Privacy and Security Policy (GDPR compliance)

Your privacy and trust are important to us and this Privacy Policy (“Policy”) provides important information about how Cranham Haig Limited (“Company” “we” or “us”) handle personal information. This Policy applies to personal information which we process in the course of doing business including information processed through the Company’s website and the services we provide (collectively, our “Services”).

Please read this Policy carefully and contact us if you have any questions about our privacy practices or your personal information choices.

It is important that you check back often for updates to this Policy. If we make changes we consider to be important, we will let you know by placing a notice on the relevant Services and/or contact you using other methods such as email.

This Policy was last updated on 22 May 2020.

Purpose of the processing, legal basis and retention periods

We may process personal information about you in different ways depending on our relationship with you. Please click on the link below which most closely identifies your relationship with us:

  1. You are or were a customer.
  2. You are a supplier or an employee of a supplier to us.
  3. You are a third party with whom we are in contact during the delivery of services to our customers or the possible delivery of services to prospective customers.
  4. You are a prospective customer or a prospective supplier.
  5. You are an employee, former employee or a relative of either.
  6. You are a prospective employee.
  7. We have received your information from a third party.
  8. Your relationship with us is not covered by any of the above.

1. Customers and employees of customers

We will collect and store personal information including contact details of our customers and those employees of the customer who are involved in the delivery of the contract so that we can provide our Services in accordance with our contract with our customer. We will also retain that information and any information relating to the contract between us for a period of seven years following completion or termination of the contract(s) between us so that we can review our performance if any complaints or issues arise after completion or termination of the contract.

We may take financial details, including credit, debit card and bank details for the purpose of processing payments. We will not store credit or debit card details and use Sage as our third party payment processor.

Where we are providing a hosted solution and/or providing support services, we are storing information and may sometimes have incidental access to data that is located in the cloud or on our customer’s system. This data may contain information about our customer, their employees, clients/customers, partners, or suppliers. We are processing this information on behalf of our customer in order to provide them with our services. The customer is the data controller in respect of this data and you should therefore contact the customer for further information about how we process this data on their behalf.

We may contact customers and registered users of our products with useful information about our Services, their product, product updates and new releases. We will do this either as part of our contracted Services or where it is in our legitimate interests to inform you how to get the most out of our products and Services. We will only do this if we believe that you would reasonably expect us to contact you in this way and that such processing does not have an impact on you in a way that would make this processing unfair.

Unless you request us not to do so, we may also contact those employees of the customer who are involved in the delivery of the contract on an individual basis about similar services which we offer, because it is in our legitimate interest to direct market to you. However we will not send you direct marketing e-mails unless you were given the option to opt out of receiving direct marketing e-mails when you purchased products or services from us and did not opt out or you have otherwise given your consent to receiving direct marketing e-mails.

2. You are a supplier or an employee of a supplier to us

We will collect and store personal information including contact details of our suppliers and those employees of the supplier who are involved in the delivery of the contract so that we can receive your services in accordance with our contract with you. We will also retain that information and any information relating to the contract between us for a period of seven years following completion or termination of the contract(s) between us so that we can review your performance if any complaints or issues arise after completion or termination of the contract.

We may also contact you about new business opportunities for us to work together with you and to keep you informed of our activities.  We are processing your personal information in this way because it is in our legitimate interests to grow our business and explore new business opportunities with you. We will only do this if we believe that you would reasonably expect us to contact you in this way and that such processing does not have an impact on you in a way that would make this processing unfair.

We will not send you general marketing information as part of a group e-mailing campaign unless you have consented to being contacted in this way.

3. You are a third party with whom we are in contact during the delivery of services to our customers or the possible delivery of services to prospective customers

We will collect and store personal information including contact details of third parties with whom we are in contact during the delivery of Services to our customers or discussions relating to Services to prospective customers. We may receive that information from you, a customer, a supplier, an introducer or otherwise as a result of an interaction between you and our supplier or customers. We process that information because it is in our legitimate interests to do so in order for us to be able to perform our contracts for our customers or pitch for work from prospective customers. We believe that you would reasonably expect us to process your personal information in this way and that such processing does not have an impact on you in a way that would make this processing unfair.

Where your personal information is kept as part of a file relating to the performance of a contract with one of our customers, we will also retain that information and any information relating to that contract for a period of six years following completion or termination of that contract(s) so that we can review the file if any complaints or issues arise after completion or termination of the contract.

