1.1. We are committed to safeguarding the privacy of our website visitors. In this policy, “we”, “us” and “our” refers to Decision Focus UK Limited, Decision Focus ApS and Decision Focus MidCo ApS. For more information about us, see below.
1.2. For the purpose of the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and relevant data protection legislation in other jurisdictions (whereby defined terminology like data controller and data processor are interpreted as their equivalent concepts in that other legislation), where we act as a data controller, the data controllers are Decision Focus UK Limited and Decision Focus ApS, Denmark and Decision Focus MidCo ApS, Denmark, whichever is your company’s contractual counterparty. Where we act as a data processor, the data processor is either Decision Focus UK Limited, or Decision Focus ApS, whichever is your company’s contractual counterparty.
2. How we use your personal data
2.1. In this Section 2 we have set out:
- when we act as a data controller (section 2.2) and when we act as a data processor (section 2.3);
- the general categories of personal data that we process in each case;
- the purposes for which we process such personal data in each case; and
- the legal bases of the processing in each case.
2.2. We act as a data controller with respect to data received from you as a website visitor (in other words, we determine the purposes and means of processing such personal data). We collect and process the following types of personal data from you in the course of your use of https://www.decisionfocus.com/ (our website):
- information contained in any enquiry submitted to us including your name, email address, contact details, and any additional information you submit when asking about our services (“enquiry data”). The enquiry data may be processed for the purposes of offering, marketing and selling relevant services to you. The legal basis for this processing is our legitimate interests, namely the proper administration of our website and business.
- information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters (“notification data”). The notification data is processed for the purposes of sending you the relevant notifications and/or newsletters and making suggestions and recommendations about our own or similar products and/or services that may be of interest to you. The legal basis for this processing is our legitimate interests, namely communications with our website visitors to develop and grow our business.
- information contained in or relating to any communication that you send to us (“communication data”). The communication data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms. The communication data is processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely communications with our website visitors and the proper administration of our website and business.
- information you provide to us including your name, email address, contact details, residential address, your CV and any other additional information (“recruitment data”). The recruitment data is processed for the purposes of processing your application if you apply for a job with us. The legal basis for this processing is our legitimate interests, namely to grow our business.
2.3. We act as a data processor on behalf of our clients who are the data controller and to whom we are providing our services via our platform, and their staff are our service users. In other words, the client determines the purposes and means for the processing of service users’ personal data. We process:
- personal details of clients’ staff including name, email address and contact details to provide you with our services. The legal basis for this processing is for the performance of our contract with the client.
- Personal data provided when you use the Intercom chat function. The legal basis for this processing is the performance of our contract with the client.
2.4. Please note that we may collect and process your personal data without your knowledge or consent in compliance with the above policy where this is required or permitted by law.
3. Change of purpose
3.1 We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
3.2 If we need to use your personal data for an unrelated purpose, we will notify you (or ask for your consent, as applicable) and we will explain the legal basis which allows us to do so.
In addition to the above uses we may use your information, to notify you about our own or similar products and/or services which may be of interest to you. Where we do this, we will contact you by electronic means (e-mail) only if you have consented to such communication. If you do not want us to use your data in this way, please either unsubscribe using the process set out in the relevant communication or inform us at any time by contacting us at the contact details set out below.
5. Providing your personal data to third parties
5.1 Where you are a service user, we routinely disclose your personal data to:
- any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) for the purposes, and on the legal bases, set out in the contract between us and the client.
- our third party service providers for the purposes of storing your data on the cloud servers of our hosting services providers and in data centres, our chat services on our platform, in order to contact you via our email API service providers, and any other service enhancement purchased by the client, as set out in the contract between us and the client.
Where you are a service user or a website visitor, we may disclose your personal data:
- in the event that we sell or buy any business or assets, to the prospective seller or buyer of such business or assets; or
- if we or substantially all of our assets are acquired by a third party, to the prospective seller or buyer of our assets in which case personal data held by us about our clients will be one of the transferred assets; or
- to protect our rights, property, or safety or that of our affiliated entities and our users and any third party we interact with to provide our website; or
- where such disclosure is necessary for compliance with a legal obligation to which we are subject; or
- where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
5.2 Other than as set out above and save insofar as is necessary in order for us to carry out our obligations arising from any contracts entered into between you and us, we will not share your personal data with third parties unless we have procured your express consent to do so.
6. Retaining and deleting personal data
6.1 This Section 6 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
6.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.3 We will retain your personal data as follows:
- usage data will be retained for a minimum period of 1 year following the date of collection, and for a maximum period of 6 years following that date unless you become a service user in which case your company’s DPA will apply;
- enquiry data will be retained for a minimum period of 1 year following the date of the enquiry, and for a maximum period of 3 years following that date unless you become a service user in which case your company’s DPA will apply;
- notification data will be retained for a minimum period of 1 year following the date that we are instructed to cease sending the notifications, and for a maximum period of 3 years following that date;
- communication data will be retained in order to keep a record of it and follow up with you as well as to keep in touch with you as part of our network; and
- recruitment data will be retained for a period of 1 year from the date of your application unless your application continues to be of interest, or you are employed by us in which case we will continue to hold your data as part of your employment record.
in each case provided that we will retain your data insofar as necessary to fulfil any request you make to actively suppress notifications and communication.
