# Privacy Policy

## Table of contents

[[toc]]

## Introduction

Your privacy is important. As such, we follow certain [principles](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/) of data processing, to safeguard your personal data. We also comply with the GDPR, which is the European law on data processing. The GDPR requires high standards of data protection.

This privacy policy explains your rights regarding data about you. A lot of that information is general information. This policy also explains how and why we process your personal data, for example when you browse our websites.

## Who are we?

We, Iainteractive Ltd., are a data controller. That means we decide how some of your personal data is processed. We do not have a representative. We have not appointed a data protection officer. That is OK because you can contact us directly with any enquiries. See the section on exercising your rights.

## What are your rights?

You have many rights, which is good.
You have the right to:

* be [informed](https://ico.org.uk/your-data-matters/your-right-to-be-informed-if-your-personal-data-is-being-used/), which this document tries to do
* [access](https://ico.org.uk/your-data-matters/your-right-of-access/) copies of your data
* [correct](https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/) incorrect data
* ask for [the deletion](https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/) of data about you
* [limit](https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data/) the handling of your data
* [transfer your data](https://ico.org.uk/your-data-matters/your-right-to-data-portability/) to another organization
* [object](https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/) to the use of your data
* information and oversight, if your data is [automatically processed](https://ico.org.uk/your-data-matters/your-rights-relating-to-decisions-being-made-about-you-without-human-involvement/) by computer software

## How to exercise your rights

You should contact us with your request. Ideally, send an email to [gdpr2019@iainteractive.com](mailto:gdpr2019@iainteractive.com). Explain who you are, to allow us to find your data, and also what your request is.

If we suspect that you are not who you say you are, we will ask you to confirm your identity. Doing this protects the privacy of your data from imposters. Once we have verified your identity, we will promptly delete this extra information on your identity.

We will try to be helpful when responding to your request, including responding as soon as reasonably possible. Also, we want our response to be understandable by you. Please ask for a clarification if you do not understand parts of our reply.

We like to reply to your requests electronically, for example by email. This is cheaper and faster than responding by postal mail.

Your request and our response are almost always free of cost.
Very rarely, we will tell you that we will not answer your request. If so, we will tell you why, and remind you of your right to complain. Or, rarely, we might ask you to pay a reasonable fee. Again, these exceptions are rare. These exceptions might happen if you unfairly, and repeatedly, bombard us with very similar requests.

## Why do we want to process your data? What legal basis do you have?

We process different pieces of information for different reasons. We always have a good reason for this processing.

Note that sometimes we may require your consent for this processing, and [sometimes we do not](https://ico.org.uk/your-data-matters/does-an-organisation-need-my-consent/). You can withdraw your consent at any time. If you withdraw your consent, it will not cause legal problems. In particular, our past processing of your data which had your consent does not suddenly become illegal.

Now we will look at the main scenarios where we process your data. If we want to process data under different scenarios, we will tell you then.

### Accessing our websites

When you access our website, we immediately need to process your **IP address**, and the data about the **web page** you are requesting, such as the address of the page. This information is provided from your web browser, directly to us or our partners. See below for more information about our partners.

Your browser providing this information is not a legal or contractual requirement. However, without this information, it is technologically infeasible to serve our website to you. As such, it is in our **legitimate interests** to process this information.

In common with industry practice, we may temporarily keep said IP addresses and webpage addresses in **access logs**. These logs will also contain the corresponding date and time. Moreover, such logs tend to contain **user agent** information about your web browser or computer.
Access logs are useful for diagnosing and debugging issues with our services, and for detecting security threats against our services. Hence it is in our **legitimate interests** to have logs.

Logs we directly control will be kept for, at most, a week. Our partners may have different retention policies. See below for those. Their retention policies will always be appropriately justified.

We use carefully selected **recipient** partners to manage and host our website for us. These partners may vary from time to time. Regardless, these partners will always be technologically competent and must comply with high standards for protecting personal data. Currently we like to use:

* [Cloudflare](https://www.cloudflare.com/). They are headquartered in the United States. Cloudflare are [certified](https://www.cloudflare.com/privacypolicy/) under the [Privacy Shield](https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-data-transfers_en#eu-us-privacy-shield) framework. This ensures your data is legally protected to a high standard.
* [Netlify](https://www.cloudflare.com/). They are headquartered in the United States. We have an [agreement](https://www.netlify.com/gdpr/) with Netlify. This agreement uses [standard terms](https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en), which ensures your data is legally protected to a high standard.
* Our founder. They reside in the European Union. When they (a person) provide services for us (the company), they agree to protect personal data to a very high standard, in very similar ways to this company. Namely, regarding your data, they will keep to the same timetables for deleting your data, and will only use partner **recipients** that we use directly.
* Prospect One, trading as [jsdelivr](https://www.jsdelivr.com/). They are based in the European Union.
As such they also have a [strong privacy policy](https://www.jsdelivr.com/privacy-policy-jsdelivr-net).

Note that Cloudflare keep access logs for at most a week. Netlify keep access logs for 30 days. Jsdelivr generally keep access logs for short periods of time. Sometimes jsdelivr keep the logs for longer, when justified and required for improving security or functionality. For more details, read the respective company's privacy practices and agreements. We linked to those documents previously.

