Version 25th May 2018
“Inforcehub” (and “we”, “us”, or “our”) refers to Inforce Ltd registered in England and Wales under registration 10609791 with registered address 30 Saint John’s Road, Woking GU21 7SA.
Personal data is any information relating to an identified or identifiable living person. When “you” or “your” are used in this statement, we are referring to the relevant individual who is the subject of the personal data. Inforcehub processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.
When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this statement.
Our processing activities
We outline our main processing activity in respect of personal data belonging to:
- Business contacts
- Website visitors
Collection of data
Inforcehub processes personal data about contacts (existing and potential clients and/or individuals associated with them) using a customer relationship management system (the “Inforcehub CRM”).
The collection of personal data about contacts and the addition of that personal data to the Inforcehub CRM will include name, employer name, contact title, phone, email and other business contact details. In addition, data may be collected from Inforcehub emails (sender name, recipient name, date and time) and calendars (organiser name, participant name, date and time of event) systems concerning interactions between Inforcehub users and contacts or third parties. The Inforcehub CRM is provided by Hubspot and is hosted in their US data center which is Privacy Shield certified.
Use of personal data
Personal data relating to business contacts may be used for our legitimate interests for the following purposes:
- Administering, managing and developing our businesses and services
- Providing information about us and our range of services
Unless we are asked not to, we use client business contact details to provide information that we think will be of interest about us and our services.
We do not sell or otherwise release personal data contained in the Inforcehub CRM to third parties for the purpose of allowing them to market their products and services without consent from individuals to do so.
Personal data will be retained on the Inforcehub CRM for as long as we have, or need to keep a record of, a relationship with a business contact, which is for the duration of our relationship with a contact or their organisation. Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.
Collection of data
We collect only the personal data necessary for agreed purposes and we ask our clients to only share personal data with us where it is strictly needed for those purposes.
Where we need to process personal data to provide our services, for example in relation to the customer analytics that we perform, we rely on our clients as data controllers to provide, where appropriate, the necessary information about this processing to the data subjects.
The categories of personal data processed by us in relation to the services we provide to insurers include, but are not limited to personal details of their insurance clients as well as insurance contract and servicing details.
Use of personal data
Our core products and services may require us to process personal data in order to provide analytics deliverables, provide campaign management services or provide advice to our clients. This processing of personal data by us is necessary for the purposes of fulfilling the contract with our clients and the legitimate interests pursued by us in providing these services to our clients.
Where we process personal data on behalf of our clients we have a Data Processing Agreement in place. We always ask our clients to send personal data in a so-called pseudonymised or person-relatable format. Only our clients have the keys to make the person-relatable data they provide personally identifiable again.
We may also process personal data of individuals associated with or working for our clients for the purpose of the legitimate interest to administer, manage and develop our businesses, such as:
- managing our relationship with clients and prospective clients;
- identifying client needs and improvements in service delivery;
- hosting of events; and
- managing our website and applications.
Unless we are asked not to, we use client and business contact details to provide information that we think will be of interest about us and our services. This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.
As a provider of services to insurers we are subject to legal, professional and, in the future, possibly regulatory obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data. We have a legitimate interest in processing personal data as necessary to meet these obligations.
Where agreed with our clients, we may use information that we receive in the course of providing our services for other legitimate interest purposes , including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new technologies and offerings. To the extent that the information we receive in the course of providing professional services contains personal data, we will de-identify the data prior to using the information for these purposes.
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.
Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.
Collection of data
We collect personal data concerning our own personnel as part of the administration and management of our business activities. The details of this are available to our personnel.
Visitors to our website
Collection of data
Visitors to our websites are generally in control of the personal data shared with us.
We may receive personal data, such as name, title, company address, email address, and telephone numbers from website visitors when an individual registers for updates from us via our website.
Use of personal data
When you register an interest in receiving information from inforcehub via our website we always you to reconfirm this via a link in an email. Subject to this confirmation and unless we are asked not to, we may contact you with information about Inforcehub’s business, services and events.
When you provide personal data to us via our website, we may use it for a number of purposes, including:
- to administer and manage our website
- to personalise and enrich your browsing experience;
- to determine the company that you work or are associated with;
- to conduct benchmarking and data analysis regarding usage of our website.
Personal data collected via our websites will be retained by us for as long as it is necessary (e.g. for as long as we have a relationship with the relevant individual).
Who has access to your personal data
Your personal data can be accessed by our employees to the extent that this access is required to enable them to perform their work for us. In addition, your personal data can be accessed by our external service providers we use to run our business. All third parties that we work with, that have access to your personal data, are subject to data processing agreement(s) that guarantee(s) that this data is exclusively processed for the purposes listed above.
Third party organisations that provide services to us
We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them. Further details of these providers is included below.
