DBLX - Privacy Notice

Last updated: 31/03/2021

(For information about how we use Cookies on https://tickets.dblx.co.uk, please see our separate Cookie Policy)

Introduction

Digital Balance Ltd (“we”, “us”, “Digital Balance”) are a registered limited company within the UK under company number 2319237. Digital Balance are a creative agency providing a host of organic technical solutions in web design and development, eLearning, consultancy, and support services.

We are registered with the Information Commissioner’s Office, which is the UK’s supervisory data protection authority - “set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”

Digital Balance is committed to data protection and data security, and we continue to assess and strengthen our security processes and procedures on an ongoing basis.

This Privacy Notice contains information about what data we collect from our users, how we use that data, our responsibilities for keeping that data safe and secure, and the rights granted to our users under the General Data Protection Regulation - a new EU law created to better protect the data of all EU Citizens.

The General Data Protection Regulation

The General Data Protection Regulation, (GDPR) (EU) 2016/679, is an EU regulation that applies to all companies and organisations who use or store the Personal Data of EU Citizens.

The GDPR exists to protect the rights and freedoms of all EU Citizens, and ensure that people who use Personal Data within their business do so in a clear, transparent, and lawful way.

The GDPR refers to companies as either ‘Data Controllers’ or ‘Data Processors’.

A ‘Data Controller’ determines the purposes and means of the processing of personal data, and a ‘Data Processor’ processes that personal data on behalf of the controller.

Personal Data refers to “any information relating to an identified or identifiable natural person ('data subject')”.

As a Data Controller, Digital Balance is responsible for, and controls the processing of, the personal data of our clients, users of our support systems, as well as our employees.

As a Data Processor, Digital Balance is responsible for processing data for our clients - who determine how we should process their data across a wide range of web-based digital systems, on a contractual basis.

Under the GDPR, we must have a Legal Basis for using personal data. This means that we cannot use or store personal data unless we have a valid reason to do so. Valid means of Legal Basis include methods such as collecting clear and transparent consent from our users, or via a contractual agreement to process personal data.


Information We Collect

We collect various types of personal data across our business. This data is used for purposes such as accessing and using our support system (https://tickets.digitalbalance.co.uk/), user acceptance testing as part of our bespoke system development process, day to day communication and administration tasks, our consultancy services, as well as specific data processing activities carried out for our clients (Data Controllers).

As a Data Controller, types of information we collect include:

  • Personal details such as title, name, or username
  • Contact data such as contact address, e-mail address, telephone and mobile number(s)
  • Image data such as a user profile image or CCTV images at our office locations
  • Profile data such as a username and password
  • Technical data such as system access logs or IP addresses (a type of data used for identifying computers over the internet)

As a Data Processor, we process differing types of information within our client systems. The scope of this processing is specifically determined during the system design process with each client. We do not share any personal data across multiple client systems unless we have consent or a legal basis to do so, and we will never sell personal data to a third party.

As an employer, we may collect additional information such as biographical data from job applications and CVs, or additional data relating specifically to our employees.

Information Processing

We use personal data within our systems to create and maintain user accounts, communicate effectively with our users, fulfil contractual obligations, and to ensure system security via the recording of access logs or related system actions. We may also use personal data for account management, and other administrative tasks.

As part of our daily work as a data controller and processor, we may share the Personal Data of system users with certain specific sub-processors.

A sub-processor is a third-party data processor, engaged by Digital Balance, who may use or have access to Personal Data.

The sub-processors we use have been approved by Digital Balance and security vetted to a high standard. We use sub-processing services in areas such as web hosting, or within automated emailing or administration/auditing tasks.

This includes tasks such as sending a password reset email to a user, or sending an email notification about a system update. Any such automated systems use a secure email transfer protocol to perform this function.

We will never sell Personal Data to a third-party, and always ensure that our sub-processors hold security certifications such as the ISO/IEC 27001 standard, or the globally recognised Privacy Shield framework.

Here is an overview of sub-processors we use, and how we use them.

  • Rackspace (https://www.rackspace.com/) - Rackspace services are used for server hosting and provide technical support for internal and client web-based systems – including web and database hosting. Security monitoring and configuration, server backups, and other related tasks may be performed with or by Rackspace Ltd.

