This privacy policy provides information about our use of personal data that we collect from you when you visit www.curtisfitch.com (our Website), when you use our contract management and procurement solutions portal (our Portal) and when you contact us. Our Website and our Portal are referred to collectively in this privacy policy as our Platforms. It also sets out information about your rights in respect of your personal data and how to contact us.  We last updated this privacy policy on 18 May 2018.

We, Curtis Fitch Limited, are committed to protecting your privacy and personal data.  We provide contract management and procurement solutions known as the CF Suite (Software Products) which are accessible via our Portal.

Our legal status under UK data protection law is that of a controller for personal data we collect from you when you browse our Website, contact us, or create an account with us. A controller is a legal term used in data protection legislation to signify the person who controls what to do with any given personal data. As data controller we have registered with the Information Commissioner’s Office and our registration number is ZA087042.

However, we do not always act as a controller. If a person or company becomes a customer of ours by signing up for or purchasing one or more of our Software Products and uses our Software Products (via our Portal) to input or process personal data or material containing personal data (or asks its employees and business contacts to input personal data via our Portal), we simply use that personal data in accordance with that customer’s instructions and as is necessary to provide our Software Products to them. For personal data processed by us via our Portal, our status under UK data protection law is that of a processor. We are processing personal data on behalf of the customer of our Software Products.

If you are invited to use our Software Products by a company or person that is a customer of ours (for example, if you are a supplier or bidder or an employee of one of our Software Product customers and you are invited to sign into a Portal hosted or ‘powered by’ us), that company or person is the controller of any personal data you submit or input to our Portal. They will be responsible for giving you information about how they will use that personal data and if you have any questions about their use of your personal data (or personal data you submit) you should contact them directly. Their own privacy policies will apply to any personal data you input via our Portal and if you wish to exercise your rights under data protection law, you should contact them directly.

To contact us about our use of your personal data please use the details set out below.

Changes To This Privacy Policy

We may occasionally update this privacy policy. When we do, we will revise the “last updated” date at the top of this privacy policy and we will take reasonable steps to make you aware of any material changes to it. We also recommend that you revisit this page regularly to keep informed of our current privacy practices.

Collection of Information

The personal data we collect from you includes personal data you provide to us directly (for example by submitting an enquiry via our ‘Contact’ page) which may include your:

  • full name;
  • email address;
  • phone number;
  • address;

Not all of this information is mandatory, but if you do not provide information which we request from you, this may prevent us being able to provide our service to you.

We may also observe your use of our Platforms and derive certain information from this, for example through our use of cookies. Please see our cookie policy for more information.

How Is Your Personal Data Used?

Under data protection legislation we must have at least one lawful basis for each use of personal data. The reasons we use your personal data and the lawful bases we rely on to do so are as follows and as set out in the table below.

  1. Where we have to collect personal data from you and/or use it in order to provide services under the performance of the contract we have with you, or which you have with our customers, our lawful basis is processing necessary for the performance of a contract with you (necessary for a contract).
  2. Where our use of your personal data is a benefit to us or a third party and it does not cause you unjustified harm, our lawful basis is processing necessary for our (or a third party’s) legitimate interests (legitimate interests). You can learn about your right to object, in certain circumstances, to us continuing to use your personal data for this purpose
  3. Where we ask for your permission to use your personal data in a certain way or you make clear by a positive action that you are agreeing to the use of your personal data for a particular purpose, our lawful basis is consent (consent). If we request your consent and you do not give it, we will not use your personal data in that way. You have the right to withdraw any consent that you have given at any time. You can do that by contacting us, or by any other method we inform you of in this privacy policy or when we seek your consent.

 

| Purpose | Lawful basis |
| --- | --- |
| To provide you with personalised visits to our Platforms. | Legitimate interests (of us, to provide a more engaging user experience). |
| To provide you with our services which you have signed up for. | Necessary for a contract. |
| To recommend goods, services or promotions which may be of interest to you. | Legitimate interests (sending our customers marketing is a commercial benefit to us and helps our customers keep up to date with other products they may be interested in). Our customers always have the right to opt-out of our use of their personal data for direct marketing purposes. This can be done for example by way of an unsubscribe link on marketing emails. |
| To develop our offers and the layout of our Platforms to ensure that they are as useful and enjoyable as possible. | Legitimate interests (of us, so we can make our services as user-friendly as possible and offer products and services which match demand). |
| To communicate with you and answer your questions when you contact us. | Necessary for a contract and legitimate interests (of us and you to ensure good customer service). |
| To benefit from the services and expertise of third party service providers. | Legitimate interests (of us, for service efficiency and our users, so they experience a good quality of service). |

 

In addition we will also use your information when we are required to do so by law. Where that is the case, our lawful basis is processing necessary for us to comply with a legal obligation that we are under.

