This unified Privacy and Data Policy also applies to projects such as Christian Venues. Last Update: July 5th 2018.
This policy aims to outline how we – freshSPRING Ltd – collect and process your data. We may collect your data through your use of this website, through communications you have with us, and through information that you provide to use when signing up for our services, requesting a quote or contracting us to undertake work.
We value your privacy and take our obligations seriously; we will undertake all reasonable measures to ensure that your data is stored safely, processed fairly and only used for its intended purpose. We are committed to being open and transparent about how we use your personal information, so if you do have any queries about this policy or how we collect and store data, please get in touch.
Personal data or personal information is defined as any information which can be used to identify an individual.
freshSPRING Ltd is defined as the data controller and holds responsibility for the storage and use of your personal data. freshSPRING Ltd may also be referred to as “we”, “us” or “our” in this policy document.
You are defined as the owner of your personal data. You may also be referred to as “client” in this policy document.
Legitimate business process is defined as the circumstance under which we have the right to store and process your data. For example, if you contract us to carry out work such as building a new website, we will need to add you as a contact in our project management system, generate an invoice for payment of a deposit, store or create access credentials to your website and/or hosting and so on – these are legitimate business processes as we must carry them out to undertake the work you have agreed.
Data Protection Contact
Name: Nick Gazard
Telephone: 020 7078 3954
Postal Address: freshSPRING, Unit 002, 25 Monson Road, London SE14 5FG
freshSPRING Ltd is registered as a data controller with the ICO, a regulatory body responsible for overseeing the storage and processing of personal data. Full registration details can be viewed at https://ico.org.uk/ESDWebPages/Entry/ZA337689.
Data We Collect
We collect personal data through your use of our website, through our provision of services and through communications you may have with us. This may be used for a variety of purposes including fulfilment or work, business development and marketing.
Data which we store regularly include:
- Identity and communication-based information including your name, address, E-Mail address, and telephone number
- Limited financial data including billing name and address and E-Mail addresses associated with payment services. Note: any payments are made with third-party providers; we do not store or process information such as credit card details
- Details of estimates/invoices for work which may include details of your organisation or business where relevant
- Transaction details for accounting purposes
- Analytics data including your IP address, location, browser, time zone and so on
- Marketing and communications data including contact details and opt-in/opt-out preferences
We do not knowingly collect any children’s personal data as our services are aimed exclusively at adults, nor do we collect or process any special category data.
Your data is obtained by us when you:
- Visit our website;
- Call, E-Mail or submit an enquiry through the contact form on our website;
- Subscribe to marketing, such as our newsletter;
- Request us to provide an estimate and/or design, development, training or marketing services;
- Provide us with feedback;
How We Use Your Data
We will only use your data for legitimate business interests, or to comply with legal or regulatory obligations. This may include, but is not limited to:
- Where you have contracted us to undertake work on your behalf
- Where you have consented for us to contact you, either in response to an enquiry via phone/E-Mail/form or via marketing
- Where we are required by law to provide information to legal or regulatory bodies such as HMRC or the ICO
You have certain rights under GDPR which we have outlined under ‘Your Legal Rights & Our Responsibilities’ that further your rights to privacy and control over your personal data, as well as our rights to fair processing.
The purposes for which we typically use your data are outlined below:
|Activity||Data Stored/Processed||Legitimate basis for processing|
|Register you as a client||Identity and contact details||Creation of accounts within our financial, project management and cloud storage systems for the purposes of undertaking work you have contracted us to do|
|Client relationship management||Identity and contact details, marketing and communication preferences||Notifying you of policy changes, ensuring satisfaction with the services we have provided, providing targeted information based on services you may be interested in|
|Business development||Analytics and website usage statistics||Analysis of our website usage to determine how it can be improved to better-serve visitors based on their browsing and behaviours. Note: we do not use personally identifiable information when using analytics data; we only use aggregate data – for example the % of visitors that view a given page or the average length of time spent on our website|
|Administration||Identity and contact details, financial/transactional details||For the processing of estimates and invoices, debt-recovering, fulfilment of legal and accounting obligations|
|Marketing||Identity and contact details||Newsletters and/or promotional materials sent to subscribers who have given explicit consent to receive marketing communication|
Security of Data
We have numerous methods in place to safeguard your data and ensure that your privacy is maintained. Secure passwords are required for all services used to store and process your data, with any machines or devices used to access these stored in secure locations when not in use. Staff and third-party contractors have access to personal data only for the provision of services which you have agreed to. Backup services are used routinely to ensure that your data remains protected and safeguarded against loss or accidental deletion.
