Here we list all the steps we take to protect everyone’s data. At ProfileTree we take this very seriously.
1. ABOUT US
1.1. We are ProfileTree LLP, a limited liability partnership registered in Northern Ireland with registered number NC000806 and address, Innovation Factory Forthriver Business Park, 385 Springfield Road, Belfast, Northern Ireland, BT12 7DG (we, us, our).
1.2. We provide various websites as well as a number of social media channels, relating to digital marketing, education, food and travel.
• any reference herein to ProfileTree shall be a reference to all or any such websites and/or social media channels provided by us (but excluding any third party platforms or content). Our contact details will always be included on any such website or channel.
• Generally ProfileTree can be accessed free of charge, though we also provide a number of premium services, including digital marketing services, hosting services and subscriptions to premium content. Any reference to our Premium Services shall be a reference to these paid-for services; and
• any reference to Services shall be a reference to our Premium Services as well as the provision of ProfileTree.
2. WHO DO WE HOLD DATA ABOUT?
2.1. The nature of our Services means that we may obtain and use Personal Data (that is information relating to an individual who can be identified) which we collect about the following groups of individuals (Data Subjects):
(i) Users: that is anyone who visits or accesses ProfileTree;
(ii) Clients: that is any individual or business which enters into a contract with us to receive any Premium Service, including any individuals who we contact on behalf of our Client in connection with such services.
(iii) Prospective Clients: that is employees, directors or representatives of any businesses which are not yet Clients but which we believe may be interested in becoming Clients.
We will hold Personal Data about the above listed Data Subjects as a Controller. This means that we make decisions about what data we collect and how it should be used to best serve our purposes. The reason for this notice is so that each Data Subject is clear as to what data we collect about them, what we do with that data, how long we store it for and their rights in relation to that data.
2.2. To the extent that we provide hosting services, it is likely that we may also collect and store information belonging to our Clients and that this may include Personal Data relating to third parties (Managed Data). We process any such Managed Data as a Processor, which means that we only use it in accordance with our Clients’ instructions. Our terms of processing, which set out how we deal with Managed Data, will be set out in the agreement we enter into with our Client in respect of such services, and are not dealt with here.
3. ABOUT THIS NOTICE
3.1. Under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018, we are required to provide individuals about whom we hold data as a Controller with certain information about what we are doing with their data. This notice is intended to do just that. We’ve listed the individuals to whom this notice is addressed at paragraph 2.1 above.
3.2. This notice only deals with our use of Personal Data. If you click on any links to third party sites or products, you should check their privacy notices before disclosing any Personal Data to them.
3.3. We might need to change this privacy notice from time to time. We will publish our privacy notice on each ProfileTree site or channel and do our best to update you directly if we think the changes might affect you. Please do keep an eye on our notice before sending us any Personal Data.
3.4. If you have any questions about this notice feel free to send us an email to [email protected].
4. WHAT PERSONAL DATA DO WE COLLECT AND WHERE DO WE GET IT FROM?
4.1. We collect Personal Data relating to Users (User Data) in the following ways:
(i) Primarily we will obtain User Data from users directly if they set up an account to use ProfileTree (User Account) and if they create a public profile for ProfileTree (User Profile). This is likely to be limited to their name, their email address, the town or city in which they live and any user name and strap line they wish to include in their profile as well as the password they create. It may also include a photograph if the User so wishes.
(ii) We will also collect details of any posts uploaded by a User on to ProfileTree and any responses they receive from other Users.
(iii) We may also collect usage data in respect of a User’s use of ProfileTree. This could include location data (such as the region, town or city in which the User lives), information about what a User looked at and links clicked on, as well as IP addresses. We would do this to collect and collate aggregate data for our own business purposes.
(v) If a User contacts us directly with a support request or other issue, we may retain details of the request for our records and to make sure that the issue was properly resolved.
(vi) If a User clicks on a link on ProfileTree and consequently purchases any goods or services from a Client, we may receive information from our Client confirming that a sale was made. This is unlikely to include any Personal Data and where possible we would request that it doesn’t. Any such information would only be used to assess any payment due between us and our Client and for aggregate statistical purposes.
4.3 We may collect Personal Data relating to contacts within our Client (Client Data) in the following ways:
(i) Primarily we will obtain Client Data from our Clients when they instruct us who we should contact in connection with our Services. This is likely to include their name and business contact details as well as their role in our client’s business. We will also need to hold information about our Client which we need to set them up as a Client and avail of our rights and fulfil our obligations under any services agreement we enter into with them. This is likely to include our Clients’ financial data as well as details of any past transactions and payment history with us.
(ii) If our Client contacts us directly with a support request or other issue (whether by email, telephone or letter), we may retain details of the request for our records and to make sure that the issue was properly resolved.
(iii) If our Client signs up to receive our newsletter or receive marketing information from us, we may retain information about marketing preferences and any contact details our Client provides us with.
4.1 There are a number of ways we might collect Personal Data about contacts for prospective Clients (Prospective Client Data):
(i) If a business contacts us directly (whether by calling us up, sending us an email or if we meet a representative for a business somewhere in person) and the representative asks for information about our Services, we may retain information about that request, including their name, where they work and their business contact details.
(ii) Our marketing team may also carry out its own research using online sources to try to locate businesses and key contacts within those businesses who we think may be interested in hearing about our Services.
(iii) If a representative of a business signs up to receive our newsletter or receive marketing information from us, we may retain information about their marketing preferences and any contact details they provide us with.
5. SPECIAL CATEGORIES OF DATA AND CRIMINAL OFFENCE DATA
5.1 In the UK some types of Personal Data are afforded special status because they are considered to be more sensitive in nature and could potentially cause more harm to an individual if the data was misused.
• Special Categories of data include details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data; and
• Criminal Offence Data means data relating to an individual’s criminal record.
5.2 We do not anticipate that we will collect or store any data relating to our users, Clients or Prospective Clients of this nature,
6. HOW WE USE PERSONAL DATA AND OUR LAWFUL BASES FOR DOING SO
6.1 We may use User Data for the purposes set out in the table below.
Purpose: To enable you to use ProfileTree
Description: This includes enabling you to set up a publicly available User Profile; enabling you to post public reviews, read and respond to other reviews and comments and download resources (if agreed).
Lawful basis: It is necessary for the performance of our contract with you for the provision of our Services to you.

