Privacy Policy
1. POLICY
eCERTO is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR) and all other data protection legal requirements currently in force as follows:
We take the privacy, including the security, of personal information we hold about you seriously. This privacy notice is designed to inform you about how we collect personal information about you and how we use that personal information. You should read this privacy notice carefully so that you know and can understand why and how we use the personal information we collect and hold about you.
We may issue you with other privacy notices from time to time, including when we collect personal information from you. This privacy notice is intended to supplement these and does not override them. We may update this privacy notice from time to time. This version was last updated on 13th of May 2024.
1.1. eCERTO customer privacy notice
This privacy notice tells you what to expect us to do with your personal information.
1.1.1. Key Definitions
The key terms that we use throughout this privacy notice are defined below, for ease:
-
Data Controller: under UK data protection law, this is the organisation or person responsible for deciding how personal information is collected and stored and how it is used.
-
Personal Information: in this privacy notice we refer to your personal data as ‘personal information’. ‘Personal information’ means any information from which a living individual can be identified. It does not apply to information which has been anonymised.
1.1.2. Details of personal information which we collect and hold about you
Set out below are the general categories and details of those categories and in each case the types of personal information which we collect, use, and hold about you. We do not keep your personal data for longer than is necessary to fulfil the purpose for which it was collected. Generally, we will not keep your personal details for longer than 6 years as this is the statutory retention period for HMRC records.
The types of personal data we collect about you may differ from person to person, depending on who you are and the relationship between us.
We do not collect or hold any special information about you. We do not collect information from you relating to criminal convictions or offences.
1.1.3. Details of how and why we use personal information
We are only able to use your personal information for certain legal reasons set out in data protection law. There are legal reasons under data protection law other than those listed below, but in most cases, we will use your personal information for the following legal reasons:
-
Contract Reason: this is to perform our obligations to you under a contract we have entered with you.
-
Legitimate Interests Reason: this is where the use of your personal information is necessary for our (or a third party’s) legitimate interests, so long as that legitimate interest does not override your fundamental rights, freedoms, or interests.
-
Legal Obligation Reason: this is where we must use your personal information to perform a legal obligation by which we are bound; and
-
Consent Reason: this is where you have given us your consent to use your personal information for a specific reason or specific reasons.
So that we can provide you with products and services, we will need your personal information. If you do not provide us with the required personal information, we may be prevented from supplying products and services to you.
It is important that you keep your personal information up to date. If any of your personal information changes, please contact us as soon as possible to let us know. If you do not do this then we may be prevented from supplying products and services to you.
Where we rely on consent for a specific purpose as the legal reason for processing your personal information, you have the right under data protection law to withdraw your consent at any time. If you do wish to withdraw your consent, please contact us using the details set out in this notice. If we receive a request from you withdrawing your consent to a specific purpose, we will stop processing your personal information for that purpose, unless we have another legal reason for processing your personal information, in which case, we will confirm that reason to you.
We have explained below the different purposes for which we use your personal information and, in each case, the legal reason(s) allowing us to use your personal information. Please also note the following:
-
If we use the Legitimate Interests Reason as the legal reason for which we can use your personal information, we have also explained what that legitimate interest is; and
-
For some of the purposes we may have listed more than one legal reason on which we can use your personal information, because the legal reason may be different in different circumstances. If you need confirmation of the specific legal reason that we are relying on to use your personal data for that purpose, please contact us using the contact details set out at the start of this privacy notice.
Sometimes we may anonymise personal information so that you can no longer be identified from it and use this for our own purposes. In addition, sometimes we may use some of your personal information together with other people’s personal information to give us statistical information for our own purposes. Because this is grouped together wither other personal information and you are not identifiable from that combined data, we are able to use this.
Under data protection laws we can only use your personal information for the purposes we have told you about, unless we consider that the new purpose is compatible with the purpose(s) which we told you about. If we want to use your personal information for a different purpose which we do not think is compatible with the purpose(s) which we told you about then we will contact you to explain this, and what legal reason is in place to allow us to do this.
1.1.4. Details of how we collect personal information and special information
We usually collect Identity Information, Contact Information, directly from you when you purchase products and services from us and contact us by e-mail, telephone, in writing or otherwise.
We may receive some of your personal information from third parties or publicly available sources.
Identity Information and Contact Information from publicly available sources such as Companies House, Website, Device and Technical Information from third parties such as analytics providers.
We may also receive Website, Device and Technical Information automatically from technologies such as cookies which are installed on our website. To find out more about these please see our cookie policy which is available here.
1.1.5. Details about who personal Information may be shared with
-
We may need to share your personal information with other organisations or people. These organisations include: Government bodies and regulatory bodies: such as HMRC, fraud prevention agencies.
-
Our advisors: such as lawyers, accountants, auditors, insurance companies who are based in Scotland.
