It is important for us to be transparent and to provide accessible information to individuals about how we will use their personal data. This privacy notice can be found from https://inbot.io/privacy-notice.
- Sets out the purposes for which we hold personal data on our data subjects.
- Highlights that our work may require us to give information to third parties.
- Provides that our stakeholders have a right of access to the personal data that we hold about them.
Individuals and data subjects must take reasonable steps to ensure that personal data we hold about is accurate and updated as required. If your personal circumstances change, please inform us so that we can update your records.
Sharing personal data
It is sometimes necessary to share personal data with third party organisations. It is our responsibility to ensure that the data we share is compliant with the conditions of processing and is shared in a secure manner.
Third parties include:
- HR, Payroll, Accountants, Occupational health providers
- Recruitment agencies
- Banks and insurance companies
- Pension providers
- Local Authorities
- Cloud Infrastructure and hosting providers
- Applications that help us process and analyze data.
We abide by any request from an individual not to use their personal data for direct marketing purposes. We do not send direct marketing material to someone electronically unless we have an existing business relationship with them in relation to the services being marketed.
Sensitive personal data
In most cases where we process sensitive personal data we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Sensitive data will be shared on a needs basis with appropriate access controls.
Sensitive data will be collected only on the following grounds:
- Explicit consent has been given.
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law.
- Processing is necessary for the reasons of substantial public interest, on the basis of Union or Member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
We keep personal data secure against loss or misuse. Where 3rd party organizations process personal data as a service on our behalf, we will sign appropriate contracts with those third party organisations and ensure the safety of the data transfers and storage.
Secure storing of data
- In the occasional and rare case that data is stored on printed paper, it is kept in a secure place where unauthorized personnel cannot access it, and shredded when no longer needed
- We enforce the use of 2-factor authentication for logging into our main tools and platforms. For the most sensitive data stored on cloud, we require VPN access.
- We limit the administrator access to our environment to absolute minimum necessary.
- We store our sensitive internal documents mainly in our G Suite cloud servers to avoid accidental leaks and to be able to manage access control to all important documents.
- All network users have individual logins. We don’t share usernames or passwords. Passwords must be adequately complex and changed periodically. We encourage all employees and contractors to use a password manager to create and store their passwords.
- Devices such as laptops, tablets and mobile phones should automatically lock when not in use. Mobile phones should be password protected.
- Emails containing personal data should not be sent from personal accounts.
- Employees and contractors should be careful with emails to avoid clicking suspicious attachments or links.
- Our wireless networks are password protected and encrypted.
- In the occasional and rare case data is stored on a memory stick, we store it encrypted and password protected when offline
- Servers containing personal data are kept in a secure location or in the cloud, away from general office space.
- Data is regularly backed up in line with the company’s backup procedures
- Company data is always saved to cloud, not directly to mobile devices such as laptops, tablets or smartphones
- All servers containing sensitive data are approved and protected by security software and a strong firewall.
- Employees and contractors must report loss of a device or a hack into their accounts immediately.
- We keep a record of third party access to data.
Data retention periods
We retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but if relevant, the length of retention will be determined in a manner consistent with published legal and regulatory data retention guidelines.
Documents will be stored in line with guidance stated in the document retention schedule set out by the IRMS.
Personal data processed for any purposes shall not be kept for longer than is necessary for those purposes. All records that are not needed and have reached the end of their minimum retention period should be deleted in a manner that makes them unreadable or unreconstructable.
Requesting access to your personal data
Data subjects have the right to request access to information about them that we hold. To make a request for your personal information, email us at email@example.com. As we are a startup company with limited resources, please give us 30 days to comply with your request.
You have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the GDPR regulations.
If you would like to discuss anything in this privacy notice, please contact us at firstname.lastname@example.org.