Purpose: For administration and dispute resolution purposes
Description: We may also need to process Personal Data about you to meet our internal administration requirements, as well as for matters such as dispute resolution.
Lawful basis: It is necessary to achieve our legitimate interest of protecting our rights as a business.

Purpose: To send marketing communications
Description: From time to time we might send you an email about events we are running or other products or services which we think might be of interest to you. We will always include an opt-out in any such emails.
Lawful basis: We will only send you marketing communications if you have expressly consented to it.

Purpose: To facilitate our online marketing strategy
Description: We may collect data about how you use ProfileTree and use that information to make decisions about the type of online advertising to show you when you use ProfileTree.
Lawful basis: It is necessary to achieve our legitimate interest of promoting our business.

Purpose: To calculate the commission payable by our Clients to us
Description: We may use the information that we receive from our Clients about any services you have purchased from them after clicking on a link on ProfileTree.
Lawful basis: This is unlikely to include any Personal Data, but if it does, such use would be limited solely and strictly to the extent necessary to achieve our legitimate interest of creating a robust revenue structure.

Purpose: To create aggregate data for analysis purposes
Description: We may collect aggregate data relating to your use of ProfileTree to analyse trends per region and split by other demographic. This data may be sold to third parties or used by us to help us improve our Services.
Lawful basis: Any such data shall not include data from which an individual can be identified.
6.3 We may use Client Data for the purposes set out in the table below.
Purpose: To provide our Clients with services
Description: This includes recording and retaining communications with our Clients about their requirements.
Lawful basis: Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract / necessary to achieve our legitimate interest of creating a robust revenue structure.

Purpose: Administration and Dispute Resolution
Description: We may also need to process Personal Data to meet our internal administration requirements, to facilitate payments, as well as for matters such as dispute resolution.
Lawful basis: It is necessary to achieve our legitimate interest of protecting our rights as a business.

Purpose: Marketing
Description: From time to time we might send you an email about products or services which we think might be of interest to you. We will always include an opt-out in any such emails.
Lawful basis: It is necessary to achieve our legitimate interest of promoting our business.
Prospective Client Data
6.4 We may use Prospective Client Data for the purposes set out in the table below.
Purpose: To provide you with information about our services
Description: If you have asked us to do so, we may use the details you give us to provide you with a quote for our services. We would usually do this by email.
Lawful basis: Consent

