1. WHO ARE YOU AND WHAT IS GOREPORT?
1.1. We are MobileReport Ltd trading as ‘GoReport’, a company registered in Northern Ireland, with address at 10 Heron Road, No. 3 Suite A, Belfast, BT3 9LE and company number NI607089 (“we”, “us”, “our”). We are registered with the Information Commissioner’s Office. Our registration number is Z3300101.
1.2. We provide a software tool (the GoReport® Software) which enables you to capture, process and reproduce surveying data. The purpose of the tool is to allow you to create reports and output data quickly and easily and transfer them to whoever you choose to (whether it’s your colleagues or your clients).
1.3. You may be given access to the GoReport® Software if either you or someone else has purchased a licence to use the software (whoever purchases the user licence, our Client) and has designated you as a user of the software (Permitted User).
2. WHAT IS THIS POLICY?
2.1. In order to make use of our services, from time to time we may need to process Personal Data (that is information which can be used to identify someone). This Personal Data may be about you or other people. This policy explains how we will use the Personal Data we hold.
2.2. We hold Personal Data about 4 groups of people (Data Subjects):
(i) Client Data: that is Personal Data about our Client (including key contact data);
(ii) Prospective Client Data: that is Personal Data about prospective clients (including their key contact data) who have not entered into a contract for services with us;
(iii) Permitted User Data: that is Personal Data about Permitted Users; and
(iv) Customer Data: that is Personal Data uploaded by a Permitted User on to the GoReport® Software (other than Client Data).
2.5. If you have any questions about the policy, feel free to send us an email to firstname.lastname@example.org.
3. ARE YOU A CONTROLLER OR A PROCESSOR?
(a) We are a Controller in respect of any Client Data (Personal Data about our Clients and prospective clients and their key contacts) we hold. This means that we take decisions about what types of Personal Data we think we need to collect about our Clients and prospective clients and how to use it to make our business work.
(b) We are a Controller in respect of any Prospective Client Data (Personal Data about prospective clients and their key contacts) we hold. This means that we take decisions about what types of Personal Data we think we need to collect and retain about prospective clients and how to use such information for the purposes of our business.
(c) We will hold Permitted User Data (Personal data about Permitted Users given to us by our Client) as both a Controller and Processor. Which one, will depend on the data and the processing activity. For more information on this, have a look at paragraph 6 below.
(d) We are a Processor in respect of any Customer Data (Personal Data uploaded by a Permitted User). This means that we are only processing that data at the request of the Permitted User and we’re not making decisions about what data to collect and how it should be used.
4. WHAT PERSONAL DATA DO YOU COLLECT?
4.1 We might store Personal Data about you which has been collected in the following ways:
(i) Information which you give us if you request further information about our services, purchase a user licence or when you use the GoReport® Software. This might include:
- Your name and contact details
- your financial details;
- your account preferences and settings;
- messages you send using the GoReport® Software;
- details about surveys you’ve carried out
(ii) If you are designated as a Permitted User by our Client, we may also receive information about you from our Client (who purchased the user licence to use the GoReport® Software). This might include
• your name, contact information (including an email);
• your administrative rights.
(iii) Information which other Permitted Users upload on to the GoReport® Software about you. This might include:
• details about a survey carried out;
• any other opinions expressed by a Permitted User in content uploaded.
• how you use GoReport® Software (including your user preferences and interests);
• any in-app purchases you make;
• details about user visits; and
• details about the device you use to access GoReport® Software.
For more details about our Cookies Policy, please see here.
5. HOW WILL YOU USE DATA ABOUT CLIENTS AND PROSPECTIVE CLIENTS AND WHAT IS YOUR LAWFUL BASIS FOR DOING SO?
5.1 We hold and process Client Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Client Data along with our lawful basis below:
(i) TO PROVIDE OUR SERVICES: to provide you with the GoReport® Software (which may include support and maintenance of your account on the GoReport® Software). Such processing is necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.
(ii) ADMINISTRATION AND DISPUTE RESOLUTION: We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution. Such processing is necessary for the purposes of our legitimate interest, which is in this case is to function as a business. We consider such use will go no further than a Data Subject would reasonably expect; is likely to align with the Data Subject’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of you as a Data Subject.
(iii) MARKETING: from time to time we might contact our clients by email or telephone about updates to our services, new features or functions or new products we are bringing out. These communications may be tailored on the basis of what we think your interests are (from looking at data collected using cookies and from looking at your past transactions). We will always include the right to opt out in any such correspondence.
Our lawful basis for such processing is that it is necessary for the purpose of our legitimate interest: namely to continue as a business. We consider such use will go no further than a Data Subject would reasonably expect; is likely to align with a Data Subject’s interests and with the easy opt out option, is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.
