The privacy and security of your information is very important to us and we want you to trust that the information that you have provided to us is being properly managed and protected. We have prepared this Privacy Statement to explain more about who we are and how we collect and manage your information. We are fully committed to adherence to the General Data Protection Regulations (GDPR) following implementation on the 25 May 2018.
Who we are
This privacy statement is issued by Integra (e-Quip) Limited and Integra Health Systems Limited, (collectively referred to as “Integra”, “e-Quip”, “we”, “us” or “our” in this privacy statement). We are the data processor with respect to all data and personal information mentioned in this Privacy Statement. The contact details for the company are: Data Protection Officer: Graham Stanbury Email: firstname.lastname@example.org.
Information we collect and how we use and share it
You do not have to provide us with your information although in some cases, if you do not, it may mean that you are unable to use our products or services. We collect and use personal information from you whenever you buy, use or evaluate one of our products or services, if you contact our customer support centre or sales staff, or if you contact us via our customer support web site. We generally collect this information directly from you, but in some cases, we may collect your information from other sources. For example, one of your colleagues might pass your contact details to us if he or she feels that you may be interested in any of our products or services. Integra (e-Quip) Ltd holds four types of personal information which allow us to manage and support the company’s products and to communicate with customers:
- Customer-provided information: customers’ contact details are used to facilitate day-to-day communication between the company and its customers. The contact details held are limited to:
- Email address(es)
- Telephone number(s)
- Customer contact records – Records of calls, emails and interactions with our website and customer support centre are maintained for audit, training and service improvement purposes. The extent of any personal information collected is limited to:
- Email address(es)
- Telephone number(s)
- Product or service purchase records – all quotations issued by Integra (e-Quip) Ltd and purchase orders received from customers are recorded for the purposes of managing contracts and product licences. This allows us to issue invoices for products and services provided and to submit quotations when licences are due for renewal.
- Customer provided information – internet forum membership details: customers’ authentication details (user name and email address) are held to authorise access to our internet product forums.
There are two other circumstances in which we may hold and/or process datasets which belong to you or your organisation. These are:
- Customer-owned datasets for legacy 3rd -party software applications: held by us in order to migrate the data to a format suitable for use by one or more of our products;
- Customer-owned datasets for one or more of our products: these may be held and/or processed for support and fault-resolution purposes.
In both of these situations:
- The initial request for us to hold/process the data originates from you or your organisation;
- We will obtain your written authorisation and consent before accepting the data;
- We will ask for your written confirmation that:
- The dataset contains no personal information or any such personal information has been anonymised;
- If the dataset may contain personal information then that information will be used for no other purpose than that for which it was obtained
- e. data migration or fault resolution.
We do not share your information with any other organisation without your explicit consent. However, to ensure that our communications with you fully comply with GDPR we use a communications management company, The Rocket Science Group, to control and manage all bulk communications from us to you. The Rocket Science Group will request and record your consent before sending any communications to you on our behalf. However, if we observe activity that we believe to be fraudulent, we will provide the information to the local authority and/or the police.
The legal basis for processing your personal data
We are committed to collecting and using your information in accordance with applicable data protection laws. We will only collect, use and share your information where we are satisfied that we have an appropriate legal basis to do this. This may be because:
- you have provided your consent to us using the personal information;
- our use of your information is necessary to perform our contract with you, for example, issuing quotations and invoices or providing product support in accordance with the terms of our agreement with you;
- our use of your information is in our legitimate interest as a commercial organisation, for example to operate and improve our services and to keep people informed about our products and services (including for profiling and targeted advertising) – in these cases we will look after your information at all times in a way that is proportionate and respects your privacy rights and you have a right to object to processing.
How we use the information we collect
We use personal information only for the purposes described in this Policy, except if otherwise disclosed to you at the time the data is collected or further authorised by law or by you. Customers’ contact details are used to:
- facilitate day-to-day communication between the company and its customers;
- to notify customers of:
- future events, such as user-group meetings, conferences and seminars;
- product enhancements and developments;
- upcoming software releases;
- other information that we deem from time-to-time to be relevant and of interest;
- to manage product licensing and to issue renewal quotations and invoices.
