PhixFlow Limited Privacy Policy for Customers.
We recognise that it is important for you to understand how we use your personal data. Please read this Privacy Notice carefully as it contains important information explaining how we use your personal data, whether you are a customer or potential customer, an individual getting in contact with us, or an individual whose personal data we otherwise process in the course of our business.
We will only use personal data in ways that are described in this notice and only in ways that are consistent with our obligations and your rights under applicable data protection laws (the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679, and the UK General Data Protection Regulation). Terms used in this Privacy Notice such as “personal data”, “special categories of personal data”, “data controller”, “data processor”, and “data subject” have the meanings given to them in the applicable data protection laws.
Who we are, and who is the Data Controller?
We are PhixFlow Limited (PhixFlow), with registered number 05065889 and registered address St. Johns Innovation Centre, Cowley Road, Cambridge, CB4 0WS, England. For the purposes of data protection laws, we have appointed a Data Protection Lead who can be contacted at data.protection@phixflow.com.
The Data Controller is the organisation that makes decisions about how and for what purposes your personal data is used, and where we collect your personal data directly from you for our own purposes, we are the Data Controller.
If your data has been passed to us by a third party for processing under their instruction, that third party is the Data Controller. They should have notified you as part of their own data privacy notices and standards that they would be passing your personal data to us.
The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data or anonymised aggregated data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes your name; usernames or similar; marital status; title; date of birth; sex and gender.
- Contact Data includes addresses; email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes information about transactions with us such as payments and details of purchases you have made.
- Technical Data includes IP addresses; login data; browser info; time zone; location; browser plug-ins; operating systems; platforms and other technology on the device used to contact us.
- Profile Data includes usernames; passwords and security answers; purchases/orders; interests; preferences; feedback and responses to surveys; and blogs and messages.
Usage Data includes information and analytics about how you use our services and products.
Marketing and Communications Data includes your preferences about receiving marketing and other communications from us or third parties.
We do not collect Special Categories of Data such as details about your ethnicity or religious beliefs.
We may also collect, use and share aggregated data such as statistical or demographic data. Aggregated data can be derived from your personal data but is not itself personal data as it cannot be used to reveal your identity. If aggregated data is ever used in combination with your personal data to make it identifiable, it will be treated in accordance with this notice.
How is your personal data collected and used, and what is our lawful basis for doing so?
The table below sets out the different methods by which your data is collected, and the purposes for which we use it. To use and process your personal data, we must have a lawful basis for doing so, as shown in the table. The different types of lawful basis are:
- your consent: we process your data where you have given your specific consent or permission for us to do so;
- performance of a contract: we process your data to perform a contract with you, such as providing services that you have requested or fulfilling your order or instructions;
- legitimate interests: we process your data as part of conducting and managing our business, for example to enable us to give you the best service/product and the best and most secure experience that we can. We consider and balance the needs and benefits to us against the impact and benefits for you of us processing your data. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact our Data Protection Lead at data.protection@phixflow.com.
- compliance with a legal obligation: we process your data where it is necessary for us to comply with our legal obligations;
- protection of your, or another’s vital interests: we process your data in order to protect your vital interests or those of a third party;
- public interest or official authority: we process your data where it is necessary to meet a public interest or as required by an official body or authority.
Your personal data is normally collected through direct interactions with you (for example, when you communicate with us regarding the provision of products or services, or if you create an account with us) or via automated technologies (for example, when you interact with us online, there are cookies that automatically collect Technical Data about your equipment and browsing patterns).
Most commonly we will use your personal data to perform the contract we have with you, or where it is necessary for our legitimate interests (or those of a third party), or to comply with a legal obligation.
