This Policy explains the ways in which we process or use your personal data and sets out your legal rights in relation to your personal data.
This policy is subject to copyright and may not be copied or used or adapted for use by anyone else without written consent from us.
Who We Are
When This Policy Applies
Data Protection Principles
How We Obtain Your Information
How We Use Your Information
What We Use Information For
Sharing Your Information
Third-Party Service Providers
Cookies, Opt-Outs and Links
Looking After Your Information
How Long We Keep Information
How to Exercise Your Rights
Our Role as a Data Controller
Changes to This Policy
Who We Are and How to Contact Us
“We”, “our” or “us” refers to Highly Coded. We are a sole trader business based in the United Kingdom. Highly Coded is the data controller responsible for your personal data. You can contact us at our registered office, including for any data protection or privacy related matters, or contact our data protection manager directly by email at email@example.com.
When This Policy Applies
This policy is mainly aimed at general users of this website.
This Policy does not apply to our processing of personal data of anyone with whom we have a specific contract which includes clauses or references to specific privacy policies to the extent that they override this one and in general, this Policy is additional to any other one and does not override it.
We do not knowingly collect or maintain any personal information of children. If you are under the age of 18, please do not access our website or social media pages or communicate with us.
Data Protection Principles
We will comply with data protection law. This means that your personal data that we hold must be:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- relevant to the purposes we have told you about and limited only to those purposes
- accurate and kept up to date
- kept only as long as necessary for the purposes we have told you about
- kept securely.
How We Obtain Your Information
We may collect any information that you provide to us yourself, for example when you:
- buy or apply for any of our products or services;
- create an account on our website or in any of our apps or online tools;
- communicate with us for example by email, chat, applications, shared meetings or documents spaces, social media messages, comments or posts, calls, meetings, training, post, webinars or via our websites or apps or online tools;
- make an enquiry, provide feedback, or make a complaint;
- subscribe to any of our marketing, newsletters, articles or mailing lists;
- enter a competition, promotion or survey provided by us or on our behalf;
- register to and/or attend our events in person or online;
- network with us (e.g., at exhibitions, conferences and/or other meetings or events, in person or online) or provide us with any contact details for networking purposes;
- link to or share information with any of our personnel through social media or business forums or groups (for example LinkedIn, business or industry associations or alumni networks);
- submit a CV and/or an application for a job or service provider of ours and / or attend an interview or assessment with us.
We may also receive information about you from other people. For example:
- Service providers and others: We may collect personal information from or via the people with whom we share data;
- Security: We may collect information from our information and cyber security service providers, about any actual or attempted misuse of our website, apps, emails or other communication methods or devices;
- Publicly available sources: We use publicly available sources such as search engines, listings sites, social media, websites, Companies House, Electoral Register, for instance to carry out identity and compliance checks and to gain background information and research;
- Analytics providers, advertising networks and search information providers: We may collect personal information from external providers of these services (see later sections);
- Employers, recruitment agencies and referees: If you are an applicant for a job with us or to become a service provider, we may contact your recruiter, current and former employers and/or referees to provide information about you and your application;
- Referrers: We may receive information about you from other people if you communicated to them that you would like to hear from us or from specified categories of business that include us;
- Official Sources: We may receive information about you from government authorities or bodies, police, crime or fraud prevention or other authorised entities.
