IMPORTANT INFORMATION AND WHO WE ARE
RFA is a business-to-business (B2B) company, meaning we sell our solutions to other businesses and do not typically engage with general consumers for profit.
We are committed to being responsible custodians of the personal information that we collect in the course of operating our business.
RFA is headquartered in the United Kingdom and no data we process will be transferred outside of the UK.
We have notified the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk), of our data controller activities and we are registered with number Z3002651.
Our full details are:
Full name of legal entity: Red Flag Alert LLP
Data privacy manager: Mark Halstead
Email address: firstname.lastname@example.org
Postal address: Red Flag Technology Group Ltd 49 Peter Street, Manchester, M2 3NG
Telephone number: 0344 412 6699
Compliance With the Principles of UKGDPR
Personal data is defined as any information that can be used to identify an individual. Individuals are recognisable when business email addresses take the form of 'email@example.com,' and thus fall under the definition of personal data.
The "legitimate interests" of the data controller or a third party are one legal basis for processing personal data.
Legitimate Interest refers to our company's interest in running and managing its operations in order to provide you with a professional service. Red Flag Alert’s legitimate interests provide the legal basis for processing the personal data described above, provided that the data subject's interests or fundamental rights and freedoms do not prevail, taking into account data subjects' reasonable expectations based on their connection with the controller.
How we collect your personal information depends upon how you interact with us
The manner in which you engage with us will determine how we acquire your personal information.
Your interactions with us, our products, and services will determine the categories and particular types of personal information we collect about you. You might fit into one of the following groups of data subjects based on this interaction:
Personal data we collect from you:
We collect information provided to us each time you visit our website or engage in other online activities (further details are provided below). This information is collected based on our legitimate interests in making sure our website or other online activities function properly or that we are providing the user experience to you that we wish to provide. If it is based on our legitimate interest, we have determined that our business interest in gathering this information does not have a significant impact on your rights. In other activities, we may rely on your consent. If so, you have the ability to refuse consent or change your mind. We keep this information for as long as we have a business relationship or potential relationship with you.
Online data about you may also come through cookies and other similar technologies (such pixel tags and device identifiers) used on our site or other websites.
Red Flag Alert’s legitimate interests provide the legal basis for processing the personal data described above, provided that the data subject's interests or fundamental rights and freedoms do not prevail, taking into account data subjects' reasonable expectations based on their connection with the controller.
We use your personal information for the following purposes:
What we use your personal data for
Our legitimate reasons
To provide contractual services to our clients
For the performance of our contract with our clients or to take steps at their / your request before entering into a contract
Preventing and detecting fraud against you / our clients or us
For our legitimate interests or those of a third party, i.e. to minimise fraud that could be damaging for you / our clients and/or us
Conducting identity checks to verify the identity of our clients
Any other screening necessary
Other processing necessary to comply with professional, legal and regulatory or other obligations that apply to our business, e.g. under health and safety regulations or rules issued by our professional regulator or the government
To comply with our legal and regulatory obligations, e.g. our anti-money laundering obligations
Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies
To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g. policies covering information security
For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures to enable us to deliver the best service to you / our clients
Ensuring the confidentiality of commercially sensitive information
For our legitimate interests or those of a third party, i.e. to protect our intellectual property and other commercially valuable information
Updating and enhancing our client records
For the performance of our contract with you / our clients or to take steps at your request before entering into a contract
Marketing our services to:
- existing and former clients
For our legitimate interests or those of a third party, i.e. to promote our business to existing and former clients
External audits and quality checks
For our legitimate interests or a those of a third party, i.e. to maintain our accreditations which demonstrates our service is of the best possible quality and standard
HOW WE USE YOUR PERSONAL DATA
The activities (sources) listed below are how we obtain personal data about you or from you. We may get several categories and particular types of personal information from you depending on the activity (source). These actions might coexist, as in the case of a client visiting our website. If you give us any personal information online—for example, by completing a form or using cookies (tracking technologies)—we will only use it with your permission. You have the right to revoke consent at any time by using Your Right, depending on how you engage with us.
We process information you provide, such as your name, email address, company where you work, phone number, job function, job title, country, and any comments you provide. Given that we are a business-to-business (B2B) company, we do this in order to respond to your request for information or resources or, in our legitimate interest, to collect information in order to reach out to you for potential business interest. We may reach out to you with marketing communications using the information you submit in these online forms. You can easily opt out of future communications using the opt-out link provided in the emails sent to you. If you do opt-out, but then complete another form, you are essentially cancelling your opt-out.
Personal Data we collect automatically
Our website automatically collects certain data, through automatic data collection tools such as cookies, beacons, among others. These tools automatically collect the following information:
Technical data, such as, but not limited to, browser type, operating system, device details, online identifiers like cookie data and Internet Protocol address (IP), domain name, referral URL, time zone setting, and/or visit time stamp.
Usage Data is the data we get regarding how people use and access the website. It might include the Internet Protocol (IP) address of your computer, the browser version, a list of the pages you've visited while on our website, how long you spent on each page, the date and time of your visit, and other analytical data.
