Privacy Policy
SECTION 1
1. Introduction and navigating this Policy
2. Information about the Supplier and controller
3. Scope of the Policy
4. Changes to the Policy
SECTION 2
5. Types of personal data collected
6. How the personal data is collected
7. Failure to provide personal data
8. Aggregated data
SECTION 3
9. How the Supplier uses personal data
SECTION 4
10. Disclosures of personal data
SECTION 5
11. International transfers of personal data
SECTION 6
12. Security measures (how the Supplier protects your personal data)
SECTION 7
13. Retention of personal data
SECTION 8
14. Your legal rights
SECTION 1
1. Introduction and navigating this Policy
1.1 This document (Policy) describes your controller, Tactful Ltd’s (Supplier), commitment to protecting your privacy whilst using the product known as Omni Engage (or its successor) components and any other software product(s) expressly specified in the Order Form (Product).
1.2 In particular:
| SECTION 1 | Introduces the Policy; sets out information about the Supplier and the Supplier’s Group; and describes the scope of the Policy. |
| SECTION 2 | Describes: 1. the types of personal data that the Supplier collects; and 2. how the Supplier collects that personal data. |
| SECTION 3 | Describes how the Supplier uses the personal data that it collects. |
| SECTION 4 | Describes or lists the disclosures of personal data that may be made by the Supplier to third parties. |
| SECTION 5 | Describes the arrangements that have been put in place by the Supplier with respect to international transfers of personal data. |
| SECTION 6 | Describes the technical and organisational security measures that have been adopted by the Supplier to protect your personal data from and against unauthorised and unlawful processing, accidental loss, destruction, disclosure, damage or alteration. |
| SECTION 7 | Sets out the Supplier’s personal data retention policy. |
| SECTION 8 | Describes your legal rights in connection with the Supplier’s collection and processing of your personal data. |
2. Information about the Supplier and controller
| Supplier |
The Supplier is a Private Limited Company that is incorporated under the laws of England with registration number 10279888. |
| Address | The Supplier’s registered address is: Stirling House Business Centre, Cambridge Innovation Park, Waterbeach, Cambridge CB25 9QE, United Kingdom. |
| Data Protection Authority | The Supplier is registered with the UK Information Commissioner’s Office under number ZA277573. |
| Contact | If you have any questions about this Policy or the Supplier’s privacy practices, then you can contact the Supplier via email at privacy@tactful.ai. |
3. Scope of the Policy
This Policy applies to all personal data collected, accessed, or otherwise processed by the Supplier in connection with your use of the Product.
4. Changes to the Policy
4.1 The Supplier may change this Policy from time to time and any such updates will be notified to you: (a) through the Product; or (b) by e-mail.
4.2 This Policy was last updated on: 28 June 2023
SECTION 2
5. Types of personal data collected
Personal data, or personal information, means any information identifying or relating to a data subject (individual) that the Supplier can identify (directly or indirectly) from that data alone or in combination with other identifiers that the Supplier possesses or can reasonably possess. The Supplier may collect, use, store, and transfer various personal data of yours and categorises this data by type as follows:
| Contact Data | Such as name, personal identification number, e-mail address, and telephone number. |
| Correspondence Data | Such as records of correspondence including survey responses. |
| Anti-fraud Data | Such as, to the extent required, information relating to financial situation, creditworthiness or any criminal or fraudulent activities provided to the Supplier directly or by third parties, including information which establishes identity, such as driving licences, passports and utility bills; information about transactions, credit ratings from credit reference agencies; fraud, offences, suspicious transactions, politically exposed person and sanctions lists. |
| Payment Data | Such as card or other payment data used to process payments to the Supplier. |
| Technical Data | Such as IP address, login data, and usage data. |
| User Credentials | Such as usernames and passwords. |
| Usage Data | Such as details of your usage of the Product. |
| Marketing and Communications Data | Such as your marketing preferences. |
6. How the personal data is collected
The Supplier may collect your personal data as follows:
| Third parties | Directly from third parties |
| Cookies | through the deployment of cookies as described in the Supplier’s “Cookie Policy” available on the Supplier’s website (tactful.ai). |
| Interactions | directly through interactions with you including: 1. registration and onboarding to the Product 2. use of the Product (including via Tactful systems) 3. following requests for marketing to be sent to you 4. correspondences to the Supplier’s contact addresses and telephone numbers 5. information disclosed by customers’ custom systems. |
| Social media | through social media apps (Facebook, WhatsApp, and others) and third-party email providers. |
| Public sources | through other publicly available sources |
| Analytics providers | through third party analytics providers. |
7. Failure to provide personal data
Where the Supplier needs to collect or process personal data by law, or under the terms of a contract that it has with (or in connection with) you, and you fail to provide that data when requested, the Supplier may not be able to perform the relevant contract.
