Privacy Notice

Who we are

We are Driftrock Limited, a company incorporated in England, company number 08717688, with its registered office at 124 City Road, London EC1V 2NX, United Kingdom.

In the UK, we are registered with the ICO as a data controller/fee payer under number ZB049770. 

Our role

For the most part, Driftrock acts as a Processor only for our clients’ data. That means when we process personal data, we are doing so purely on the instruction of another company (the Controller).

Driftrock, does on occasion, act as a Controller. This is only for the data that we process for our day-to-day internal business operations. It is a small amount of data, and we keep to a minimum the information we hold about you.

This privacy notice refers to the data we process as a Controller only. 

Your rights

You have rights in respect of our processing of your personal data. The relevant rights are:

• Right of access: You can request access to a copy of the personal data which we hold about you, as well as details about why and how we use it;
• Right to rectification: You can ask us to change or complete any personal data we hold about you which is inaccurate or incomplete;
• Right to erasure / right to be forgotten: You have a right, under certain circumstances, to ask us to delete any personal data we hold about you. Please note that there may be situations where we must retain your personal data after a request for erasure where we have a lawful basis for doing so;
• Right of restriction: You can ask us to restrict (i.e. prevent) the processing of your personal data where you have objected to our use of it and we have no lawful basis to continue processing your personal data;
• Right of data portability: In certain circumstances, you can ask us to transfer the data we hold about you to another service. This would be sent in a structured, commonly used, electronic form;
• Right to object: You can object to us using your personal data for particular purposes; and
• Automated decision making: You have a right not to be subjected to automated decision making and profiling, in certain circumstances.

If you want to exercise any of these rights, please contact us:

• By email at: dpo@driftrock.com 
• By post: Driftrock Limited, 124 City Road, London EC1V 2NX United Kingdom

You also have the right to lodge a complaint about our processing with a supervisory authority; in the UK that is the ICO whose details are here: 

• https://ico.org.uk/make-a-complaint/ 

Data sharing and transfers

We have a number of processors such as cloud service providers who act on our behalf. We have Data Processing Agreements in place with these processors to ensure that your data is processed in compliance with the law and only upon our instruction. We never sell your data.

Transfers of your data outside the UK or EEA

When we work with external service providers outside the UK or EU, we only transfer data if the destination country or organisation is considered by the UK or EU to have sufficient data protection safeguards in place (‘adequacy’) or, if not, we take steps to ensure your data's safety, such as using EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or signatories to the UK extension to the EU-US Data Privacy Framework. 

Automated decision making

We do not use your personal data in any automated processes to make decisions about you.

Technical and operational security

We take data protection and information security responsibilities seriously. Driftrock’s systems are certified to the ISO 27001 and ISO 9001 standards for managing information security and quality. Our staff receive training in data protection and information security. All our data and devices are encrypted. We maintain up to date anti-virus and anti-malware protection.

What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our Privacy Policy

We may change this Privacy Policy from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up to date.

If we make any material changes to the way we process and use your personal data, we will contact you to let you know about the change.

Contact us

If you have any questions about this privacy notice or our privacy practices, please contact our DPO as shown above.

If you submit a data subject request please note that we will need to process some personal data to handle the request. The lawful basis for the processing is Legal Obligation. We would hold the applicable data for 12 months or for as long as legally or contractually required, depending on the nature of the data, and a record of the request is held for 8 years.

‍

Tell me more…

To see more about how we use your personal data, read the notice or notices below which apply best to your relationship with us:

• Client, Agent, Platform User
• Potential Client or Agent
• Website Visitor
• Supplier or Potential Supplier
• Driftrock Director or Shareholder
• Candidate Employee

‍

- - -  

‍

Client, Agent, Platform User Privacy Notice

Data that we hold and how we use it

As a Driftrock Client, or Agent on behalf of a Client, we may hold the following data on you: name, email, role, company you work for, phone number, LinkedIn URL, industry, location, Driftrock access status, signature or e-signature, company address.

We use this data for: billing purposes, contract signing, managing our relationship (including booking calls, maintaining your contact information), sending you necessary service emails, and for handling any feature change requests you make. We may send you information about our product and services that we think will be of interest to you. 

If you have been featured in a client case study, we have a record of any quotes or testimonials attributed to you. 

If you take part in a customer feedback session for product improvement, we also hold any notes collected during the session, and possibly a video recording of the session.

If you consent to the use of non-essential cookies on the platform, we use the following data to help us understand and improve use of the product: IP address, usage data, name, company you work for.

We will have received this information directly from you and your use of the platform.

Lawful basis for processing

Our lawful basis for processing your data is Contract when it’s for entering into or carrying out our contract, such as for e-signing and billing. The lawful basis is Consent when you consent to using non-essential cookies on the platform. For the other processes listed above, our lawful basis is our Legitimate Interest for business development and product improvement. 

As you are a corporate entity, we also abide by the Privacy and Electronic Communications Regulations (PECR). This means we give you the chance to opt out of email or text marketing on any that we send you. We only share details of our own goods and services in our marketing.

