Privacy Policy

Last updated: 28th February 2024

Our privacy policy aims to give you information on how Exacta PLC collects, stores, uses and shares your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

When we process personal data of UK residents, we are subject to the UK General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulation.

This privacy policy supplements other notices and privacy policies and is not intended to override them. Any questions about this policy can be sent to us at:

Exacta PLC

125 Deansgate

Manchester

M3 2BY

Tel: 0161 669 8165

Email: dataprotection@exacta.co.uk

Changes to the privacy policy

We keep our privacy policy under regular review. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

The data we collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed.

We may collect, use, store and transfer different kinds of personal data about you as follows:

identity data, which includes first name, maiden name, last name, username or similar identifier, title.
contact data, which includes service address, correspondence/billing address, delivery address, email address and telephone numbers (landline and mobile phone number).
financial data, which includes bank account details.
transaction data, which includes details about payments to and from you and other details of products and services you have purchased from us.
technical data, which includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our services.
profile data, which includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
usage data, which includes information about how you use our website, products and services.
promotional and communications data includes your preferences in receiving marketing from us and your communication preferences.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect special categories of personal data.

How personal data is collected?

We use different methods to collect data, including through:

direct interactions. You may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

apply for our products or services
use our Client Portal application
request marketing information to be sent to you
give us feedback or contact us.

automated technologies or interactions. As you interact with our websites, we will automatically collect technical data about your browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our Cookie Policy for further details.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

where we need to perform the contract, we are about to enter into or have entered into with you.
where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
where we need to comply with a legal obligation.
where the processing is necessary for us to perform a task in the public interest.

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Purposes for which we use personal data

The following describes how we use personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. We may process personal data for more than one lawful ground depending on the specific purpose for which we are using it.

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To register you as a new customer and verify your identity when you use our services or contact us

(a) Identity

(b) Contact

Performance of a contract with you

To process and deliver your order including:

Manage payments, fees and charges
Collect and recover money owed to us

(a) Identity

(b) Contact

(d) Transaction

(e) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to recover debts due to us)

To monitor, record, store and use any email or other electronic communications with you for training purposes, so that we can check any instructions given to us and to improve the quality of our customer service, and in order to meet our legal and regulatory obligations

(a) Identity

(b) Contact

(d) Transaction

(e) Profile

(f) Marketing and Communications

(a) Necessary for our legitimate interests

(b) Necessary to comply with a legal obligation

To manage our relationship with you which may include:

(a) Notifying you about changes to our website or applications, services, terms or privacy policy

(b) Asking you to leave a review or take a survey

a) Identity

(b) Contact

(d) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To enable you to complete a survey

(a) Identity

(b) Contact

(d) Usage

(e) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and our websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

(a) Identity

(b) Contact

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To deliver relevant content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

(a) Identity

(b) Contact

(d) Usage

(e) Marketing and Communications

(f) Technical

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences

(a) Technical

(b) Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our websites updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about goods or services that may be of interest to you

(a) Identity

(b) Contact

(d) Usage

(e) Profile

(f) Marketing and Communications

Necessary for our legitimate interests (to develop our products/services and grow our business)

Conducting checks to identify our customers and verify their identity

Screening for financial and other sanctions or embargoes

Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under health and safety regulation or rules issued by our professional regulator

(a) Identity

(b) Contact Data

To comply with our legal and regulatory obligations

Gathering and providing information required by or relating to audits or quality checks, e.g. the audit of our accounts, enquiries or investigations by regulatory bodies

(a) Identity

(b) Contact Data

(d) Transaction

(a) To comply with our legal and regulatory obligations

(b) Necessary for our legitimate interests or a those of a third party, i.e. to maintain our accreditations so we can demonstrate we operate at the highest standards

Ensuring business policies are adhered to, e.g. policies covering security and internet use

(a) Technical

(b) Usage

Necessary for our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures so we can deliver the best service to you

