cookies! omnomnom

inforocket is a trading name for me! Patrick Robertshaw.

Data’s part of my business and rest assured that I take data privacy very seriously (goofy website headlines notwithstanding).

The text below sets out in moderately sober (and hopefully clear) legal language the policy which governs how I – as a trading entity – deal with data. The TLDR of it is that:

  • I adhere to EU data protection law (including GDPR) because I think it's excellent and holds the rights of the individual highest.
  • This means I also adhere to UK data protection law (because it's presently still the same).
  • I only collect/process data if necessary
  • I don't share data for profit
  • I never sell data

but do feel free to read the whole thing.

introduction

Patrick Robertshaw trading as inforocket – hereafter referred to as inforocket, we, us or our – needs to gather and process personal information about individuals for core business purposes, such as accounting, staff administration and marketing. Individuals can include customers, suppliers, contractors, business contacts, employees and other people the organisation has a relationship with, or may need to contact.

This policy explains how personal data is collected, stored, and handled in order for us to comply with our own organisation’s privacy and data protection standards – and to adhere to the European Union’s General Data Protection Regulation, which became law on 25 May 2018 as well as the UK's implementation of that law in the form of the Data Protection Act 2018.

why this policy exists

This data protection policy ensures inforocket:

  • Complies with data protection laws and follows good practice
  • Protects the rights of our staff, our customers and partners
  • Is open and transparent about how we store and processes the data of individuals
  • Protects inforocket and others from the risks of a data breach

General Data Protection Regulation (GDPR)

The General Data Protection Regulation describes how organisations — including inforocket — across all European member states must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper, or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. At the time of writing (June 2021) UK law on data protection follows GDPR principles per guidance published by the UK Information Commissioner's Office.

GDPR defines Personal Data as any information that can directly or indirectly identify an individual and includes: forename; surname; title; photo; address; email address; IP address; Location data; Cookies; and Profiling and Analytics data.

The Regulation also places much stronger controls on the processing of Special categories of personal data including: Race; Religion; Political opinions; Trade Union membership; Sexual orientation; Health information; Biometric data; and, Genetic data.

the scope of this policy

This policy applies to:

  • The head office of inforocket
  • Any staff or volunteers working at inforocket
  • Any contractors, suppliers or other people working on behalf of inforocket

the data we collect

This policy applies to all data that inforocket holds relating to identifiable individuals, even if that information technically falls outside of the General Data Protection Regulation Act 2018. This can be made up of:

Identity Data including first name, surname, marital status, title, gender and photo.

Contact Data including business name, billing address, postcode; email address and telephone numbers.

Financial Data including bank account and payment card details.

Transaction Data including details about payments, invoices, and receipts between you and inforocket, and other details of products and services we have purchased from one another.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our services.

Profile Data includes your online username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.

Usage Data includes information about how you use our website, and our products or services.

Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

Third Party Services Data includes account user names and passwords for email accounts, social media channels and hosting or domain account information which you might choose to provide so inforocket can manage or maintain aspects of your online presence.

how and when we collect data

inforocket collects data from you:

Directly when you contact us by telephone, email, or complete and submit any form on our website.

Indirectly when you take some action on our site (passive data).

We may also have personal data about you, if you:

  • Have met a member of inforocket in person
  • Are a supplier to inforocket
  • Are a contractor, former-contractor, employee or former employee of inforocket
  • Have established a connection with us online, for example on social media platforms where inforocket has a presence

Like almost all websites we also collect some data in the form of cookies.

about cookies

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small block of data placed on a user's computer or other device by a web browser while the user is browsing a website. Cookies enable websites to store stateful information (such as items added in the shopping cart in an online store) on the user’s device or to track the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to save for subsequent use information that the user previously entered into form fields, such as names, addresses, passwords, and payment card numbers.

Cookies are used for useful and sometimes essential functions on the web. Most importantly, authentication cookies are most commonly used by web servers to tell whether the user has logged in or not, and with which account they are logged in. Without such a mechanism, the site would not know whether to send a page containing sensitive information or require the user to authenticate themselves by logging in. The security of an authentication cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie's data to be read by an attacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (see cross-site scripting and cross-site request forgery for examples).

You can choose to accept or decline cookies. By default most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

about tracking and third party cookies

Tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories — a potential privacy concern that prompted European and U.S. lawmakers to take action in 2011. European law requires that all websites targeting European Union member states gain "informed consent" from users before storing non-essential cookies on their device.

inforocket also uses some third party cookies for tracking and analytics services, such as Google Analytics. In addition we may link or embed elements which may bring third party cookies with them – for example YouTube videos, Vimeo videos or Google Fonts - into our site.