-
Any organisations which propose to purchase our business and assets in which case we may disclose your personal information to the potential purchaser.
Depending on the circumstances, the organisations or people who we share your personal information with will be acting as either Data Processors or Data Controllers. Where we share your personal information with a Data Processor we will ensure that we have in place contracts, which set out the responsibilities and obligations of us and them, including in respect of security of personal information.
We do not sell or trade any of the personal information which you have provided to us.
1.1.6. Details about transfers to countries outside of the EEA
If any transfer of personal information by us will mean that your personal information is transferred outside of the EEA then we will ensure that safeguards are in place to ensure that a similar degree of protection is given to your personal information, as is given to it within the EEA and that the transfer is made in compliance with data protection laws (including where relevant any exceptions to the general rules on transferring personal information outside of the EEA which are available to us – these are known as ‘derogations’ under data protection laws). We may need to transfer personal information outside of the EEA to the third parties listed above, who may be located outside of the EEA.
The safeguards set out in data protection laws for transferring personal information outside of the EEA include:
-
Where the transfer is to a country or territory which the EU Commission has approved as ensuring an adequate level of protection.
-
Having in place a standard set of clauses which have been approved by the EU Commission.
-
Compliance with an approved code of conduct by a relevant data protection supervisory authority (in the UK, this is the Information Commissioner’s Office (ICO).
-
Certification with an approved certification mechanism.
-
Where the EU Commission has approved specific arrangements in respect of certain countries, such as the US Privacy Shield, in relation to organisations which have signed up to it in the USA.
1.1.7. Details about how long we will hold your personal information
We will only hold your personal data for as long as is necessary. How long is necessary will depend upon the purposes for which we collected the personal information and whether we are under any legal obligation to keep the personal information (such as in relation to accounting or auditing records or for tax reasons). Normally we will not keep your personal details for longer than 6 years as this is the statutory retention period for HMRC records. We may also need to keep personal information in case of any legal claims, including in relation to any guarantees or warranties which we have provided with the services.
1.1.8. Your rights under Data Protection
Under data protection laws you have certain rights in relation to your personal information, as follows:
-
Your right of access - You have the right to ask us for copies of your personal data. (this is often called ‘subject access’). This is the right to obtain from us a copy of the personal information which we hold about you. We must also provide you with certain other information in response to these requests to help you understand how your personal information is being used.
-
Your right to rectification - You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. this is the right to request that any incorrect personal data is corrected and that any incomplete personal data is completed.
-
Your right to erasure - You have the right to ask us to erase your personal data in certain circumstances. (this is often called the “right to be forgotten”). This right only applies in certain circumstances. Where it does apply, you have the right to request us to erase all of your personal information.
-
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal data in certain circumstances. Where it does apply, you have the right to request us to restrict the processing of your personal information.
-
Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
-
Your right to data portability - This right allows you to request us to transfer your personal information to someone else. You have the right to ask that we transfer the personal data you gave us to another organisation, or to you.
-
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent.
-
Your right to object - You have the right to object to us processing your personal information for direct marketing purposes. You also have the right to object to us processing personal information where our legal reason for doing so is the Legitimate Interests Reason and there is something about your particular situation which means that you want to object to us processing your personal information. In certain circumstances you have the right to object to processing where such processing consists of profiling (including profiling for direct marketing).
You don’t usually need to pay a fee to exercise your rights. If you make a request, we have one calendar month to respond to you. To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
In addition to the rights set out, where we rely on consent as the legal reason for using your personal information, you have the right to withdraw your consent.
If you want to exercise any of the above rights in relation to your personal information, please contact us using the details set out at this notice. If you do make a request, then please note:
-
We may need certain information from you so that we can verify your identity.
-
We do not charge a fee for exercising your rights unless your request is unfounded or excessive.
-
If your request is unfounded or excessive then we may refuse to deal with your request.
1.2. Our contact details
6.2.1 Telephone
+44 (0) 7717 207677
6.2.2. Email
1.3. What information we collect, use, and why
We collect or use the following information to provide services:
-
Names and contact details
We collect or use the following information for service updates purposes:
-
Names and contact details
We collect or use the following information to comply with legal requirements:
-
Names and contact details
1.4. Lawful bases
Our lawful bases for collecting or using personal information to provide services are:
-
Consent
Our lawful bases for collecting or using personal information for service updates purposes are:
-
Consent
Our lawful bases for collecting or using personal information for legal requirements are:
-
Consent
1.5. Where we get personal information from
-
People directly
1.6. How long we keep information
-
Up to 6 years
1.7. How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
1.8. Last updated
13 May 2024
1.9. Third Party Websites
Our website may contain links to third party websites. If you click and follow those links, then these will take you to the third party website. Those third-party websites may collect personal information from you, and you will need to check their privacy notices to understand how your personal information is collected and used by them.