Red Flag Alert Technology Group Privacy Policy


Purpose of this privacy policy

RFA is a business-to-business (B2B) company, meaning we sell our solutions to other businesses and do not typically engage with general consumers for profit. 

We at Red Flag Alert Technology Group. (hereafter referred to as “RFA”) are committed to keeping your information private. This privacy policy will explain how we handle your personal information when you use our Platform or visit our website.

We are committed to being responsible custodians of the personal information that we collect in the course of operating our business.

This Privacy Policy ("Policy") explains in full how, in our capacity as a data controller, we collect, use, disclose, or otherwise process and safeguard personal information as part of running our business and providing services to our clients and customers.


Red Flag Alert Technology Group is the controller and responsible for your personal data (collectively referred toas Red Flag, we, us or our in this privacy policy).

 RFA is headquartered in the United Kingdom and no data we process will be transferred outside of the UK.

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, please contact the data privacy manager using the details set out below.

We have notified the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (, of our data controller activities and we are registered with number Z3002651.

Contact details

Our full details are:
Full name of legal entity: Red Flag Alert LLP
Data privacy manager: Mark Halstead
Email address:
Postal address: Red Flag Technology Group Ltd 49 Peter Street, Manchester, M2 3NG

Telephone number: 0344 412 6699

Compliance With the Principles of UKGDPR

Personal data is defined as any information that can be used to identify an individual. Individuals are recognisable when business email addresses take the form of ',' and thus fall under the definition of personal data.

The "legitimate interests" of the data controller or a third party are one legal basis for processing personal data.

Legitimate Interest refers to our company's interest in running and managing its operations in order to provide you with a professional service. Red Flag Alert’s legitimate interests provide the legal basis for processing the personal data described above, provided that the data subject's interests or fundamental rights and freedoms do not prevail, taking into account data subjects' reasonable expectations based on their connection with the controller.


How we collect your personal information depends upon how you interact with us

The manner in which you engage with us will determine how we acquire your personal information.

Your interactions with us, our products, and services will determine the categories and particular types of personal information we collect about you. You might fit into one of the following groups of data subjects based on this interaction:

  • Website visitors - Individuals that access our online properties or website
  • Employees/Applicants - Those who are employees, direct contractors, job applicants, or former employees
  • General Consumers - Those who interact with us in ways that have not yet been mentioned, such as those who respond to surveys from customers or partners or who express interest in our solutions or content


Personal data we collect from you:

We collect information provided to us each time you visit our website or engage in other online activities (further details are provided below). This information is collected based on our legitimate interests in making sure our website or other online activities function properly or that we are providing the user experience to you that we wish to provide. If it is based on our legitimate interest, we have determined that our business interest in gathering this information does not have a significant impact on your rights. In other activities, we may rely on your consent. If so, you have the ability to refuse consent or change your mind. We keep this information for as long as we have a business relationship or potential relationship with you.

Online data about you may also come through cookies and other similar technologies (such pixel tags and device identifiers) used on our site or other websites.

Red Flag Alert’s legitimate interests provide the legal basis for processing the personal data described above, provided that the data subject's interests or fundamental rights and freedoms do not prevail, taking into account data subjects' reasonable expectations based on their connection with the controller.

 We use your personal information for the following purposes:

What we use your personal data for

Our legitimate reasons

To provide contractual services to our clients

For the performance of our contract with our clients or to take steps at their / your request before entering into a contract

Preventing and detecting fraud against you / our clients or us

For our legitimate interests or those of a third party, i.e. to minimise fraud that could be damaging for you / our clients and/or us

Conducting identity checks to verify the identity of our clients

Any other screening necessary

Other processing necessary to comply with professional, legal and regulatory or other obligations that apply to our business, e.g. under health and safety regulations or rules issued by our professional regulator or the government


To comply with our legal and regulatory obligations, e.g. our anti-money laundering obligations

Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies

To comply with our legal and regulatory obligations

Ensuring business policies are adhered to, e.g. policies covering information security

For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures to enable us to deliver the best service to you / our clients

Ensuring the confidentiality of commercially sensitive information

For our legitimate interests or those of a third party, i.e. to protect our intellectual property and other commercially valuable information

To comply with our legal and regulatory obligations

Updating and enhancing our client records

For the performance of our contract with you / our clients or to take steps at your request before entering into a contract

To comply with our legal and regulatory obligations

Marketing our services to:

- existing and former clients
- third parties who have previously expressed an interest in our services
- third parties with whom we have had no previous dealings

For our legitimate interests or those of a third party, i.e. to promote our business to existing and former clients

External audits and quality checks

For our legitimate interests or a those of a third party, i.e. to maintain our accreditations which demonstrates our service is of the best possible quality and standard

To comply with our legal and regulatory obligations



This Website


  • We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where you have given your explicit consent to receive marketing communications from us


The activities (sources) listed below are how we obtain personal data about you or from you. We may get several categories and particular types of personal information from you depending on the activity (source). These actions might coexist, as in the case of a client visiting our website. If you give us any personal information online—for example, by completing a form or using cookies (tracking technologies)—we will only use it with your permission. You have the right to revoke consent at any time by using Your Right, depending on how you engage with us.

