Privacy Policy
SECTION 1
1. Introduction and navigating this Policy
1.1 This document (Policy) describes your controller, Tactful Ltd’s (Supplier), commitment to protecting your privacy whilst using the product known as Tactful Engage (or its successor) components and any other software product(s) expressly specified in the Order Form (Product).
1.2 In particular:
SECTION 1
Introduces the Policy; sets out information about the Supplier and the Supplier’s Group; and describes the scope of the Policy.
SECTION 2
Describes:
1. the types of personal data that the Supplier collects; and
2. how the Supplier collects that personal data.
SECTION 3
Describes how the Supplier uses the personal data that it collects.
SECTION 4
Describes or lists the disclosures of personal data that may be made by the Supplier to third parties.
SECTION 5
Describes the arrangements that have been put in place by the Supplier with respect to international transfers of personal data.
SECTION 6
Describes the technical and organisational security measures that have been adopted by the Supplier to protect your personal data from and against unauthorised and unlawful processing, accidental loss, destruction, disclosure, damage or alteration.
SECTION 7
Sets out the Supplier’s personal data retention policy.
SECTION 8
Describes your legal rights in connection with the Supplier’s collection and processing of your personal data.
2. Information about the Supplier and controller
Supplier
The Supplier is a Private Limited Company that is incorporated under the laws of England with registration number 10279888.
Address
The Supplier’s registered address is: Stirling House Business Centre, Cambridge Innovation Park, Waterbeach, Cambridge CB25 9QE, United Kingdom.
Data Protection Authority
The Supplier is registered with the UK Information Commissioner’s Office under number ZA277573.
Contact
If you have any questions about this Policy or the Supplier’s privacy practices, then you can contact the Supplier via email at privacy@tactful.ai.
3. Scope of the Policy
This Policy applies to all personal data collected, accessed, or otherwise processed by the Supplier in connection with your use of the Product.
4. Changes to the Policy
4.1 The Supplier may change this Policy from time to time and any such updates will be notified to you: (a) through the Product; or (b) by e-mail.
4.2 This Policy was last updated on: 28 June 2023
SECTION 2
5. Types of personal data collected
Personal data, or personal information, means any information identifying or relating to a data subject (individual) that the Supplier can identify (directly or indirectly) from that data alone or in combination with other identifiers that the Supplier possesses or can reasonably possess. The Supplier may collect, use, store, and transfer various personal data of yours and categorises this data by type as follows:
Contact Data
Such as name, personal identification number, e-mail address, and telephone number.
Correspondence Data
Such as records of correspondence including survey responses.
Anti-fraud Data
Such as, to the extent required, information relating to financial situation, creditworthiness or any criminal or fraudulent activities provided to the Supplier directly or by third parties, including information which establishes identity, such as driving licences, passports and utility bills; information about transactions, credit ratings from credit reference agencies; fraud, offences, suspicious transactions, politically exposed person and sanctions lists.
Payment Data
Such as card or other payment data used to process payments to the Supplier.
Technical Data
Such as IP address, login data, and usage data.
User Credentials
Such as usernames and passwords.
Usage Data
Such as details of your usage of the Product.
Marketing and Communications Data
Such as your marketing preferences.
6. How the personal data is collected
Third parties
Directly from third parties
Cookies
through the deployment of cookies as described in the Supplier’s “Cookie Policy” available on the Supplier’s website (tactful.ai).
Interactions
directly through interactions with you including:
1. registration and onboarding to the Product
2. use of the Product (including via Tactful systems)
3. following requests for marketing to be sent to you
4. correspondences to the Supplier’s contact addresses and telephone numbers
5. information disclosed by customers’ custom systems.
Social media
through social media apps (Facebook, WhatsApp, and others) and third-party email providers.
Public sources
through other publicly available sources
Analytics providers
through third-party analytics providers.
7. Failure to provide personal data
Where the Supplier needs to collect or process personal data by law, or under the terms of a contract that it has with (or in connection with) you, and you fail to provide that data when requested, the Supplier may not be able to perform the relevant contract.
8. Aggregated data
8.1 The Supplier collects, uses, and shares aggregated data (such as statistical or demographic data) for purposes connected to the monitoring and development of the Product (Aggregated Data).
8.2 Aggregated Data could be derived from your personal data but is not considered to be personal data in law because this data does not directly or indirectly reveal your identity.
8.3 For example, the Supplier may aggregate your Usage Data collected to calculate the percentage of users accessing a specific Product feature.
8.4 If the Supplier combines or connects Aggregated Data with your personal data (so that you can be directly or indirectly identified) then the Supplier will treat the combined data as personal data which can only be used in accordance with this Policy.
SECTION 3
9. How the Supplier uses personal data
9.1 The Supplier may use the personal data collected as described in Section 2 for the limited purposes set out in this Section 3.
9.2 In most cases, personal data will be used:
9.2.1 to the extent necessary to perform a contract that the Supplier has with you;
9.2.2 to the extent necessary for the Supplier’s Legitimate Interests (or those of a third party) and provided that your interests and fundamental rights are not overriding; or
9.2.3 where the Supplier needs to comply with a legal obligation.