  • SendGrid (https://sendgrid.com/) - Digital Balance uses SendGrid for email services across its internal and client sites. The service is integrated via various secure protocols and is used for automated processes such as sending registration emails, password resets, as well as email notifications.

  • CloudFlare (https://www.cloudflare.com/) - CloudFlare provides a number of web based services used to enhance the speed, security, and reliability of our web applications. CloudFlare services include a global CDN (Content Delivery Network), along with WAF, DDoS protection, and SSL encryption security features.

  • Google Suite (https://gsuite.google.co.uk/) - G Suite is a collection of secure web-based applications and services provided on the Google Cloud used for administration tasks via documents and spreadsheets, cloud file storage, and email communications.

  • Office365 (https://www.office.com/) - Office365 is a set of Microsoft production tools for use in offline and online situations, or in combination with the OneDrive cloud storage platform. These tools are used for tasks such as word processing, spreadsheet creation and auditing, or internal and external scheduling and communications.

Data Retention

The duration for which we store personal data varies depending on what that data is used for.

We retain data according to the periods outlined in our client contracts, and within any consent agreements or opt-ins between us and our users.

In certain cases, we may need to retain data for a certain period after our contractual obligations have ended, or after a request has been made for the data to be deleted. This is for situations relating to legitimate business interests, to conduct audits, to comply with (and demonstrate compliance with) legal obligations, or to resolve disputes and enforce our agreements.

User Rights

The GDPR grants certain rights to EU Citizens. These rights include the following:

  • The right to be informed about the collection and use of your personal data.
  • The right of access to your personal data. This includes being able to access and view personal data we hold about you, along with any supplementary information.
  • The right to have data corrected. For example, if we hold details about you that should be amended or updated.
  • The right of erasure (the ‘right to be forgotten’). The right to have your data deleted, for example, if you no longer wish your data to be held or used by us.
  • The right of portability.

To request any of the above rights, or for more information about them, please contact Digital Balance using the details provided in the contact section of this Privacy Notice.

For certain rights we will need to verify your identity, so we may ask you to confirm certain identification details before we action the request.

Additional information about these rights can be found on the Information Commissioner's Office website, https://ico.org.uk/.

Data Security

Digital Balance ensure the safety and security of all our systems, and any data contained or used within them, by following strict security standards and practices.

These practices include using secure transfer protocols such as HTTPS, using separated UAT (User Acceptance Testing) and Live systems, high-strength encryption and password protection such as SSL, and fast and effective backup and restoration procedures.

Digital Balance assess the potential risks for all internal and client applications as part of the design and development process. This forms part of a base informal risk assessment that allows both ourselves and our clients to i) raise awareness of any potential risks, and ii) assess the need for further analysis such as a Data Protection Impact Assessment (DPIA).

Where necessary we carry out full Risk Assessments of systems to further ensure system security and integrity.

We also recommend to all our clients that a Penetration Test (commonly referred to as a “Pen Test”) is performed as part of the development process.

Further information about Penetration Testing can be found at https://www.ncsc.gov.uk/guidance/penetration-testing


Contact Information

General Information & Data Protection Enquiries
Contact: Digital Balance Ltd
Website: https://digitalbalance.co.uk/
Email: info@digitalbalance.co.uk
Tel: 01782 667077
Address: Suite 3, Three Counties House, Festival Way, Stoke-on-Trent, England, ST1 5PX

Further information regarding Data Protection Legislation and the GDPR in the UK is available from the data protection authority listed below.

Under the GDPR, all users have the right to raise any concerns with the Information Commissioner’s Office should they wish to do so.

The Information Commissioner’s Office (UK)
Website: https://ico.org.uk
e-mail: casework@ico.org.uk
Tel: 0303 123 1113 / +44 1625 545 745
Address: Water Lane, Wycliffe House
Wilmslow - Cheshire SK9 5AF

For information concerning the GDPR and Data Protection laws in other EU member states, please contact the appropriate data protection authority. A list of authorities is available at the following URL: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080