In the unlikely event of a data breach or loss of data, we will inform you as soon as it has been identified or as is practicable. In addition, we may also inform regulatory bodies of the data breach, as well as legal professionals or insurers as required in order to protect the business.
Your personal data is stored only for as long as is required to fulfil its intended purpose. The length of time will vary depending on the nature of the data stored, and the purpose for which it was collected. Typical examples from our day-to-day business include:
- Contact details for marketing will be kept until such time you opt-out of receiving communication
- Account credentials such as PayPal or Stripe login details provided to us for the purposes of setting up an eCommerce store will be deleted as soon as the setup has been done and verified as working
- Contact details for clients will be kept for the purposes of providing ongoing support
- Financial records/transaction details will be kept for six years in line with HMRC reporting requirements
- You have the right to request the deletion of your personal data; please see the section titled ‘Your Legal Rights & Our Responsibilities’ for more information.
In some cases, consent will be implied – for example in the case you contact us requesting an estimate for work, we will assume by your submission that you consent to us contacting you with regards to that estimate. Likewise once you have entered in to a contract with us, we will assume that you are happy for us to be in touch with you regularly regarding the project.
We will always seek express consent before contacting you with marketing materials, and you are free to opt-out of these at any point. All marketing E-Mails contain a clear ‘Unsubscribe’ link which will remove you from our mailing list immediately. Alternatively you may request to opt-out via other communication channels; however these are not automated and the action of removing you from our mailing list will not be immediate.
You can disable cookies through your web browser; however please note that some aspects of the website may not function, or may function incorrectly as a result of doing this.
If you have accepted cookies but later change your mind, you can clear the stored cookies through your browser settings and preferences.
International Data Transfers
We may share your personal data with selected third-parties as outlined below purely for business purposes and service provision. Our preference is UK/EU-based providers but in some cases, this data may be transferred outside of the European Economic Area (EEA) – however, we ensure that your data remains subject to the same high level of protection afforded here by only using trusted services which provide their own rigorous data protection policies.
Your Legal Rights & Our Responsibilities
You own your data, and you have the right to know how we use it and with whom we share it. Specifically, you can:
- Make a data subject access request in which we will send you a copy of the data we store about you
- Request that data that we store about you is corrected should we incorrect or outdated information on file
- Request that you are ‘forgotten’, requiring us to delete personal information that we store about you
- Object to processing of your personal data, requiring us to cease the use of your data
- Request the transfer of data which we store about you to a nominated third-party
- Withdraw or amend the consent you have given us previously for us to use your personal data at any time
If a data subject access request is made, then we will attempt to respond to it in a timely manner, usually within one month of receiving the request in writing. In unusual circumstances, or if the data requested proves difficult to obtain, this time may be extended. We will advise you if this is the case. We may also require further information from you to identify the data that you are requesting, and to verify that the request is genuine.
There is usually no fee for a data subject access request. However, we may exercise our right to charge a reasonable fee if your request is unfounded, repetitive or excessive. In these circumstances, we may alternatively exercise our right to refuse to comply with your request.
In the event that you request us to delete or cease processing your personal data, please note that there are circumstances under which we may not be able to comply with your request. Specific examples may include, but are not limited to, the deletion of financial transaction records which we are required by law to retain for six years by HMRC.
