Sense and Adapt Academy Privacy Notice
Data for which the Sense and Adapt Academy is the Data Controller
How we use your information
This privacy notice tells you what to expect when The Sense and Adapt Academy collects personal information. It applies to information we collect about:
Visitors to our websites;
People who contact us via social media;
People who call our phone numbers;
People who email us;
People who use our services, e.g. customers who engage us to manage their marketing or marketing related services;
Job applicants and our current and former employees
Visitors to our websites
By providing personal information to The Sense and Adapt Academy in any of the ways described in this policy, by instructing or authorising another party to provide such information, or by entering into a contract with the Sense and Adapt Academy that requires such processing, you agree that you are authorised to provide the information, that you accept this privacy policy and that the Sense and Adapt Academy is authorised to process it.
The Sense and Adapt Academy will collect a range of information on you, either via activity via our website or emails, ticketing systems, telephone, in person or at trade shows. This information includes:
Name
Organisation
Job title
Address of employment
Phone number
Email address
IP address
Username
Payment details in the case of ordering a service from us
We will not collect sensitive categories of personal data without your explicit consent.
The Sense and Adapt Academy will not collect data relating to minors as defined under UK law. Minors as defined by UK law are not permitted to use The Sense and Adapt Academy Services or interact with us as a corporate entity.
The Sense and Adapt Academy may from time to time contact customers via email regarding service related matters such as billing, account management and maintenance. These emails are an important part of our service to you.
For business contacts who are not currently customers, The Sense and Adapt Academy may contact you via email and other electronic means to promote our services to you. If you do not wish to receive these communications, you can unsubscribe at any time. All email communications we send will contain a clear link to manage your subscription preferences.
We only store personal contact details for contacts who have given these to us by signing up for information communications from us, applying for a role with us, or have provided us these details as their preferred address.
Data retention.
We will keep your personal information for as long as you are a customer of The Sense and Adapt Academy or a relevant marketing contact.
After you stop being a relevant marketing contact or unsubscribe from our communications, we will remove your data as part of our annual data reviews. Where a contact has been removed from our system, because the information is out of date or the contact has unsubscribed, we may retain a small amount of information relevant to controlling marketing activities. These details typically include email address, subscription preferences and reasons not to contact.
After you stop being a customer, we may keep your data for up to 10 years for the following reasons:
To respond to any questions or complaints.
To comply with legal requirements.
Data transfers and the use of Data Sub Processors
The Sense and Adapt Academy will not share your data with a third party not directly associated with the provision of services without your explicit consent. The Sense and Adapt Academy will not transfer Subject data to a third party country outside of the UK or EEA that is not compliant with the applicable data protection laws via adequacy agreement, Binding Corporate Rules or other legally appropriate means as defined by the Information Commissioners Office without your explicit consent.
The Sense and Adapt Academy makes use of a number of third party organisations for the purposes of delivery of Services to the Customer.
Whilst the following list is not intended to be exhaustive, The Sense and Adapt Academy typically only transfers the personal data relating to our customers, where required for the activities set out below, to the following third parties or Data Processors:
Hubspot Inc – Customer Relationship Management and marketing activities
Active Campaign – Customer Relationship Management and Marketing Activities.
Fasthosts Ltd – Domain names and email hosting
Microsoft Ltd – Email and internal document management
Dropbox Inc – data storage
Square Space – Web Management and Hosting
The Sense and Adapt Academy will update this list from time to time as our systems and operations evolve and we will inform you accordingly.
By interacting with The Sense and Adapt Academy as defined in this policy, you provide your consent for this transfer and use of our Data Processors and their Data Sub-Processors, and for transfer to any other appropriate third-party Data Processor for the purposes of delivery of the Services and customer relationship management activities. No data transfer will be undertaken that is outside of the strict scope of the purposes stated in this policy, or that will materially degrade the security of your data or your rights.
The Data Processors and Sub Processors we use will be contractually bound to process only in accordance with our instructions and to maintain technical and organisational controls in compliance with our security policy and the requirements of the GDPR.
Commitment to confidentiality and security of processing
The Sense and Adapt Academy will use appropriate technical and organisational security measures within our sphere of responsibility to ensure an appropriate level of confidentiality, integrity and, where The Sense and Adapt Academy is the Data Controller, availability of your data and to ensure its availability in the event of a business continuity incident.
The Sense and Adapt Academy will undertake security and data protection assessments of any third parties we elect to use prior to transfer of any customer data and regularly thereafter.
Visitors to our website
When someone visits www.senseandadaptacademy.com we use a small number of third-party services, including Google Analytics, Hubspot and Active Campaign to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site, understand how the website is being used, personalise areas of the website and understand how marketing channels are performing. Where consent has not been requested and provided, this information is only processed in a way which does not personally identify anyone.
