ISO/IEC 27001:2013 Certificate
Information Security Policy Statement
This policy applies if you interact with us through our websites, applications, over the phone, face to face or through social media.
Information we may hold
- Your name, address, telephone number, email address, bank account and payment details and any information you give to us, including by phone, email, post, business cards or when you communicate with us via social media;
- Your contact information and contents of the emails and other electronic communications you receive from us, including whether that email has been opened and if you have clicked on any links. Information from other sources such as clients as well as information that is publicly available.
- Information about the services that we provide to you, for example the services we have provided to you (such as consultancy), when and where, what you paid, and so on;
- Your account login details for our services, including your user name and chosen password;
- Information about whether or not you want to receive marketing communications from us;
- Information about any device you have used to access our Services and also how you use our Services, e.g. we try to identify which of our apps you use and when and how you use them. If you use our websites or applications, we try to identify when and how you use those solutions too so that we can improve them.
Please note, however, that we do not have access to personal information which is uploaded to our secure app as this data is encrypted and only you will have access to it.
How do we use your personal information?
We use the personal information to which we have access in a number of ways, depending on how you interact with us. For example, we may use your information in the following ways:
- To provide you with products and services – we need to process your personal information in order to make our products and services available to you. This includes proposals, quotations, contracts, payment processing etc.
- To contact you either to conduct market research about products and services from us and other companies or about specific issues that you have raised.
- Security and safety – providing a safe and secure environment, monitoring online and application activity to minimise fraudulent behaviour.
- Validating your identity – where you are experiencing problems with an information-sensitive secure service and we need to validate that you are the legitimate user of the service and account holder.
- To verify details and check for fraud.
Our basis for holding your personal information
To process your personal information, we rely on something called a legal basis, of which there are six, but the ones we rely on are:
- Execution of a contract where we must process your personal information in order to be able to provide you with one of our products or services or duties as an employer;
- Legal obligation where we are required to process your personal information by law including legal claims where the processing of your personal information is necessary for the exercise or defence of legal claims;
- Consent where you have told us you are happy for us to process your personal information for a specific purpose, for example for direct marketing purposes;
- Legitimate business interest where the processing is necessary for us to conduct our business, with a view to helping yours, for example making you aware of business opportunities, products to improve your business operation, or seeking your thoughts on improving products or services that could ultimately help you or your customers. We will not place our legitimate interests ahead of your own.
Who we may share your personal information with
Our service partners – we work with partners, suppliers and associates who may help us provide the products and services you require. They may process your personal information on our behalf and are required to meet our privacy standards and security in order to do so. We only share that information needed to provide their services to us or their products and services to you. These third parties include:
- Payment providers so that your payments are processed;
- Third party technology suppliers who help us maintain and manage our IT infrastructure;
- Physical and digital delivery partners who may deliver products, services or communication to you;
- Professional advisors like accountants, consultants and lawyers;
- Support companies that assess faults and fix issues on our behalf;
- Marketing companies that help us promote our business;
- Social media providers – such as Twitter, Facebook and Instagram – where we may interact with you on social media;
- Our agents, or associates involved in running services for you;
- Potential buyers of our company where we may be discussing all or part of our business. We may share information about you solely so they can evaluate the business or, as a result of a sale, so they can continue to provide you a service;
- Organisations where we are compelled to by law, for example the Department for Work and Pensions.
How long will we keep your information for?
Our retention period will cease 7 years after the end of your relationship with us unless the law stipulates otherwise.
Securing your data
In order to protect your information, we routinely review our security policies and put in place processes such as technology controls for our information systems, including user verification, data encryption, and virus and firewall protection, and we enforce a need-to-know policy for access to any data and systems. We do not transfer your data outside the UK.
Your rights under law
Your rights include:
- The right to access a copy of personal information we hold about you (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check we are lawfully processing it;
- The right to be forgotten. This enables you to ask us to delete or remove Personal Data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove Personal Data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your information to comply with local law. Note, however, that we may not always be able to comply with your request for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- The right to correct inaccurate information about you. This enables you to have any incorrect or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.
- The right to data portability. We will provide to you, or a third party you have chosen, your Personal Data in a configured, commonly used, machine readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- The right to restrict our use of your information. This enables you to ask us to suspend the processing of your Personal Data where you want us to establish the data’s accuracy, where our use of the data is unlawful but you do not want us to erase it, where you need us to hold the data even if we no longer require it, as you need it to establish, exercise or defend legal claims, or where you have objected to our use of the data but we need to verify whether we have overriding legitimate grounds to use it.
- The right to object to our use of your information where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights or freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases we may demonstrate that we have compelling grounds to process your information which override your fundamental rights or freedoms.
- The right to withdraw consent where we rely on this as our legal basis.
Please use the Contact Us section if you wish to exercise any of these rights.
You have the right at any time to make a complaint to the Information Commissioner’s Office (“ICO”), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Last Updated 12 January 2021