Privacy Notice

Introduction

We have created this Privacy Policy to illustrate our strong commitment to privacy, compliance with the UK GDPR (General Data Protection Regulation) and to demonstrate the policies and practices that we have implemented to protect your personal data. We operate an Information Security Management System certified to ISO 27001 which is recognised by the Information Commissioners Office (ICO) as a tool for meeting the security requirements of UK GDPR. 

By visiting our website, you are accepting and consenting to the practices described in this policy. 

Personal Data We May Collect 

We will collect the following information: 

  • Contact Form – The information collected includes your name and email address. 

This data is voluntary information and allows us to prepare as much relevant information as possible, prior to contacting you, so we can respond to your enquiry as accurately and efficiently as possible. 

  • Cookies – When you visit our website, we will also collect data which allows us to recognise you, your preferences and how you use this website. This saves you from re-entering information when you return to the site. This data is collected by cookies from your navigation around the site. Further information on cookies can be found below. 
  • Your IP address – (this is your computer’s individual identification number) which is automatically logged by our web server. This is used to note your interest in our website and your location (e.g. county/city) for our website analytics. 

 

Why We Collect Your Personal Data 

  • For contractual reasons – to carry out our obligations arising from any contracts entered into between ourselves and our clients and to provide you the information that is requested from us. 
  • For consensual reasons – we only keep your personal data if, after sending you this Privacy Policy, you have agreed to us keeping and using your personal data. On the majority of occasions, we will have kept your personal data to provide you with other useful information similar to your initial enquiry.
    Please note: If you supply us with your business card, for example at a trade show or business event, this is implied consent that you wish our business to contact you. You can withdraw this consent at any time (see the ‘Your Rights’ section below). 
  • To notify you about changes to our service – our services and practices may change over the course of us having your personal data. If you have consented, we will use your email address to inform you of any changes we believe will affect you or the service you receive from us. 
  • We do not purchase data from third parties such as databases of email addresses and phone numbers for the purposes of marketing. 
  • We receive personal data from the information you provide us via the completion of our online contact form on our website or correspondence via the phone, email, social media or post. 

 

 

How Long Do We Keep Your Personal Data  

We do not keep personal data for longer than is necessary for the purpose we obtained it for. In practice this means: 

  • If you apply for a job at our business but your application is unsuccessful, we will permanently delete your personal data from all our systems and devices after 6 months. 
  • If you are an employee of our business who then leaves the employment of our business, we permanently delete your details and the details of your next of kin from all our systems and devices immediately upon your contract of employment with us ending. 
  • If you filled out a form on our website or enquired about our application, but the end result was that you did not subscribe, we will permanently delete your personal data from all our systems and devices after 12 months. 

 

You are welcome to make a request for us to delete your personal data at any time (see the section titled ‘Your Rights’ below). 

 

How We Keep Your Personal Data Safe 

Unfortunately, the transmission of information via the internet is not completely secure. However, we take the following steps to ensure the tightest security in line with the requirements of ISO 27001: 

  • All information you provide to us is stored on our secure servers. 
  • Only the necessary personnel have access to your personal data, to minimise risk. 
  • We use strong, randomly generated passwords, which are changed regularly. We also use multi-factors authentication, where a user requires multiple pieces of information to access personal data we hold. These steps help to keep your personal data that we hold in Cloud-based services that include: 
  • Monday.com – CRM system 
  • WordPress – website host 
  • OneDrive – data folders, as secure as possible. 

 

 

Cookies 

This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. 

We suggest consulting the Help section of your browser or looking at the About Cookies website which offers guidance for all modern browsers. 

 

Data Breaches 

In the unfortunate and rare event of a data breach that poses a risk to you, we will inform the Information Commissioner’s Office (ICO) and yourself without due delay and, where feasible, within 72 hours of the breach to comply with the UK GDPR. This will give you an opportunity to try and take steps to protect your position, for example, enable you to change passwords and inform your banks that you may be at risk of identity fraud. 