Processing for purposes relating to our Customers
Purpose/Activity | Categories of information processed? | Why are we processing your data and what is the lawful basis? | Where did we get your personal data from? |
Registration/set-up in our systems and records (including creating an account if applicable) |
| To communicate with you and establish you as a customer, under ‘performance of a contract’. | Obtained directly from you via online forms, phone or email (or otherwise) and using external third-party sources if applicable. |
Fulfilment of orders and/or requests for services |
| To communicate with you regarding products and/or services, including managing associated payments and fees under ‘performance of a contract’. | Obtained directly from you via online forms, phone or email (or otherwise). |
Managing the relationship between us |
| To communicate with you, including notifying you of changes to our terms, and asking you for feedback or to respond to a survey. This may be under ‘performance of a contract’, or to ‘comply with a legal obligation’ or under our ‘legitimate interests’ in keeping our records updated and to see how products/services are used. | Obtained directly from you via online forms, phone or email (or otherwise). |
Managing our business (and, if applicable, maintaining your account) |
| To run our business and finances, manage our administrative and IT functions (including providing you with access to and maintaining your account), administer our hosting, data reporting and analysis functions, support our network security and to prevent fraud. This processing is carried out under our ‘legitimate interest’ in managing and running our business and keeping our systems up to date. This processing is also necessary to ‘comply with a legal obligation’. | Obtained directly from you, via online forms, phone or email (or otherwise) and including via technical means such as cookies on our website. |
Developing and improving our business and relationships |
| To use our data reporting and analysis functions in order to improve our products/services, update and improve our website, build and improve our customers and other business relationships and to inform our marketing strategy. This processing is carried out under our ‘legitimate interests’ in developing and growing our business. | Obtained directly from you, via online forms, phone or email (or otherwise) and including via technical means such as cookies on our website. |
Direct Marketing |
| To make suggestions and recommendations to you about our products and services that we believe you will benefit from, under our ‘legitimate interests’ in developing and growing our business. | Obtained directly from you via online forms, phone or email (or otherwise). |
Respond or provide information to government and other authority bodies, and fulfil other legal obligations |
| To ensure we comply with any legal and statutory obligations that might arise, under ‘compliance with a legal obligation’. | Obtained directly from you via online forms, phone or email (or otherwise). |
Enquiries and Referrals to us from a third party |
| To respond to enquiries from existing and potential customers, and to respond to referrals of potential customers made to us by third parties to whom you have given your consent for your data to be shared with us. This processing is conducted lawfully on the basis of ‘our legitimate interests’, or in the case of referrals, on the basis of ‘your consent’. | Obtained directly from you, (or for referrals, from the third- party referrer), via online forms, phone or email (or otherwise). |
What profiling or automated decision making do we perform?
We do not perform any profiling or automated decision-making based on your personal data.
Any additional processing?
The personal data collected will correspond to that which is required for the processing noted above. Any additional personal data sought from you or any processing for different purposes will be subject to notice to you, setting out an explanation and, if required by law, obtaining your prior, express consent. We may process your personal data without your knowledge or consent where required by applicable law or regulation.
What happens if you fail to provide your personal data?
The information about you that we collect for the performance of our contracts and legal obligations is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we may not be able to enter into a contract with you to provide the products and/or services we offer. If we are already processing your personal data under a contract, you must end our contractual relationship (as/where permitted) in order to exercise some of your legal rights with regard to your personal data. If we process some personal data as part of a contractual relationship we have with a third-party Data Controller, then any requests to restrict this type of processing should be forwarded to that Data Controller; they will be responsible for discussing your concerns and making any associated decisions.
What are your legal rights?