For personal data inputted to our Portal, we simply act on our customers’ instructions and we process this personal data in order to provide our Software Products to them. They will have their own lawful bases for instructing us to process that personal data and you should contact them directly for more information on what lawful bases they rely on.

With whom is your personal data shared?

We may disclose your personal data to our authorised payment provider, in order to take payment for our Software Products.

We may disclose personal data to service providers who may need to process personal data on our behalf (and in accordance with our instructions) in order to provide those services. Currently, we use third parties to provide data hosting services, data storage and customer helpdesk services. We may disclose depersonalised data (such as aggregated statistics) about the users of our Platforms in order to describe our sales, customers, traffic patterns and other site information to prospective partners, advertisers, investors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifying information.

We may occasionally be required by law, court order or governmental authority to disclose certain types of personal data. Examples of the type of situation where this would occur would be:

  • in the administration of justice; or
  • where we have to defend ourselves legally.

Finally, in the event of a reorganisation, sale or takeover we may need to disclose personal information to new entities within the group or potential acquirers and their advisers.

The Requirements of Data Protection Laws

We regard the lawful and correct treatment of your personal data by us as very important to our successful operation, and to maintaining confidence between us and our users. We ensure that our organisation treats personal data lawfully and correctly. To this end we fully endorse and adhere to our obligations under data protection legislation. In particular:

  • we will not use your personal data for any purpose that is incompatible with this privacy policy;
  • we will only collect sufficient personal data for the uses set out above;
  • we will endeavour to keep your personal data up-to-date;
  • we will not retain your personal data longer than necessary unless required to do so by law;
  • we will operate appropriate technical and organisational processes to protect your personal data against unauthorised or unlawful access or processing and against accidental loss or destruction. The measures we take are described elsewhere in this privacy policy; and
  • we will not transfer your personal data to a country outside the European Economic Area (EEA) unless safeguards are in place to protect your personal data to the standards that apply within the EEA, as explained below.

Transferring your personal data outside the EEA 

Some service providers acting on our behalf (such as data storage providers and our helpdesk services providers) operate outside the EEA, currently in the USA. We may need to transfer personal data to them in connection with the provision of their services.

If personal data is transferred outside the EEA there is a risk that it will not be protected to an equivalent standard as in this country. So, before transferring your personal data we will put in place measures to ensure your personal data is protected to an equivalent standard. We will usually do this by standard contractual clauses or by a scheme approved by our data protection regulator as providing adequate protection (such as a scheme known as Privacy Shield, for transfers to US companies).

Use of Cookies

We use cookies on our Platforms in accordance with our cookie policy.

Security

We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use, or disclosure.

For example, we store the personal data you provide on computer systems with limited access that are located in facilities to which access is limited.

It is your responsibility to ensure the security of your password and not to reveal this information to others.

Your Rights

Under certain circumstances, by law, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground and where we do not have compelling legitimate interests to override such objection. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you are a user of our Portal and wish to exercise your rights, in the first instance you should contact the business which invited you to use our Portal.

If you are a user of our Website and wish to exercise your rights, please use our contact details below.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. We (or our customers) may take steps to verify your identity before providing you access to your personal data or may ask that you clarify your request.

Please be aware that the rights above are not absolute and there may be circumstances where we (or our customers) are unable to comply with your request, or only able to comply with it in part.

How long we keep your personal data

We will retain your personal data for the period necessary to fulfil the purposes outlined in this privacy policy unless a longer retention period is required or permitted by law. Accordingly, your personal data shall be maintained for up to seven years following the end of the services we provide to you / your last contact with us.  This retention period may be extended if any applicable statutory or regulatory obligation requires us to hold information for a longer period. We will endeavour to delete any personal data sooner where it is not necessary for us to hold this.

For personal data submitted via our Portal that we process on behalf of a customer, we will hold that personal data for the period our customer instructs us to and return or delete it at the end of our agreement with them.

Help us keep your details up to date

You can help us to maintain the accuracy of your information by notifying us of any change.

Children’s Information

We do not knowingly collect information from children and we do not target or direct our Platforms to children.

Links To Other Services

Our Platforms may contain links to other services. While we try to link only to services that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by operators of those other services. We encourage you to carefully review those services’ own privacy policies so that you know how they will collect, use, and share your information.

How To Contact Us

If you have questions regarding this privacy policy or our handling of your personal data, please contact us by emailing DataProtection@curtisfitchglobal.com. Alternatively you can write to Data Protection, Curtis Fitch Ltd, Eagle Tower, Montpellier Drive, Cheltenham, GL50 1TA. We will promptly address your concern and strive to reach a satisfactory resolution.

If you have any concerns about how we use your personal data, we ask that you contact us in the first instance using the contact details above. We’ll do our best to resolve the matter. However, you do also have the right to lodge a complaint with the Information Commissioner’s Office at any time.