We use standard software to collect information for the strict purpose of tracking activity on our site. This allows us to understand how many people use our site and which pages and features are most popular. The information we normally collect and store is
The name of your Internet service provider
The web site that referred you to us (if any)
The date and time the pages were accessed
The page or pages you requested.
Your approximate (nearest city) geographic location
You never transmit personally identifying information that you do not enter yourself, and this is always your option. This information cannot be collected unless you specifically elect to send it to us. This information is used internally only for the purpose of fulfilling the request or for contacting you directly and is not sold to any other organisation. Your information is transmitted directly to The Sense and Adapt Academy and is stored securely in the services that we use for this purpose.
Job applicants, current and former Sense and Adapt Academy employees
We have outlined below details about the type of information that The Sense and Adapt Academy keeps about job applicants, current and former employees and the purposes for which it keeps them.
Your rights
Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you.
Complaints or queries
The Sense and Adapt Academy tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of The Sense and Adapt Academy’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can either email info@senseandadaptacademy.com
If you are not satisfied with our response you can contact the statutory body which oversees data protection law – www.ico.org.uk/concerns.
Access to personal information
The Sense and Adapt Academy tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a data request to us. If we do hold information about you we will:
give you a description of it;
tell you why we are holding it;
tell you who it could be disclosed to;
let you have a copy of the information in an intelligible form: and
Provide it to you within one month from the date of the ‘subject access request’.
To make a request to The Sense and Adapt Academy for any personal information we may hold you need to put the request in writing addressing it to our Data Department, or writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Data Department.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 1stDecember 2021.
We reserve the right to change our privacy policy. A revised policy statement will only apply to data collected subsequent to its effective date. Any revisions will be posted at least 30 days prior to its effective date.
How to contact us
If you want to request information about our privacy policy you can email us at info@senseandadaptacademy.com or write to:
Data Department
Sense and Adapt Academy
11 Rowan Crescent
Letchworth Garden City, Herts.
SG6 4EY
Purpose and Scope of The Sense and Adapt Academy Data Processing on behalf of Data Controllers
For the purpose of providing the Services, The Sense and Adapt Academy will process Customer Provided Data. To the extent that Customer Provided Data is comprised of Personal Data, the parties acknowledge that The Academy acts as a Data Processor for all Customer Provided Data supplied to the Academy by the Customer as well as the Customer’s own customers or agents.
The Services are provided on the basis that either:
the Customer is the Data Controller for all Customer Provided Data supplied to the Academy under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
where the Customer is a Data Processor on behalf of a Data Controller, that the Sense and Adapt Academy is a sub-Data Processor and that the Customer has:
1. ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
2. entered into the required contractual arrangements, including arrangements with the relevant Data Controller for The Sense and Adapt Academy to act as sub-processor legally;
3. has complied with its obligations as Data Processor under the applicable Data Protection Laws; and
4. shall be liable to the Data Controller for The Sense and Adapt Academies acts and omissions as a sub-Data Processor.
By accepting this addendum, the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.
Nature of the Processing
The Sense and Adapt Academy undertakes a range of Processing as defined by the Services, i.e. the provision of marketing and website hosting services to the Customer, the choice of which is determined by the Customer.
The Sense and Adapt Academy provides marketing services to support the Customer’s or Customer’s agents’ processing of data to that end.
The Sense and Adapt Academy has access to process and manipulate Customer Provided Data under the Customer’s written instruction for the purposes of their marketing activities and customer communications.
Any processing by The Sense and Adapt Academy of Customer Provided Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.
The Sense and Adapt Academy classifies all Customer Provided Data as the same type of data and does not maintain visibility of different types of Customer Provided Data or categories of Personal Data within this set.
The Sense and Adapt Academy applies the same level of generic security controls to all Customer Provided Data.
The Sense and Adapt Academy provides a service which constitutes among other things the provision of websites, hosting, storage, networking and dedicated servers to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.
Duration of Processing
The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Provided Data. While the Agreement is in force, The Sense and Adapt Academy will Process all such Personal Data in accordance with the Customer’s written instructions.
Security and compliance of the underlying hosting infrastructure
The Sense and Adapt Academy along with its third-party suppliers will be responsible for maintaining the GDPR compliance of the underlying hosting infrastructure, within the scope of the services provided to the customer. The Sense and Adapt Academies personnel are subject to a duty of confidence that is compliant with the applicable Data Protection Laws.