8. Aggregated data
8.1 The Supplier collects, uses, and shares aggregated data (such as statistical or demographic data) for purposes connected to the monitoring and development of the Product (Aggregated Data).
8.2 Aggregated Data could be derived from your personal data but is not considered to be personal data in law because this data does not directly or indirectly reveal your identity.
8.3 For example, the Supplier may aggregate your Usage Data collected to calculate the percentage of users accessing a specific Product feature.
8.4 If the Supplier combines or connects Aggregated Data with your personal data (so that you can be directly or indirectly identified) then the Supplier will treat the combined data as personal data which can only be used in accordance with this Policy.
SECTION 3
9. How the Supplier uses personal data
9.1 The Supplier may use the personal data collected as described in Section 2 for the limited purposes set out in this Section 3.
9.2 In most cases, personal data will be used:
9.2.1 to the extent necessary to perform a contract that the Supplier has with you;
9.2.2 to the extent necessary for the Supplier’s Legitimate Interests (or those of a third party) and provided that your interests and fundamental rights are not overriding; or
9.2.3 where the Supplier needs to comply with a legal obligation.
9.3 The Supplier has listed its legal basis for processing the personal data in Table A below and, in each case, has carefully considered the purpose of the processing, the necessity of the processing, and has balanced the same against your interests.
9.4 In most cases, the Supplier considers the Supplier’s Legitimate Interests to be conducting its business in a way that gives you the best service/product and the best and most secure experience.
9.5 You can contact the Supplier for additional information concerning how it assesses the Supplier’s Legitimate Interests against potential impacts on you.
Table A (Legal bases for processing)
| Purpose/Activity | Type of Data | Lawful Basis for Processing (inc. Basis of Legitimate Interest) |
|
Registration
|
|
Lawful basis for processing:
|
Communication
|
|
Lawful basis for processing:
|
| Payment To process and deliver the order for the Supplier’s services including:
|
|
Lawful basis for processing:
Basis of the Supplier’s Legitimate Interests:
|
|
Fraud prevention |
|
Lawful basis for processing:
Basis of the Supplier’s Legitimate Interests:
|
| Operation of the Product To deliver the Product (including generating and managing login credentials, troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data services) |
|
Lawful basis for processing:
|
| Analysis of user requirements The Supplier may analyse personal data in order to better understand:
|
|
Lawful basis for processing:
|
| Marketing The Supplier also uses personal data to provide you with updates and offers where you have chosen to receive these. |
|
Lawful basis for processing:
|
| Content delivery To ensure that content, including from our Product, is presented in the most effective manner for you and for your device, which may include passing your data to business partners, suppliers and/or service providers. |
|
Lawful basis for processing:
|
SECTION 4
10. Disclosures of personal data
The Supplier may share personal data with third parties as follows:
| Third party | Purpose |
| Members of the Supplier’s Group | In connection with the administration of the Supplier’s Group. |
| Service providers | In connection with the hosting of our Product, advertising and marketing. |
| Professional advisors | In connection with the provision of consulting, legal, banking, audit, insurance, and accounting services. |
| HM Revenue & Customs | In connection with the reporting of processing activities in certain circumstances. |
| Potential purchasers | In connection with the sale of the Supplier or its business (or any part of it, including the Product). |
SECTION 5
11. International transfers of personal data
11.1 Personal data may be accessed by staff or third parties in, transferred to, or stored at, a destination outside the UK or the European Economic Area (EEA), including the United States of America.
11.2 The Supplier will, in all circumstances, safeguard personal data as set out in this Policy.
11.3 In certain circumstances, complying with paragraph 11.2 will require the Supplier to ensure that appropriate safeguards have been put in place which meet the requirements of the UK or EU General Data Protection Regulation, for example, using the UK International Data Transfer Agreement (IDTA) or the EU Commission’s Standard Contractual Clauses for transfers of personal data outside the UK or EEA, together with any supplementary measures.