(iv) RICS LICENSING SCHEME: If you are using any RICS scheme materials, we may also need to use your Personal Data to check that you are a current member of the RICS Licensing Scheme. We are unable to provide you with such materials if you are not a member, as such this processing is necessary to enable us to perform the contract you signed up to with us.
(v) AGGREGATE DATA: We may collect aggregate data about Permitted Users and about Client transactions or interactions with us. Any such data will be anonymised and used for business and market research purposes.
5.2 We may use Prospective Client Data for marketing purposes or to take steps to enter into a contract if you have asked us to do so.
(i) MARKETING BY ELECTRONIC COMMUNICATIONS: We will never contact you by email or other electronic communication unless we have obtained your consent, in which case that will be our lawful basis for such processing. Our communications may be tailored in a way we think may be of interest to you (we might try to work this out by collecting information about you from data collected using cookies or other similar technologies or from communications between you and us).
(ii) MARKETING BY TELEPHONE: As with most businesses, we want to reach out to find new customers who we think might be interested in what we do. In order to do this, our sales team might carry out some research online and if we think we’ve found a good fit, we might contact you by telephone to ask if you are interested in having a chat about our services. In any such call we will clearly identify who we are and the nature of the call and if you tell us you don’t want to hear from us again, we will respect that. We regard such processing as being necessary for the purpose of our legitimate interest: namely to continue as a business. We consider such use will go no further than a Data Subject would reasonably expect; is likely to align with a Data Subject’s interests and with the easy opt out option, is unlikely to be detrimental to the fundamental rights and freedoms of the Data Subject.
6. HOW WILL YOU USE PERMITTED USER DATA?
6.1. We will only use Permitted User Data in the following ways:
(i) TO PROVIDE OUR SERVICES: we will use the contact information and details provided to us by our Client for the purpose of providing you with access to GoReport® Software (which may include support and maintenance of your account on the GoReport® Software). We are doing this solely on the basis of our Client’s instructions and accordingly, we are acting as a Processor in this regard.
(ii) UPDATES AND NEW FUNCTIONALITY COMMUNICATIONS: From time to time we may use the contact details which we receive from our Clients when they enter into a contract to receive our services to send emails to Permitted Users regarding updates to our services and new functionality available in the GoReport® Software. We tell our Clients about this marketing service when before they enter into an agreement with us, and give them the right to opt out at that point. If our Client doesn’t opt out, we promptly send an email to each Permitted User to notify them that we have been given their details and that they will receive such communications unless they opt out. Each communication will include an easy opt-out option. We are acting as a Controller in this regard. We are relying on the fact that such processing is necessary to achieve our legitimate interest of providing an up-to-date viable survey solution for our Clients and their Permitted Users.
If you would like further details on this use of your Personal Data, or if you would like to tell us not to use your Personal Data for that purpose, please contact us email@example.com.
6.2. We may collect aggregate data about how a Permitted User uses our software. This data will be anonymised and will not identify a Permitted User.
7. HOW WILL YOU USE PERSONAL DATA UPLOADED AS PART OF A SURVEY (CUSTOMER DATA)?
7.1 We act as a processor in respect of any Customer Data you upload, which means we are processing the data only on the basis of our Client’s instructions. Except for technical processes like storage or maintenance purposes, we don’t access or make any decisions about uses of Customer Data.
7.2 We may collect aggregate data from the information uploaded, but this data will be anonymised so that an individual may not be identified from that data.
8. WILL YOU DISCLOSE PERSONAL DATA TO ANYONE ELSE?
8.1 The purpose of the GoReport® Software is to enable you to share information with your customers and other Permitted Users. If our Client has requested it, the data which you upload on to the GoReport® Software may be accessible by other Permitted Users.
8.2 We may disclose Personal Data to third parties, for the following purposes:
9. WHAT SECURITY PROCEDURES DO YOU HAVE IN PLACE?
9.1 As fellow professionals, we understand the importance of confidentiality, and that’s why we incorporate electronic, physical and managerial procedures to safeguard and secure the data you upload on to the GoReport® Software. For instance:
(a) Each of our staff members is required to enter into and abide by a strict confidentiality agreement in respect of how it handles your content. We’ll never divulge the contents of your reports without your explicit instruction, and we will treat your reports and any other data you upload as strictly confidential.
(b) Robust security measures are in place to protect the information you upload on to our software. All data is hosted on a UK cloud server, which offers a high level of security. Our secure infrastructure includes encryption, firewalls and access control, and our current hosting company is accredited by the following industry standard bodies:
- • ISO 27001:2005 (Information Security)
- • ASEA 3402 Type II (Service Organisation Control)
- • ISO 14001:2002 (Environmental Management)
(c) From time to time we may use certain third party services to help us manage our data, including CRM and accounting software. We will only ever work with companies which are contractually bound to implement high standards of security measures. If you would like further information about what third party processors we use, please contact us at firstname.lastname@example.org.