9.3 The Supplier has listed its legal basis for processing the personal data in Table A below and, in each case, has carefully considered the purpose of the processing, the necessity of the processing, and has balanced the same against your interests.
9.4 In most cases, the Supplier considers the Supplier’s Legitimate Interests to be conducting its business in a way that gives you the best service/product and the best and most secure experience.
9.5 You can contact the Supplier for additional information concerning how it assesses the Supplier’s Legitimate Interests against potential impacts on you.
Table A (Legal bases for processing)
Purpose/Activity
Type of Data
Lawful Basis for Processing
(inc. Basis of Legitimate Interest)
Registration
- Registering you as a user of the Product
- Contact Data
Lawful basis for processing:
- To allow the Supplier to perform the contract (Supplier’s Contract Performance)
- To the extent necessary for the Supplier’s legitimate interests (Supplier’s Legitimate Interests)
Basis of the Supplier’s Legitimate Interests:
- To conduct its business (including business administration) (Conduct Reason)
Communication
- Responding to queries
- Communicating with you (including in connection with support and maintenance issues)
- Managing the relationship (including notifying you of changes to terms and conditions and this Policy)
- Requesting the completion of surveys
- Contact Data
- Correspondence Data
- User Credentials
- Marketing and Communications Data
Lawful basis for processing:
- the Supplier’s Contract Performance
- the Supplier’s Legitimate Interests
- processing to the extent necessary to allow the Supplier to comply with a legal obligation (Supplier’s Legal Obligations)
Basis of the Supplier’s Legitimate Interests:
- the Conduct Reason
- to ensure the security of the Product and the Supplier’s associated services (Security Reason)
- to ensure that you receive the best service/product (Quality Reason)
- to keep records updated and to study how customers use the Product (Operational Reason)
Payment
To process and deliver the order for the Supplier’s services including:
- managing payments and fees
- collecting and recovering money owed to the Supplier
- Contact Data
- Correspondence Data
- Transaction Data
- Payment Data
Lawful basis for processing:
- the Supplier’s Contract Performance
- the Supplier’s Legitimate Interests
Basis of the Supplier’s Legitimate Interests:
- the Conduct Reason (including to recover debts owed to the Supplier)
Fraud prevention
To investigate and prevent fraud as may be required by applicable law and regulation and best practice at any given time.
- Anti-fraud Data
- Contact Data
- Correspondence Data
- Transaction Data
- Payment Data
Lawful basis for processing:
- the Supplier’s Legal Obligations
- the Supplier’s Legitimate Interests
Basis of the Supplier’s Legitimate Interests:
- the Conduct Reason (including to allow the Supplier to ensure the legality of the Product)
If false or inaccurate information is provided and fraud is identified or suspected, details may be passed to fraud prevention agencies and may be recorded by us or by them.
Operation of the Product
To deliver the Product (including generating and managing login credentials, troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data services)
- Contact Data
- Correspondence Data
- User Credentials
- Technical Data
- Usage Data
Lawful basis for processing:
- the Supplier’s Contract Performance
- the Supplier’s Legal Obligations
- the Supplier’s Legitimate Interests
Basis of the Supplier’s Legitimate Interests:
- the Conduct Reason
- the Quality Reason
- the Security Reason
Analysis of user requirements
The Supplier may analyse personal data in order to better understand:
- your and the Supplier’s other customers’ services and marketing requirements
- the Supplier’s business
- how the Supplier may develop its products and services
- Contact Data
- Correspondence Data
- User Credentials
- Usage Data
- Marketing and Communications Data
Lawful basis for processing:
- the Supplier’s Legitimate Interests
Basis of the Supplier’s Legitimate Interests:
- the Conduct Reason (including studying how customers use the Product, to develop the Product, to grow the Supplier’s business and to inform the Supplier’s marketing strategy
Marketing
The Supplier also uses personal data to provide you with updates and offers where you have chosen to receive these.
- Contact Data
- Correspondence Data
- User Credentials
- Usage Data
- Technical Data
- Marketing and Communications Data
Lawful basis for processing:
- Consent: Generally, the Supplier relies on your consent as a legal basis for sending direct marketing communications to you by email, push notifications, SMS, or other method (Third Party Marketing Messages).
- Withdrawing consent: You can withdraw your consent such direct marketing communications as described in Section 8.
Content delivery
To ensure that content, including from our Product, is presented in the most effective manner for you and for your device, which may include passing your data to business partners, suppliers and/or service providers.
- Contact Data
- Correspondence Data
- User Credentials
- Usage Data
- Technical Data
- Marketing and Communications Data
Lawful basis for processing:
- the Supplier’s Legitimate Interests
Basis of the Supplier’s Legitimate Interests:
- the Conduct Reason (including studying how customers use the Product, to develop the Product, to grow the Supplier’s business and to inform the Supplier’s marketing strategy).
SECTION 4
10. Disclosures of personal data
The Supplier may share personal data with third parties as follows:
Third party
Purpose
Members of the Supplier’s Group
In connection with the administration of the Supplier’s Group.