What Information We May Collect and Process
The personal information we collect and process about you may include some or all of the following:
- Identity: including title, names, usernames, passwords, your age, the company you work for, your title or position, your relationship to other people, your image and / or voice, location, nationality, preferred language, gender, physical characteristics, marital status and others
- Contact information: including email addresses, phone numbers, addresses, social media names or contacts;
- Your communication: including any personal data that you include in any communication;
- Identification and background information: including information provided by you if required as part of our client contract processes, for example your government-issued identification information, social security numbers, tax identifiers, passport, utility bills copies or other personal identification documents;
- Transactions and profile data: including details about products and services that you bought from us and payments that you made via our payment service providers (who have their own separate privacy policies that you should read), your interests, preferences, feedback and survey responses and marketing and communication preferences;
- Website, social media and app usage and other technical data: including information about your interactions with our websites, apps or social media pages and the device that you use to access them, which may include information such as IP addresses, geographical location, device information (such as your hardware model, mobile network information, unique device identifiers). This information may be collected by third-party analytics service providers on our behalf and / or may be collected using cookies or similar technologies (see sections below)
- Employment and background data: if you submit a job application to us, you may provide information and details about your academic and work history, qualifications, skills, personal or professional background, references, proof of your entitlement to work in the UK, your national insurance number, your passport or other identity document details, and any other related information that you may provide to us;
Sensitive information such as information about criminal convictions and offences or “special category data” about your race or ethnicity, religious, philosophical or political beliefs or opinions, sex life, sexual orientation, trade union membership or health, genetic or biometric data by law requires higher levels of protection. We generally do not knowingly store information of this type. As an exception, we process this type of information if needed for you to attend our premises or events or for the provision of services to or from you or where we need to collect it to comply with legal obligations.
We may also collect, use and share aggregated data such as statistical or demographic data. This data may be derived from your personal data but is not considered personal data if it does not directly or indirectly reveal your identity. If we combine or connect this data with your personal data so that it can identify you, we do then treat the combined data as personal data in accordance with this Policy.
On What Basis We Use Your Information
We use your personal information as permitted by law. Most commonly, this will be on the basis of one or more of the following:
- to enter into or perform a contract with you;
- the legitimate interests of us or a third party as a business;
- to comply with a legal or regulatory obligation;
- your consent (if needed and where we request it).
Where we use your information for our legitimate interests, we consider any potential impact that such use may have on you. Our legitimate interests do not automatically override yours. We do not use your information if we think your interests should override. If you are concerned, see Your Rights Relating to Your Information or contact us if you want more information about how we balanced your rights and our legitimate interests.
Generally, we do not rely on consent as a legal basis for processing your personal data other than for certain types of marketing where we need your consent (and in those cases, only where you opt in). You have the right to withdraw consent to our marketing at any time by contacting us or clicking to opt out.
What We Use Your Information for
We may use your information for the following purposes:
- Registering you as a client and establishing contracts or terms with you, processing and delivering your orders, including managing (may be via third parties) payments, fees and charges and collecting money owed (on the basis of entering our contract with you, or otherwise on the basis of our legitimate interest to conduct our business)
- Provision of our services: to provide our services to you and update you about our services or instructions, or otherwise take steps as set out in any contract with you or in our Terms of Business or Website General Terms and / or to manage payments to or from us (on the basis of performing our contract with you, or otherwise on the basis of our legitimate interest to conduct our business);
- Response to enquiries: to respond to enquiries you make, especially if you ask for information about us providing our services to you (on the basis of our legitimate interest to respond to enquiries from prospective clients and to operate a lawful business and / or on the basis of your consent if necessary and if given);
- User support: to provide service and support and deal with enquiries or complaints in relation to your use of our websites, online tools, portals, apps or social media pages or groups (on the basis of our contract with you or on the basis of our legitimate interests to provide you with customer service and to comply with our legal obligations);
- Marketing and Sales: to communicate with you about our news, events and services that we believe may interest you (either on the basis of our legitimate interests to provide you with marketing communications where we may lawfully do so (although you may opt out at any time) or your consent if we have requested it); we will not share your personal data with any third party for marketing purposes unless we have your express opt-in consent;
- Recruitment: to process any applications you send to us for a job or service, whether directly or via an agent or recruiter (on the basis of our legitimate interest to recruit new employees and contractors);
- Your experience of our website, social media and apps: to provide you with access to our website and / or social media pages or groups or apps in a way that is optimised and convenient which may include personalised content (on the basis of our legitimate interest to ensure our website, social media and apps are presented in an effective manner);
- Analytics: to use data analytics to improve and optimise use of our website, social media, apps, products or services, advertising, marketing, client relationships and experiences (on the basis of our legitimate interests in personalising or modifying the services or communications we provide to you, developing our business, and informing our marketing strategy);
- Fraud and unlawful activity detection: to protect, investigate, and deter against fraudulent, unauthorised, or illegal activity, including identity fraud or money laundering (on the basis of our legitimate interests to detect and prevent illegal activities and to operate a safe and lawful business or where we have a legal obligation to do so);
- Compliance: to enable us to comply with any legal or regulators’ obligations, policies and procedures and to enforce our legal rights, or to protect the rights, property or safety of our employees or service providers (on the basis of our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so).
