your personal information
We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may also retain your personal data for a reasonable period afterwards to allow us to respond to any follow up enquiries or complaints, or for as long as you remain a registered user of our products and services.
To determine appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes; we may use or store this information indefinitely without further notice to you.
In some circumstances you can ask us to delete your data: see Right to Erasure below for further information.
Data protection rights for UK and EEA Data Subjects.
If you are a resident of the UK or EEA, you have the following data protection rights:
Withdraw Consent - Where we are using your personal information based on your consent, you have the right to withdraw that consent at any time.
Right to be Informed – You have the right to be told how your personal information will be used. This Privacy Policy document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.
Right of Access – You can write to us asking what information we hold on you and to request a copy of that information. This is called a Subject Access Request. From 25th May 2018 we will have 30 days to respond to you once we are satisfied you have rights to see the requested records and we have successfully confirmed your identity. Details on how to submit a Subject Access Request if you are in the UK or EEA can be found on our data protection page.
Right of Erasure – You have the right to be forgotten (i.e. to have your personally identifiable data deleted). However, we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you. In some cases, we may recommend we suppress you from future communications, rather than data deletion, particularly if you have purchased an item from our e-commerce shop which comes with a warranty. Our Customer Services Team will be happy to advise you.
Right of Rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data provided to us.
Right to Restrict Processing – In certain situations you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.
Right to Data Portability – Where we are processing your personal data under your consent, the law allows you to request data portability from us to another service provider. This right is largely seen as a way for people to transfer their personal data from one service provider to another. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Right to Object - You have an absolute right to stop the processing of your personal data for direct marketing purposes. Simply contact our Customer Service Team and they will amend your contact preferences or alternatively if you have an OS Maps or shop account you can update your details in your Preference Centre.
Right to object to automated decisions – In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to mortgage or finance situations. We do not undertake complex computerised decision making that produces legal effects.
Using our Chatbot and Live chat
We keep a record of all conversations with our ChatBot and Live chat; this helps us to keep improving our customers’ experience. We will only ask for information relevant to your query. This may include:
- Name
- Email address
- Telephone number
- Address
- Any reference numbers we have provided.
It is important you do not provide any sensitive information that is not directly relevant to your queries such as bank details or medical information. All data is passed to third parties who support this service.
Duke of Edinburgh Scheme Participant OS Maps Users
We are committed to protecting the privacy of children who use the OS Maps service for the Duke of Edinburgh Award Scheme.
We do not knowingly collect or maintain personal data from children without verifiable parental consent, which in this instance, is obtained by The Duke of Edinburgh’s Award charity when a parent/guardian gives consent for a child to sign up to the DofE programme and are informed of third-party services used to facilitate participation.
We will use the information collected below to enable access to the OS Maps Web App Service and to send any service related/down time emails.
Categories of personal data collected are:
- Name
- Email address
- Username and passwords
Additional information for international users (outside of the UK or EEA)
Information for all Australian users
If you are accessing OS Sites and/or Services from Australia, you may have rights under Australian privacy laws including the Privacy Act 1988 (Cth) (the Australian Privacy Act).
Nothing in this Privacy Policy purports to exclude, modify, or restrict your rights under Australian laws (including the Australian Privacy Act).
The Australian Privacy Act gives individuals various rights, including the right to:
- request access to, or correction of, their personal information; and
- the right to make a complaint about how their personal information has been handled.
If you would like to make an access or correction request, or lodge a privacy complaint, please contact our Data Protection Officer using the details in the "Contacting Us" section above.
We will handle all such requests, complaints, and queries in accordance with any applicable requirements under Australian privacy laws. Where applicable, we may rely on exemptions under those laws (including, but not limited to, exemptions relating to related bodies, corporate and employee records).
Information for all New Zealand users
If you are accessing our OS Sites and/or Services from New Zealand, you may have rights under New Zealand’s data and privacy laws including the Privacy Act 2020 (the New Zealand Privacy Act) and the Unsolicited Electronic Messages Act 2007.
Nothing in this Privacy Policy purports to exclude, modify or restrict your rights under New Zealand’s laws.
