On 25 May 2018, a new regulation called The General Data Protection Regulation (GDPR) came into force and applies to all UK businesses.
The regulation requires businesses to document how we manage client data in a simple and easy-to-understand format. This document details how Demo Face Limited manages your data.
Legitimate Interest and Contractual Obligations
To offer our services we have to collect key bits of data about you. This data can be used to personally identify individuals and either carry a legitimate interest (a legitimate reason as to why we need it) or a contractual obligation (an agreed reason why we need it).
An example of a legitimate reason: you have contacted Demo Face Limited so we, therefore, have a legitimate interest (reason) to store your data so that we can contact you back.
An example of a contractual obligation: we are supporting the product sales process within your company. To do this, we need to be able to recognise individuals in your business that need to have access to our Envoke App platform, and the authorisation to keep, manage and secure this data would be laid out in a contract.
Your name and email address
We need to know this information to be able to identify you, communicate with you, provide access to the Envoke App and to securely manage the data we hold about you. This data is also used to identify you when offering our support and assistance services. An example would be when you report a problem with accessing the Envoke App – we need to be able to identify your account to help you.
Information automatically collected
We automatically collect certain information when you visit, use or navigate the App. This information may include device and usage information, such as your IP address, browser and device characteristics, operating system, referring URLs, device name, country, location, information about how and when you use our Services and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.
Like many businesses, we also collect information through cookies and similar technologies.
The information we collect includes:
You have the right to be informed about how we use your data, as laid out in this document. You have the right to update your personal data as follows:
The security of your data
We use a number of services to manage and maintain the data we control and process. These services are vetted to make sure they abide by the highest level of security. In addition, where possible, we implement our own additional access controls and security procedures.
We also contract with Kimbley IT to manage our IT security; they are a certified Google Cloud Partner and are also Cyber Essentials Certified.
Google Cloud – Google Workspace
We use Google Workspace to manage our email, calendars, documents, and files in Google Drive.
We keep data for 36 months then it is auto-deleted.
You can read more about Google GDPR here.
Google Cloud Platform
We use Google’s built-in industry-standard security to store and process your data. Your data is backed up daily in line with Google’s security policy.
We use SendGrid to distribute transactional emails (new user accounts, password reset, etc) and occasional update emails on the changes to the platform. Users can opt out from update emails at any time.
You can read more about SendGrid’s GDPR compliance here.
Xero is our accounting software and is used for invoicing, bank reconciliations, and other similar accountancy functions.
Our accountants, Towers and Gornall, have access to this system and process data for the purposes of bookkeeping and annual accounts.
Data stored in Xero is kept for six years from the date it was created. This is a regulatory requirement under the VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21.
You can read more about Xero’s GDPR compliance here.
Third Party Processors
Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
Digital Marketing Service Providers
We periodically appoint digital marketing agents to conduct marketing activity on our behalf. Such activity may result in the compliant processing of personal information. Our appointed data processors include:
Subject Access Request
It is really important that you can request to find out what personally identifiable data a business holds about you.
You can email [email protected] to make a SAR request. You will need to supply identification before we can proceed with the SAR; this is to make sure that you are the real owner of the data you are requesting. We will then collect the data we hold about you and release it to you within 30 days of your request and suitable identification being produced.
Your first SAR request is free of charge; however, any subsequent requests which fall within a close period of your first request will be chargeable.