Last updated: 8 February 2024
We take privacy seriously. When handling Personal Information, we will comply with Applicable Privacy Laws, including (as applicable) the UK Data Protection Act 2018 (DPA) and the United Kingdom General Data Protection Regulation (UK GDPR), and the General Data Protection Regulation (EU) 2016/679 (EU GDPR).
WHO IS FIRMCHECK?
Firmcheck is a company headquartered in London, England, and has a New Zealand-based parent company: Connectworks Limited.
The name and contact details of our Data Protection Officer (DPO) for the purposes of the GDPR, UK GDPR, and NZ Privacy Act are:
PERSONAL INFORMATION WE COLLECT AND HOW WE COLLECT IT
We collect your Personal Information in a number of ways when you use the Website or Service. These can broadly be categorised as follows:
Information that comes directly from you. This is the Personal Information about you that you enter into the Website or Service yourself, such as your date of birth, email address and other contact details, including any Personal Information you provide through the registration or subscription process, through any contact with us (e.g. Website enquiry form or email) or when you use the Service. If you don’t want to provide your Personal Information, you don’t have to, but it may restrict the function of some parts of the Website or Service.
Information we receive from third parties. As a service for managing multi-party clients, it is likely that at least some of the Personal Information about you that we have access to through the Website or the Service will have been entered by someone else. At a minimum, your personal profile (which requires your name, email address, and user role) will have been created by someone other than you, in order for you to be invited to use the Service. The majority of such Personal Information will be anything about you that is recorded by the professional advisor who manages the Subscription, but it might also be possible for other third parties to store information about you. We may also collect Personal Information from publicly available sources.
Information we receive from your use of the Website and Service. Some Personal Information is automatically collected when you perform any action on, or interact with, any part of the Website or Service, including:
- clickstream data, which is a record of how you navigate or click through our Website or Service; and
Whenever you lodge a support query on the Website, we collect your name and email address, in order to be able to reply to you and provide the support or advice requested.
HOW WE USE YOUR PERSONAL INFORMATION
- to create accounts within the Website and the Service;
- to provide our Website and Service (including support services) and otherwise carry out our obligations under the Terms of Service;
- to bill you (or the Subscriber or Client on whose behalf you are acting) and to collect money that is owed, including authorising and processing credit card transactions,
and such processing is necessary for the performance of the contract between you (or the Subscriber or Client on whose behalf you are acting) and us.
We also process your Personal Information:
- to verify your identity;
- to communicate with you (including responding to feedback and information requests relating to the Website and the Service, to let you know when we are experiencing technical difficulties, and to alert you of new features or developments);
- to communicate with, and comply with our obligations to, our third-party service providers, suppliers and other users of our Website and Service;
- to send administrative messages, reminders, notices, updates, security alerts, and other information relevant to your (or an associated Subscriber’s or Client’s) use of the Website and/or the Service;
- to track access to the Website and Service in order to help detect and prevent any fraudulent or malicious activity;
- to analyse and report on usage of the Website and Service, so we can improve the Website and Service;
- to send you (or the Subscriber or Client on whose behalf you are accessing the Service) marketing and promotional messages and other information that may be of interest to you where you (or the Subscriber or Client on whose behalf you are accessing the Service) have consented to receiving such material. You can opt out of receiving marketing materials from us by using the opt-out facility provided (e.g. an unsubscribe link) or by emailing us at firstname.lastname@example.org;
- to protect and/or enforce our legal rights and interests, including defending any claim; and
- to comply with our legal obligations, including any notification and reporting obligations and any access directions imposed on us by an applicable Government agency, law enforcement agency or regulatory authority,
and such processing is necessary for the purposes of a legitimate interest pursued by us, and we have assessed that our interests are not overridden by your interests or fundamental rights and freedoms.
We may also process your Personal Information for such other purposes that are compatible with the original purposes described above, or that you otherwise consent to.
DISCLOSING PERSONAL INFORMATION
We may disclose your Personal Information to:
- service providers and suppliers who provide necessary goods and/or services to us, and any other partners who help us market and sell the Website and/or the Service - for instance to manage customer relations, send out newsletters and/or to process payments;
- any business that supports us, including hosting or maintaining any underlying IT system or data centre that we use to provide our Website and/or Service;
- other third parties to anonymise and aggregate statistical information;
- a person who can require us to supply Personal Information (e.g. a Government agency, regulatory authority or law enforcement agency);
- respond to due diligence requests and/or transfer Personal Information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition of our business; and
- any other person or client authorised by you.
The rights of disclosure in this section may, if applicable, be subject to further restrictions contained in data processing agreements with our Subscribers and/or third party service providers (as applicable).
Also, you should be aware that:
- Anyone who has been granted access to Firmcheck’s Website will be able to view elements of the Personal Information recorded in your Firmcheck profile. In most cases, this access will be granted by the administrator that manages the relevant Subscription, but there are occasionally instances when we are requested to facilitate this access on the Subscriber’s behalf.
