We are Defaqto Limited (Company No 2870220 registered in England with our registered office at Financial Research Centre, Pegasus Way, Haddenham, Aylesbury, Buckinghamshire, HP17 8LJ, United Kingdom) and we refer to ourselves as "Defaqto", “we” or “us” or “our” in this document. We own and operate this “Website” on our own behalf, including as a portal to the certain Contracted Services offered by us.
Defaqto Limited is the data controller under the General Data Protection Regulation (‘GDPR’) and specific UK legislation incorporating the requirements of GDPR in relation to the processing of your personal data in connection with the Website and the Contracted Services. If you have any queries relating to our use of your personal data or any other related data protection questions, please contact our Compliance Officer via firstname.lastname@example.org
We will only keep your information for as long as we are either required to by law or as is relevant for the purposes for which it was collected. We maintain a data retention policy to meet our GDPR obligations in this respect.
Data that we collect
We may collect and use various information, including some or all of the following, relating to you or people you represent: the names; email addresses; postal codes; the Website or the Contracted Services usernames, passwords and preferences, use of our Website (for example, the pages viewed, the website from which you came to visit our Website), notes, thoughts, comments and opinions.
Use of the Website
We will never collect sensitive information about you without your explicit consent or unless you instruct us to use it. For example, in uploading material onto the Website, you may make data available to us, which may include sensitive data, and in uploading such data you provide your deemed consent to our collection of that data, and use for the purposes for which it was uploaded. That purpose may include access by a third party that you envisage gaining access to that data.
We may also collect information from third parties in order to verify any data that you have supplied to us.
We need information about you so that you can use the Website or the Contracted Services, including using tools and functionality, uploading material onto the Website and entering into discussions and interaction with other users of the Website.
We need your email address and other contact details, in particular, for sending you essential information relating to the Website. This includes (without limitation) the following:
- To allow you to go ahead and register for the Website or the Contracted Services. This includes sending an email to you to confirm your details, to give you initial information about the Website or the Contracted Services, and to enable you to commence using the Website or the Contracted Services.
- To give you a link to enable you to reset a password if you tell us or the Website that you have forgotten it.
- To send you information generally relevant to the Website or the Contracted Services. This may include informing you about developments or changes with the Website or the Contracted Services.
- In case we have any queries concerning any aspect of your use of the Website or the Contracted Services.
- To respond to you over any queries you raise with us.
We also need to use your contact details and other information for any aspect of the Website or the Contracted Services (including, but without limitation, providing customer support, preventing or investigating prohibited activity, enforcing the Terms and Conditions and verifying information). We also use your information to detect any fraud or Website or abuses and, where permitted by data protection and privacy law, we may also disclose information about you, or access your account:
- if required or permitted to do so by law; and/or
- if required to do so by any court, the Financial Conduct Authority, the Office of Fair Trading or any other applicable regulatory, compliance, Governmental or law enforcement agency; and/or
- if necessary in connection with legal proceedings or potential legal proceedings; and/or
- in connection with the sale or potential sale of all or part of our business or the company.
If we reasonably believe false or inaccurate information has been provided and fraud is suspected, details may be passed to fraud prevention agencies to prevent fraud and money laundering.
We may maintain your history (such as products viewed, guides read, and your general activity on the Website) for up to six years following that action.
You must only submit to us, or the Website, information which is accurate and not misleading, and you must keep it up-to-date and inform us of changes. By submitting data in respect of you and anyone else, you must ensure that you have full authority and consent to supply us with that data on their behalf and you warrant to us that you have that authority.
We will collect payment information from you (such as your payment card details) when you purchase particular services via the Website that require payment. We will collect such payments either through an online payment service provider, by telephone, webform or by email. Where payment is obtained using an online payment service provider, it is they rather than us who obtains your personal data regarding your payment details (such as your payment card). Where payment is obtained by telephone, webform or email, we will apply our “Card Not Present” processes and as such will retain documentary evidence of your approval for up to 18 months. (If you have any queries about the way your payment card or other payment data is stored, you should email us at email@example.com)
Other uses of your personal information
We may also use your personal information for other parts of the Website and services, for example to send you promotional or marketing information about us, promotions, events, our newsletters, anything relating to our business partners, or anything in which you show an interest.
