This notice (together with our Conditions of Use and any other documents referred to on it) tells you what to expect when C4DI Ltd uses your personal data.
It does not provide exhaustive detail of all aspects of our collection and use of personal data, but we are happy to provide any additional information or explanation needed.
Any requests for this should be sent to firstname.lastname@example.org.
This privacy notice applies to information we collect about:
· visitors to our websites;
· visitors to our premises;
· online surveys including those on the C4DI website;
· people who use our online services e.g. who subscribe to our newsletter;
· people who register to attend, sponsor or host one of our events
· Members and prospective members;
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 25thMay 2018.
Who is C4DI Ltd?
C4DI Ltd (C4DI) is a private company limited by guarantee registered in England & Wales No 8441026 and our registered address is:
Wykeland House, 47 Queen Street, HULL. HU1 1UU.
C4DI provides infrastructure, support, a community and a co-working environment for growing technology businesses.
C4DI is committed to protecting and respecting your privacy and our use of personal data on this website is aimed at helping us achieve these aims.
C4DI Ltd has appointed an internal Privacy Officer who you can contact if you have any questions or concerns about our personal data policies or practices.
31-38 Queen Street,
The European Union’s General Data Protection Regulation provides you with certain rights. A good explanation of them (in English) is available on the website of our National Privacy Regulator, the Information Commissioner’s Office.
In the UK you have rights as an individual under the Data Protection Bill 2018 which you can exercise in relation to the information we hold about you.
You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
A right to information and access
You have the right to know whether C4DI Ltd is processing your personal data and to have access to the personal we may have about you.
You may also request information about: the purpose of the processing; the categories of personal data concerned; who we might have shared the data with; what the source of the information was (if you didn’t provide it directly to us); and how long it will be stored for.
Reasonable access to your personal data will be provided at no cost upon request made to C4DI Ltd at email@example.com .
To make sure we do not disclose your information to someone else, we may ask you to provide information to confirm your identity. This may include asking you to provide identification documents.
If access cannot be provided within 30 days, C4DI Ltd will provide you with a date when the information will be provided.
If for some reason access is denied, C4DI Ltd will provide an explanation as to why access has been denied.
A right to correct
You have a right to correct the information we hold about you if it is inaccurate. Where we need to investigate the accuracy of the data, you have the right to request we restrict our use of that data e.g. by temporarily removing your profile from our website ‘member bio’ area.
A right to erasure
You may request that we erase the data we hold about you; but this is not an absolute right and is subject to exceptions. Where we have a lawful reason to retain your data even when you request we delete it, you have the right to restrict our use of your data to that reason only.
A right to object to the use of your personal data for direct marketing
You can stop direct marketing communications from us at any time:
· Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails.
Note: We will retain a copy of that email address on our “master do not send” list in order to comply with your no-contact request.
· Contact us by any of the methods described in this notice or on our website
Please note that you may continue to receive communications for a short period while our systems are fully updated.
A right to not be subject to automated decision making
You have the right to object to a decision which has been made solely by automated reasons. Essentially, this right allows you to request that the decision is reviewed by a human. Please contact us if you require any more information on how this right may apply to you.
A right to data portability
When technically feasible, C4DI Ltd will—at your request—provide your personal data to you or transmit it directly to another controller in a commonly used, machine readable format e.g. csv.
A right to complain
You have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how we use your personal data.
In the UK this is the Information Commissioner’s Office – www.ico.org.uk/concerns.
The reasons we can lawfully use your data
We only use your personal data when we have a lawful basis to do so.
The General Data Protection Regulation sets out a number of these, but the ones we most commonly use are:
In many situations, we collect and use your personal data with your consent.
For example, when you sign up to receive our email newsletters.
Performance of a Contract
There are situations where we need to use your personal data in order to provide the service you have asked us for (or to allow others to do so on our behalf).
For example, if you sign up for a co-working membership with us we need to use your personal details to process your membership application and provide the services you ask us to. This could include passing your name, contact information and preferences to companies who provide services on our behalf such as car parking.
If the law requires us to, we may need to collect and process your data.
For example, we are obliged by law to share limited information about the people who pay for our services to HMRC if requested.
We may use your personal data to pursue our legitimate businesses interests in a way which might reasonably be expected as part of running our business as long as it does not materially impact your interests, rights and freedoms.
These legitimate business interests can include:
• enhancing, modifying, personalising or otherwise improving our services and communications for the benefit of our members and users.
For example, we may introduce a new service or benefit we reasonably believe would be of interest to those businesses who have expressed an interest in membership. This means you may hear from us highlighting that service or membership benefit as a reason for your business to join as a member.