Customer contact records are used primarily so that we can respond to you if you contact the customer support centre to ask a question or to report an incident. We also use this information for audit, training and service improvement purposes. In the specific case that you have given your written authorisation and consent for us hold a dataset owned by you or your organisation in order to transform that data from its current format into a format suitable for use by one or more of our products, then we will use the that dataset solely for that purpose. If you have given your written authorisation and consent for us hold a dataset owned by you or your organisation in order to assist with fault diagnosis and rectification, then we will use the that dataset solely for that purpose.
How long we keep this information
In order to comply with the General Data Protection Regulations, your details will only be kept for the shortest time required. This will vary according to the type of data being held. We will retain customer contact information for the duration of the contract between us and the customer, or while there still remains a legitimate need to communicate with the individual concerned. At that point the personal information will be deleted or anonymised. Customer contact records (i.e. records of calls and emails to our customer support centre etc.) are retained for the duration of the contract between us and the customer. At that time the personal information will be deleted or anonymised. In some cases we keep transactional records (which may include your information) for longer periods if necessary to meet legal, regulatory, tax or accounting needs. We will also retain information if we reasonably believe there is a prospect of litigation. In the specific case that you have given your written authorisation and consent for us hold a dataset owned by you or your organisation in order to transform that data from its current format into a format suitable for use by one or more of our products, then we will retain the data until the data migration exercise has been completed and then for a further 6 months. This residual period is to allow for the resolution of migration issues which were not detected during data validation and which come to light within the first few months of the data being used by the customer. If you have given your written authorisation and consent for us hold a dataset owned by you or your organisation in order to assist with fault diagnosis and rectification, then we will retain the data until the reason for holding the data ceases. i.e. the fault or issue under investigation is either resolved or the investigation is terminated.
Under the GDPR you have the following rights to request information from us:
To access personal information
You can ask us to confirm whether or not we have and are using your personal information and for a copy of your information.
To correct / erase personal information
You can ask us to correct any information about you which is incorrect. We will be happy to rectify such information but would need to verify the accuracy of the information first. You can ask us to erase your information if you think we no longer need to use it for the purpose we collected it from you. You can also ask us to erase your information if you have either withdrawn your consent to us using your information (if we originally asked for your consent to use your information) or exercised your right to object to further legitimate use of your information, or where we have used it unlawfully or where we are subject to a legal obligation to erase your personal information. We may not always be able to comply with your request, for example where we need to keep using your information to comply with our legal obligation or where we need to use your information to establish, exercise or defend legal claims.
To restrict how we use personal information
You can ask us to restrict our use of your information in certain circumstances, for example:
- where you think the information is inaccurate and we need to verify it;
- where our use of your information is not lawful but you do not want us to erase it;
- where the information is no longer required for the purposes for which it was collected but we need it to establish, exercise or defend legal claims; or
- where you have objected to our use of your personal information but we still need to verify if we have overriding grounds to use it.
We can continue to use your information following a request for restriction where we have your consent to use it; or we need to use it to establish, exercise or defend legal claims, or we need to use it to protect the rights of another individual or a company.
To object to how we use your information
You can object to any use of your information which we have justified on the basis of our legitimate interest, if you believe your fundamental rights and freedoms to data protection outweigh our legitimate interest in using the information. If you raise an objection, we may continue to use your information if we can demonstrate that we have compelling legitimate interests to use the information.
To ask us to transfer your information to another organisation
You can ask us to provide your personal information to you in a portable, machine-readable format, or you can ask to have it sent to another data controller. You may only exercise this right where we use your information in order to perform a contract with you, or where you have granted consent for us to use your information. This is only applicable to information which we hold that is in digital form. To ensure that we only disclose information to the right individual, we will ask for proof of identity when making a request to exercise any of these rights. We will not ask for a fee, unless we think your request is unfounded, repetitive or excessive. Where a fee is necessary, we will inform you before proceeding with your request. We aim to respond to all valid requests within one month. We will inform you if we think a response will take longer than this. We may not always be able to do what you have asked, for example if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way.
To complain to a supervisory authority
You have the right to lodge a complaint with a supervisory authority (in the UK that is the Information Commissioners Office).
How to access your personal data
If you wish to see full details of the information that we hold in connection with you, you will need to make a subject access request under the General Data Protection Regulations. To initiate a subject access request, email: email@example.com or call us on 01785 74 75 75.
Keeping your details secure
Integra (e-Quip) Ltd is the data processor for the types of data identified above. We store all of our information in a secure Microsoft SQL-Server database where it is protected by the latest encryption and firewall technology and accessible only by authorised company staff.