Retention periods

• For contract e-signing, in-app billing, and service emails, the data is held for 7 years after the end of the contract.
• Platform usage analytics are held for the duration of the contract.
• For contact relationship management, the data is held for 6 years after the end of the contract.
• Information from customer feedback and feature change requests is held for 3 years. 
• For sending marketing emails, the data is held for 2 years.
• Case studies information is held for 3 years.

‍

- - -  

Potential Client or Agent Privacy Notice

Data that we hold and how we use it

As a Potential Client, or Agent on behalf of a Client, we hold the following data on you: name, email, role, company you work for, phone number, LinkedIn URL, industry, location, your correspondence with our team, data about keyword searches and interactions with our social media content.

We collect or use this data when we: identify leads, manage information (such as contact details and industry sectors), track and manage our relationship (including communicating with you and arranging calls), and when we use email marketing, social media advertising and search engine optimisation to send you product or service information that we think will be of interest to you. 

When we do technical and compliance checks for a commercial contract, we may hold these additional details: signature or e-signature. 

We receive most of these data directly from you, or from details you have made publicly available e.g. on LinkedIn. We may use third party tools to source other contact details of people we believe our product or service is relevant to.

Lawful basis for processing

When we do technical and compliance checks for a commercial contract, our lawful basis for processing that data is Contract.

For the other activities listed above, our lawful basis is Legitimate Interest for business development. 

As you are a corporate entity, we also abide by the Privacy and Electronic Communications Regulations (PECR). This means we give you the chance to opt out of email or text marketing on any that we send you. We only share details of our own goods and services in our marketing. If your details were not sourced directly from you, then we contact you once we have them to let you know that we have your data and give you the chance to opt out.

Retention periods

• For technical and compliance checks and commercial contract negotiation, we hold your information for 7 years after the end of the contract.
• For collecting lead sign-ups and sending marketing emails, we hold your information for 2 years.
• When identifying potential Client and Agent leads, tracking leads, managing contacts and corresponding with you, we hold your information for up to 3 years.
• Data about your interactions with our social media advertising is retained for the duration of the advertising.

- - -  

Website Visitor Privacy Notice

Data that we hold and how we use it

As a visitor to our website we hold information about your usage of the website, including IP address and tracking information.

This information is sourced from your activity, using cookies. We use it to enable website functionality, and to monitor and understand user behaviour on the website in order to make improvements. 

Lawful basis for processing

Our lawful basis for processing your data is Consent when you agree to non-essential cookies, and Legitimate Interest for cookies that enable essential functionality. 

Retention periods

• We hold website user data for up to 30 days. 

- - -  

Supplier or Potential Supplier Privacy Notice

Data that we hold and how we use it

As a supplier or potential supplier to Driftrock, we may hold the following data about you: name, email, role, company you work for, company address, telephone, invoice details, bank details, signature or e-signature.

We use this data for reviewing tenders for goods and services, entering into supplier contracts, and paying invoices. The data we hold will have come directly from you. 

Data sharing 

We share some data with our accountancy partners in order to pay invoices. We have Data Processing Agreements in place with our processors to ensure that your data is processed in compliance with the law and only upon our instruction. 

Lawful basis for processing

Our lawful basis for processing your data is Contract when the data is used with a view to enter into a contract, or to fulfil the contract by paying you. 

Retention periods

• Data associated with paying invoices is held for 7 years after the end of the contract.
• Contract information is held for 6 years after the end of the contract (or to the end of any warranty or service periods, if longer).
• Information about tenders or quotes is held, if successful, for 6 years after the end of the contract (or to the end of any warranty or service periods, if longer). If unsuccessful, for 400 days after the last correspondence. 

‍

- - -  

Driftrock Director or Shareholder Privacy Notice

Data that we hold and how we use it

If you are a Director or Shareholder of Driftrock, we hold the following data about you: register of Directors' interests, details of shareholdings.

This data would have been sourced directly from you. 

Data sharing

We share the data with Companies House, our accountant, auditors, and regulators if required.

Lawful basis for processing

Our lawful basis for this processing is Legal Obligation. 

Retention Periods

• These records are kept for as long as legally required. 

- - -  

Candidate Employee Privacy Notice

Data that we hold and how we use it

As a Candidate Employee we hold the following data on you: name, email, CV information, address, phone number, interview notes, location, salary, start date, correspondence relating to an offer, and references received. We use this in the recruitment process and for finalising a contract, if successful.

We will have received this information directly from you or generated it during the recruitment process. 

Lawful basis for processing

Our lawful basis for processing your data is Contract; we use the data to recruit appropriate candidates for roles at Driftrock and to draft a contract for successful candidates. 

Retention periods

• If you are not successful in securing a role, then we will keep your details on our database for a period of 12 months. 
• If you are successful in gaining employment with Driftrock then you will fall under the Employee Privacy Notice going forward; please refer to the employee handbook.

‍