• to understand how people interact with our websites
• to determine the effectiveness of our promoted roles and job alerts services.
This can also apply to uses which are in your interests and those of other users such as those which
• identify and prevent fraud
• enhance the security of our network and information systems
You have the right to object to our processing of your personal data for our Legitimate Interests at any time. Please contact us if you wish to do so.
When do we collect your personal data?
As C4DI provides services to business rather individuals, much of the information we collect in the usual course of our activities is related to your business or employer; but we may collect your personal data as part of this and/or:
• When you visit any of our websites.
• When you subscribe to receive our Newsletters and Events updates.
• When you register to attend, sponsor or host one of our events.
· When you join as a member.
· When you create a ‘member bio’ profile.
· When, as a member, you ask us to provide extra services.
· When you engage with us on social media.
· When you contact us by any means with queries, complaints etc.
· When you visit our premises to see a member and sign in as a guest.
· When you choose to complete any surveys we send you.
We will always ensure your personal data is appropriately protected whether you have provided it in connection with a business service or in your personal capacity.
What happens if you don’t give us your data?
You can enjoy our website without giving us your personal data.
However, some personal data is needed so we can supply you with the services and information you have purchased or requested.
What personal data do we collect, why and how do we use it?
We will make it clear when we collect personal data and will explain what we intend to do with it. e.g. when you register to receive our newsletters the form you use to sign up has a link to this Privacy Notice.
We collect information mainly about local businesses in order to facilitate the networking and introduction functions provided by C4DI. As part of this we may collect your personal data but it is always in connection with your professional capacity and interests.
Some examples of when we may collect and use your personal data are given in general terms below.
We collect your name, email and contact telephone numbers.
How we use it
We use this information to keep in touch with you and provide the services you have asked us to such as sending you our regular newsletter.
We may also use your contact information to send you survey and feedback requests to help improve our services. These messages will not include any promotional content and our legitimate interest to do this is to help make our products or services more relevant to you as an existing user.
We often gather information about your business and background which could include personal information such as your educational or professional history.
How we use it
We use this as part of our record of your company to better understand which of our services – or those of our members - may be of particular benefit to your business and to help plan our events and services to meet the needs of the wider business community. We do this in our mutual legitimate interest in creating and promoting an effective business community which promotes the growth of technology and related services.
We do not ask for personal card or bank information, but we may ask for financial information about you and your business if you ask for assistance with finding funding.
How we use it
We use this information mainly to understand the funding options available to you or your business and to tailor our recommendations to your needs.
Data about your preferences
The services you or your business are looking for, the areas of technology and software you are interested in, the types of funding and business support you are looking for.
How we use it
We use this information to provide infrastructure and support to you and your business in order to develop it and the tech community we aim to develop.
Your contacts with us
Details of your contact with us online, by email, telephone, the postal service or social media. Your contact details including social media username(s).
How we use it
To respond to your queriesand complaints. We need to use the information we hold about you to respond. We may also keep a record of your contacts with us to inform any future communication with you. We do this on the basis of our contractual obligations to youand our legitimate interests in providing you with a good level of service and understanding how we can improve our service based on your experience.
The data of children
We only collect the information we need to provide business support services to businesses and individuals over the age of 18.
We do not attempt to solicit or knowingly receive information from children under 16.
Technical Data that identifies you and how you use www.c4di.net
Your IP address, login information, browser type and version, session ID, time zone setting, browser plug-in types, geolocation information, operating system and version.
The pages you visit, the path you take through our site, page load times, errors you receive, how long you stay on our pages, what you do on those pages, how often, details of jobs viewed or applied for and any search terms you entered etc
How we use it
We use this information in our legitimate business interests such as improving and personalising our website and online services and to protect our business and the information we hold from fraud and other illegal activities.
Combining the data we hold about you
We want to give you the best possible service. One way to achieve that is to get the richest picture we can of who you are by combining the data we have about you.
We then use this picture to offer you information about other products and services that are most likely to interest you.
We do this as part of a legitimate interest in understanding our users and providing the highest levels of service as this allows us to tailor our promotions and to let you know about events and services which are likely to be of interest to you based on which services you have used in the past.
Visitors to our premises
Entering your information into our reception system as a visitor never leads to marketing and we use your information to manage your visit and create your visitor badge only.
When you visit the C4DI building you will be asked to complete an electronic registration by reception.
This will ask you for your name, email address and details of the person you are visiting. We use this information to monitor the security of the building and the safety of our employees and members including fire safety regulations.
Where reception is not manned at the time you register your arrival, the information you provide will be used to notify the company you are visiting that you have arrived.