Sharing Your Information
On the lawful grounds referred to above and connected with the purposes set out, in addition to any recipients of your information described elsewhere in this Policy, we may share your personal information if relevant with third parties such as:
- Social media services: We may work with certain third-party social media providers to offer you their social networking services through us or our products or services. They may be able as a result to collect information about you and may notify your friends on their network in accordance with applicable law and their own privacy policies;
- Advertisers: We may share some personal information with advertisers, advertising exchanges and marketing agencies that we engage for advertising services for us or through some of our products or services. They may also target advertisements on third party websites based on cookies or other information indicating previous interaction with us or our services.
- Our service providers: service providers we work with to deliver our business, who act as processors and provide us with services including (as examples only) the following:
  - website, email, app, online tools and social media developers, hosts or content contributors or related service providers based in the UK, EEA or USA;
  - cloud computing hosting service providers based in the UK, EEA or USA;
  - contract management, document management and digital or electronic signature service providers based in the UK, EEA or USA;
  - online payment gateway and service providers based in the UK, EEA or USA;
  - IT, system administration, analytical and security service providers based in the UK, EEA or USA;
  - identity verification, fraud prevention and detection service providers based in the UK, EEA or USA;
  - sub-contracted, outsourced or consultancy service providers based in the UK or EEA;
  - our professional advisers or service providers including for legal services, documents, funding, tax advice, accounting, administrative services.
- Regulators and governmental bodies: HM Revenue & Customs, regulators, governmental bodies and other authorities acting as processors or joint controllers, who require reporting of processing activities in certain circumstances;
- Standards and Industry Bodies and Associations: To the extent applicable and necessary and if a member of the association or governed by their Code of Conduct, associations or quality standards organisations or similar;
- Referrals and Publicity: any selected third party that you consent to our referring you on to or sharing your information with for marketing, client reference or publicity purposes;
- Your own organisation and business and professional advisers, contacts and partners: to the extent that others (in your organisation or a third party) in an actual or potential transaction or service with you are copied or forwarded or given personal information, this is also sharing your information with them but will only be done in the usual and normal course of business
- Other external entities (including professional and business advisers and partners): any other third parties (including banks, funders, investors, legal, accountancy, consultancy, tax, business or other advisors, regulatory authorities, courts, law enforcement agencies and government agencies) where necessary to enable us to enforce our legal rights, or to protect the rights, property, or safety of us or our employees, or where such disclosure is required by law or is permitted for them to help us with their services.
We require third parties to have appropriate security to protect your information from unauthorised access or processing and to treat it in accordance with all applicable law. We do not permit third-party service providers to use your personal data for their own purposes, only to process your personal data for the same specified purposes as us and in accordance with our instructions.
Example Third-Party Service Providers
We change our suppliers and third-party services based on our business needs. However, the following entities are being used at the date of this Policy as some of the processors of some of the personal data we hold. See Our Role as a Data Controller or Processor. You can also follow links (current at the date of this Policy but do a Google search if they have changed) to their privacy policies (see following section in some cases to opt out) which are:
Cookies, Opt-Outs and Third-Party Links
You can opt out of any direct marketing communications that come directly from us or via Mailchimp at any time by contacting us or following links to opt out in the communication.
Our website, social media pages and groups or apps may contain content and links to external websites, plug-ins and applications that are operated by third parties that may also operate cookies and collect personal data. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control them, are not responsible for their privacy statements, and this Policy does not apply to them, so you should check their own privacy policies.
