Last updated: 26 November 2020
The Collective Foundation is committed to protecting the privacy of our users and customers. This privacy notice (“Privacy Notice”) is intended to inform you how we gather, define, and utilise your personal information such as name, address, email address and mobile phone number (“Information”). It is also intended to assist you in making informed decisions when using our Website and our products and services. All your personal Information shall be held and used in accordance with the Data Protection Act 2018 (the “Act”). If you want to know what information we collect and hold about you, please write to us at: The Collective (Living) Limited whose registered office is at 14 Bedford Square, London, WC1B 3JA, or via email to: firstname.lastname@example.org
What information do we collect?
The personal information that we may collect about you broadly falls into the following categories:
- Information that you provide voluntarily
Certain parts of our Website may ask you to provide personal information voluntarily: for example, we may ask you to provide your contact details in order to register an account with us, to subscribe to marketing communications from us, and/or to submit enquiries to us. The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
- Information that we collect automatically
When you visit our Website, we may collect certain information automatically from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.
Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked.
Collecting this information enables us to better understand the visitors who come to our Website, where they come from, and what content on our Website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Website to our visitors.
Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies” below.
- Information that we obtain from third party sources
From time to time, we may receive personal information about you from third party sources (including our customer referral scheme), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
The types of information we collect from third parties include for example your name and email address and we use the information we receive from these third parties to maintain and improve the accuracy of the records we hold about you.
We maintain the highest standards of security; however, the transmission of information via the internet is not completely secure. So, whilst we will do our best to protect your Information, we cannot ensure the security of your data transmitted to our Website. Any information you submit is sent at your own risk. Once we have received your Information we will use strict procedures and security features to prevent unauthorised access.
What are cookies?
A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website, that site’s computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.
How do we use information we collect from cookies?
How do we use the information that you provide to us?
We use your Information for the following purposes:
- To ensure that content from our Website is presented in the most effective manner for you and your computer.
- To notify you about changes to our service.
- In accordance with your authorisation at the point of Registration.
- If we are under a duty to disclose or share your personal data to comply with any legal obligation or in order to enforce or apply our terms and conditions and other agreements or protect the rights, property, or safety of our customers, or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction.
Legal basis for processing personal information
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our platform and communicate with you as necessary to provide our services to you and for our legitimate commercial interest, for instance, when responding to your queries, improving our platform, undertaking marketing, or for the purposes of detecting or preventing illegal activities. We may have other legitimate interests and if appropriate we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided within this notice.
Who does The Collective Foundation share my personal information with?
We may disclose your personal information to the following categories of recipients:
- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to any other person with your consent to the disclosure.
Our service providers
Infrastructure: We use the following service providers to provide our cloud infrastructure environment and storage of our Customer Content:
- AWS – the bulk of user data is hosted here.
- Heroku – the bulk of user data is hosted here.
- Google – user, employee and applicant data is maintained here through products like Gmail, Drive, Adwords, Google Analytics, Google Tag Manager and Firebase.
Processing of Customer Content: We work with various service providers that monitor, maintain and otherwise support our services. In order to provide this functionality these service providers may, but not necessarily will, have access to Customer Content:
- Zapier – integrations between web applications.
- Twilio – SMS notification service.
- Hubspot – company CRM.
- Zendesk – customer account administration and support.
- Intercom – customer account administration and support.
- Formkeep – application form endpoints.
- Typeform – surveys and forms processing.
- Mixpanel – web performance monitoring and reporting.
- Segment – single API usage data collection & integration with other applications.
- HotJar – user behaviour reporting.
Your data protection rights
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the following contact details: The Collective (Living) Limited whose registered office is at 14 Bedford Square, London, WC1B 3JA or via email to: email@example.com
- In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided in this notice.
- You have the right to opt out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details provided in this notice.
- Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Please note that email is not recognised as a secure medium of communication. For this reason, we request that you do not send private information to us by email.
International data transfers
Data and Information that we collect from you may be transferred to, processed and stored at a destination outside the European Economic Area (“EEA”) as certain of our third-party service providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries. However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice.
We will take all steps reasonably necessary to ensure that your Information is treated securely and in accordance with this Privacy Notice.
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
A copy of our data retention policy can be provided on request to: firstname.lastname@example.org
In some instances, our use of your personal information may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. For example, we may occasionally use third party service providers (such as Google AdWords) which use automated decisions in respect of how we market our product to you. We ensure that any service provider that we use which may make automated decisions about you based on your personal information has implemented measures to safeguard your rights and interests.
When an automated decision is made about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us using the contact details provided within this notice.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
Data Protection Policy
Last updated: 26 November 2020
| Term | Definition |
|---|---|
| Organisation | means The Collective Foundation, a charity registered under 1157042. |
| DPA | means the Data Protection Act 2018 which implements the EU’s General Data Protection Regulation. |
| Responsible Person | means Andre Damian. |
| Register of Systems | means a register of all systems or contexts in which personal data is processed by the Organisation. |
1. Data protection principles
The Organisation is committed to processing data in accordance with its responsibilities under the DPA.
The DPA requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the DPA in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. General provisions
- This policy applies to all personal data processed by the Organisation.
- The Responsible Person shall take responsibility for the Organisation’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Organisation shall register with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, fair and transparent processing
- To ensure its processing of data is lawful, fair and transparent, the Organisation shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the Organisation shall be dealt with in a timely manner.
4. Lawful purposes
- All data processed by the Organisation must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
- The Organisation shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Organisation’s systems.
5. Data minimisation
- The Organisation shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Any individual about whom The Collective Foundation/Impact Residency holds personal data shall be given access to the data held about them upon request. At all times, the organisation will ensure that the rights of such individuals can be fully exercised.
- The Organisation shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
- To ensure that personal data is kept for no longer than necessary, the Organisation shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
- The Organisation shall ensure that personal data is stored securely using modern software that is kept up-to-date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Organisation shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
END OF POLICY
This policy is reviewed regularly and updated to meet changes in regulations.