IntroductionOn 25 May 2018, a new regulation called The General Data Protection Regulation (GDPR) came into force and applies to all UK businesses.The regulation requires businesses to document how we manage client data in a simple and easy-to-understand format. This document details how Demo Face Limited manages your data.

Legitimate Interest and Contractual Obligations

To offer our services we have to collect key bits of data about you. This data can be used to personally identify individuals and either carry a legitimate interest (a legitimate reason as to why we need it) or a contractual obligation (an agreed reason why we need it).

An example of a legitimate reason: you have contacted Demo Face Limited so we, therefore, have a legitimate interest (reason) to store your data so that we can contact you back.

An example of a contractual obligation: we are supporting the product sales process within your company, to do this we need to be able to recognise individuals in your business that need to have access to our Envoke App platform, and the authorisation to keep, manage and secure this data would be laid out in a contract.


Your name and email address

We need to know this information to be able to identify you, communicate with you, provide access to the Envoke App and to securely manage the data we hold about you. This data is also used to identify you when offering our support and assistance services. An example would be when you report a problem with accessing the Envoke App – we need to be able to identify your account to help you.

Information automatically collected

We automatically collect certain information when you visit, use or navigate the App. This information may include device and usage information, such as your IP address, browser and device characteristics, operating system, referring URLs, device name, country, location, information about how and when you use our Services and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies.

The information we collect includes:
  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings, and information about your activity in the Services (such as the date/ time stamps associated with your usage, pages and files viewed, searches and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called ‘crash dumps’) and hardware settings).

  • Device Data. We collect device data such as information about your computer, phone, tablet, or other devices you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.


You have the right to be informed about how we use your data, as laid out in this document. You have the right to update your personal data as follows:

  • To keep this data up to date you need to contact us.

  • To ask us to delete your personal data – however, there may be circumstances where we are legally entitled to retain it.

  • To get a free copy of your personal data through a Subject Access Request (covered later in this policy).

  • You can object to the processing of your data and have it restricted. There are circumstances in where we are legally entitled to refuse this request.

The security of your data

We use a number of services to manage and maintain the data we control and process. These services are vetted to make sure they abide by the highest level of security. In addition where possible we implement our own additional access controls and security procedures.

We also contract with Kimbley IT to manage our IT security; they are a certified Google Cloud Partner and are also Cyber Essentials Certified.


Google Cloud – Google Workspace

We use Google Workspace to manage our email, calendars, documents, and files in Google Drive.
We keep data for 36 months then it is auto-deleted.
You can read more about Google GDPR here.

Google Cloud Platform

We use Google’s built-in industry-standard security to store and process your data. Your data is backed up daily in line with Google’s security policy.


We use SendGrid to distribute transactional emails (new user accounts, password reset, etc) and occasional update emails on the changes to the platform. Users can opt out from update emails at any time.You can read more about SendGrid’s GDPR compliance here.


Xero is our accounting software and is used for invoicing, bank reconciliations, and other similar accountancy functions.

Our accountants, Towers and Gornall, have access to this system and process data for the purposes of bookkeeping and annual accounts.

Data stored in Xero is kept for six years from the date it was created. This is a regulatory requirement under the VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21.

You can read more about Xero’s GDPR compliance here.

Third Party Processors

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

“Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information. Our appointed data processors include:

Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can me emailed at:”

Subject Access Request

It is really important that you can request to find out what personally identifiable data a business holds about you.

You can email to make a SAR request. You will need to supply identification before we can proceed with the SAR, this is to make sure that you are the real owner of the data you are requesting. We will then collect the data we hold about you and release it to you within 30 days of your request and suitable identification being produced.

Your first SAR request is free of charge, however, any subsequent requests which fall within a close period of your first request will be chargeable.

Supporting global teams to do more by giving them access to virtual demos.


Our team has experience across a full range of devices and is trusted by the world’s largest life sciences and biotech companies.

Copyright © 2024. Envoke. All rights reserved.