Privacy Policy
How we collect, use, and protect your personal data
Last updated: June 28, 2023
Section 1: Introduction and Scope
1.1 This policy describes Tactful Ltd's commitment to protecting privacy when using Tactful Engage or successor products as specified in the Order Form.
1.2 The policy covers: controller information, data types collected, usage purposes, third-party disclosures, international transfers, security measures, retention, and your legal rights.
Controller Information
- Company: Tactful Ltd (Private Limited Company)
- Registration: England, Company No. 10279888
- Address: The Venture Centre, Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, United Kingdom, CB25 9PB
- Data Protection Authority: UK Information Commissioner's Office, Registration No. ZA277573
- Contact: privacy@tactful.ai
Policy Updates: Last updated June 28, 2023. Changes will be notified via product or email.
Section 2: Data Collection
Types of Personal Data Collected
- Contact Data: Name, identification number, email, telephone
- Correspondence Data: Records of communication and survey responses
- Anti-fraud Data: Financial information, creditworthiness, transaction details, identity documents
- Payment Data: Card and payment information
- Technical Data: IP address, login data, usage information
- User Credentials: Usernames and passwords
- Usage Data: Product usage details
- Marketing and Communications Data: Marketing preferences
Collection Methods
Personal data is collected through:
- Third parties (directly)
- Cookies (per Cookie Policy on tactful.ai)
- Direct interactions: registration, product use, marketing requests, correspondence
- Social media (Facebook, WhatsApp, and others)
- Public sources
- Third-party analytics providers
Failure to Provide Data: Where data is legally required or contractually necessary, failure to provide it may prevent contract performance.
Aggregated Data
Aggregated statistical or demographic data is collected for monitoring and developing the Product. This data does not identify individuals and is not considered personal data. However, combining aggregated data with personal data makes it subject to this policy.
Section 3: Personal Data Usage
Personal data is used where it is necessary to perform contracts with you, necessary for our legitimate interests (balancing your rights), or required for legal compliance.
| Purpose | Data Types | Legal Basis |
|---|---|---|
| Registration | Contact Data | Contract performance; Legitimate interests |
| Communication — Responding to queries, support, relationship management, surveys | Contact Data, Correspondence Data, User Credentials, Marketing and Communications Data | Contract performance; Legitimate interests; Legal obligations |
| Payment — Processing orders, managing payments, debt recovery | Contact Data, Correspondence Data, Transaction Data, Payment Data | Contract performance; Legitimate interests |
| Fraud Prevention — Investigating and preventing fraud; may share with fraud prevention agencies | Anti-fraud Data, Contact Data, Correspondence Data, Transaction Data, Payment Data | Legal obligations; Legitimate interests |
| Product Operation — Delivery, login generation, troubleshooting, maintenance, support, hosting | Contact Data, Correspondence Data, User Credentials, Technical Data, Usage Data | Contract performance; Legal obligations; Legitimate interests |
| Analysis of User Requirements — Understanding service requirements, business analysis, product development | Contact Data, Correspondence Data, User Credentials, Usage Data, Marketing and Communications Data | Legitimate interests |
| Marketing | Contact Data, Correspondence Data, User Credentials, Usage Data, Technical Data, Marketing and Communications Data | Consent (for direct marketing via email, push, SMS). Right to withdraw per Section 8. |
| Content Delivery — Effective content presentation; may share with partners and service providers | Contact Data, Correspondence Data, User Credentials, Usage Data, Technical Data, Marketing and Communications Data | Legitimate interests |
Section 4: Third-Party Disclosures
Personal data may be shared with:
| Third Party | Purpose |
|---|---|
| Group members | Administration of group operations |
| Service providers | Hosting, advertising, marketing |
| Professional advisors | Consulting, legal, banking, audit, insurance, accounting |
| HM Revenue & Customs | Reporting of processing activities |
| Potential purchasers | In connection with business sale |
Section 5: International Transfers
5.1 Personal data may be accessed, transferred, or stored outside the UK or European Economic Area, including the United States.
5.2 The supplier safeguards personal data as described in this policy.
5.3 Appropriate safeguards meeting UK/EU GDPR requirements are implemented, including:
- UK International Data Transfer Agreement (IDTA)
- EU Commission Standard Contractual Clauses
- Supplementary measures as needed
5.4 Contact the supplier for information on specific transfer mechanisms.
Section 6: Security Measures
6.1 Appropriate security measures prevent accidental loss, unauthorized access, alteration, or disclosure.
6.2 Access is limited to employees, agents, contractors, and third parties with a business need.
6.3 Representatives process data only on instructions and are subject to confidentiality duties.
6.4 Procedures are in place for suspected breaches; notification is provided as legally required.
6.5 No data transmission over the Internet can be guaranteed to be secure from intrusion, but the supplier maintains commercially reasonable physical, electronic, and procedural safeguards.
6.6 Data is stored and accessed subject to security policies and standards.
6.7 Users are responsible for keeping passwords confidential and complying with security procedures.
Section 7: Data Retention
7.1 Retention periods are based on business needs and legal obligations (legal, regulatory, tax, accounting, reporting requirements).
7.2 Data is retained only as long as necessary for processing purposes and related permissible purposes.
7.3 Longer retention applies if a complaint is filed or litigation is reasonably anticipated.
7.4 Retention determination considers: amount, nature, and sensitivity of data; risk of harm from unauthorized use or disclosure; whether purposes are achievable through other means; and applicable legal, regulatory, tax, and accounting requirements.
7.5 When no legitimate business need remains, the supplier will either irreversibly anonymise data (and may further retain and use it) or securely destroy it.
Section 8: Your Legal Rights
8.1 Contact the supplier using the details in Section 1 for questions about personal data use.
8.2 Under certain conditions, you have the following rights:
| Right | Description |
|---|---|
| Request Access | Require the supplier to provide copies of personal data held about you |
| Request Correction | Require updates to inaccuracies in personal data |
| Request Erasure | Request deletion of data the supplier no longer has the right to lawfully use |
| Object to Processing | Object to processing based on legitimate interests (unless overriding grounds exist) |
| Request Restriction | Suspend processing to: establish data accuracy; address unlawful use; retain for legal claims; or verify overriding grounds |
| Request Transfer | Transfer data in a structured, machine-readable format to third parties (applies to automated data provided with consent or used for contract performance) |
| Withdraw Consent | Stop particular processing activities based on consent |
8.3 Rights are subject to exemptions safeguarding public interest (crime prevention) and supplier interests (legal privilege).
8.4 The supplier responds within one month in most cases.
8.5 Withdrawal of consent may prevent access to certain products or services.
8.6 There is no fee to access data or exercise rights; however, a reasonable fee may apply for unfounded, repetitive, or excessive requests.
8.7 If unsatisfied, you have the right to complain to the UK ICO or the competent supervisory authority in your country of residence.
UK Information Commissioner's Office: ico.org.uk
Related documents
Tactful Ltd trading as Tactful AI. Registered in England — Company No: 10279888. The Venture Centre, Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, United Kingdom, CB25 9PB.