Please be aware that if you have signed up with Gravitar using the email address you provide to us, our visitor system – Envoy – will pull through your profile information in order to create your visitor badge. This may lead to your profile photo being used on the visitor badge.
We do this in order to provide a simpler process to create your visitor card which is required for security purposes. Your profile information from Gravitar may then be stored in our visitor management system. We only use this to manage your visit(s) to C4DI premises.
Live and Web Events
C4DI hosts many events throughout the year. These include live events and live web conferences (collectively “events”).
Most of our events are managed using Eventbrite which asks you to provide your name, email address and company in order to register.
If you register for one of our events and you are a member, we will access the information in your member record to provide you with information and services associated with the event. If you are a non-member and you register for one of our events, we will collect your name and contact information, which we will store in our database(s) and use to provide you with information and services associated with the event.
If you are a presenter at one of our events, we will collect information about you including your name, employer and contact information, and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. We may also make and store a recording of your voice and likeness in certain instances.
We keep a record of your participation in C4DI events as an attendee, sponsor or presenter. This information may be used to help C4DI understand our Clients’ needs and interests to better tailor our products and services to meet your needs. e.g. by creating future events which are aimed at a specific group of members who have all attended similar events in the past.
C4DI provides an attendee list to sponsors and presenters of our events. We do this to help them understand the event attendees so they can tailor the event to the audience e.g. by making content more specific to a particular industry.
C4DI may also allow sponsors and presenters to send you material relating to the event by mail once per sponsored event, in which case C4DI engages a third-party mailing house and does not share your mailing address directly with the sponsor/exhibitor.
If you do not wish to have your information included in an attendee list or to receive information from sponsors, co-sponsors and/or exhibitors, you can express your preferences when you register for events or you may contact C4DI directly at firstname.lastname@example.org.
During an event we will ask you to confirm whether or not you would be happy for the event presenter to contact you with further information about the information presented.
With your permission we also use the email you registered with to ask you to complete a confidential survey to evaluate the event to help us understand how we can continue to provide events of the highest quality.
CCTV & Surveillance Systems
We have installed CCTV systems inside and on the outside of our building.
Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated.
The aim of the technology is to:
help ensure the safety of our staff, members and visitors
assist in the prevention and detection of crime
monitoring building security
You have the right to see CCTV images of yourself and be provided with a copy of the images.
We operate CCTV in accordance with the codes of practice issued by the Information Commissioner and the Home Office and will only disclose images and audio to authorised bodies in connection with the purposes stated above.
The use of your data for marketing purposes
With your consent, we will use your personal data, preferences and details of the events you have expressed an interest in or attended to keep you informed by email about relevant products and services such as co-operative working groups, future events and latest news about our activities or those of our members.
We may also use your contact information tosend you relevant, personalised communications by post in relation to services and products aimed at your business. We’ll do this on the basis of our legitimate business interest.
You can withdraw your consent or object to our using your contact details to market to your business in our legitimate interests at any time.
How we protect your personal data
We maintain physical, technical and administrative safeguards to protect your personal data.
We restrict access to your personal data to those employees who need that information to perform their role and help provide services to you.
Please contact us if you have any questions about the security measures we have in place.
How long will we keep your personal data?
We’ll only keep your personal data for as long as is necessary for the purpose for which it was collected and to comply with applicable law or resolve disputes. This means we set retention periods for all the personal data we collect.
When that retention period has passed, your data will either be completely deleted in a secure manner or anonymised e.g. by aggregation with other data in a non-identifiable way for statistical analysis and business planning purposes.
Some examples of customer data retention periods:
We keep the information you have provided through our front desk visitor system for up to 3 years after the end of our commercial relationship with the business you came to visit.
After three years we will delete your personal data i.e. your name and contact details - although we may retain some of the information about your visits to C4DI in an anonymised format to help plan our business e.g. to help monitor the growth in reception traffic and understand the times we experience the highest level of demand.
Membership Expressions of Interest
Where you have provided your personal details as part of an expression of interest in membership but not proceeded with an application we will retain your personal information for up to 3 years during which period we may contact you with membership developments we think may be of interest to you. We do this as part of our Legitimate Interest in promoting our services to businesses. After this period we will remove your personal information although we may retain information about your business and anonymised records of its interactions with C4DI.
As always, you have the right to opt out of our use of your personal data for our legitimate interests. Please contact us if you wish to do so.
If you register to attend one of our events and are not a member, the associated personal data will be kept for 3 years so we can keep a record of the events you registered for and those you attended. We do this so we can better understand the events the wider business community find of interest and improve the quality and appeal of the events programme we offer.