Where your information is stored in our contacts database but is not kept in a customer or supplier file, we carry out a review of our contacts database every [2] years when we consider whether or not we still have a legitimate interest to keep your contact information. Where we consider that we no longer have a legitimate interest to keep your contact information we will delete it.

We may also contact you about new business opportunities for us to work together with you and to keep you informed of our activities. We are processing your personal information in this way because it is our legitimate interests to grow our business and explore new business opportunities with you. We will only do this if we believe that you would reasonably expect us to contact you in this way and that such processing does not have an impact on you in a way that would make this processing unfair.

We will not send you general marketing information as part of a group e-mailing campaign unless you have consented to being contacted in this way.

4. You are a prospective customer or a prospective customer

We will collect, store and use personal information including contact details of people who have expressed an interest in our services or signed up for a trial of our products or to receive our newsletters or people who we reasonably consider we might do business with as a supplier or a customer.

We may collect this information from you, when you contact us (including through this website) or at an event or from a mutual contact. We will only collect contact information from your website or another third party website if we have identified you specifically as someone who may be interested in purchasing products from us or delivering goods or services to us.

We may contact you about our products, services, events and new business opportunities for us to work together with you and to keep you informed of our activities.  We believe that it is in our legitimate interests to develop our business and that you would reasonably expect us to process your personal information in this way and that such processing does not have an impact on you in a way that would make this processing unfair. Where your information is stored in our contacts database but is not kept in a customer or supplier file, we carry out a review of our contacts database every [2 years] when we consider whether or not we still have a legitimate interest to keep your contact information. Where we consider that we no longer have a legitimate interest to keep your contact information we will delete it.

We will not send you general marketing information as part of a group e-mailing campaign unless you have consented to being contacted in this way.

5. You are an employee or related to an employee

Employees should refer to the Employee Privacy Notice for further information about our privacy policy in respect of employees.

Where an employee has provided us with personal information about a spouse, civil partner or other family member/friend (perhaps in relation to sharing a Company car, private medical insurance or other benefits or as an emergency contact), it is the employee’s responsibility to inform that person that the employee has provided us with their details and that we will be processing it as an emergency contact or in connection with the relevant benefit and/or policy in accordance with this privacy policy.

6. You are a prospective employee or a referee of a prospective employee

If we have received your details in response to a recruitment initiative, we will store the personal information that either you, your recruitment agent or another third party has provided us with. We process that information because it is in our legitimate interests to do so in order for us to be able to make an informed decision about whether to interview you and, ultimately, recruit you. We believe that you would reasonably expect us to process your personal information in this way and that such processing does not have an impact on you in a way that would make this processing unfair. Where your personal information is kept as part of a file relating to prospective employees of the Company, we will retain that information and any information relating to that matter. This is so that we can review the file if any complaints or issues arise after the recruitment process. The length of time that we keep prospective employee files is usually 6 months after conclusion of the relevant recruitment process.

7. We have received your information from a third party

If we have received your personal information from a third party, for example an introducer or your employer, that third party will be the controller in relation to that personal information and we will be processing it on their behalf. You should therefore contact that third party to review their privacy policy.

8. Your relationship with us is not covered by any of the above

We may hold your contact details and personal information as a result of an interaction between you and one of our employees. We are processing your personal information in this way because it is in our legitimate interests to retain a record of our employee’s engagement with third parties. We believe that you would reasonably expect us to process your personal information in this way and that such processing does not an impact on you in a way that would make this processing unfair.  We carry out a review of our contacts database every [2] years when we consider whether or not we still have a legitimate interest to keep your contact information. Where we consider that we no longer have a legitimate interest to keep your contact information we will delete it.

Where you provide us with personal information about another person

If you give us personal information about another person, you must ensure that:

  1. you are legally entitled to give us that information;
  2. the disclosure is in accordance with any applicable data protection or privacy laws; and
  3. such other person has also read this privacy policy.

Personal information we hold

The information we collect about you depends on the products and services you use. It includes (but is not limited to):

  • Your name, address, contact details
  • Who you work for
  • Details that we need to check your identity, process an application and perform credit referencing
  • Financial details, including credit card, debit card and bank details to process payments only
  • Your communications with us, including notes or recordings of calls, emails or letters you send to us
  • Marketing preferences

We would not normally process sensitive information, for example, relating to your health, religious belief or sexuality. If that information is relevant to the services we are providing or receiving from you, then we will agree with you at the time whether we can process that information.