The Sense and Adapt Academy has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
A non-exhaustive list of technical and organisational measures are as set out below. By entering into this addendum, the Customer confirms that it has reviewed and approved the following measures:
SECURITY MANAGEMENT & POLICY
Use of third party hosting providers that have in place an information security management system based on an industry international standard (currently ISO27001:2013)
HR & ACCESS CONTROL
Vetting of all Sense and Adapt Academy personnel prior to commencement of employment
Appropriate on-hire, role change and termination activities related to Sense and Adapt Academy access and asset management
Restriction of Sense and Adapt Academy access to customer data or Customer Provided Data to those personnel with a business need for access
The ability to audit all Sense and Adapt Academy personnel access to Customer Provided Data and/or Customer Hosted Data
OPERATIONAL SECURITY
Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure.
Vulnerability management systems to help ensure the patch and configuration levels of the underlying infrastructure appropriate to The Sense and Adapt Academies scale and policies.
Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice.
Appropriate encryption in transit and at rest for sensitive operational data such as API calls, control panel access, customer credentials and key material managed by The Sense and Adapt Academy.
Backups and infrastructure redundancy within the underlying hosting infrastructure appropriate to our Terms and Conditions and SLAs.
Appropriate security of all Sense and Adapt Academies end-user devices used by The Sense and Adapt Academy to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions
INCIDENT MANAGEMENT & COMMUNICATION
Sufficient internal incident management procedures including the commitment to escalate relevant security incident to impacted Customers without undue delay
AVAILABILITY OF CUSTOMER HOSTED SOLUTIONS AND SERVICES
Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.
In accordance with the Services being provided, The Sense and Adapt Academy is not able to decide how Personal Data comprising Customer Provided Data is processed, as it is processing data under the written instruction of the Customer
As the Data Controller the Customer has the following responsibilities under GDPR:
1. Maintain appropriate technical controls to secure and monitor for security
2. Where the above is included within the scope of a Customer SLA, The Sense and Adapt Academy will undertake the work based on instructions from the Customer, but the Customer remains responsible for the efficacy of the controls implemented.
3. Undertaking all organisational measures required to ensure compliance with the basic principles for processing (articles 5, 6, 7 and 9 of the GDPR) and Subject’s rights (Articles 12-22 of the GDPR) at point of collection of data, and be aware of the technical and organisational security controls put in place by The Sense and Adapt Academy, maintain additional technical and organisational controls to ensure compliance during processing, storage and removal
4. Undertake and manage all communication with Data Subjects
5. Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller
The Sense and Adapt Academies use of Data Sub-Processors
By entering into this Data Protection Addendum, the Customer hereby permits The Academy to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, shall have a general right to appoint sub-processors of Personal Data. The Academy shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.
The Academy utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub Processors used to provide Services will be updated from time to time to reflect the current operational position:
Hubspot Inc – Customer Relationship Management and marketing activities
Active Campaign – Customer Relationship Management and Marketing Activities.
Fasthosts Ltd – Domain names and email hosting
Microsoft Ltd – Email and internal document management
Dropbox Inc – data storage
Square Space – Web Management and Hosting
The Academy will update the Customer of the use of any new Data Sub-Processor prior to adoption of the Sub-Processor and transfer of Customer Provided Data or provision of any form of access to Customer Hosted Solutions by support ticket or email, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws subject to The Academy complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. The Academy will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.
The Academy will maintain written contracts with all The Academies Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular checks to confirm their continuing conformance with Data Protection Laws.
Transfer to non GDPR-aligned locations or Sub-Processors
The Academy will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third-party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.
Processing in accordance with written instructions
The Academy will only process Customer Provided Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be in whole contained within the section ‘Purpose and scope of The Academies Data Processing on behalf of Data Controllers.’ No other written instructions can be accepted as they will fall outside of the scope of our services.
Assistance with Customer data protection obligations
Insofar as The Sense and Adapt Academy provides data processing services to the Customer, The Academy will assist the Data Controller in meeting their data protection obligations including:
1. Carry out internal Data Privacy Impact Assessments as the Data Processor for all Services and provide summaries of these as required to the Customer
2. To inform the Customer of the possibility of a material security breach to their Customer Provided Data if detected by our systems without undue delay.
3. Keep a record of all Processing of Personal Data performed in relation to the Services.
4. Notify the Customer of any Security Incident resulting in a data breach affecting their Customer Provided Data, that has occurred or has been suspected to one of our sub-processors and where we have been notified by the sub-processor without undue delay
5. For termination of contract for reasons other than breach of Acceptable Use Policy or non-payment of fees, provide a reasonable period in which the Customer can use standard tools to extract the data themselves provided that such extraction by the Customer does not prejudice The Sense and Adapt Academy or its systems. In all cases The Sense and Adapt Academy will delete all Customer Provided Data on our infrastructure as part of decommissioning a customer service.