 

We are exempt from informing you and the ICO of any data breaches if: 

  • Appropriate technical and organisational procedural measures were applied after a data breach. 
  • Subsequent measures were taken to ensure that the high risk no longer exists. 
  • The effort to make such a notification would be disproportionate to the risk posed by the breach. This applies when the number of people affected by the data breach is so vast that notifying people on an individual basis within the required 72-hour period is not feasible. For example, if millions of people are affected by the data breach, then a press release would be put in the media in place of individual notification to quickly inform everybody affected. This would then be followed up with notifications informing individuals affected but would not have to be within the 72-hour period. Our business would cooperate and work with the ICO in the majority of cases where the data breach is large-scale. 

 

Sharing Your Personal Information 

  • Our website, or any subsequent email correspondence, may contain links to other sites. We do not share personal information with those sites and are not responsible for their privacy practices. 
  • We use third parties to process our own business information and we also provide contact information to third parties for the purposes of entering into and fulfilling business contracts. We maintain a list of third parties, which varies according to the nature of the solutions and services, and we will disclose on request the identities of third parties to whom personal information has been provided. We also comply with our obligations under the UK GDPR with regard to the use of sub-processors. 
  • We do not transfer data outside of the UK. 

 

 

 

Your Rights 

Under the UK GDPR you have the right to: 

  • be informed about the collection and use of your personal data. 
  • have access to personal data about you. 
  • have data about you deleted. 
  • have information about you corrected. 
  • object or restrict the Processing of data about you. 
  • data portability to allow you obtain and reuse your personal data for your own purposes, across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This enables you to take advantage of applications and services that can use this data to find a better deal for you. 
  • rights related to automated individual decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about you). You can request human intervention or challenge the decisions of automated decision making and profiling. 

 

Due to our business’ compliance with UK GDPR we ensure: 

  • Once we have verified your identity, we respond to and resolve all Subject Access Requests we receive from you regarding your personal data within the 30-day time limit of you making the request as outlined under the UK GDPR. 
  • We also do not charge you any fees for making a Subject Access Request or for us resolving your Request. 
  • We send you the information you need to resolve your Subject Access Request in the format that you made the request in. For example, if you emailed us to make your Subject Access Request, we will email the required information to you.  
  • We always justify why we cannot comply with your Subject Access Request. For example, if you are enquiring about personal information, we had about you but have since deleted due to our 12-month data retention period (see above) we will inform you of this. 

 

If Subject Access Requests made are deemed to be excessive or unfounded, we reserve the right granted to us under UK GDPR to: 

  • refuse to provide you with the information, always justifying in writing the reasons behind our refusal. 
  • charge a reasonable admin fee and again, always justifying in writing the reason for any fees. 
  • If your Subject Access Request is particularly complex, for example, we have to go through a large sum of data to access the information necessary to resolve your Subject Access Request, we will write to you within the first 30 days of you making the Subject Access Request and inform you why it will take us longer to comply with your request. Under the UK GDPR, if we follow these steps, we will have a further 2 months to comply with your Subject Access Request. 

Erasing the Personal Data We Have About You 

  • We will erase any personal data we have about you when you withdraw your consent to us having that data (which you can do at any time), where having the data is no longer necessary and where we can find no legitimate interest for Processing the data any longer. 
  • If at any time you wish to withdraw consent, for us or any company associated with us please send a request to the following e-mail address: info@chime-it.com 

 

Reserving the rights granted to us under the UK GDPR and demonstrating our compliance, we will only refuse to erase your data if: 

  • we need your personal data in order to comply with legal obligations. 
  • we require your personal data for the establishment, exercise or defence of legal claims. 
  • your personal data is necessary for us to perform a public interest task or exercise official authority. 
  • we need your personal data for public health reasons. 
  • we require your personal data for archival, research or statistical purposes. 
  • your personal data is necessary for us to exercise our right to freedom of expression or information. 

In the majority of cases, we will be able to delete the personal data we hold about you if you request us to do so. Where we cannot, we will always provide you with justification in writing as to why we cannot comply with your request. 

Links to other websites 

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question. 

.

FOR GENERAL INQUIRIES: