Privacy Policy This is our Privacy Statement which explains how we obtain, use and keep your personal data safe. Your personal data is data which by itself or with other data available to us can be used to identify you. We’re committed to keeping your personal information safe in accordance with applicable data protection laws. We are Counting What Counts Ltd, the data controller. You can contact our Data Protection Officer (DPO) at Counting What Counts Ltd, 20 Elin Way, Meldreth, Royston, England, SG8 6LX, if you have any questions. THE TYPES OF PERSONAL DATA WE COLLECT AND USE This is our Privacy Statement which explains how we obtain, use and keep your personal data safe. Your personal data is data which by itself or with other data available to us can be used to identify you. We’re committed to keeping your personal information safe in accordance with applicable data protection laws. THE TYPES OF PERSONAL DATA WE COLLECT AND USE More The types of personal data we capture and use will depend on what you are doing on our website. We’ll use your personal data for some or all of the reasons set out in this Privacy Statement. Examples of the personal data we use in relation to our websites may include: • Full name and personal details including but not limited to things like your preferred email address. USING YOUR PERSONAL DATA: THE LEGAL BASIS AND PURPOSE More We’ll process your personal data: As necessary to perform our legitimate business with you, your account, policy or service. As necessary for our own legitimate interests or those of other persons and organisations, e.g. Arts Council England. As necessary to comply with a legal obligation. You must understand that you are free at any time to change your mind and withdraw your consent. The consequence of withdrawing your consent might be that you can no longer do certain things. SHARING OF YOUR PERSONAL DATA More Subject to applicable data protection law we may share your personal data with: Companies or organisations that have a legitimate business relationship with us and a legitimate right to access any such data Sub-contractors and other persons who help us provide our products and services Companies and other persons providing services to us Legal and other professional advisors INTERNATIONAL TRANSFERS More In some instances your personal data may be transferred outside the UK and the European Economic Area. This will only occur if we are certain that the safety and integrity of your data can be reasonably guaranteed. CONTACTING US More Contacting us by email When you contact us, we may need to collect some personal details like your name, email address and phone numbers. Email isn’t 100% secure so you shouldn’t send any other information via this method. Our email address is [email protected] Emails are stored on our industry standard internal contact systems which are secure and can’t be accessed by external parties. We may store this information to identify trends, to aid in our provision of support, and for the purposes set out in the monitoring of communications section as necessary to comply with any legal obligations and for our legitimate interests. Contacting us by phone If you need to contact us by phone, you can do so with any questions or requests on this number: +44 (0) 1223 656 255. We may record your name, email, phone number and purpose of your call, in order to best assist you with your enquiry. Some of this information may be stored in a 3rd party application such as a Customer Relationship Manager (CRM) but any such use will be proportionate and in line with our business relationship. If you wish to see the information we hold on you please submit an access request to [email protected] and we will provide that information to you in line with GDPR guidance. Contacting us by post If you need to contact us by post, you can do so with any questions or requests at this address: Counting What Counts Ltd, 20 Elin Way, Meldreth, Royston, England, SG8 6LX. We may store this information to identify trends, to aid in our provision of support, and for the purposes set out in the monitoring of communications section as necessary to comply with any legal obligations and for our legitimate interests. USING YOUR PERSONAL INFORMATION FOR DIRECT MARKETING More We’ll tell you if we intend to use your information for marketing purposes and we’ll give you the opportunity to opt out if you want to (unless we need a consent to use your information for marketing purposes – if we do we’ll seek one). If you receive marketing emails and don’t want to in future, please use the unsubscribe link within the email and we’ll remove you from future emails. SURVEYS More We’ll treat any survey information you provide with the same high standard of care as we do with any other customer information, using any details provided strictly within the terms of our legitimate business interest and this Privacy Statement. COOKIES More Cookies are small text files placed on your computer, smartphone or other device and are commonly used on the internet. We use cookies and similar technologies to: • collect information that will help us understand visitors’ browsing habits on our website • compile statistical reports on website activity, e.g. number of visitors and the pages they visit • in some cases, remember information about you when you visit our site. We may need to do this to provide some of our services e.g. if you use the ‘Remember me’ option on the login form. If you would like to learn more about how we use cookies then please refer to our cookie policy https://impactandinsight.co.uk/cookie-policy/ RETENTION TIMES More We’ll retain your personal data as long as a business relationship exists between you and us or until you ask to be removed from our system. Please note that any data submitted to the platform from surveys will not be removed as this does not constitute personal or sensitive information. Your rights under applicable data protection law Your rights are as follows (please note that these rights don’t apply in all circumstances): • The right to be informed about our processing of your personal data • The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed • The right to object to processing of your personal data • The right to restrict processing of your personal data • The right to have your personal data erased (the “right to be forgotten”) • The right to request access to your personal data and information about how we process it • The right to move, copy or transfer your personal data. Data anonymisation and aggregation Your personal data may be converted into statistical or aggregated data which can’t be used to identify you, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above. GOVERNANCE More We have implemented appropriate information security policies and procedures in line with ISO 27000 and the Cyber Essentials framework including: Procedures to regularly review data access rights Procedures for the secure disposal of data, media and equipment Procedures to regularly review our risk exposure and table appropriate mitigations that consider possible impact on customers and end-users, best practice solutions, and resource availability Internal Data Protection and Information Security policy documents are being updated for employees to align with Data Protection Law requirements and employees will be trained on their corresponding obligations. COMPLAINTS More We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to [email protected]. We will investigate and respond to all complaints we receive. You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred within the EU. The Information Commissioner’s Office (“ICO”) is the UK data protection regulator/supervisory authority. For further information on your rights and how to complain to the ICO, please refer to the ICO website. CHANGES TO THIS PRIVACY STATEMENT More We’ll notify you if there are any material changes to this Privacy Statement if required by applicable law or where we intend to process your personal data for a new purpose before we start that new processing activity. LEGAL STATEMENT ABOUT THIS PRIVACY STATEMENT More This Privacy Statement is not designed to form a legally binding contract between CWC Ltd and users of our website or online services. LINKS TO OTHER WEBSITES More Certain hypertext links in this website may lead you to websites which are not under the control of Counting What Counts Ltd. When you activate these, you may leave our website. These links are provided solely for your convenience and do not represent any endorsement or recommendation by Counting What Counts Ltd. We accept no responsibility or liability for the contents of any website to which a hypertext link exists and gives no representation or warranty as to the information on such websites. NO LIABILITY FOR UNAVAILABILITY More We accept no liability for any loss that may arise if the goods or services advertised within this website become unavailable. CONTACTING US ABOUT OUR PRIVACY STATEMENT More Write to our Data Protection Officer at John Knell at Counting What Counts Ltd, 20 Elin Way, Meldreth, Royston, England, SG8 6LX if you have any questions or concerns. CUSTOMER RESPONSIBILITY More It is your responsibility to ensure that your computer is virus protected. We accept no responsibility for any loss you may suffer as a result of accessing and downloading information from this site. SECURE ONLINE SERVICES More You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than https://. All information passed between you and CWC Ltd when using our online services is sent using secure industry standard encryption.