You have the right to:
- be informed of how your personal data is used (through this notice);
- request access to any personal data held about you (through a data subject access request);
- request rectification of any inaccurate or incomplete personal data held about you;
- request erasure of your personal data where there is no valid reason for us continuing to process it, including if you have withdrawn your consent (where we are processing the data based on your consent), or if you have successfully exercised your right to object (see the right to object below). We may not be able to comply with your erasure request for specific legal reasons which will be notified to you at the time of your request;
- request restriction of processing of your personal data in certain circumstances, for example if you dispute the data’s accuracy, or if you would have the right of erasure of the data but you want us to continue to hold it, or if you need us to hold the data even when we no longer require it, or where you need it for the purpose of a legal claim, or if you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to do so;
- object to processing of your personal data where our processing is necessary for the purposes of legitimate interests but you feel that your rights and freedoms are impacted or that substantial damage is likely to you or another, unless we can demonstrate that we have compelling legitimate grounds which override your rights and freedoms;
- request transfer of your personal data to you or to a third-party. This applies only in respect of automated information initially provided to us under your consent or as used by us to perform a contract with you, and will be provided in a structured, commonly used, machine- readable format;
- withdraw consent at any time where we are relying on your consent to process your personal data. This will include processing for direct marketing purposes and for specific research purposes where you have given your consent;
- not be subject to automated processing where this results in decisions being made about you by automated processes (including profiling), and a right to prevent those decisions being enacted.
If you would like to exercise any of these rights or if you have any queries about this notice or the way that we use your data, please contact our Data Protection Lead at data.protection@phixflow.com.
Accessing your data
If you have created an online account with us, you can access key personal data held about you by logging in to your account on the website. You are responsible for updating your personal details on the account if they change.
You can gain access to the personal data held by us about you by emailing our Data Protection Lead at data.protection@phixflow.com with the subject line: “Subject Access Request”. When you submit a ‘subject access request’, you will need to provide confirmation of your identity by contacting us using the email address that you have provided us with initially, including your phone number for us to contact you to confirm your identity. We may ask for a copy of your passport/driving licence in order to carry out further identity checks. Our response to a subject access request will normally be made within thirty (30) days. Our response is provided free of charge to you unless our Data Protection Lead deems your request as being excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance. We will also inform you if there are any associated delays. You will then have the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section above regarding your rights and the section at the end of this Notice on ‘Who can I complain to’.
Children
Our website, services and job roles are not directed towards children (as defined by local law), nor do we knowingly collect information from children or about children without parental consent except where we have to do so to comply with applicable law.
Third-Party Links
Our website and services may include links to third parties with third-party websites or applications. Interacting with these may allow them to collect or share your data. We don’t control these third-parties and aren’t responsible for their privacy practices. Once you leave our website and when you access third-party services or websites, our privacy notice doesn’t apply to those services or sites. We recommend reading the privacy notice of every service or website you use. Contact the relevant third parties directly if you have concerns about their data practices.
Security of your Data
We take the security of your personal data seriously and have put physical, technical, operational and administrative strategies, controls and measures in place to help protect your personal data from loss, damage, unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know and all our third-party processors are obliged to implement equivalent data security measures. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these security measures may be obtained by contacting our Data Protection Lead at data.protection@phixflow.com in the first instance.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data when transmitted across the internet and any such transmission is at your own risk.
How long will your personal data be kept?
We hold different categories of personal data for different periods of time. Where there is a time frame laid down by law, we will use this. Where there is no legal framework, we will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it (for example, as required to satisfy any legal, accounting, or reporting obligations), or as necessary in the event of a complaint to resolve disputes. We will make an informed and demonstrably logical decision as to how long is an appropriate amount of time. For example, we hold copies of contracts for six (6) years after they have ended in order to respond to any potential legal action. We specify the retention periods for your personal data in our Data Retention Policy.
If we process your data on the basis of ‘legitimate interests’, we will retain your data for as long as the purpose for which it is processed remains active. Details of how often we review the status of our legitimate interests are set out in our Data Retention Policy.
It is important that the personal data that we store is relevant and up-to-date. Anything that ceases to be relevant or accurate will be destroyed, as long as retention is not required for one of the reasons set out above.
Who else will receive your personal data (including disclosure or sharing of your information)?
We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who require such information to assist us with administering our relationship with you, including third-party service providers who provide services to us or on our behalf.
Third-party service providers may include, but are not limited to, IT system support suppliers, analytics providers, and data storage or hosting providers. These third-party service providers may be located outside of your home jurisdiction.
