Last updated 24 May 2018
While ‘personal data’ is a defined term in EU law, we use it here to also cover ‘personally identifiable information’ as defined in US law, and other similar legal definitions. Essentially ‘personal data’ means any information relating to an identified or identifiable natural person, namely one who can be identified, directly or indirectly from that information alone or in conjunction with other information.
This Policy sets out what personal data we might collect, how we process and protect that data, the lawful grounds for that processing, and your related rights. In most cases, the lawful ground will be that the processing: (i) is necessary for our legitimate interests in carrying out our business, including to grow and improve our Services, provided those interests are not outweighed by your rights and interests (‘Legitimate Interests’), (ii) is necessary to perform a contract with you (‘Contract’), or (iii) is necessary to comply with our legal obligations (‘Legal Obligation’). Where processing is based on your consent (‘Consent’), we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent.
As data protection law and practice are constantly developing, we’ll need to update this policy from time to time, which we’ll do by posting a new policy on the Website that takes effect from the date stated. It is your responsibility to return to the Website from time to time and check for changes.
How Do We Obtain Personal Data?
We might collect or be provided personal data in the normal course of business, for example:
- you may provide us with your details when you become a client, such as your name, email and employer (‘Account Data’),
- when you visit the Website, we may collect information about your visit such as your IP address and the pages you visited and when you use our Services we may collect information on how you use those Services (‘Improvement Data’),
- you may provide us with your details when you ask about our Services (through the Website, by email or otherwise) and we may obtain legally-compliant lists of potential customers for our Services for our marketing purposes (‘Marketing Data’), and
- we may receive personal data from our clients when using our Services, such as names of team members or data entered into the Services (‘Service Data’).
We are the ‘controller’ of Account, Improvement and Marketing Data and we are the ‘processor’ of Service Data – the customer remains the ‘controller’ of Service Data. We do not collect or retain any debit or credit card data ourselves. Any such data is collected and processed by our payment processors to process the relevant payments and we and those processors will at all times comply with the applicable industry codes and laws regarding security and retention of such data, for example the Payment Card Industry Data Security Standard. When you provide us with personal data about yourself or another person, you are confirming to us that you are authorised to provide us with that information and that any personal data you give us is accurate and up-to-date. Provision of personal data to us is never a requirement, however if you do not provide us with the personal data necessary for us to carry out an action at your request or under a contract with or relating to you, for example to respond to your query or provide Services to you, we may not be able to respond to your query or provide Services to you.
Sensitive Personal Data
How do we use personal data?
We use personal data in the ‘normal course’ of our business, including to provide and improve our Services and to meet any binding contractual or legal obligations. For example:
- to respond to enquiries, to provide the Websites and Services, to provide advice and support, and to invoice accordingly. Lawful basis: Legitimate Interests or Contract.
- to analyse and improve the Website and Services, for example for technical or security purposes and to improve the customer experience. Lawful basis: Legitimate Interests, however where for example applicable law requires your consent to use certain cookies, we will ask for your Consent having provided you with relevant information.
- to market and sell our Services, including to communicate with you about same or similar services that we offer – if we do so, we will provide you with an easy and free way to opt-out of receiving such communications in the future. Lawful basis: Legitimate Interests (or Consent as above).
- in certain circumstances, to share it with a limited number of third parties as described in this policy, for example for operational requirements and business continuity purposes. Lawful basis: most processing will be based on Legitimate Interests, some processing is based on Contract and, where necessary (as above) some processing may be based on your prior Consent.
Sharing Data & International Transfers
We will not give, sell or rent your personal data to third parties so they can market their services to you. Nor do we accept advertising from third parties on the Website. We may share personal data in the following limited circumstances.
- For provision of the Services, and for our own disaster recovery and business continuity purposes, we may store or transmit personal data to or through third party providers such as our cloud service provider, Six Degrees, with whom we have entered into the EC standard contractual clauses for transfers. Lawful basis: Legitimate Interests or Contract.