Ensuring the confidentiality of commercially sensitive information

(a) Identity

(b) Contact Data

(d) Transaction

(e) Technical

(f) Profile

(a) Necessary for our legitimate interests or those of a third party, i.e. to protect trade secrets and other commercially valuable information

(b) To comply with our legal and regulatory obligations

Preventing unauthorised access and modifications to systems

(a) Technical

(b) Usage

(a) Necessary for our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us and for you

(b) To comply with our legal and regulatory obligations

Statutory returns

(a) Identity

(b) Contact Data

(d) Transaction

To comply with our legal and regulatory obligations

Ensuring safe working practices, staff administration and assessments

(a) Identity

(b) Contact

(d) Usage

(e) Profile

(f) Marketing and Communications

(a) To comply with our legal and regulatory obligations

(b) Necessary for our legitimate interests or those of a third party, e.g. to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

Marketing our services and applications to:

existing and former customers
third parties who have previously expressed an interest in our services
third parties with whom we have had no previous dealings

(a) Identity

(b) Contact

(d) Usage

(e) Profile

(f) Marketing and Communications

Necessary for our legitimate interests or those of a third party, i.e. to promote our business to existing and former customers

Credit reference checks via external credit reference agencies

(a) Identity

(b) Contact Data

Necessary for our legitimate interests or those of a third party, i.e. to ensure our customers are likely to be able to pay for our products and services

To provide the personal data of individuals associated with businesses within our case management system(s) operated by us for case management purposes

(a) Identity

(b) Contact

(a) Necessary for our legitimate interests

(b) Necessary for us to perform a task in the public interest

Marketing

We strive to provide choices regarding certain personal data uses, particularly around marketing and advertising.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that information.

ii. Opting out

You can ask us to stop sending you promotional messages at any time by contacting us at any time or by following the opt-out links on any marketing message sent to you.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

Change of purpose

We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Disclosures of your personal data

We routinely share personal data with:

third party suppliers who help us to perform our services;
other third parties we use to help us run our business; namely Datel based in the United Kingdom;
credit reference agencies;
our insurers and brokers;
our bank;
our clients via our case management system(s) operated by us.

We only allow our service providers to handle your personal data if we are satisfied that they take appropriate measures to protect your it. We may also share personal data with external auditors, e.g. in relation to accreditation and the audit of our accounts.

We may disclose and exchange information with law enforcement agencies and regulatory bodies such as Ofcom or the Information Commissioner’s Office, to comply with our legal and regulatory obligations.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data location and retention

Data may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: ‘Disclosures of your personal data’).

We will keep your personal data for as long as is necessary:

to perform services as agreed with you
to respond to any questions, complaints or claims made by you or on your behalf;
to show that we treated you fairly;
to keep records required by law.

We will not retain your personal data for longer than necessary for the purposes set out in this notice. Different retention periods apply for different types of personal data.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

Your rights

You have the following rights, which you can exercise free of charge:

Access	The right to be provided with a copy of your personal data (the right of access)
Rectification	The right to require us to correct any mistakes in your personal data
To be forgotten	The right to require us to delete your personal data — in certain situations
Restriction of processing	The right to require us to restrict processing of your personal information, in certain circumstances, e.g. if you contest the accuracy of the data
Data portability	The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations
To object	The right to object: at any time to your personal data being processed for direct marketing (including profiling); in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision making	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

For further information on each of those rights should contact our Data Privacy Lead at dataprotection@exacta.co.uk or in writing to:

Data Protection Lead

Exacta PLC

125 Deansgate

Manchester

M3 2BY

This contact should include:

enough information to identify you
proof of your identity and address (e.g. a copy of your driving licence or passport and a recent utility or credit card bill); and
let us know what right you want to exercise and the information to which your request relates.

Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Unfortunately, no data transmission over the internet or any other network can be guaranteed as 100% secure. As a result, whilst we strive to protect your personal data, we cannot ensure and do not warrant the security of any information you transmit to us, and this information is transmitted at your own risk.

How to complain

We hope that our Data Privacy Lead can resolve any query or concern you may raise about our use of your data.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.