9.2 There are some steps you can take to help make sure that your data is protected. For example:
(a) if you are contacting us with a query or complaint, only ever give us your work details rather than your personal contact details;
(b) if you are sending any financial details or sensitive information, consider sending it in separate emails or encrypted, password protected documents;
(c) make sure that you keep any passwords associated with your GoReport® account secure; and
(d) if you are dealing with sensitive information (such as names and addresses) in a report, you might want to consider entering such data by text rather than through dictation. This will minimise the need to transfer your data to third parties.
10. WHERE DO YOU STORE THE PERSONAL DATA YOU COLLECT?
10.1 Any data which you upload using the GoReport® Software is held on a cloud server in the EEA. Unless you request us to, or it is strictly required in order to provide our services to you, we will not transfer any such data outside the EEA.
10.2 If you are based outside the EEA and would like further information about where we hold your data, please contact us by email: email@example.com.
11. FOR HOW LONG DO YOU STORE PERSONAL DATA?
11.1. Our retention policies for Client Data are as follows:
(i) we may store data related to financial transactions for up to 7 years to ensure that we have sufficient records from an accounting and tax perspective;
(ii) we may archive data relating to negotiations, contracts agreed, payments made, disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;
(iii) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).
Permitted User Data and Customer Data
11.2 We will only retain Permitted User Data and Customer Data for as long as your user licence for the GoReport® Software remains valid. Once it terminates, we will securely delete such data within 30 days.
11.3 We may retain aggregate data relating to the uses made of the GoReport® Software by Permitted Users without limitation. Such data will be anonymised and no individual may be identified from the use.
Prospective Client Data
11.4 We may retain Prospective Client Data for up to a year from collection. If you ask to be added to our mailing list or if we are engaged in negotiations, we may hold such data for longer to facilitate discussions or keep you informed. We will promptly delete any such data upon receiving a request from you to do so.
12. WHAT RIGHTS DO I HAVE IN RESPECT OF ANY PERSONAL DATA YOU HOLD ABOUT ME?
12.1 Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller. This will be us in respect of Client Data (and any Permitted User Data which we hold as a Controller), and our Client in respect of Permitted User Data and Customer Data:
(a) Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and it’s used.
(b) Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients to whom the personal data has/will be disclosed;
(iv) for how long it will be stored; and
(v) if data wasn’t collected directly from you, information about the source.
(c) Right of rectification: the right to require the Controller to correct any Personal Data held about you which is inaccurate or incomplete.
(d) Right to be forgotten: in certain circumstances, the right to have the Personal Data held about you erased from the Controller’s records.
(e) Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to you. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing the data has been reviewed and updated if necessary.
(f) Right of portability: the right to have the Personal Data held by the Controller about you transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
(g) Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).
(h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on you.
12.2 If you want to avail of any of these rights, you should contact us immediately at firstname.lastname@example.org. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.
13. WHAT HAPPENS IF I NO LONGER WANT YOU TO PROCESS PERSONAL DATA ABOUT ME?
13.1 You may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever. This may have an impact on the services you receive from us. For example, if you ask us to stop processing Personal Data about you, you will no longer be able to access the GoReport® Software since we will not be able to identify you.
13.2 A request to stop receiving direct marketing will not impact on your access to the GoReport® Software.
13.3 If we hold your Personal Data as a Processor, to facilitate your request we may need to pass it to the Controller. We will only do so with your consent.
14. WHO DO I COMPLAIN TO IF I’M NOT HAPPY WITH HOW YOU PROCESS PERSONAL DATA ABOUT ME?
14.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to email@example.com. If we are processing Personal Data about you on behalf of our Client, we will need to pass your complaint to our Client – we will only do so with your consent.
14.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.
15.1 Throughout this policy you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this policy you see the following terms, they’ll have the following meanings:
Client Data means Personal Data about our Client and any prospective clients and includes key contact data;
Controller is a legal term set out in the General Data Protection Regulation (GDPR), it means the party responsible for deciding what Personal Data to collect and how to use it;
Customer Data means Personal Data uploaded by a Permitted User on to GoReport® Software (other than Permitted User Data)
Data Subject means the individual who can be identified from the Personal Data;
GoReport® Software means a software tool which enables you to capture, process and reproduce surveying data;
Our Client means whoever purchased the user licence to use GoReport® Software;
Permitted User means a user designated by our Client;
Permitted User Data means Personal Data about a Permitted User given to us by our Client;
Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual; and
Processor is another legal term set out in the GDPR, it means the party who has agreed to process Personal Data on behalf of the Controller.
Last updated: 15-05-2018.