We do this as part of our Legitimate interest in planning future events and services. Again, you have the right to opt out of our use of your personal data for our legitimate interests. Please contact us if you wish to do so.
After this point we may retain details of your relationship with us in an anonymised format in order to inform our business planning and research.
Who do we share your personal data with?
We do not reveal your personal data to third-parties unless:
· you request or authorise it (e.g. when you apply for certain services as part of your membership);
· it’s in connection with C4DI Ltd -hosted and C4DI Ltd co-sponsored events as described earlier in this notice;
• the information is provided to comply with the law (for example, to comply with a court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;
• the information is provided to our sub-contractors, agents, vendors or service providers who perform functions on our behalf; or
• to address disputes, claims, or to persons demonstrating legal authority to act on your behalf.
Examples of the kind of third parties we work with
IT, software and SaaS companies who support our website and other business systems.
These include our CRM provider – Pipedrive – and Sleeknote who provides our web communications platform. Both of these companies are data processors for C4DI Ltd which means they only use your data in order to provide the technical services we ask them to.
Direct email platform companies such as Campaign Monitor who help us manage our electronic communications with you.
Sharing your data with third parties for their own purposes:
We will only do this in very specific circumstances, for example:
With your consent, given at the time you supply your personal data, we may pass that data to a third party for their direct marketing purposes.
The most likely scenario where this would occur would be when you ask us to put you into contact with one of our members in connection with their services or in order to explore commercial co-operation opportunities.
We may, from time to time, expand, reduce or sell C4DI Ltd and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.
Where your personal data may be processed
We always opt to have your data stored in the UK or EU where possible. This includes instances where a vendor offers a choice of storage locations but where the EU option is more expensive.
However, due to the global nature of the roles we source, we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).
C4DI Ltd transfers personal data outside the EEA only:
1. to countries where there is an adequacy decision in place i.e. the EU has formally determined that there is a sufficient level of protection in place under that nation’s data protection laws; or
2. where the recipient is certified under an internationally recognised privacy framework which helps to ensure your protection; or
3. with your consent; or
4. to perform a contract with you; or
5. to perform a contract with another in your interests; or
6. to fulfil a compelling legitimate interest of C4DI Ltd in a manner that does not outweigh your rights and freedoms.
Any transfer of your personal data will follow applicable laws and we will always treat your personal information in line with the principles of this Privacy Notice.
This includes measures such as imposing contractual obligations on the recipient with respect to how they treat your data.
If you would like more information about how we protect your rights and freedoms when transferring your data outside the EEA, please contact our Data Protection Officer.
Protecting your data transferred to the United States
Many online services are reliant on US providers and/or servers which means many companies need to transfer your data to the US to provide the services and/or online functionality many people expect.
The United States has neither sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Membership of the scheme is voluntary but, when choosing an infrastructure partner who transfers your data to the US, we select only those companies who are members of the EU-U.S. Privacy Shield
Along with the contractual and organisational measures we have in place, we believe this helps to ensure your rights and freedoms are protected as the Privacy Shield framework is recognised by the European Union (although this may be subject to challenge by the European Data Protection Board).
What to provide
We provide individuals with all the following privacy information:
☐ The name and contact details of our organisation.
☐ The name and contact details of our representative (if applicable).
☐ The contact details of our data protection officer (if applicable).
☐ The purposes of the processing.
☐ The lawful basis for the processing.
☐ The legitimate interests for the processing (if applicable).
☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
☐ The recipients or categories of recipients of the personal data.
☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).
☐ The retention periods for the personal data.
☐ The rights available to individuals in respect of the processing.
☐ The right to withdraw consent (if applicable).
☐ The right to lodge a complaint with a supervisory authority.
☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).
☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
☐ The details of the existence of automated decision-making, including profiling (if applicable).
When to provide it
☐ We provide individuals with privacy information at the time we collect their personal data from them.
If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
☐ within a reasonable of period of obtaining the personal data and no later than one month;
☐ if we plan to communicate with the individual, at the latest, when the first communication takes place; or
☐ if we plan to disclose the data to someone else, at the latest, when the data is disclosed.
How to provide it
We provide the information in a way that is:
☐ easily accessible; and
☐ uses clear and plain language.
Changes to the information
☐ We regularly review and, where necessary, update our privacy information.
☐ If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
Best practice – drafting the information
☐ We undertake an information audit to find out what personal data we hold and what we do with it.
☐ We put ourselves in the position of the people we’re collecting information about.
☐ We carry out user testing to evaluate how effective our privacy information is.
Best practice – delivering the information
When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:
☐a layered approach;
☐ just-in-time notices;
☐ icons; and
☐ mobile and smart device functionalities.