- We share the minimal personal data required with our suppliers, such as payment details with finance partners, and otherwise with our contractors and advisors to help us operate, secure and analyse our business. Lawful basis: Legitimate Interests or Contract.
- We may be obliged to disclose your personal data to comply with a law, order or request of a court, government authority, other competent legal or regulatory authority or any applicable code of practice or guideline. Lawful basis: Legal Obligation.
In each case, we have written contracts in place incorporating relevant wording to safeguard that personal data and comply with applicable laws, and we will only share such data as is necessary for the purpose in question. Where possible, we keep personal data within the European Economic Area (‘EEA’). However in order to carry out the above purposes, we may use third parties and their facilities outside the EEA. In all such cases we will ensure that appropriate security measures are in place to protect your personal data and a valid legal basis for the transfer applies.
As a default position, we will only retain personal data for any statutory retention period, then a reasonable period (if any) for the above purposes. This is subject, for example, to any valid opt-out or withdrawal of consent where processing is based on consent, or other valid exercise of your data subject rights.
The security of data is very important to our business. In accordance with our legal obligations, we take appropriate technical and organisational measures to protect your personal data and keep those measures under review. However, we can only be responsible for systems that we control and we would note that the internet itself is not inherently a secure environment.
Third Party Services
You have the right to know if we process any personal data about you and, if we are, with certain limitations, to a copy of that personal data. You also have the right to ask us to remove or correct any of that personal data that is inaccurate, to object to certain processing and to withdraw any consent you may have given us for any processing of your personal data. As from 25 May 2018, you will also have the right to ask us to restrict processing certain of your personal data, to erase your personal data, and to ‘port’ certain of your personal data to you or another provider, provided in each case that we have such data and certain conditions are met.
You have the right, at any time, to object to the processing of your personal data for direct marketing.
‘Do Not Track’
The Website and Services do not use technologies that respond to ‘Do-Not-Track’ signals communicated by your internet browser.
If you’ve any question you can always contact us at the address above or by email to email@example.com. You have the right, at all times, to notify a complaint to any regulator such as the UK Information Commissioner, although we would welcome the opportunity to discuss and resolve any complaint with you first.
Last updated 24 May 2018
What are cookies?
The UK Information Commissioner (‘UK ICO’) defines a cookie as ‘small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.’ You can find out all about cookies, how to manage them and delete them, and how to manage your browser settings, at the UK ICO and www.aboutcookies.org. You can also opt out of being tracked by Google Analytics across all websites. As above, please note that if you manage your browser and third party settings to block cookies, some or all of the Website and Services may not have full functionality and your user experience may be impacted.
There are 4 main types of cookie, as defined by the ICC:
Strictly necessary cookies – which enable services you have asked for, such as cookies used related to user input, authentication, multi-media content players, shopping baskets or e-billing. These are typically ‘session cookies’ and are deleted at the end of or shortly after the end of the session. Consent is not required for these cookies.
Performance cookies – which collect anonymous information about how visitors use a website, such as the pages visitors go to most often. They don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous and is only used to improve how a website works. However, consent is required for these cookies.
Functionality cookies – which ‘remember choices you make to improve your experience’, such as your user name, and may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.’ These require consent.
Advertising cookies – which ‘are used to deliver adverts more relevant to you and your interests’. These also need consent. However, we don’t run ads, so we don’t use these.
Cookies we use in our websites
Google Analytics, a performance cookie, helps website owners measure how users interact with website content. No personal data is sent to Google.
When you use certain features enabled by third parties, cookies may be set. For example, YouTube may set the VISITOR_INFO1_LIVE cookie to manage bandwidth for video playback.
Cookies we use in our services
When you sign up for our services, we use the following cookies to deliver, maintain and improve the services. If you do not agree, please do not use the services. The cookies used are:
1. a strictly necessary cookie to keep you logged in during your session and remember your credentials for your next visit.
2. Google Analytics, a performance cookie, which requires your consent, given when you agree to use the services. This cookie helps online app owners measure how users interact with content.
If you’ve any question you can always contact us at the address above or by email to firstname.lastname@example.org