Outrageous Impact Ltd GDPR policy (updated: 6 Jan 2019)
At Outrageous Impact we adhere to the EU’s General Data Protection Regulations (GDPR).
This policy explains how we collect and treat any information you give us. You won’t find any complicated legal terms or long passages of unreadable text. We’ve no desire to trick you into agreeing to something you might later regret.
Our policy covers
- Why we value your privacy
- How we collect information
- What information we hold
- How we handle your information when you take part in research with Outrageous Impact
- How we work with younger people and those in vulnerable positions
- What we use your information for
- Who’s responsible for information at Outrageous Impact
- Who has access to information about you
- The steps we take to keep your information private
- How to get us to change or remove your data
- Your rights under GDPR
- How to complain
- Changes to the policy
1- Why we value your privacy
We value your privacy as much as we do our own, so we’re committed to keeping your personal and business information safe. We’re uncomfortable with the information companies, governments, and other organisations keep on file, so we ask for only the bare minimum from our customers and website visitors.
We’ll never use your personal information for any reason other than why you gave it, and we’ll never give anyone access to it unless we’re forced to by a lawful court order.
2- How we collect information
- When you contact Outrageous Impact via our website, we will ask for contact information including your name, email address, and telephone number so that we can reply to your enquiry.
- We use Google Analytics, which builds profiles of your internet activity. Here is Google’s GDPR compliance.
- Our online diary system is YouCanBookMe. Their GDPR policy is here.
- We collect email when you sign up for our newsletters. We use Mailchimp and they have certified they are GDPR compliant.
- Our customer and potential customer database is called Pipedrive. They have certified they are GDPR compliant.
- If you go on to be a customer, we will add you to our financial system, FreeAgent. Their GDPR policy is here.
- If you are a customer you may choose to pay by card via Stripe. Their GDPR statement is here.
- TSO Host Webmail is our email system. Here is TSO’s GDPR policy.
- When we do online research interviews, these will be recorded on Zoom. Zoom’s GDPR compliance is here.
- We store key documents, including interview transcripts, on Google Docs (we use two-factor authentication).
- All our computers are password protected. We always use a second layer of authentication, where this is available.
- We use Backblaze to back up all our computers. Their GDPR compliance is here.
3- What information we hold
- When you contact us we will ask for your name, email address, phone number, and the company you work for.
- We collect the same if you book a slot in our online diary.
- If you sign up for a newsletter, we only collect your email address and name.
- When you buy something from us, we collect your name, email address, phone number, and a delivery address.
- If you do business with us, we also collect your business name and bank details and keep records of the invoices we send you and the payments you make.
4- How we handle your information when you take part in research with Outrageous Impact
- If you take part in research, as an interviewee or focus group participant, we will keep details of your name, contact information, and PayPal details for paying incentives.
- If you take part in research, as an interviewee or focus group participant, we will also hold details of what you have told us. We will ensure that information you give us is anonymised, and that all identifying information is stored separately.
- Once we no longer need the information you have given us, we will delete it.
5- How we work with younger people and those in vulnerable positions
Research puts the researcher in a privileged and potentially risky position. The starting perspective for Outrageous Impact will always be the welfare of the research participant, followed by the protection of the researcher/s. To ensure that research is conducted ethically and safely with younger people and those in vulnerable positions, we will:
- Use Disclosure/Barring Service Checked researchers.
- Only ever do research with a chaperone present (at all times) to support the participant.
- If the research is conducted online, we will only do this when a chaperone can accompany the research participant.
- We will use a consent process that is easy to understand (based on written or verbal consent).
- We will be clear that participants may withdraw their consent at any point, and the research will be stopped.
- If participants are being offered incentives, this will not be contingent on them maintaining their consent.
6- What we use your information for
We use your contact information to send you details of our products and services. When we do, you have the option to unsubscribe from these communications and we won’t send them to you again. We might also email or phone you about our products and services, but if you tell us not to, we won’t get in touch again. We will use your information to send you invoices, statements, or reminders.
7- Who’s responsible for your information at our company
Patrick, our founder, is responsible for the security of your information. You can contact him by email at email@example.com or by phone on 07809 240021 if you have any concerns about the information we store.
8- Who has access to information about you
When we store information in our own systems, only the people who need it have access. Our management team have access to everything you’ve provided, but individual employees have access to only what they need to do their job.
We stand against state surveillance. There may however be times when we are compelled by government or other state agencies to disclose information we hold. To date this has never happened.
We will only release your data on production of a lawful court order. In addition, we will, unless the court says we may not, let you know if your data is requested in this way.
9- The steps we take to keep your information private
Where we store your information in online services, we restrict access only to staff who need it.
Where it is offered, we use two-factor authentication for all online services.
Outrageous Impact’s own computers are all password protected and use external authentication.
10- How to get us to change or remove your data
We want to help. As it is your data, our starting presumption is that we will make the changes you need.
You can unsubscribe from our marketing at any time (at the bottom of every Mailchimp email).
You have a right to see and correct other data we hold on you. Please just contact firstname.lastname@example.org.
11- Your rights under GDPR
The right to be informed – You have a right to know about our personal data protection and data processing activities, details of which are contained in the Outrageous Impact GDPR Policy.
The right of access – You can make what is known as a Subject Access Request (“SAR”) to request information about the personal data we hold about you (free of charge). If you wish to make a SAR please contact email@example.com
The right to correction – Please inform us if information we hold about you is incomplete or inaccurate in any way and we will update our records as soon as possible, in any event within 24 working hours. We will take reasonable steps to communicate the change to any third parties to whom we have passed the same information.
The right to be forgotten – Please notify us if you no longer wish us to hold personal data about you (although in practice it is not possible to provide our Service without holding your personal data). Unless we have reasonable grounds to refuse the erasure, on receipt of such a request we will securely delete the personal data in question within 24 working hours. The data may continue to exist in certain backups, but we will take steps to ensure that it will not be accessible. We will communicate the erasure to any third parties to whom we have passed the same information.
The right to restrict processing – You can request that we no longer process your personal data in certain ways, whilst not requiring us to delete the same data.
The right to data portability – You have the right to receive copies of personal data we hold about you in a commonly used and easily storable format (please let us know a format which suits you). You may also request that we transfer your personal data directly to a third party (where technically possible).
The right to object – Unless we have overriding legitimate grounds for such processing, you may object to us using your personal data if you feel your fundamental rights and freedoms are impacted. You may also object if we use your personal data for direct marketing purposes (including profiling) or for research or statistical purposes.
Right around automated decision making – You have a right not to be subject to automated decision-making (including profiling) when those decisions have a legal (or similarly significant) effect on you. You are not entitled to this right when the automated processing is necessary for us to perform our obligations under a contract with you, it is permitted by law, or if you have given your explicit consent. At Outrageous Impact we do not use these sorts of techniques.
Right to withdraw consent – If we are relying on your consent as the basis on which we are processing your personal data, you have the right to withdraw your consent at any time. Even if you have not expressly given your consent to our processing, you also have the right to object (see above).
12- How to complain
We take complaints very seriously. If you’ve any reason to complain about the ways we handle your privacy, please contact firstname.lastname@example.org
13- Changes to the policy
If we change the contents of this policy, those changes will become effective the moment we publish them on our website.