Service providers
In connection with the hosting of our Product, advertising and marketing.
Professional advisors
In connection with the provision of consulting, legal, banking, audit, insurance, and accounting services.
HM Revenue & Customs
In connection with the reporting of processing activities in certain circumstances.
Potential purchasers
In connection with the sale of the Supplier or its business (or any part of it, including the Product).
SECTION 5
11. International transfers of personal data
11.1 Personal data may be accessed by staff or third parties in, transferred to, or stored at, a destination outside the UK or the European Economic Area (EEA), including the United States of America.
11.2 The Supplier will, in all circumstances, safeguard personal data as set out in this Policy.
11.3 In certain circumstances, complying with paragraph 11.2 will require the Supplier to ensure that appropriate safeguards have been put in place which meet the requirements of the UK or EU General Data Protection Regulation, for example, using the UK International Data Transfer Agreement (IDTA) or the EU Commission’s Standard Contractual Clauses for transfers of personal data outside the UK or EEA, together with any supplementary measures.
11.4 You may contact the Supplier for further information on the specific mechanism used to transfer personal data outside of the UK or EE
SECTION 6
12. Security measures (how the Supplier protects your personal data)
12.1 The Supplier has put in place appropriate security measures designed to prevent personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
12.2 In addition, the Supplier limits access to personal data to those employees, agents, contractors, and other third parties who have a business need to process the personal data.
12.3 The Supplier’s representatives will only process personal data on the Supplier’s instructions and are subject to a duty of confidentiality.
12.4 The Supplier has put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where it is legally required to do so.
However:
12.5 No data transmission over the Internet can be guaranteed to be secure from intrusion but the Supplier maintains commercially reasonable physical, electronic, and procedural safeguards to protect personal data in accordance with data protection laws.
12.6 All data and information provided to the Supplier is stored and accessed and used subject to our security policies and standards.
12.7 Where the Supplier has given you (or where you have chosen) a password which enables you to access the Product or certain parts of the Product, you are responsible for keeping this password confidential and for complying with any other security procedures notified to you by the Supplier from time to time.
12.8 The Supplier’s commitments with respect to the Product are as described in the End User Licence Agreement located on the Supplier’s website.
SECTION 7
13. Retention of personal data
13.2 The Supplier retains personal data only for so long as is necessary for the processing purpose(s) for which the information was collected (see Section 3), and any other permissible related purpose.
13.3 The Supplier may retain personal data for a longer period than described in paragraph 13.2 in the event of a complaint or if it reasonably believes there is a prospect of litigation.
13.4 To determine the appropriate retention period for personal data, the Supplier considers:
13.4.2 the potential risk of harm from unauthorised use or disclosure of the personal data;
13.4.3 the purposes for which it processes the personal data (and whether the Supplier can achieve those purposes through other means); and
13.4.4 the applicable legal, regulatory, tax, accounting, or other requirements.
13.5.2 securely destroys or puts beyond use the data.
SECTION 8
14. Your legal rights
14.2 Under certain conditions, you have the following rights:
Right
Description
Request Access
The right to require the Supplier to provide a copy of the personal data it holds about you.
Request Correction
The right to require the Supplier to update any inaccuracies in the personal data it holds about you.
Request Erasure
The right to request the deletion of personal data that the Supplier no longer has the right to lawfully use.
Object to Processing
The right to object to any processing based on the Supplier’s Legitimate Interests except where the Supplier can demonstrate that is has compelling legitimate grounds to process your information which override your rights and freedoms.
Request Restriction of Processing
The right to request that the Supplier’s processing of personal data is suspended in the following scenarios:
1. To establish the accuracy of the data.
2. Use of the data is unlawful but deletion is not required.
3. Retention of the data is needed (even if the Supplier no longer requires it) in order for you to establish, exercise, or defend legal claims.
4. You have objected to the use of the personal data but the Supplier needs to verify whether it has overriding legitimate grounds to use
Request Transfer
The right to request the transfer of personal data in a structured, commonly used, machine-readable format to an applicable third party in certain circumstances. This right only applies to automated information which you initially provided consent to the Supplier to use or where the Supplier used the information to perform a contract with you.
Withdraw Consent
Where processing is based on consent, the right to withdraw consent at any time so that the Supplier stops that particular processing activity.
14.3 The exercise of the rights set out above is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and the Supplier’s interests (e.g., the maintenance of legal privilege).
14.4 If you exercise any of the rights set out above then the Supplier will check its entitlement and respond in most cases within a month.14.5 If you withdraw your consent to processing, the Supplier may not be able to provide certain products or services to you.
14.6 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, the Supplier may charge a reasonable fee if a request is clearly unfounded, repetitive, or excessive. Alternatively, the Supplier could refuse to comply with the request in these circumstances.
14.7 If you are not satisfied with the Supplier’s use of your personal data or the Supplier’s response to any exercise of the rights described in this Section then you have the right to complain to the UK ICO or the competent supervisory authority in your country of residence.
14.8 The contact details for the UK Information Commissioner’s Office are available at https://ico.org.uk/about-the-ico/who-we-are/.