Purpose: Marketing
Description: We might use the contact details you have provided us with to send you emails about events we are running or information about our Services which we think might be of interest to you. We will always include an opt-out in any such emails.
Lawful basis: It is necessary to achieve our legitimate interest of promoting our business.
7. DISCLOSURE OF PERSONAL DATA
7.1 We may disclose any Personal Data that we hold to our employees as well as other third parties who we engage to help us provide our Services. For example, we use third parties to provide the following services:
• Email Provider
• Host Server provider
• Marketing Database Provider
• Project Management Software
Any such parties contracted by us will be acting as our Processors and will be subject to strict contractual requirements only to use Personal Data in accordance with our privacy notice. If you would like more information about third party processors used by us, please contact us at: [email protected].
7.2 We may also disclose Personal Data if:
7.2.2 to any buyer if we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use Personal Data in accordance with the provisions set out in this privacy notice.
7.3 The nature of ProfileTree means that any post published, and the User Profile of the user posting, will be publicly accessible. You should consider this before publishing a post and think carefully about what information you want to include and whether you want to include any Personal Data at all. You are not required to do so.
7.4 Although you may be able to link to third party sites via ProfileTree, save as set out in this paragraph 7, we will never transfer your data to a third party without your consent.
7.4 We may sell aggregate data which we have collected from our Users’ use of ProfileTree to third parties to help them assess their performance. None of the information sold will include any Personal Data.
8. WHAT SECURITY PROCEDURES DO YOU HAVE IN PLACE?
8.1 We are aware how important it is for us to keep the data we hold about Users and other parties secure and have implemented the following processes and procedures:
8.1.1 Our employees are required to hold any data which they handle on our behalf securely and confidentially and are contractually bound to do so.
8.1.2 We make sure that any data processors (such as Mailchimp and Amazon Web Services) we use have a strong reputation for data security and are contractually obliged to implement adequate security measures to safeguard the data held.
8.1.3 While we store the content you upload to your private account, the information is encrypted and not readily accessible either to us or our employees. We could access it, for example, in an emergency or if it was necessary to comply with a request from you or to defend or protect our legal rights.
9. WHERE DO YOU STORE THE PERSONAL DATA YOU COLLECT?
9.1 We currently have servers in the EU, the US and the UK. We will always strive to use the server which is based in the same location as our customer (or as near as possible).
9.2 In respect of Personal Data relating to Data Subjects based in the EU, we will only transfer Personal Data outside the EEA if:
• the territory has been deemed by the European Commission to implement adequate safeguards;
• appropriate measures (such as model contract clauses) have been put in place;
• the company has registered with an EU recognised framework such as the EU-US Privacy Shield;
• the transfer is necessary for the performance of the contract with the Data Subject in question – for example, if Users are based outside the EEA and it is necessary to contact them in connection with our Services to Users; or
• if we have obtained explicit consent from the Data Subject.
10. OUR RETENTION POLICIES
10.1 Our retention policies are as follows:
Description: That is data we collect about the transactions our Client carries out with us.
Retention policy: For the life of the Client contract + 7 years to ensure that we have sufficient records from an accounting and tax perspective

Type of data: Financial Data
Description: That is financial data relating to our Client
Retention policy: For the life of the client contract + 1 year in case of renewed contract and/or any payment issues outstanding after the contract is completed.

Type of data: User Account Data
Description: That is any data collected which is attributable to a User Account
Retention policy: Retained for so long as the User Account remains live, after which such data will be routinely deleted within 12 months.

Type of data: Marketing Lists
Description: That is any names and emails held and used as recipients for mail shots or other unsolicited marketing
Retention policy: Retained until opt out with update and rectification procedure carried out every 3 years

Type of data: Usage Data
Description: That is any data concerning how ProfileTree is used by its users.
Retention policy: Retained for no longer than 6 years from the date of creation.
11. RIGHTS OF DATA SUBJECTS
11.1 Data Subjects have the following rights against the Controller in respect of Personal Data held by the Controller which relates to them.
(a) Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used.
(b) Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
• the purposes of the processing;
• the categories of Personal Data concerned;
• the recipients to whom the Personal Data has/will be disclosed;
• for how long it will be stored; and
• if data wasn’t collected directly from you, information about the source.
(c) Right of rectification: the right to require the Controller to correct any Personal Data held about you which is inaccurate or incomplete.
(d) Right to be forgotten: in certain circumstances, the right to have the Personal Data held about you erased from the Controller’s records.
(e) Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to you. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.
(f) Right of portability: the right to have the Personal Data held by the Controller about you transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
(g) Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).
(h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on you. We do not carry out any automated decision-making process.
11.2 If you want to avail of any of these rights, you should contact us immediately at [email protected]. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.
11.3 We will acknowledge in writing any request we receive relating to your rights as a Data Subject, and we will let you know if we have complied with your request. If, having carried out an assessment, we believe we have an overriding reason for retaining the data, we will let you know why we have reached that conclusion.
12. WHAT HAPPENS IF YOU REQUEST US TO STOP PROCESSING PERSONAL DATA RELATING TO YOU?
12.1 You may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever. This may have an impact on the services you receive from us. For example:
12.2 If you ask us to stop processing Personal Data about you, you will no longer be able to access your user account since we will not be able to identify you.
12.3 If you ask us to stop processing Personal Data about you for direct marketing purposes, this will not impact on your ability to access your user account.
13. DETAILS FOR QUESTIONS OR COMPLAINTS ABOUT HOW WE PROCESS PERSONAL DATA RELATING TO YOU
13.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to [email protected]. If we are processing Personal Data about you on behalf of Users, we will need to pass your complaint to Users – we will only do so with your consent.
13.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.
Last updated: 21st January 2019.