- Whenever you accept an invitation to access the Service, information in your profile will also be visible, on an ongoing basis, to the party that created that invitation. We note that a “party” in this sense may consist of more than one actual person (for example, where an invitation to the Service is extended by a professional services firm, your profile may be visible to a number of staff members that belong to that firm). A list of all the parties that have such access to your data is contained in your personal profile. If you want to revoke access by any party, you can do so from your personal profile, though we recommend contacting the relevant party first.
OVERSEAS TRANSFERS OF PERSONAL INFORMATION
We store Personal Information on services located in the United Kingdom. We may transfer Personal Information to our parent company Connectworks Limited (in New Zealand) and reputable third party organisations inside or outside the United Kingdom and EEA when we have a business need to engage these organisations. Each organisation (including Connectworks Limited) is required to safeguard personal data in accordance with our contractual obligations and Applicable Privacy Laws.
We utilise the services of third party processors (or subprocessors, as applicable) in various countries who may access your Personal Information. An up-to-date list can be found below. Consequently, we may transfer Personal Information to persons or entities located in these countries.
If we transfer Personal Information to a third party located in a country outside:
- the European Economic Union that the European Commission has not recognised as providing adequate protection, if required by the EU GDPR we will enter into an agreement with that third party containing the standard contractual clauses approved by the European Commission; or
- the United Kingdom that the United Kingdom Government has not recognised as providing adequate protection, if required by the UK GDPR we will enter into an International Data Transfer Agreement or Addendum (as appropriate) issued under section 119A of the UK Data Protection Act 2018.
CONTROLLER AND PROCESSOR STATUS
Where we process, use or disclose Personal Information for our own purposes, for purposes related to our business, or where professional standards regulations apply, we will be a “data controller” under the EU GDPR and/or the UK GDPR.
While we take reasonable steps to maintain secure internet connections, the supply of Personal Information over the internet is at your own risk.
HOW LONG WE KEEP PERSONAL INFORMATION
COOKIES AND TRACKING
We use web analytic tools, such as Segment, Mixpanel, and Smartlook to collect information about use of our Website and Service, with the goal of improving our Website and Service. These web analytic tools collect information such as how often users visit the Website and Service, what pages they visit when they do so, and what other sites they used prior to coming to the site.
We may use various technologies to collect and store information about you when you use the Website and/or the Service, and this may include using cookies and similar tracking technologies, such as pixels and web beacons, as described below.
A cookie is a piece of information that our web server may send to your machine when you visit our Website. The cookie is stored on your device, but does not identify you or give us any information about your device.
The types of cookies we use may include:
- Strictly necessary cookies: These cookies are essential to the full functionality of our Website. They enable you to navigate around our Website and use its features. Without these cookies, you may not be able to access all the functions of our Website or the Service.
- Performance cookies: These cookies collect information about how you use our Website and the Service. All information these cookies collect is anonymous and only used to improve our Website and Service.
- Functionality cookies: These cookies allow our Website to remember the choices you make (for example, your user name, language or your region). Although these cookies are used to enhance the performance of our Website and Service, they are non-essential to their use. However, without these cookies, certain functionality may become unavailable.
The length of time a cookie will stay on your browsing device depends on whether it is a persistent or session cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies will stay on your browsing device until they expire or are deleted.
Web beacons are tiny graphics with a unique identifier that may be included on the Website for several purposes. For example, we may use web beacons to deliver or communicate with cookies, to track and measure the performance of the Website and Service, to monitor how many visitors view our Website, and to monitor the effectiveness of our advertising. Unlike cookies, which are stored on an individual’s hard drive, web beacons are typically embedded invisibly on web pages (or in an email). We use these web beacons to customise content and advertising and to analyse traffic to our Website.
PROTECTING PERSONAL INFORMATION
We take the protection of Personal Information seriously and we will take reasonable steps (using physical, electronic and procedural safeguards) to keep Personal Information in our possession safe from loss, unauthorised activity, or other misuse. Staff who handle your Personal Information are provided with training on how to do so appropriately.
You have a number of rights in respect of your Personal Information, as follows:
- Access: You can ask us to verify whether we are processing personal data about you, and if so, to provide more specific information.
- Correction: You can ask us to correct our records if you believe they contain incorrect or incomplete information about you.
- Erasure: You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected.
- Processing restrictions: You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
- Data portability: In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company if it is technically feasible.
- Automated Individual Decision-making: You can ask us to review any decisions made about you which we made solely based on automated processing, including profiling, that produced legal effects concerning you or similarly significantly affected you.
- Right to Object to Direct Marketing including Profiling: You can object to our use of your personal data for direct marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you.
- Right to Withdraw Consent: You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
If you would like to exercise your Data Subject Rights, you can email our Data Protection Officer at email@example.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
Please note that in certain circumstances we may refuse to respond to a rights request where we have the right to do so under Applicable Privacy Law, for example, where a request is manifestly unfounded or excessive.
If you are not satisfied with the response you receive, you may also contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/handling/ to report any concerns you have about our handling of your personal information.
The address for the ICO is as follows:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
If you have any queries about our data use, please contact the data controller (likely to be an accounting firm) who is the Subscriber.