In some circumstances, we may share your data with third parties. These may include:
- External IT service providers we use for conducting day-to-day business
- Professionals including solicitors, book-keepers, accountants or insurers for the seeking of legal advice, finance and accounting purposes or claim handling
- Regulatory bodies such as HM Revenue & Customers or the ICO to meet our legal reporting obligations
We regularly share data with the following:
|Service Provider||Service||Data Processed & Purpose||Safeguards in Place|
|Cloud-based storage, Website Analytics & E-Mail||Client-provided content, names and project details may be stored within documents for internal use-only from time to time for the purposes of completing projects and project management.|
Visitor information including IP address, browser, country of origin, pages visited, duration of visit and so on may be tracked via Google Analytics. This may be used for business development purposes to improve our website to meet identified needs of visitors.
Contact details, client-provided content, project details, passwords/access credentials may be present in E-Mails between clients and between members of the organisation and third-party contractors for the purposes of completing projects.
|A single freshSPRING Google Account is used to manage all services used. Access is limited strictly to those who need to know.|
Information stored is limited only to what is required to carry out contracted work.
Strong passwords are required for the accessing of any Google Accounts. These are changed on a regular basis and in any circumstance where a staff member or contactor may cease to work for/with freshSPRING.
E-Mails containing particularly sensitive information – such as access credentials or business/organisation-critical information – are deleted once the purpose for receiving this information has been fulfilled.
|Dropbox||Cloud storage & Backup||Client-provided content, shared materials for collaborative use on projects and backups of website files/databases for backup, archive or transfer purposes.||Access is limited to only those who require it for the purposes of project completion, project management or day-to-day running of the business.|
Data is only synced to machines which are password-protected and stored in secure locations.
Backups and client-provided data are removed once their requirement has been fulfilled, or we are no longer working on behalf of that client.
|Quickbooks||Invoicing & Accounting||Client-provided names, addresses and financial contacts for the purpose of sending estimates, quotes, invoices and tracking the payment status. Internal reporting and -upon request- to help a client with their book-keeping.||Access is limited to only those who require the details for the purpose of keeping financial records. This includes external bookkeeping and accounting professionals but they are not able to access any other data.|
Data is also connected with the project management and customer relationship management systems to help with project delivery and milestones.
|TeamWave||Project Management & Client Relations||Client contact details including name, address, E-Mail and telephone numbers are stored and used for communication whilst work is undertaken on their behalf.||Access is limited to only those who require it for the purpose of project completion and day-to-day running of the business including quote creation, project management and invoicing.|
|GoCardless||Direct Debits||Client contact details including name, address, email and bank account details are stored to enable direct debit as a payment method.||No-one within freshSPRING has access to the bank account details, they are solely used for payment update services and payment plans. Payment information is also synchronised with Quickbooks.|
|Vonage||Phoneline and Voicemail||Client phone numbers and voicemails (and hence their contents) are stored for the purposes of responding to queries, support requests and general enquiries.||Access is limited to only those providing support to freshSPRING clients.|
|MailChimp||Contact Management & Marketing||Client contact details including name and E-Mail are stored, alongside other details which may include where they signed up from and a consent statement where express consent was granted to send E-Mail communication.|
Aggregated data may also be stored alongside E-Mail campaign data for business development purposes, such as seeing the proportion of E-Mails opened or the number of clicks on a link within an E-Mail.
If clients have granted us management access to their account, we will also be able to see the data they have provided to MailChimp, their customer lists, their campaigns and so on. We will only use access to provide contracted training, services – such as developing a campaign – or support.
|Access is limited to only those who need it for the day-to-day running of the business, or those providing support to freshSPRING clients.|
Access to client accounts is limited to the duration with which we are contracted to provide services. We ask clients to revoke our access in the event we cease to work with them.
E-Mail communication is only sent to users who have provided explicit consent for us to contact them.
|Tortilla Media Ltd||Hosting Partner||Client data may be shared including contact details and support tickets for the provision of website hosting, or the resolution of issues in conjunction with our web hosting partner.|
Access to a client’s control panel may be granted to for the purposes of undertaking contracted work or providing support at the explicit request of a client.
|Access to a client’s control panel is strictly limited to those requiring access to carry out work.|