We may also need to disclose your personal data to legal authorities and other bodies during emergency situations or to comply with a legal obligation or legal process such as enforcing agreements, and/or protecting the rights, property, or safety of our company, employees or others. If and when we disclose your personal data for these purposes, we will take reasonable steps wherever possible to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances.
We may also need to disclose your personal data if a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction. In these circumstances, we will limit data sharing to what is absolutely necessary, and we will anonymize the data where possible.
As part of data protection compliance, we ensure that any third-party recipient respects data protection standards. We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and our data security obligations. We only permit our third-party service providers who process your personal data on our behalf to do so for specified purposes in accordance with our instructions, and we do not permit them to use your personal data for their own purposes.
Further details of where we may pass your data to third parties is listed in the section ‘Third-Party Interests’ below.
Does your data leave the UK?
We may transfer the personal data we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as that in the UK or EU, as necessary for the purposes set out in this Privacy Notice. Similarly, some of our trusted third-party suppliers may transfer data to the US or other jurisdictions in the same way.
Whenever we send (or permit a third party to send) your personal data outside of the UK, we ensure that a similar degree of protection is afforded to it as our own by, for example, requiring the overseas recipient to enter into particular contract terms or the European Commission’s Standard Contractual Clauses or the UK IDTA, further details of which may be found by contacting our Data Protection Lead at data.protection@phixflow.com or at ico.org.uk.
Further details on this are included in the section ‘Third-Party Interests’ below.
Third-Party Interests
Data Controllers
Name or Category of Third-Party Controller | What processing is being performed? | If applicable – who is their representative within the EU? |
HMRC, regulatory authorities or other authorities | We are joint Controller with these authorities who require reporting of processing in some situations. | N/A |
Our Data Processors
Name or Category of Third-Party Controller | What processing is being performed? | If applicable – where does data leaving the EEA go and what safeguards are in place? |
Web hosting providers | ||
Azure | Hosting of our website, including the storage of data forming the website content, and processing your personal data in order to provide you with access to our website, and if applicable, to set-up and maintain your account. | This provider is located in Europe unless otherwise agreed in a service form. |
Internal technology providers | ||
Zendesk | For handling longer term, more complex support issues. We will only use this if you choose to contact support@phixflow.com. | Where Zendesk processes customer data in the US, it ensures that appropriate safeguards are in place. Further details can be found here: https://www.zendesk.co.uk/company/agreements-and-terms/privacy-notice/#how-we-process-personal-data |
Marketing technology providers | ||
Force24 | Retrieving and analysing personal data to send you directed marketing emails. Providers of marketing automation software that enable us to send emails to customers, based on their activity on our website. | N/A |
Xero | Accounting software used to process customer accounts. | Where Zero processes customer data in the US, it ensures ‘appropriate safeguards’ prescribed by the GDPR are in place, that is, by entering into the European Commission’s standard contractual clauses with the entity the data is transferred to. Further details can be found here: https://www.xero.com/uk/data/xero-and-gdpr/ |
Contact Us
Our Data Protection Lead can be contacted at data.protection@phixflow.com if you have any questions about our processing of your personal data or would like to make a subject access or other request,
Who can you complain to?
You have the right to make a complaint at any time to our supervisory authority, the Information Commissioner’s Office (ICO), which is the UK regulator for data protection issues, by visiting https://ico.org.uk/concerns/ or the data protection authority in your jurisdiction. We would, however, appreciate the chance to deal with your concerns before you approach them, so please get in touch with us in the first instance by contacting our Data Protection Lead at data.protection@phixflow.com.
Changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, and notify us of any changes to data that you have provided us with in the past, or if you become aware that we are storing inaccurate data about you.
We keep this Privacy Notice under regular review and we reserve the right to update it at any time. We will place any updates on our website.
This Privacy Notice was last updated on 28/09/2023.