### Contacting us

There are multiple private ways to contact us. You can contact us by post, through our website, by email, and by telephone.

When you do this, you tend to tell us personal data. For example, you might tell us your **name** or account name. You might tell us your postal or email **address**, or your phone might tell us your **phone number**. Also, of course, you will tell us the **contents of your letter or email**.

Now, you would not normally be legally or contractually required to give us this information. Of course, if you do not, then it might be physically impossible for you to contact us, or we might be unable to help or respond because we cannot identify you.

If you contact us, we will generally by default keep the information for up to two years. This also applies to a response we send to you. Remember you have a right to deletion, if you would like this period of time to be shorter.

It is in our **legitimate interests** to keep these records by default. In particular, these records fulfil a business need. They allow us to respond to your enquiries more effectively, by taking into account related past enquiries and our responses.

We do not automatically record phone calls. However, if you leave an answer phone message, the message is by default kept automatically for up to a month. This is for the **legitimate** purpose of listening to, and acting upon, the message.
We use various **recipient** partners for sending, receiving, and storing our mail. These may vary from time to time, similarly to our web hosting partners. Currently we like to use:

* Netlify, who allow you to email us using a form on our website. For more information on Netlify, see the section on Accessing our websites.
* [Runbox](https://www.runbox.com), for handling our email. This includes when you contact us on our website. Runbox [care strongly about privacy](https://info.runbox.com/why-runbox/privacy-protection/).
* [UK Postbox](https://www.ukpostbox.com/); [PC2Paper](https://www.pc2paper.co.uk/); and Registered Office (UK), trading as [The Edinburgh Office](https://theedinburghoffice.com/). These companies are all based in the United Kingdom, and hence respect privacy.

We also use **recipient** partners to provide telephone services. Again, these may vary from time to time. Currently we like to use:

* [TTNC](https://www.ttnc.co.uk/). They have a strong [privacy policy](https://www.ttnc.co.uk/about-us/privacy-policy). However, note that for billing and legal purposes they are required to keep call records. This can include your **telephone number**.

### Legal and contractual reasons

We have said previously that when we process your data, we do this with good reason, and only for a limited time. This limited time is generally shorter. However, sometimes for legal or contractual reasons, that limited time has to be much longer.

#### Tax reasons

For **tax** and accounting purposes, we might be legally obliged to keep information such as **receipts** or **invoices** for a long time. This is often required by law, or by the tax authorities, to be six or seven years.

#### Contractual reasons

Another scenario is that we enter into a **contract** with you. For example, you might buy a product or service from us. To be able to manage the performance of the **contract**, we would **legitimately** need to know key information.
For example, we might need to know **who you are**, and we would need to know **what** we agreed, and **when** that agreement happened. We would usually need to retain that information for the length of the contract, certainly during any cooling off period.

#### Legal disputes and legal reasons

Even after the end of a contract, it is good practice for us to keep some of the contract information. This is because if you or we have a problem with the performance of the contract, it may be possible to seek damages for a long time after the contract ends. For example in Scotland, debt tends to be statute barred after five years. As such we may keep contract information for up to this long after the end of the contract.

We realise that this is potentially a very long time period. Because of this, we want to mitigate the impact. For example, after two years we might simply delete the information, if we think the contractual risk is low. Or if the information is kept, we aim to archive the information separately, probably using strong encryption.

Regardless, there is a small possibility that there is an active dispute, ongoing at the end of that retention period. In this case, we would need to keep the information for the lifetime of the dispute.

In fact, generally, we might need to process data in unforeseen ways, if and when required by law. Generally we will require a legal court order, or similar. Occasionally, we might voluntarily hand over information to law enforcement. This would be if we legitimately believe we can help prevent or investigate evil.

### Direct marketing

First, we will **never** sell your information to **third parties** for marketing to you.

We do not currently have an email newsletter. Nor do we have other forms of direct marketing.

#### Possible future email newsletter

In the future we might introduce an email newsletter. If you were to sign up, we would require your **email address**.
You would not be under a legal or contractual obligation to give us this information, but without it we cannot sign you up, because we cannot address the newsletters to you. You could also optionally tell us your **name**, also for us addressing the email to you.

You signing up for any newsletter would be entirely opt-in, with your **consent**. Remember, you have a right to withdraw consent at any time.

We might also check **deliverability** of our emails. That is, we would check whether our emails are received or read by you. This is a common industry practice. Checking this would be in our **legitimate interests**. It allows us to automatically unsubscribe inactive users. Us doing this is helpful, because it reduces the number of unwanted emails. In other words, this is good practice, and the opposite of what spammers do.

We would also inform you about the **recipient** partners we would use, to help us deliver the newsletters to you. As you would hope, these partners would be reputable, and would protect your data.

## If you are unhappy

If you are unhappy, you have the right to complain. Usually it is easiest to contact us one more time, to solve your problem. Hopefully that helps. Otherwise, you can [contact a supervisory authority such as the ICO](https://ico.org.uk/make-a-complaint/your-personal-information-concerns/). You can even take us to court, though we hope that is not necessary.