Online Forms

We process information you provide, such as your name, email address, company where you work, phone number, job function, job title, country, and any comments you provide. Given that we are a business-to-business (B2B) company, we do this in order to respond to your request for information or resources or, in our legitimate interest, to collect information in order to reach out to you for potential business interest. We may reach out to you with marketing communications using the information you submit in these online forms. You can easily opt out of future communications using the opt-out link provided in the emails sent to you. If you do opt-out, but then complete another form, you are essentially cancelling your opt-out.


Personal Data we collect automatically

Our website automatically collects certain data, through automatic data collection tools such as cookies, beacons, among others. These tools automatically collect the following information:

Technical information

Technical data, such as, but not limited to, browser type, operating system, device details, online identifiers like cookie data and Internet Protocol address (IP), domain name, referral URL, time zone setting, and/or visit time stamp.

Usage Data

Usage Data is the data we get regarding how people use and access the website. It might include the Internet Protocol (IP) address of your computer, the browser version, a list of the pages you've visited while on our website, how long you spent on each page, the date and time of your visit, and other analytical data.

Cookies and other online tracking technologies

In order to navigate our website or technological solutions, customise and improve your experience, analyse which pages you visit, and assess the efficacy of advertising and promotional efforts, we utilise cookies and other data gathering tools.

We make use of both temporary and persistent cookies. Persistent cookies are kept on your device until they expire, unless you delete them before that time, unlike session cookies, which are temporary cookies that are deleted from the memory of your device when you shut your Internet browser or switch off your computer. Our website divides browser cookies into three categories that you can control using the "Cookie Consent Manager"; you can use this manager at any time to modify your preferences:

  • Required cookies: These cookies are necessary to enable the basic features of this site to function, such as allowing images to load or allowing you to select your cookie preferences.
  • Functional cookies: These cookies provide us with the ability to assess and enhance our performance by tracking how you use the site. They might also be applied to enhance visitors' experiences on this website. As an illustration, remembering your log-in credentials or giving us details about how our site is utilised.
  • Advertising cookies: These cookies may be used to disclose data with advertisers so that the ads you see are more relevant to you, allow you to disclose certain pages with social networks, or allow you to post comments on our site.
  • Some cookies may be placed by third party service providers who perform some of these functions for us.
  • In addition, you can change the browser settings in your internet browser, such as Internet Explorer, Google Chrome, or Mozilla FireFox, to prevent cookies and trackers from being used. Sometimes your selections on a website conflict with these settings. When you visit our page and choose a cookie, your preference is saved as a cookie and, depending on your browser settings, may overrule your choice. For instance, if you've configured your browser settings to reject all non-essential cookies, your choice may be overridden.


Google Analytics

Google Analytics is a web analytics tool that records and analyses website traffic on our website to monitor how it is used. This information is made available to other Google services. Google may use it to contextualise and customise advertisements on its own network.

In addition to information on how you use the Website, Google Analytics may store your IP address. We, however, do not have access to your IP address since it is protected by Google.

Visit the Google Privacy Terms web page to find out more about their data privacy practices.


Server log files

When you visit our websites, we automatically collect information from server log files. This comprises your operating system, IP address, browser type, and referring and exit web sites. We take this action because it is in our legitimate interest for our website to function as intended or to determine what might need to be altered.


Other online activities

We monitor our website and technical solutions based on our legitimate interest to continuously enhance the experience for our users in order to administer our website and technical solutions and to understand how our website visitors browse around our websites and technical solutions. We may conduct additional analysis on the data we collect online in order to enhance the services, tools, and resources we offer to our users. This is further supported by our genuine interest in offering suitable content or user experiences.


Opinion / Feedback Surveys

If we engage in a general consumer survey, we process your survey responses. You may answer or not when it is presented to you. Withdrawing your consent will not be possible as we do not ask or collect identifying information and only use answers in large groupings, such as all “Yes” or “No” answers to a particular question. We would not be able to pull your answers out.

If you participate in our market or product / services research and surveys – whether delivered by us or a service provider on our behalf – we may process your email address, job title, phone number, survey responses, company name, job function, country, relationship with RFA, and any comments you provide.

On the basis of our legitimate interest in better understanding the market and enhancing our offerings, we conduct online consumer surveys to get your opinions on significant business-related issues. We do not proactively collect any personal information about you when we conduct these surveys, but cookies and data collection technologies may be used to manage the delivery of the surveys.