Cookies and other online tracking technologies
In order to navigate our website or technological solutions, customise and improve your experience, analyse which pages you visit, and assess the efficacy of advertising and promotional efforts, we utilise cookies and other data gathering tools.
We make use of both temporary and persistent cookies. Persistent cookies are kept on your device until they expire, unless you delete them before that time, unlike session cookies, which are temporary cookies that are deleted from the memory of your device when you shut your Internet browser or switch off your computer. Our website divides browser cookies into three categories that you can control using the "Cookie Consent Manager"; you can use this manager at any time to modify your preferences:
Google Analytics is a web analytics tool that records and analyses website traffic on our website to monitor how it is used. This information is made available to other Google services. Google may use it to contextualise and customise advertisements on its own network.
In addition to information on how you use the Website, Google Analytics may store your IP address. We, however, do not have access to your IP address since it is protected by Google.
Visit the Google Privacy Terms web page to find out more about their data privacy practices.
Server log files
When you visit our websites, we automatically collect information from server log files. This comprises your operating system, IP address, browser type, and referring and exit web sites. We take this action because it is in our legitimate interest for our website to function as intended or to determine what might need to be altered.
Other online activities
We monitor our website and technical solutions based on our legitimate interest to continuously enhance the experience for our users in order to administer our website and technical solutions and to understand how our website visitors browse around our websites and technical solutions. We may conduct additional analysis on the data we collect online in order to enhance the services, tools, and resources we offer to our users. This is further supported by our genuine interest in offering suitable content or user experiences.
Opinion / Feedback Surveys
If we engage in a general consumer survey, we process your survey responses. You may answer or not when it is presented to you. Withdrawing your consent will not be possible as we do not ask or collect identifying information and only use answers in large groupings, such as all “Yes” or “No” answers to a particular question. We would not be able to pull your answers out.
If you participate in our market or product / services research and surveys – whether delivered by us or a service provider on our behalf – we may process your email address, job title, phone number, survey responses, company name, job function, country, relationship with RFA, and any comments you provide.
On the basis of our legitimate interest in better understanding the market and enhancing our offerings, we conduct online consumer surveys to get your opinions on significant business-related issues. We do not proactively collect any personal information about you when we conduct these surveys, but cookies and data collection technologies may be used to manage the delivery of the surveys.
Interest in our Products
If you request or indicate an interest in information about our products, we process your name, email address, phone number, job title, information about the company where you work, including its website address, and any comments you provide. We add business information related to the company where you work from third party sources, such as business intelligence providers, information from publicly available sources such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, email communications, and our website. We maintain and update this information as we continue to engage with you. Engaging with you once you express interest in our solutions may be based on your consent or our legitimate interests. If we rely on consent, this will be clear to you that you are providing consent because you will complete a form. As such, you can cancel your consent using the opt-out link in the emails we send or by contacting us via an individual rights form, email, or phone.
We might send you marketing materials (such as sales, information, and business development materials) about our products that we believe you might find interesting. Your name, phone number, email address, postal address, job title, work function, company name, information regarding which of our goods you use or may be of interest to you, as well as any answers you make to such communications, are all processed for these communications.
We also process automatic information such as what we collect via cookies, IP address, device type, browser, and if the email was opened. We may also associate other information to the communication for insight such as company size, company financial information, and whether the company is a current or prospective customer. In general, these communications are initiated in our legitimate interest to engage you in business, but if the information was collected through our online forms, you also consented to being contacted. We track these communications to determine whether, when, and the IP address and associated city of, a marketing communication we sent was viewed based on our legitimate interest to effectively manage and improve upon such communications.
Inquiries about your opinion of our solutions from the standpoint of a customer or other user of our solutions may also be included in communications. We take this action because we want you to review our work. Using the unsubscribe link in the emails, you can always choose not to receive marketing emails.
Telephone / Video Calls
If you agreed to have a phone call or video conference with RFA recorded, we may use your name, email address, job title, picture, and voice for analytical purposes to enhance our customer relationship management and training, as well as to provide recorded information to our clients upon request. For instance, a consumer might request a demo recording for a specific solution. Any such phone calls or video conferences will be recorded after giving notice of the intention to do so. Before or during the meeting, you have the option to refuse recording, and you also have the option to ask for the deletion of the recording at any moment. Within 180 days, all such recorded sessions will be automatically destroyed.
Contracts / Relationship Management
We process your name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information), company size, company financial information, and signature along with communication content and any comments or feedback you may provide. Some information about you may come from other individuals. For example, a colleague may tell us that you moved to another company or a different role. Similarly, such information may be available publicly, such as on LinkedIn.
We use this information in order to facilitate the contract execution and to deliver on the contract. We will communicate with you, including via email, about your use of our solutions, obtain your input on new features, functionality, and content, and to provide information about updates to our solutions. We have a legitimate business interest in renewing your subscription-based solutions in order to retain you as a customer or partner along with providing additional solutions you request based on our legitimate business interest and / or contractual obligation to respond to your reasonable requests.
