Last updated: 25th July 2023 | Revision 9
Ideagen is committed to ensuring that any personal data entrusted to Ideagen, whether as a processor or controller, is collected, used, held or otherwise processed in compliance with the UK GDPR as well as US regulations (such as the CPRA, CCPA), the Privacy Act 1988 (Cth) for Australia or any other privacy regulation applicable in the country of residence of the data subject. This is achieved by utilising the appropriate technical and organisational controls and measures.
- When accessing and using any Ideagen website or any application
- When using our services as an authorised user where we act as a controller or processor of personal data
- When working for, or acting on behalf of, an Ideagen supplier or provider when Ideagen acts as the controller or processor of personal data
- When communicating or corresponding with us (including but not limited to emails, phone calls, texts or faxes).
It does not extend to any websites or third-party links that can be accessed from the Ideagen website or application including, but not limited to, any links we may provide to social media websites.
3. Who is the controller or processor of your data?
We will act as the data controller where we make decisions on how your personal data is used in connection with the website or our applications or services. We will act as the data processor where we only use your personal data as authorised and instructed by a third party in connection with the website, or our applications or services.
Where we are acting as a data processor, the relevant third party will be acting as data controller and will be responsible for the obligations of a data controller under Data Protection Law in connection with the processing of your personal data. If you are accessing the website, or our application or services through a third party, you should contact them with queries regarding the processing of your personal data or compliance with Data Protection Law.
4. How can you contact us?
Ideagen is a limited company incorporated in England and Wales (company number 02805019) and having its registered address at One Mere Way, Ruddington, Nottingham, England, NG11 6JS.
5. How do we collect your personal data?
Your personal data is collected directly from you when using the website, or our applications or services. This will be from you providing identifiable information directly, such as by filling in a form or web enquiry, by providing documents which contain your personal data, or through telephone conversations or email exchanges which may contain your personal data. Your web browser or email client may share data with us. This is covered in our cookie notice (more on this below).
6. What personal data do we collect from you?
The following personal data may be collected from you through your use of the website or our applications or services:
- Contact information, such as first and last names, job title, email address and telephone number;
- Financial information, such as bank account and payment card details where you are transacting with Ideagen;
- Device and browser information, such as network and connection information (including Internet Service Provider and Internet Protocol (IP) addresses), device and browser identifiers and information (including device, application or browser type, version, plug-in type and version, operating system, user agent, language and time zone settings and other technical information), advertising identifiers, cookie identifiers and information and similar data;
- Account information, such as security-related information (including usernames, passwords and authentication methods);
- Usage information and browsing history, such as usage metrics, log files, content interactions and user journey history (including page navigations, a list of URLs starting with a referring site, timestamps, content viewed or searched for and other data relating to your activity on the website and the site you exit to);
- Organisational information, such as your employer or organisations of which you are a member, location, your status within an organisation, and similar data; and
- Any additional applicable information you, your employer or other organisation wishes to disclose.
7. How do we use your personal data?
Any and all of the above personal data may be required by us from time to time in order for us to interact with you and to provide you with the best possible service and experience when using our website, application and/or services. We will always process your personal data on one or more of the following lawful bases:
- Performance of a Contract – where processing your personal data is necessary for the performance of a contract, including a contract entered into (or about to be entered into) by your employer or an organisation of which you are a member.
- Legitimate Interests – where processing your personal data is necessary for the legitimate interests of Ideagen or a third party, except where these interests are overridden by your fundamental rights and freedoms.
- Compliance with Law – where processing your personal data is necessary for us to comply with a legal obligation.
- Your Consent – where you have given us your informed consent to process your personal data for a designated purpose, such as to provide you with relevant promotional materials. Such consent can be withdrawn at any time by providing us with your written request to withdraw.
Specifically, your personal data may be used by us for the following reasons:
To provide, administer and analyse our Services
Performance of a Contract
For internal research and development for new content, products, and services, and to improve, test, and enhance the features and functions of our current Services.
To use data analytics to improve our website, applications, services, marketing, customer relationships and experiences.