Interest in our Products

If you request or indicate an interest in information about our products, we process your name, email address, phone number, job title, information about the company where you work, including its website address, and any comments you provide. We add business information related to the company where you work from third party sources, such as business intelligence providers, information from publicly available sources such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, email communications, and our website. We maintain and update this information as we continue to engage with you. Engaging with you once you express interest in our solutions may be based on your consent or our legitimate interests. If we rely on consent, this will be clear to you that you are providing consent because you will complete a form. As such, you can cancel your consent using the opt-out link in the emails we send or by contacting us via an individual rights form, email, or phone.


Marketing Communications

We might send you marketing materials (such as sales, information, and business development materials) about our products that we believe you might find interesting. Your name, phone number, email address, postal address, job title, work function, company name, information regarding which of our goods you use or may be of interest to you, as well as any answers you make to such communications, are all processed for these communications.

We also process automatic information such as what we collect via cookies, IP address, device type, browser, and if the email was opened. We may also associate other information to the communication for insight such as company size, company financial information, and whether the company is a current or prospective customer. In general, these communications are initiated in our legitimate interest to engage you in business, but if the information was collected through our online forms, you also consented to being contacted. We track these communications to determine whether, when, and the IP address and associated city of, a marketing communication we sent was viewed based on our legitimate interest to effectively manage and improve upon such communications.

Inquiries about your opinion of our solutions from the standpoint of a customer or other user of our solutions may also be included in communications. We take this action because we want you to review our work. Using the unsubscribe link in the emails, you can always choose not to receive marketing emails.


Telephone / Video Calls

If you agreed to have a phone call or video conference with RFA recorded, we may use your name, email address, job title, picture, and voice for analytical purposes to enhance our customer relationship management and training, as well as to provide recorded information to our clients upon request. For instance, a consumer might request a demo recording for a specific solution. Any such phone calls or video conferences will be recorded after giving notice of the intention to do so. Before or during the meeting, you have the option to refuse recording, and you also have the option to ask for the deletion of the recording at any moment. Within 180 days, all such recorded sessions will be automatically destroyed.


Contracts / Relationship Management

We process your name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information), company size, company financial information, and signature along with communication content and any comments or feedback you may provide. Some information about you may come from other individuals. For example, a colleague may tell us that you moved to another company or a different role. Similarly, such information may be available publicly, such as on LinkedIn.

We use this information in order to facilitate the contract execution and to deliver on the contract. We will communicate with you, including via email, about your use of our solutions, obtain your input on new features, functionality, and content, and to provide information about updates to our solutions. We have a legitimate business interest in renewing your subscription-based solutions in order to retain you as a customer or partner along with providing additional solutions you request based on our legitimate business interest and / or contractual obligation to respond to your reasonable requests.


Using our Products

When utilising our platform and products, we might ask you for business data pertaining to the organisation where you work. This company data is kept on RFA systems, and we use it to deliver the services you've hired us to do in accordance with the terms and conditions of the contracts RFA has with your business.


RFA Platform

In order to engage with our products and services, you will be an authorised user.

Your name, email address, username, password, IP address, job title, phone number, information about the business where you work, actions you have taken in the applications on the platform or in response to communications, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our platform are processed as a licenced user or other authorised user of our platform.

At all times in our engagement and agreement with you, RFA remains a Data Processor and you the client, the Data Controller. You the Client is responsible for determining the processing purpose.


Your Rights as a Data Subject

User access and control of your data
Using the contact information provided above, you may request a copy of the personal information we have about you, as well as the ability to correct it if necessary. If you wish to withdraw your consent to our use of your data at any time, please contact The Data Protection Officer at the address listed above.

Data disclosure
As detailed in the table below, we may be required to disclose your personal data with our third-party service providers. Your personal information may also be shared with third parties to whom we sell, transfer, or merge parts of our business or assets. Alternatively, we could try to buy or merge with other companies. If our company changes hands, the new owners may continue to use your personal information in the same manner as described in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data from a third party.

It is your responsibility to ensure that:  you have an appropriate legal basis to share such personal data with us; and (ii) the third-party data subject reads and understands this Privacy Policy when you provide us with a third party's personal data (for example, any personal data relating to your employees, officers, and/or agents). We shall not be held liable to any third parties if you do not follow this rule.

Aggregated Data, such as statistical or demographic data, may be collected, used, and shared for any reason. Aggregated Data may be derived from your personal data, but it is not deemed personal data in the eyes of the law because it does not expose your identity directly or indirectly. We may, for example, aggregate your Usage Data to determine the percentage of people that utilise a certain website feature. However, if we combine or connect Aggregated Data with your personal data in such a way that the combined data can be used to identify you directly or indirectly, we recognise the combined data as personal data and handle it in line with this privacy policy.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).