Our Services include data and document storage as an integral part of the product or solution we are offering. Documents and data stored by our customers may contain personal information about our customer, their employees, clients/customers, partners, or suppliers . Any information stored by or on behalf of our customers is controlled by our customers. Our access to this information is limited to the Company personnel who may occasionally require access in order to provide our Services or for any other critical business reason.

When we share personal information

The Company shares or discloses personal information when necessary to provide Services or conduct our business operations as described below. When we share personal information, we do so in accordance with data privacy and security requirements. We do not sell any personal information to third parties. We may occasionally share non-personal, anonymised, and statistical data with third parties. Below are the parties with whom we may share personal information and why.

  • Our business partners: We occasionally partner with other organisations to deliver co-branded Services, provide content, or to host events, conferences, and seminars. As part of these arrangements, you may be a customer of both the Company and our partners, and we and our partners may collect and share information about you. The Company will handle personal information in accordance with this Policy, and we encourage you to review the privacy policies of our partners to learn more about how they collect, use, and share personal information.
  • Our third-party service providers: We partner with and are supported by service providers . Personal information will be made available to these parties only when necessary to fulfil the services they provide to us, including (without limitation) cloud hosting through Amazon Web Services and other cloud providers; payment providers; direct marketing services and data analytics. Our third-party service providers are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us.
  • Third parties for legal reasons: We will share personal information when we believe it is required, such as:
    • to comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities;
    • in the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings);
    • to protect our rights, users, systems, and Services.

Where we store and process personal information

We take steps to ensure that the information we collect is processed according to this Policy and the requirements of applicable law wherever the data is located.

We store information in a cloud hosting service, mainly through the provider Amazon Web Services. The Company has networks, databases, servers, systems, support, and help desks located in the UK. We take appropriate steps to ensure that personal information is processed, secured, and transferred according to applicable law. In some cases, we may need to disclose or transfer your personal information within the Company or to third parties in areas outside of your home country, but we will not transfer your data outside of the European Economic Area without your express written consent, unless you are a customer based outside the European Economic Area and it is necessary to transfer the data to you in order to provide our Services.

How we secure personal information

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How long we keep personal information

We retain personal information for as long as we reasonably require it for legal or business purposes. In determining data retention periods, the Company takes into consideration local laws, contractual obligations, and the expectations and requirements of our customers and suppliers. When we no longer need personal information, or when you request us to delete your information, where this is legal, we will securely delete or destroy it. See section “Purpose of the processing, legal basis and retention periods” for further information on our retention periods.

Your legal rights

We respect your right to access and control your information, and we will respond to requests for information and, where applicable, will correct, amend, or safely delete your personal information.

  • Access to personal information: You have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. If you request access to your personal information, we will gladly comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data.
  • Object to processing: of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request erasure: of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see above), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Request restriction of processing: of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer: of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Correction of your data: You have the right to request that we correct your personal information if it is inaccurate or requires updating or that we complete your personal information if the information we hold is incomplete.
  • Withdrawal of consent: If we are processing your personal information on the basis that you have given your consent to us processing that personal information, you have a right to withdraw your consent at any time by using the “Contact Us” option on our website or let us know in writing, by email or by telephone.
  • Marketing preferences: To opt out of email marketing, you can use the unsubscribe link found in the email communication you receive from us or you can use the “Contact Us” option on our website or let us know in writing, by email or by telephone.
  • Filing a complaint: If you are not satisfied with how the Company manages your personal data, you have the right to make a complaint to the Information Commissioner’s Office.

If you fail to provide personal data

Where we need to collect personal data by law or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel your contract with us but we will notify you if this is the case at the time.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please let us know by using the “Contact Us” option on our website or let us know in writing, by email or by telephone.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Third-party links

This website has links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

How to contact us

Please contact us with any requests related to your personal information.

We understand that you may have questions or concerns about this Policy or our privacy practices or may wish to file a complaint. Please feel free to contact us in one of the following ways:

Email:

dataofficer@chlsoftware.com

Address:

Attn: Data Officer
CHL Software
14 Royal Crescent
Lower Ground Floor
Cheltenham
GL50 3DA
UK

Telephone:

+44 (0) 1242 225230

We value your privacy

We use Cookies to make using our website easy and meaningful for you, and to better understand how it is used by our customers. By using our website, you are agreeing to our privacy policy.

I agree