Using our Products
When utilising our platform and products, we might ask you for business data pertaining to the organisation where you work. This company data is kept on RFA systems, and we use it to deliver the services you've hired us to do in accordance with the terms and conditions of the contracts RFA has with your business.
In order to engage with our products and services, you will be an authorised user.
Your name, email address, username, password, IP address, job title, phone number, information about the business where you work, actions you have taken in the applications on the platform or in response to communications, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our platform are processed as a licenced user or other authorised user of our platform.
At all times in our engagement and agreement with you, RFA remains a Data Processor and you the client, the Data Controller. You the Client is responsible for determining the processing purpose.
Your Rights as a Data Subject
User access and control of your data
Using the contact information provided above, you may request a copy of the personal information we have about you, as well as the ability to correct it if necessary. If you wish to withdraw your consent to our use of your data at any time, please contact The Data Protection Officer at the address listed above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Data from a third party.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
We continue to place a high priority on the security of your data. We've put in place technological and security policies, guidelines, and methods to secure the personal data under our control, whether online and offline, against unauthorised access, improper use, alteration, unlawful or unintentional deletion, and loss. All our "personal user data" is restricted in our offices when we're not online.
Only Red Flag Alert workers have access to this information. However, keep in mind that no data transmission via the internet can be guaranteed to be completely safe. While we make every effort to protect your data, we cannot guarantee or promise the security of any information you submit us or that we store. Furthermore, we are not liable for the security of data that you send to us across networks that are not under our control, such as wireless networks and the Internet.
To ensure we comply with applicable legal obligations and protect the data we collect, we request written guarantees from third parties who may have access to your personal information that they will safeguard it with measures meant to offer a level of protection comparable to those taken by our Business, where necessary or relevant and practical.
Please refer to our Data Security Notice on our Web Page
Data Subject Access
Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which RFA holds about them, what it is doing with that personal data, and why.
Data subjects wishing to make a SAR may do so in writing, using RFA’s Subject Access Request Form, or other written communication.
Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
All SARs received shall be handled by RFA’s management team.
RFA does not charge a fee for the handling of normal SARs. RFA reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
How long will you use my personal data for?
We will only keep your personal data for as long as it is necessary to fulfil the reasons for which it was acquired, including to comply with any legal, accounting, or reporting obligations. We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements when determining the appropriate retention period for personal data.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
If you fill out a form on our website requesting information or provide details of your business email address, we will typically preserve your Identity, Contact, Marketing, and Communications Data for twelve months after your request, unless you express a desire to hear from us after that time-period has expired or where you have engaged RFA in providing a service to you as a client.
Unless you opt-out of receiving marketing from us, we will generally keep your Marketing and Communications Data for up to twelve months after your service contract finishes or expires (in which case we will keep a record of your opt-out request on our suppression list).
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:
Request access to your personal data.
Request correction of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us.
No fee usually required
Rectification of Personal Data
Data subjects have the right to require RFA to rectify any of their personal data that is inaccurate or incomplete.
RFA shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing RFA of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
We may need to ask you for further information to verify your identity and validate your right to access your personal data (or to exercise any of your other rights). This is a security step to ensure that personal information is not shared with anybody who does not have permission to receive it. We may also call you to obtain further information about your request in order to expedite our answer.
Erasure of Personal Data
Data subjects have the right to request that RFA erases the personal data it holds about them in the following circumstances:
Unless RFA has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
Objections to Personal Data Processing
Data subjects have the right to object to RFA processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
Where a data subject objects to RFA processing their personal data based on its legitimate interests, RFA shall cease such processing immediately, unless it can be demonstrated that RFA’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
Where a data subject objects to RFA processing their personal data for direct marketing purposes, RFA shall cease such processing immediately.
Despite our best efforts to secure your information if we suffer a data breach, we will do our best to reduce its effects and will follow the applicable notification provision of the UKGDPR and any other applicable laws within other Jurisdictions.
Third Parties with whom we may share your data:
We may share your data with third parties who provide services on our behalf.
All our third-party service providers are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
We may also share your personal data with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our users, and others.
Where your data is shared with third parties, we will seek to share the minimum amount necessary.
AIB GB MERCHANT SERVICES
Authenteq Tarbena GmbH HUBSPOT Tech City Labs Ltd
AWS (Amazon Web Services) Information Network Services Ltd Tora Digital
Blue Tahiti Software Ltd KoBolt Trust Payments Ltd
CHARGEBEE Microsoft Ireland Operations Ltd Vodafone
Companies House Microsoft Azure Microsoft Ireland Operations Ltd
Connell Data Ltd Microsoft Ltd Xero (UK) Ltd
Creditsafe ResponseIQ Zen Internet Ltd
Dun & Bradstreet Ltd Santander Charges Registry Trust
GB Group Ltd (GBG) The Compliance Engineers AHR Consultants
Google Ireland Ltd STRIPE
Changes to this Notice
Last Modified July 2023