For internal record keeping
Performance of a Contract
To detect and prevent fraud and abuse to ensure the security and protection of all customers and others, as well as to identify and authenticate your access to the applications and our services or to identify and authenticate you before we provide you with certain information
As part of ‘Ideagen Community’ (using Gainsight inSided) open forum for Ideagen customers and wider, to collaborate, discuss and provide user insight into Ideagen and its products.
For cross-sell marketing activities to existing Ideagen customers of Ideagen’s wider product suite. These may have been identified as relevant or applicable from previous purchases and/or interactions with Ideagen
To email promotional materials that may be of interest to you
To contact you for market research purposes which may be done using email, telephone, fax, or mail
To comply with your instructions or to fulfil other specific purposes for which you have given your consent
To comply with the law and our legal obligations, including to respond to a request or order from a court, regulator, or authority, as well as to fulfil our contractual obligations with our customers when they arrange access to our services for you
Compliance with Law
Performance of a Contract
To exercise Ideagen’s legal rights, including to take action against those in breach of the terms and conditions applicable to our products and services
Compliance with Law
Performance of a Contract
To effect the sale, merger, acquisition or other transfer of control of all or part of Ideagen or its business
Unless we are obliged or permitted by law to do so, and subject to Clause 11 (see below), your personal data will not be disclosed to any third parties.
We take reasonable measures to ensure all information provided is managed securely. Access to the information you provide will be restricted to only those who have the relevant authority and is stored securely in accordance with the requirements under Data Protection Law.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process your personal data without your knowledge or consent, in compliance with Data Protection Law, where this is required or permitted by law.
8. Where do we keep your data?
Your data may be kept in a number of locations depending on how you interact with us, including but not limited to the following:
- Amazon AWS
- Microsoft Azure
- Google Cloud
- Fresh Success
- Gainsight (inSided) – Ideagen Community
- HR Software
- Learning and development products
If you are resident in the UK or EU your data will reside and be processed in a UK or EU data hosting instance. For US residents your data will predominantly reside and be processed in the US. For any non-UK, EU or US residents your data may reside and be processed in other geographical locations including Australia and Asia.
Where your data is to be processed in other locations this should be addressed in any MSSA, contract or data processing agreement for Ideagen customers.
9. How do we control and secure your personal data?
We employ technical and organisational measures to protect your data. We are certified to the ISO 27001 standard which is an international standard for Information Security. Certification requires an extensive suite of policies to be maintained covering information security standards and practices. In addition to these policies Ideagen has a comprehensive approach with measures and controls in place to ensure personal data are secure. These include (but are not limited to) staff training, internal working groups, continuous monitoring and improvement, relevant background checks (where required), physical measures at our office locations, data segregation within our environments and network access controls.
In accordance with the data subject’s rights under Data Protection Law, in certain circumstances where you are required to submit personal data, you will have to positively opt-in and will also be given options to restrict our use of your personal data. This may include the following:
- Use of personal data for direct marketing purposes; and
- Sharing personal data with third parties (subject to Clause 11).
10. Your rights in relation to your personal data
Under data protection law you have the following rights (not all of these are absolute rights, for example the right to be forgotten):
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (also known as the right to be forgotten)
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right not to be subject to automated decision making
In order to review any request in line with your rights it may be necessary to verify the identity of the person exercising their rights. There is no charge for exercising your rights. If you make a request you will receive a response within one month of making the request. Should you wish to exercise any of these rights, please contact dataprotection@Ideagen.com.
In addition to the above rights you have the right to make a complaint. If you have any concerns about our use of your personal information you can make a complaint to us at email@example.com
You also have the right to complain to the ICO for any matters involving how your data may have been processed by us. The contact details are set out below:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: www.ico.org.uk
11. Do we use third party websites and services?
We may employ the services of other parties for dealing with matters that may include payment processing, delivery of purchased items, search engine facilities, customer support, advertising and marketing, website and data hosting and data analytics. We may provide the providers of such services with access to certain personal data provided by Users of the Website, Application or our Services.
12. What about links to other websites?
13. What would happen if there are changes to the business ownership and control?
14. What about cookies?
You may receive certain third-party Cookies on your device. This type of cookie is placed by websites and/or parties other than Ideagen. Third-party cookies include (but are not limited to) tools used to collect and analyse usage statistics, such as Google Analytics.