11.4 You may contact the Supplier for further information on the specific mechanism used to transfer personal data outside of the UK or EE
SECTION 6
12. Security measures (how the Supplier protects your personal data)
12.1 The Supplier has put in place appropriate security measures designed to prevent personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
12.2 In addition, the Supplier limits access to personal data to those employees, agents, contractors, and other third parties who have a business need to process the personal data.
12.3 The Supplier’s representatives will only process personal data on the Supplier’s instructions and are subject to a duty of confidentiality.
12.4 The Supplier has put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where it is legally required to do so.
However:
12.5 No data transmission over the Internet can be guaranteed to be secure from intrusion but the Supplier maintains commercially reasonable physical, electronic, and procedural safeguards to protect personal data in accordance with data protection laws.
12.6 All data and information provided to the Supplier is stored and accessed and used subject to our security policies and standards.
12.7 Where the Supplier has given you (or where you have chosen) a password which enables you to access the Product or certain parts of the Product, you are responsible for keeping this password confidential and for complying with any other security procedures notified to you by the Supplier from time to time.
12.8 The Supplier’s commitments with respect to the Product are as described in the End User Licence Agreement located on the Supplier’s website.
SECTION 7
13. Retention of personal data
13.1 The Supplier’s data retention periods in respect of personal data are based on the business needs of the Supplier and its legal obligations (including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements).
13.2 The Supplier retains personal data only for so long as is necessary for the processing purpose(s) for which the information was collected (see Section 3), and any other permissible related purpose.
13.3 The Supplier may retain personal data for a longer period than described in paragraph 13.2 in the event of a complaint or if it reasonably believes there is a prospect of litigation.
13.4 To determine the appropriate retention period for personal data, the Supplier considers:
13.4.2 the potential risk of harm from unauthorised use or disclosure of the personal data;
13.4.3 the purposes for which it processes the personal data (and whether the Supplier can achieve those purposes through other means); and
13.4.4 the applicable legal, regulatory, tax, accounting, or other requirements.
13.5.2 securely destroys or puts beyond use the data.
SECTION 8
14. Your legal rights
14.1 If you have any questions in relation to the Supplier’s use of your personal data, you should first contact the Supplier using the contact details set out in Section 1.
14.2 Under certain conditions, you have the following rights:
| Right | Description |
| Request Access | The right to require the Supplier to provide a copy of the personal data it holds about you. |
| Request Correction | The right to require the Supplier to update any inaccuracies in the personal data it holds about you. |
| Request Erasure | The right to request the deletion of personal data that the Supplier no longer has the right to lawfully use. |
| Object to Processing | The right to object to any processing based on the Supplier’s Legitimate Interests except where the Supplier can demonstrate that is has compelling legitimate grounds to process your information which override your rights and freedoms. |
| Request Restriction of Processing |
The right to request that the Supplier’s processing of personal data is suspended in the following scenarios: 1. To establish the accuracy of the data. |
| Request Transfer | The right to request the transfer of personal data in a structured, commonly used, machine-readable format to an applicable third party in certain circumstances. This right only applies to automated information which you initially provided consent to the Supplier to use or where the Supplier used the information to perform a contract with you. |
| Withdraw Consent | Where processing is based on consent, the right to withdraw consent at any time so that the Supplier stops that particular processing activity. |
14.3 The exercise of the rights set out above is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and the Supplier’s interests (e.g., the maintenance of legal privilege).
14.5 If you withdraw your consent to processing, the Supplier may not be able to provide certain products or services to you.
14.6 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, the Supplier may charge a reasonable fee if a request is clearly unfounded, repetitive, or excessive. Alternatively, the Supplier could refuse to comply with the request in these circumstances.
14.7 If you are not satisfied with the Supplier’s use of your personal data or the Supplier’s response to any exercise of the rights described in this Section then you have the right to complain to the UK ICO or the competent supervisory authority in your country of residence.
14.8 The contact details for the UK Information Commissioner’s Office are available at https://ico.org.uk/about-the-ico/who-we-are/.