6.4 Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject.
7. Security of personal data
7.1 We will take appropriate technical and organisational precautions to secure your personal data and to prevent your personal data from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
7.2 We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
7.3 We will store all your personal data on secure servers.
7.4 The following personal data will be stored by us in encrypted form: your name, email address, and contact information.
7.5 Data relating to your enquiries that are sent from your web browser to our web server, or from our web server to your web browser, will be protected using encryption technology.
7.6 You acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
8. Updating information
8.1 Please let us know if the personal information that we hold about you needs to be corrected or updated by emailing us at firstname.lastname@example.org.
8.2 We will endeavour to update your personal data as soon as possible and within 14 working days of any new or updated personal data being provided to us, in order to ensure that the personal data we hold about you is as accurate and as up to date as possible.
9. Where we store your personal data
9.1 All information we hold about you is stored on secure AWS servers located in the UK, EEA and the USA.
9.2 The data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom and/or the European Economic Area ("EEA"). It may also be processed by staff operating outside the United Kingdom and/or EEA who work for us or for one of our suppliers. Such staff maybe engaged in the provision of services.
9.3 In the event we transfer your personal data to a country without an adequacy decision from the United Kingdom, any such transfer will be subject to standard contractual clauses approved by the United Kingdom’s Information Commissioner’s Office and/or the EU Commission and any other appropriate safeguards which may be applicable to such transfers.
9.4 If you would like further information, please contact us at email@example.com.
10. Your rights
10.1 In this Section 10, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
10.2 Your principal rights under data protection law are:
- the right to access – you can ask for copies of your personal data in a structures, commonly used and machine-readable format;
- the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data;
- the right to erasure – you can ask us to erase your personal data in certain situations;
- the right to restrict processing – you can ask us to restrict the processing of your personal data in certain circumstances;
- the right to object to processing – you can object to the processing of your personal data (a) for purposes of direct marketing; (b) where decisions are being taken by automated means which produce legal effects concerning you or similarly significantly affecting you; and (c) in certain other situations where we are continuing to process your personal data;
- the right to data portability – you can ask that we transfer your personal data to another organisation or to you in certain situations;
- the right to complain to a supervisory authority – you can complain about our processing of your personal data and claim compensation for damages caused by our breach of any data protection laws; and
- the right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in certain circumstances.
10.3 You may exercise any of your rights in relation to your personal data by emailing firstname.lastname@example.org and provide us with proof of your identity (e.g. copy of your passport or driving license and a recent utility or credit card bill) and let us know the information to which your request relates.
10.4 For further information on each of the rights above, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
11. Acting as a data processor
Insofar as we act as a data processor rather than a data controller our legal obligations as a data processor are set out in the contract between us and the relevant data controller.
12. About cookies
12.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
12.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
12.3 Cookies do not typically contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
13. Cookies that we use
13.2 We use the following cookies for the following purposes:
- Strictly necessary cookies - these are cookies that are required for the operation of our website;
- Targeting cookies - these cookies record your visit to our website, the pages you have visited and the links you have followed to our affiliates’ websites. We will use this information to make our website, offers e-mailed to you and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
14. Managing cookies
14.1 Necessary, analytical and functionality cookies used on our website are set by HubSpot. Details of the various cookies and how long they last can be found here. Please note that we have no control over these cookies, but you are able to control them via the banner you see when you enter the website.
14.2 Cookies which are strictly necessary for the core functionality of our website are enabled by default and set automatically at the point you access our website.
14.3 Any cookies which are not strictly necessary for the functioning of our website will not be set unless you expressly consent to them through the cookie banner by clicking “accept”.
14.4 You may block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.
15.1 We may update this policy from time to time by publishing a new version on our website.
15.2 Any changes we may make to this policy in the future will be notified and made available to you using our website. You should check this page to ensure you are happy with any changes to this policy. Your continued use of the services and our website shall be deemed your acceptance of the varied policy.
16. Our details
16.1 This website is owned and operated by Decision Focus ApS.
16.2 You can contact us:
- using our website contact form; or
- by email, using email@example.com.
16.3 Details for Decision Focus ApS, Denmark are:
- registered office address: Bregnerødvej 144, 3460 Birkerød
- company registration number: DK 27 98 45 84
17. How to complain
17.1 We hope that we can resolve any query or concern you raise about our use of your information
17.2 The General Data Protection Regulation and the UK GDPR also give you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state or the UK where you work, normally live or where any alleged infringement of data protection laws occurred.
17.3 The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/make-a-complaint/ or telephone: 0303 123 1113.
17.4 The supervisory authority in Denmark is the Danish Data Protection Agency who may be contacted at https://www.datatilsynet.dk/english or telephone: 33 19 32 00.
18. Data protection registration
18.1 We are registered as a data controller with the UK Information Commissioner’s Office.
18.2 Our data protection registration number is ZA457933.