We use the following types of Cookies:
- Essential Cookies - these are cookies that are required or essential for the operation or function of our website, applications or services. They include, for example, Cookies that enable you to log into and use secure parts of the website, our applications or services.
- Analytical or performance Cookies - these allow us to recognise and track a user's usage of the website, our applications or services. This allows us to improve the way the website, our applications or services work and/or are provided.
- Functionality Cookies
- Targeting Cookies
You can find more information about, including a full list of, the individual first- and third-party Cookies we use, the purposes for which we use them, which services and/or applications contain them and the name of any third party Cookie providers.
All Cookies used by the website, our applications or services are used in accordance with current UK and EU Cookie Law.
We use a Cookie Notice to obtain consent before any Cookies are placed on your computer in relation to your use of our website. By giving consent to the placing of Cookies you are enabling us to provide the best possible experience and service to you.
You may, if you wish, deny consent to the placing of Cookies; however certain features of the website, our applications or services may not function fully or as intended. You cannot opt out of Essential Cookies where they are required to operate the website. Similarly, there is no option to opt out of any Cookies necessary for the operation of our applications or services.
You can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third-party cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser.
You can choose to delete Cookies at any time; however, you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.
It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.
Cookies can also be disabled on your device by reviewing your browser settings.
15. Do you make any International Transfers of my personal data?
We may transfer personal data that we collect from you to other companies within the Ideagen group which are outside of the European Economic Area. In these cases, we ensure your personal data is protected by requiring all our group companies to follow the same rules when processing your personal data.
We may also transfer personal data that we collect from you to third party data processors located in countries that are outside of the European Economic Area. In these circumstances, we will always take measures to ensure we have adequate legal safeguards in place. For example, we have entered into written agreements with all relevant third-party processors that ensure your data receives the same protection as if it were being processed inside the European Economic Area.
A list of the third parties with whom we may share your personal data for the purposes set out in clause 7 above, can be provided upon request.
16. How long do we keep Personal Data?
Any personal data you submit will be retained by us for no longer than is necessary to fulfil the stated/contractual purposes, or as reasonably necessary for us to retain such information to provide you with the services which you have requested or for Ideagen to comply with laws and regulations (including satisfying any legal, regulatory, tax, accounting or reporting requirements). After the retention period is over, Ideagen securely disposes of or anonymises your personal information to prevent loss, theft, misuse, or unauthorised access. If you withdraw your consent or request removal of your personal data, such data will be destroyed, but in doing so, you acknowledge that our ability to provide you with access to our website, application and services may be adversely affected. You can withdraw your consent or request removal of your personal data by contacting firstname.lastname@example.org.
Can we apply a general consent to sub-processors or do we require specific consent for individual sub-processors of the website?
Do we use session based AND persistent cookies?
Session-based cookies exist only during a single session and disappear from your device when you close your browser or turn off the device. Persistent cookies remain.
Check position on performance of contract and cookies when b2b
Insert link to Cookie web-page. REMEMBER – because we will be updating this we need to make sure that the link in any Cookie Notice also gets updated to the correct web-page so that whenever new consent is granted Users know what they are consenting to.
As it stands, there are no overarching/nationwide laws in the US like the GDPR which govern data protection/cookie usage. As a nation, we lag behind when it comes to data protection law. The only relevant US legislation is the CCPA (California Consumer Privacy Act), which is statewide and applies only to entities conducting business in California, and that state's consumers.
The CCPA is similar to the GDPR, but far less rigorous. Put quickly, GDPR requires users' prior consent whereas CCPA requires businesses to give their users the ability to "opt out" of information collection processes.
Regarding cookie compliance w/ the CCPA, entities are required to acknowledge: (1) if the data you get from cookies is sold/shared w/ 3rd parties; (2) that consumers have the right to opt out from non-essential cookies.
I take the position that because this policy was drafted in accordance with GDPR, the standards of which are far more rigorous than any in the US (including the CCPA), I believe the policy is fit for US purposes.