By using our OS Sites and/or Services or otherwise providing your personal information to us, you consent to our collection, storage, use and disclosure of your personal information in accordance with this Privacy Policy. Our legal basis for collecting and using your information [described below] will depend on the personal information concerned and the specific context in which we collect it. We will process your personal data where:
- You have given consent to the processing of your personal data for one or more specific purposes;
- it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; or
- it is necessary for compliance with a legal obligation to which we are subject.
You can always choose not to provide your personal information to us, but it may mean that we are unable to provide you with access to the OS Sites and/or Services. If you choose not to consent to analytics data collection, you can still use OS sites and/or Services without any impact on the performance or functionality.
Your privacy rights
The New Zealand Privacy Act gives individuals various rights, including the right to:
- request access to, or correction of, their personal information; and
- the right to make a complaint about how their personal information has been handled.
If you have any concerns about privacy or the use or collection of your personal information by us please contact our privacy officer at DPO@os.uk and include the words 'ATT: THE PRIVACY OFFICER'. We will respond as quickly as possible (our target response is 20 working days).
Marketing communications
We are committed to full compliance with the Unsolicited Electronic Messages Act 2007.
By subscribing to emails and/or text communications, or otherwise providing your email address and/or mobile number, you consent to receiving emails and/or texts (as the case may be) which promote and market our products and services, or the products and services of others, from time to time.
You can unsubscribe from our email communications and/or text communications at any time by clicking the "Unsubscribe" link in any promotional or marketing email or text received or by emailing customerservicesosl@os.uk.
Once you have unsubscribed from the email or text communications, you will be removed from the corresponding marketing list as soon as is reasonably practicable.
Changes to the Privacy Policy
Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you. The new terms may be displayed on-screen and you may be required to confirm they have been read and understood to continue your use of any Services or Apps.
It is your responsibility to check this Privacy Policy periodically for changes, and to keep your email address with us current.
Your continued use of our OS Sites and/or Services following notification of any changes to this Privacy Policy constitutes acceptance of those changes. If you do not agree with any aspect of the updated Privacy Policy, you must immediately cease all use of our OS Sites and/or Services.
Information for Californian users
These California subsections apply only to “personal information” about California residents, as that term is defined in the California Consumer Privacy Act (“CCPA”), and they supplement the information in the rest of our Privacy Policy. Data about individuals who are not residents of California may not be handled exactly the same way and is not subject to the same California rights described below.
Collection and Disclosure of California Personal Information During Past 12 Months
The chart below provides more detail on our disclosures of California personal information during the 12 months leading up to the effective date of this Privacy Policy:
| Category of personal information collected | Categories of third parties to which it was disclosed for a business purpose |
| --- | --- |
| Name | Affiliates; vendors who provide data hosting facilities and IT and system administration services; vendors who administer email service, webchat service and API Services; marketing vendors; vendors who supply reseller services; governmental authorities. |
| Addresses, phone number, and email addresses and similar contact details | Same as first row of this chart |
| Month of birth | Affiliates; vendors who provide data hosting facilities and IT and system administration services. |
| Personal profile description and photograph | Affiliates; vendors who provide data hosting facilities and IT and system administration services. |
| Reviews and ratings in our Apps | Affiliates; vendors who provide data hosting facilities and IT and system administration services; vendors who administer email service, webchat service and API Services; marketing vendors. |
| Routes and activity information in our Apps | Affiliates; vendors who provide data hosting facilities and IT and system administration services; vendors who administer email service, webchat service and API Services; marketing vendors; mapping partners. |
| Geolocation | Affiliates; vendors who provide data hosting facilities and IT and system administration services; vendors who administer API Services; mapping partners. |
| Device information | Affiliates; vendors who provide data hosting facilities and IT and system administration services; vendors who administer email service, webchat service and API Services; marketing vendors; mapping partners. |
| Inferences based on any of the above | Same third parties as indicated above for the relevant data. |
CCPA “Sale” of California Personal Information
The CCPA requires businesses that “sell” personal information, as the term “sell” is defined under the CCPA, to provide an opt-out from such sales. Ordnance Survey does not “sell” personal information as that term is commonly understood or within the CCPA definition of the term.
California Privacy Rights
If you are a California resident, California law may permit you to request that we:
- Inform you of the categories of personal information we have collected about you in the last twelve months; the categories of sources of such information; the categories of personal information that we disclosed about you for a business purpose; the business or commercial purpose for collecting your personal information; and the categories of third parties to whom we have disclosed personal information for a business purpose.
- Provide access to and/or a copy of certain information we hold about you.
- Delete certain information we have about you.
You also may have the right to receive information about certain “financial incentives” that we may offer to you (if any).
Certain information is exempt from such requests under applicable law. For example, the CCPA has significant exceptions for certain B2B data.
To request to exercise your CCPA rights, please submit your request via Contact our Customer Services team or by emailing DPO@os.uk
For security and legal reasons, we may not accept requests that require us to access third-party websites or services. We do not respond to browser-based do-not-track signals or similar mechanisms. We can take steps to verify your identity before responding to your request, which may include requesting that you respond to an email that we send to you, requiring you to log in to an account (if you have one) or otherwise verifying your name, email address or other information that will help us to confirm your identity.
If you are an agent making a request on behalf of a consumer, you must verify that you are authorized to make that request, which may include requiring you to provide us with written proof that satisfies CCPA requirements, such as an appropriate letter signed by the consumer or a power of attorney. We also may require the consumer to verify their identity directly with us.
Non-discrimination
You have the right not to receive “discriminatory treatment” (within the meaning of the CCPA) for the exercise of the privacy rights conferred by the CCPA.
Information for Nevada users
Under Nevada law, certain Nevada consumers may opt out of the “sale” of “personally identifiable information” for monetary consideration to a “data broker” (as such terms are used in Nevada privacy law) or other person. We do not engage in such activity as of the effective date of this Privacy Policy. However, Nevada users may submit a request to opt out of any potential future “sales” under Nevada law by sending a request to Contact our Customer Services team or by emailing DPO@os.uk
We may take steps to verify your identity and the authenticity of the request. Once verified, we will maintain your request in the event our practices change.
Vulnerability disclosure policy
This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us (the "Organisation"). We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.
We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.
Reporting
If you believe you have found a security vulnerability, please submit your report to us.
In your report please include details of:
* The website, IP or page where the vulnerability can be observed.
* A brief description of the type of vulnerability, for example, “XSS vulnerability”.
* Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
What to expect
After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.
Guidance
You must NOT:
* Break any applicable law or regulations.
* Access unnecessary, excessive or significant amounts of data.
* Modify data in the Organisation's systems or services.
* Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
* Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
* Disrupt the Organisation's services or systems.
* Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
* Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support.
* Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
* Social engineer, ‘phish’ or physically attack the Organisation's staff or infrastructure.
* Demand financial compensation in order to disclose any vulnerabilities.
You must:
* Always comply with data protection rules and not violate the privacy of the Organisation’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
* Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Organisation or partner organisations to be in breach of any legal obligations.
However, if legal action is initiated by a third party against you and you have complied with this policy, we can take steps to make it known that your actions were conducted in compliance with this policy.
Changes to this Privacy Policy
Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you. The new terms may be displayed on-screen, and you may be required to read and accept them to continue your use of any Services or Apps.
Contacting us
If you have any queries about this Privacy Policy, please contact us:
Data Protection Officer:
- Email: dpo@os.uk
- Post: Ordnance Survey, Explorer House, Adanac Drive, Southampton, SO16 0AS.
Ordnance Survey and/or Ordnance Survey International Services Ltd:
- Contact our Customer Services team
- Post: Customer Services, Ordnance Survey, Explorer House, Adanac Drive, Southampton, SO16 0AS.
Ordnance Survey Leisure Limited:
- Contact our Customer Services team
- Post: Ordnance Survey Leisure, Customer Services, Explorer House, Adanac Drive, Southampton, SO16 0AS.
Complaints
If, for any reason, you have a complaint, please contact the Data Protection Officer to discuss your concerns.
Following this, if you are still dissatisfied, you are able to contact your local data protection authority at the contact details below:
UK Information Commissioner: Contact telephone number: 0303 123 1113. Website: ICO website https://ico.org.uk/
European Data Protection Authorities: contact details for the authorities in the European Economic Area are available here
Office of the Australian Information Commissioner: GPO Box 5218, Sydney NSW 2001, Telephone: 1300 363 992, Email: enquiries@oaic.gov.au
Office of the New Zealand Privacy Commissioner: Contact telephone number: 0800 803 909 (Monday to Friday, 10am to 3pm). Email: enquiries@privacy.org.nz. Website: www.privacy.org.nz/