Each email regarding such parts of Website will provide you with an opportunity to opt out of receiving further emails from us regarding these communications. Any changes to your communication preferences will be processed by us within two working days of our receipt of your instruction; however, you may still receive non-essential communications in the intervening time between your submission and when it is processed.
We may further anonymise data about users of the Website or the Contracted Services generally and use it for various purposes, including ascertaining the general location of our users and usage of publications (including feedback and annotations that users make about publications), and supplying that anonymised data to third parties such as publishers. However, that anonymised data will not be capable of identifying you personally.
Third parties and links
We may exchange information with third parties for the purposes of fraud protection and credit risk reduction.
We may transfer our databases containing your personal information if we sell our business or part of it.
We have in place appropriate technical and security measures to prevent unauthorised or unlawful access to, or accidental loss of or destruction or damage to, your information.
We store your personal details on a secure server. We use firewalls on our servers. If you send your payment card details through to the online payment service provider, we would require them to use encryption. Whilst we are unable to guarantee 100% security, this makes it hard for a hacker to decrypt your details.
We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.
You are responsible for protecting against unauthorised access to your password and to your computer.
We operate under the General Data Protection Regulation (‘GDPR’), effective from 25 May 2018 (which replaces the Data Protection Act 1998 from that date). In the UK, the requirements of GDPR have been incorporated into the Data Protection Act 2018.
The DPA and GDPR apply to ‘personal data’ we process and the data protection principles set out the main responsibilities we are responsible for.
We must ensure that personal data shall be:
a) processed lawfully, fairly and in a transparent manner;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and where necessary kept up to date;
e) kept for no longer than is necessary for the purposes for which the personal data are processed. We operate a data retention policy that ensures we meet this obligation.
We only retain personal data for the purposes for which it was collected and for a reasonable period thereafter where there is a legitimate business need or legal obligation to do so. For detail of our current retention policy contact our compliance officer at firstname.lastname@example.org
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We ensure lawful processing of personal data by obtaining consent; or where there is a contractual obligation to do so in providing appropriate products and services; or where processing the data is necessary for the purposes of our legitimate interests in providing appropriate products and services.
To meet our data protection obligations, we have established comprehensive and proportionate governance measures.
We ensure data protection compliance across the organisation through:
a) implementing appropriate technical and organisational measures including internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies.
b) maintaining relevant documentation on processing activities.
c) implementing measures that meet the principles of data protection by design and data protection by default including data minimisation, pseudonymisation, transparency, deploying the most up-to-date data security protocols and using data protection impact assessments across our organisation and in any third party arrangements.
Under GDPR you have the following specific rights in respect of the personal data we process:
1. The right to be informed about how we use personal data.
2. The right of access to the personal data we hold. In most cases this will be free of charge and must be provided within one month of receipt.
3. The right to rectification where data are inaccurate or incomplete. In such cases we shall make any amendments or additions within one month of your request.
4. The right to erasure of personal data, but only in very specific circumstances, typically where the personal data are no longer necessary in relation to the purpose for which it was originally collected or processed; or, in certain cases where we have relied on consent to process the data, when that consent is withdrawn and there is no other legitimate reason for continuing to process that data; or when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
5. The right to restrict processing, for example while we are reviewing the accuracy or completeness of data, or deciding on whether any request for erasure is valid. In such cases we shall continue to store the data, but not further process it until such time as we have resolved the issue.
6. The right to data portability which, subject to a number of qualifying conditions, allows individuals to obtain and reuse their personal data for their own purposes across different services.
7. The right to object in cases where processing is based on legitimate interests, where our requirement to process the data is overridden by the rights of the individual concerned; or for the purposes of direct marketing (including profiling); or for processing for purposes of scientific / historical research and statistics, unless this is for necessary for the performance of a public interest task.
8. Rights in relation to automated decision making and profiling.
Please contact our compliance officer at email@example.com for more information about the GDPR and your rights under data protection law or if you have a complaint about data protection at Defaqto.
Alternatively contact our supervisory authority for data protection compliance (www.ico.org.uk):
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)