We continue to place a high priority on the security of your data. We've put in place technological and security policies, guidelines, and methods to secure the personal data under our control, whether online and offline, against unauthorised access, improper use, alteration, unlawful or unintentional deletion, and loss. All our "personal user data" is restricted in our offices when we're not online.

Only Red Flag Alert workers have access to this information. However, keep in mind that no data transmission via the internet can be guaranteed to be completely safe. While we make every effort to protect your data, we cannot guarantee or promise the security of any information you submit us or that we store. Furthermore, we are not liable for the security of data that you send to us across networks that are not under our control, such as wireless networks and the Internet.

To ensure we comply with applicable legal obligations and protect the data we collect, we request written guarantees from third parties who may have access to your personal information that they will safeguard it with measures meant to offer a level of protection comparable to those taken by our Business, where necessary or relevant and practical.

Please refer to our Data Security Notice on our Web Page

Data Subject Access

Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which RFA holds about them, what it is doing with that personal data, and why.

Data subjects wishing to make a SAR may do so in writing, using RFA’s Subject Access Request Form, or other written communication.

Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

All SARs received shall be handled by RFA’s management team.

RFA does not charge a fee for the handling of normal SARs. RFA reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

How long will you use my personal data for?

We will only keep your personal data for as long as it is necessary to fulfil the reasons for which it was acquired, including to comply with any legal, accounting, or reporting obligations. We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements when determining the appropriate retention period for personal data.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

If you fill out a form on our website requesting information or provide details of your business email address, we will typically preserve your Identity, Contact, Marketing, and Communications Data for twelve months after your request, unless you express a desire to hear from us after that time-period has expired or where you have engaged RFA in providing a service to you as a client.

Unless you opt-out of receiving marketing from us, we will generally keep your Marketing and Communications Data for up to twelve months after your service contract finishes or expires (in which case we will keep a record of your opt-out request on our suppression list).

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:

Request access to your personal data.
Request correction of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

Rectification of Personal Data

Data subjects have the right to require RFA to rectify any of their personal data that is inaccurate or incomplete.

RFA shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing RFA of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

We may need to ask you for further information to verify your identity and validate your right to access your personal data (or to exercise any of your other rights). This is a security step to ensure that personal information is not shared with anybody who does not have permission to receive it. We may also call you to obtain further information about your request in order to expedite our answer.

Erasure of Personal Data

Data subjects have the right to request that RFA erases the personal data it holds about them in the following circumstances:

  • It is no longer necessary for RFA to hold that personal data with respect to the purpose(s) for which it was originally collected or processed
  • The data subject wishes to withdraw their consent to RAF holding and processing their personal data
  • The data subject objects to RFA holding and processing their personal data (and there is no overriding legitimate interest to allow RFA to continue doing so)
  • The personal data has been processed unlawfully
  • The personal data needs to be erased in order for RFA to comply with a particular legal obligation.

Unless RFA has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Objections to Personal Data Processing

Data subjects have the right to object to RFA processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

Where a data subject objects to RFA processing their personal data based on its legitimate interests, RFA shall cease such processing immediately, unless it can be demonstrated that RFA’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

Where a data subject objects to RFA processing their personal data for direct marketing purposes, RFA shall cease such processing immediately.

Data Breaches

Despite our best efforts to secure your information if we suffer a data breach, we will do our best to reduce its effects and will follow the applicable notification provision of the UKGDPR and any other applicable laws within other Jurisdictions.


Third Parties with whom we may share your data:

We may share your data with third parties who provide services on our behalf.

All our third-party service providers are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

We may also share your personal data with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our users, and others.

Where your data is shared with third parties, we will seek to share the minimum amount necessary.


Authenteq Tarbena GmbH                    HUBSPOT                                             Tech City Labs Ltd

AWS (Amazon Web Services)                Information Network Services Ltd         Tora Digital

Blue Tahiti Software Ltd                         KoBolt                                                  Trust Payments Ltd

CHARGEBEE                                          Microsoft Ireland Operations Ltd           Vodafone

Companies House                                 Microsoft Azure Microsoft Ireland Operations Ltd

Connell Data Ltd                                   Microsoft Ltd                                        Xero (UK) Ltd

Creditsafe                                             ResponseIQ                                          Zen Internet Ltd

Dun & Bradstreet Ltd                            Santander Charges                                Registry Trust

GB Group Ltd (GBG)                              The Compliance Engineers                    AHR Consultants

Google Ireland Ltd                                STRIPE



Changes to this Notice

We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy. We will provide additional notice to you if we make any changes that materially affect your privacy rights.



Last Modified July 2023