How We Look After Your Information
We have security procedures and policies as to how your personal information is stored and used and who has access to it. We use appropriate security features to help prevent any unauthorised person gaining access to it. Sending information via the internet, although useful and essential, is always insecure to some extent. Although we take appropriate measures to protect your personal data, we cannot guarantee its security, especially if you send or receive it via a device, method or connection that is not secured.
We aim to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and of personal information that we hold.
We operate a policy of “privacy by design”, with our systems and policies designed to take account of information security. We try to minimise the amount of personal information we hold and how long we hold it for. We use appropriate technological and operational security measures to protect your information against unauthorised access or unlawful use, which may include the following:
- physical: ensuring the physical security of our offices, equipment and devices;
- technical: ensuring the physical and digital security of our equipment and devices by using appropriate firewalls, password protection, pseudonymisation, encryption and other security;
- procedural: maintaining a privacy / data protection / information security policy for our personnel and sub-contractors and providing them with related training.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where legally required to do so.
How Long We Keep Your Personal Information
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for or to satisfy any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation or legal disputes in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process it, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Please contact us if you would like more information about how long we keep your information for. In general terms:
- by law we have to keep basic information about certain people including our clients, employees or contractors (including Contact, Identity, Financial and Transaction Data) for six years after they cease paying or being paid for tax purposes.
- in some circumstances you can ask us to delete your data: see Your Rights Relating to Your Information.
If we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use this information indefinitely without further notice to you.
International Transfers of Your Information
Highly Coded is based in the United Kingdom, but its personnel and service providers may be based in other countries. Within the UK and the EEA, your personal data is protected by the General Data Protection Regulations and national implementations that reflect it or are very similar in their level of protection (including countries that are not technically within the EEA such as the UK).
If you reside within the UK or EEA, we do not transfer your personal data outside the UK or EEA unless you instruct us to do so or the transfer is necessary to provide the services you requested from us or is otherwise required or permitted by law or as set out in this Policy (for example in relation to cloud or technical service providers who may be based outside the UK or EEA). If we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is in place by ensuring at least one of the following is implemented (in each case if and to the extent that legally valid at the time, bearing in mind that this has changed several times over the years due to legal court decisions):
- Your personal data is transferred to a country that the European Commission has deemed to provide an adequate level of protection for personal data. For details, search online for “European Commission: Adequacy of the protection of personal data in non-EU countries”;
- Your personal data is transferred to recipients subject to specific contracts approved by the European Commission giving protection to personal data. For details, search online for “European Commission: Model contracts for the transfer of personal data to third countries”;
- Your personal data is transferred to recipients based in the USA that are part of the Privacy Shield which requires similar protection for personal data shared between Europe and the US. For further details, search online for “European Commission: EU-US Privacy Shield”;
- Your personal data is transferred to recipients under any other basis legally permitted at the time under the legislation applicable to us.
On request we will supply UK or EEA residents with further details on the protections for any of your personal data that is transferred or processed outside the UK or EEA. For residents in other countries, we only transfer your personal data internationally in compliance with applicable legislation.
Your Rights Relating to Your Information
We do not sell your personal data on to anyone else for their own use (this is relevant in particular if you reside in California or Nevada or any other location that restricts or prohibits the sale of personal data for others’ use). Other rights that you have under your privacy legislation are also covered by the rights referred to in this policy, which also covers the rights under UK and European legislation.
You may also have the right to complain to a data protection authority about our collection and use of your Personal Information. Depending on the country in which you reside, you may have some or all of the following data protection rights in respect of the information that we hold about you, including the following (subject to exceptions that would be notified to you at the time if applicable):
- the right to be informed of the ways in which we use your information: you are informed by this Policy, but contact us if you want more details;
- the right to ask us not to process your personal data for marketing purposes: we will comply if so requested as soon as possible;
- the right to request access to the information that we hold about you: this is commonly known as a “data subject access request” and enables you to receive a copy of personal data that we hold about you (to the extent that we are required to provide it) and to check that we are lawfully processing it. It will be helpful and faster if you could be as specific as possible about the data that you would like a copy of (including dates where possible).