- Google Ireland Limited
Business applications (such as email, documents and calendar)
Gordon House, Barrow Street, Dublin 4, Dublin, D04 E5W5
- Microsoft Limited
Azure cloud services
Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, UK
One Dockland Central, Dublin 1, Ireland
Accounting & Payroll
The Shard, 32 London Bridge Street, London, SE1 9SG, UK
Mailing list for web sign ups
The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Atlanta, GA 30308 USA
On client engagements, we may engage or otherwise work with other providers, their data and their software to helps us deliver to our clients.
In all cases we ensure that data is stored and processed within the EU or, where service providers are based or use servers in the US, that these are covered by the Privacy Shield.
Auditors, insurers and professional advisers
Our auditors are Barnbrook Sinclair 30 Saint John’s Road, Woking GU21 7SA. We have a number of business insurance policies in place and we may need to share personal data with the insurer, for example, in the event of a claim. We use other professional advisers, for example, law firms, as necessary to establish, exercise or defend our legal rights and obtain advice in connection with the running of our business. Personal data may be shared with these advisers as necessary in connection with the products and services they have been engaged to provide.
Law enforcement or other government and regulatory agencies
If specifically required, by applicable law we may provide your personal data to regulatory authorities, police, justice department, fiscal authorities and other authorities assigned with investigative powers pursuant to applicable law. Occasionally, we may receive requests from other third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
Individuals’ rights and how to exercise them
Individuals have certain rights over their personal data and controllers are responsible for fulfilling these rights.
Individuals’ rights may include the right of access to personal data, to rectification of personal data, to erasure of personal data / right to be forgotten, to restrict processing of personal data, to object to processing of personal data, to data portability, the right to withdraw consent at any time (where processing is based on consent) and the right to lodge a complaint with a supervisory authority.
Please see further information about these rights and when they are available. All rights can be be exercise by emailing email@example.com.
Your right of access to personal data
You have the right to obtain confirmation as to whether we process personal data about you, receive a copy of your personal data held by us as a controller and obtain certain other information about how and why we process your personal data (similar to the information provided in this privacy statement). We aim to respond to any requests for information promptly, and in any event within the legally required time limits.
Your right to rectification or amendment
You have the right to request for your personal data to be amended or rectified where it is inaccurate (for example, if you change your name or address) and to have incomplete personal data completed. When practically possible, once we are informed that any personal data processed by us is no longer accurate, we will make updates as appropriate based on your updated information.
Your right to erasure / right to be forgotten
You have the right to obtain deletion of your personal data in the following cases:
- the personal data are no longer necessary in relation to the purposes for which they were collected and processed;
- our legal grounds for processing is consent, you withdraw consent and we have no other lawful basis for the processing;
- our legal grounds for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to our processing and we do not have overriding legitimate grounds;
- you object to our processing for direct marketing purposes;
- your personal data have been unlawfully processed; or
- your personal data must be erased to comply with a legal obligation to which we are subject.
Your right to restrict or suppress processing
You have the right to object to our processing of your personal data in the following cases:
- our legal grounds for processing is that the processing is necessary for a legitimate interest pursued by us or a third party;
- or our processing is for direct marketing purposes.
You also have the right to restrict our processing of your personal data in the following cases:
- for a period enabling us to verify the accuracy of your personal data where you have contested the accuracy of the personal data;
- your personal data have been unlawfully processed and you request restriction of processing instead of deletion;
- your personal data are no longer necessary in relation to the purposes for which they were collected and processed but the personal data are required by you to establish, exercise or defend legal claims;
- for a period enabling us to verify whether the legitimate grounds relied on by us override your interests where you have objected to processing based on it being necessary for the pursuit of a legitimate interest identified by us.
Your right to data portability
You have a right to receive your personal data provided by you to us and have the right to send the data to another organisation (or ask us to do so if technically feasible) where our lawful basis for processing the personal data is consent or necessity for the performance of our contract with you and the processing is carried out by automated means.
Your right to withdraw consent
Where we process personal data based on consent, individuals have a right to withdraw consent at any time. We do not generally process personal data based on consent (as we can usually rely on another legal basis). Where we rely on your consent for our processing of your personal data, you can withdraw your consent, or, to stop receiving an email from an inforcehub marketing list, please click on the unsubscribe link in the relevant email. Please see the relevant “Use of personal data” sections of this privacy statement for further details about our processing of personal data based on consent.
All information you provide to us is stored on our secure servers. Any data transfers will be encrypted using Secured Sockets Layer technology or a secure virtual private network.
We regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to firstname.lastname@example.org. We will look into and respond to any complaints we receive.
You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred within the EU. The Information Commissioner’s Office (“ICO”) is the UK data protection regulator/supervisory authority. For further information on your rights and how to complain to the ICO, please refer to the ICO website.