Third party organisations like these are Data Processors and have obligations to confirm to the European Union GDPR laws. The presence of third party cookies does not give inforocket access to any data that personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to an individual.

inforocket does not sell advertising space, and as such does not employ third party advertising cookies.

protecting data

As well as outlining our responsibilities to you when we store, handle or process your data in our work, this policy exists to protect inforocket from risks such as:

  • Breaches of confidentiality. For example: information being given out inappropriately
  • Failing to offer choice. By law everyone is free to choose how a company uses data which relates to them
  • Reputational damage. For example: inforocket's reputation would suffer if hackers successfully gained access to sensitive data we'd been entrusted with

By transparently outlining our data handling policy here we aim to empower you to make an informed choice when you consent to us storing, handling or processing your data.

defining responsibilities

Anyone who works for, or with, inforocket has some responsibility for ensuring data is collected, stored and handled appropriately. Anyone that handles personal data must ensure that it is handled and processed in line with this policy and European data protection principles.

our general guidelines

The only people able to access data covered by this policy should be those who need it for their work. Data should not be shared informally. When access to confidential information is required, staff and contractors can request it from Patrick Robertshaw, Owner of inforocket.

Staff and contractors should keep all data secure, by taking sensible precautions and following the guidelines below:

  • In particular, strong passwords must be used and they should never be shared
  • Personal data must not be disclosed to unauthorised people, either within the company or externally
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of
  • Staff, volunteers and contractors should request help from Patrick Robertshaw, Owner of inforocket if they are unsure about any aspect of data protection

inforocket will ensure that any staff and contractors working with or for us are made aware of these guidelines, have read and agreed to them. We undertake to provide necessary support to any staff or contractor in understanding their responsibilities when handling data.

data storage

These rules describe how and where our data should be safely stored.

inforocket is primarily a digital business and printed data is extremely rare. In cases when data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored digitally but has been printed out for some reason:

  • When not required, the paper or files should be kept in a locked drawer or filing cabinet
  • Authorised people should make sure paper and printouts are not left where unauthorised people could see them, for example on a printer
  • Data printouts should be shredded and disposed of securely when no longer required

When data is stored digitally, either on-site at inforocket, or on cloud-based systems it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be accessible only by identifiable user accounts with strong passwords which are never shared
  • Data is to be stored on removable or portable media (like a CD, DVD or USB Drive), only if absolutely neccessary.
    • Where possible removable/portable media should be encrypted
    • Media must be kept locked away securely when not being used
    • data must be securely removed from removable media or the media destroyed once it is no longer in use
  • Data should only be stored on designated drives and servers
  • Data should only be uploaded to approved cloud computing services
  • Data should be securely backed up regularly in line with best practice, and including off-site back-ups for disaster recovery
  • Data should never be saved directly to unsecured devices

If you have any questions about storing data safely not covered above these can be directed to Patrick Robertshaw, Owner of inforocket.

what we do - and don't do - with your data

We do not share your personal data with any third parties. However personal data is of no value to us unless inforocket can make use of it for our day-to-day core business purposes.

It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, staff and contractors should ensure the screens of their computers are always locked when left unattended
  • Personal data should not be shared informally
  • Personal data should never be sent in the body of an email or as an unencrypted attachment
  • Wherever possible data should be encrypted before being transferred electronically
  • Personal data should never be transferred outside of the UK and European Economic Area
  • Staff and contractors should not save copies of personal data to their own computers. Always access and update the central copy of any data

duration of storage

inforocket retains different types of data for different lengths of time.

Identity Data, Contact Data, Profile Data and Marketing & Communications Data: is stored for the length of time that an individual is a customer of, or a supplier to, inforocket.

Contact Data, Financial Data and Transaction Data: is stored for a minimum of seven years, in accordance with guidelines from the UK Government’s HM Revenue and Customs.

Technical Data and Usage Data: is mostly stored for a maximum of 7 months.

Google Data: is stored for 14 months. For more information, please see Google’s Support pages.

Third Party Services Data: is stored for the length of time that an individual is a customer of inforocket.

data accuracy

The law requires inforocket to take reasonable steps to ensure data is kept accurate and up to date.

  • Data will be held in as few places as necessary and additional copies will not be created
  • We take reasonable opportunities to ensure data is maintained up to date. An example might be updating contact information when an email signature change is noted
  • Where possible, inforocket will make it easy for individuals to update their own data that we holdabout them
  • We update data when inaccuracies are discovered, such as removing old addresses when no longer in use

disclosing data

subject access requests

All individuals who are the subject of personal data held by inforocket are entitled to:

  • Ask what information we hold about them and why
  • Ask how to gain access to it
  • Be informed how to keep it up to date
  • Be informed how we are meeting our privacy and General Data Protection Regulation obligations

If an individual contacts inforocket requesting this information, this is called a Subject Access Request.

You may request details of data which we hold about you under the EU’s General Data Protection Regulation. Subject Access Requests should be made by email to Patrick Robertshaw, Owner at hello@inforocket.scot. In accordance with EU regulations, we aim to provide all the relevant data to you within 30 days and for no fee.

We will always verify the identity of anyone making a Subject Access Request before handing over anyinformation.

disclosing data for other reasons

In certain circumstances, the EU General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, inforocket will disclose requested data. However, we will ensure the request is legitimate, seeking assistance from legal advisers where necessary.

This Policy was prepared by Patrick Robertshaw, Owner at inforocket and may be considered operational from 25 May 2018 onward.