- the right to request that we correct or rectify any information that we hold about you which is outdated or incorrect: we may need to verify the accuracy of the new data that you provide;
- the right to withdraw your consent for our use of your information if we are using it only in reliance on your consent: see On What Basis We Use Your Information;
- the right to object to our using your information on the basis of our legitimate interests: this right applies if there is something about your particular situation which makes you want to object to our processing on this ground (see On What Basis We Use Your Information) and if your rights override our own legitimate grounds to process your information;
- the right to request the transfer of your personal data to you or to someone else like a new replacement service provider: where possible, we will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you;
- in certain circumstances, the right to ask us to delete information we hold about you: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it or where you have successfully exercised your right to object to processing (see above), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. We may not always comply with your request for erasure for specific reasons which will be notified to you, if applicable, at the time;
- in certain circumstances, the right to request restriction of processing of your personal data: this enables you to ask us to suspend the processing of your personal data in the following scenarios: (i) if you want us to establish the data’s accuracy; (ii) where our use of the data is unlawful, but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; (iv) if you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
- the right to complain about us: you have the right to complain about us in relation to your data protection and / or privacy to the UK Information Commissioner’s Office (www.ico.org.uk) as well as a right to complain to the relevant authority in your country of work or residence if different. For more information, please contact your local data protection authority. We would, however, appreciate the chance to deal with your concerns ourselves before you approach any data protection authority, so please Contact Us first.
We may need to retain certain information for legal and record-keeping purposes. We may also need to send you service-related communications even if you opt not to receive marketing communications.
How to Exercise Your Rights
You may exercise your rights using the contact details referred to in Who We Are and How to Contact Us. We will comply with your request unless we have a lawful reason not to do so. It will help to get your request dealt with promptly and correctly if you could please clearly mark it in the subject matter with “Information Privacy Request” or “Data Protection Request” or similar wording and be as specific as you can in your request in relation to what you want.
Note that your objection to processing (or withdrawal of any previously given consent) could mean that we are unable to provide you with our services or otherwise perform the actions necessary to achieve the purposes set out above (see What We Use Your Information for). We may still be able to continue to process your personal information to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal or regulatory obligations.
You may request us to cease sending you any marketing information at any time by notifying us as set out in Who We Are and How to Contact Us. Each marketing email sent to you will contain an easy, automated way for you to “opt out” and cease receiving marketing emails from us. If you have received unwanted, unsolicited marketing from us or claiming to be from us, you should please forward a copy of it with your comments to us for review.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any unauthorised person. We may also contact you to ask you for further information in relation to your request.
We will generally not charge any fee for you to access your personal data or exercise your other rights referred to. However, if your request is clearly unfounded, repetitive or excessive, we have the right to and may charge a reasonable fee or refuse to comply with your request.
Timing of our response to your requests: We will try to respond to all legitimate requests within one month. Sometimes it may take us longer if your request is particularly complex or you have made more than one request. If so, we will notify you and keep you updated.
Our Role as a Data Controller or Processor
We are the controller and responsible for your personal data where we collected that data for our own business purposes or where we are the person who controls and decides about its processing.
- process the personal data only on the documented instructions of the controller;
- enter into a written contract or undertake to comply with written contractual clauses with the controller with regard to the data processing;
- only use staff and other persons who have a duty of confidentiality with regard to the data;
- comply with security obligations equivalent to those imposed on the controller by law;
- notify the controller of any breach in relation to the personal data shared by the controller;
- enlist a sub-processor only with the prior permission of the controller.
Changes to This Policy and Your Duty to Inform us of Data Changes
It is important that the personal information that we hold about you is accurate and current. Please let us know as soon as possible if any of it changes during your relationship with us.
We will, where appropriate, notify you (this may be by changing this Policy on our website) of any material changes, for example if there is a change in the processing purpose for your data, or a change in identity of controller. If we change the purpose for which we use your personal data from the purpose for which we collected it, we will (on request) give you further information about how the new purpose is compatible with the original purpose or the legal basis for the new purpose.