Personal information we collect
When you visit the Site, we automatically collect certain data about your device, including information about your web browser, IP address, time zone and some of the cookies that are installed on your device. Additionally, as you browse the site, we collect information about the individual web pages that you view, what websites or search terms referred you to the site, and information about how you interact with the site. We refer to this automatically-collected information as “Device Information.”
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the site.
Additionally, when you make an enquiry through the site, we collect certain information from you, including your name, email address and phone number. We refer to this information as “Enquiry Information.”
How do we use your personal information?
We use the Enquiry Information that we collect generally to communicate with you in response to your enquiry.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our site (for example, by generating analytics about how our customers browse and interact with the site, and to assess the success of our marketing and advertising campaigns).
Sharing your personal information
We may share your Personal Information with third parties to help us use your Personal Information, as described above.
We also use Google Analytics to help us understand how our customers use the site–you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
We may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
Do not track
Please note that we do not alter our site’s data collection and use practices when we see a Do Not Track signal from your browser.
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.
The Agency is committed to processing data in accordance with its responsibilities under the DPA.
DPA requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the DPA in order to safeguard the rights and freedoms of individuals; and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
- This policy applies to all personal data processed by the Agency.
- The Responsible Person shall take responsibility for the Agency’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
Lawful, fair and transparent processing:
- To ensure its handling of data is lawful, fair and transparent, the Agency shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the Agency shall be dealt with in a timely manner.
- All data handling by the Agency must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests
- The Agency shall note the appropriate lawful basis in the use of Third-party Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Agency’s third-party systems.
- The Agency shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Personal data security:
- The Agency shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this will be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions are in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Agency shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.
Security procedures and guidelines
Data security is of great importance to us and to protect your data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your collected data.
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
We take security measures to protect your information including:
Physical and managerial security procedures:
- Limiting access to our buildings to those that we believe are entitled to be there (by use of passes, key card access and other related technologies);
- Implementing access controls to our information technology.
- We use appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, offices and stores.
- Never asking you to disclose your own passwords,
- Advising you never to enter your account number or password into an email or after following a link from an email.
Access to information:
- Employees at the Company will only be granted access to the information that they need to fulfil their role within the organisation. Staff who have been granted access must not pass on information to others unless they have also been granted access through appropriate authorisation.
Secure disposal of information:
- Care is taken to ensure that information assets are disposed of safety and securely and confidential paper waste must be disposed of in accordance with relevant procedures on secure waste disposal. Where an external shredding service provider is employed, secure paper disposal bins are in each office and used in all instances of confidential paper disposal.
- Electronic information is securely erased or otherwise rendered inaccessible prior to leaving the possession of the Company, unless the disposal is undertaken under contract by an approved disposal contractor.
- In cases where a storage system (for example a computer disc) is required to be returned to a supplier it should be securely erased before being returned unless contractual arrangements are in place with the supplier which guarantee the secure handling of the returned equipment.
Information on desks, screens and printers:
- Members of staff who handle confidential paper documents will take the appropriate measures to protect against unauthorised disclosure, particularly when they are away from their desks. Confidential documents are locked away overnight, at weekends and at other unattended times.
- Computer screens on which confidential or sensitive information is viewed should will be sited in such a way that they cannot be viewed by unauthorised persons and all computers are locked while unattended.
- Encryption methods are always used to protect confidential and personal information within the Company and when transmitted across data networks. We also use encryption methods when accessing the Company network services, which requires authentication of valid credentials (usernames and passwords).
- Where confidential data is stored on or accessed from mobile devices (for example, laptops, tablets, smartphones, external hard drives, USB sticks, digital recorders) the devices themselves are encrypted (using “full disk” encryption), irrespective of ownership. Where strictly confidential data is stored in public, cloud-based storage facilities the data must be encrypted prior to storing to ensure that it is not possible for the cloud service provider to decrypt the data.
- Where data is subject to an agreement with an external organisation, the data should always be handled (stored, transmitted or processed) in accordance with the organisation’s specified requirements.
- Where there is a requirement to remove or transfer personal information outside of the Company, it is always kept in an encrypted format. Encryption is used whenever appropriate on all remote access connections to the organisation’s network and resources.
It is the responsibility of all the Company employees with remote access privileges to the company network, to ensure that their remote access connection is given the same consideration as the user’s on-site connection to the Company, including;
- Secure remote access must be strictly controlled.
- Control will be enforced via one-time password authentication or public/private keys with strong passphrases.
- At no time, should any the Company employee provide their login or email password to anyone else.
- The Company employees with remote access privileges must ensure that their company owned or personal computer or workstation, which is remotely connected the company network, is not connected to any other network at the same time, except for personal networks that are under the complete control of the user.
- All hosts that are connected to the Company internal network via remote access must use the most up-to-date anti-virus and malware software and approved firewalls.
Security breach management:
The Company’s definition of a breach for the purposes of this and related documents, is a divergence from any standard operating procedure (SOP), which causes a failure to meet the required compliance standards as laid out by our own compliance program objectives and/or those of any regulatory body.
Compliance in this document means any area of business that is subject to rules, laws or guidelines set out by a third-party which are to be followed and which, when breached, could cause emotional, reputational or financial damage to a third-party.
Breach management approach:
The Company has robust objectives and controls in place for preventing security breaches and for managing them if they do occur. Due to the nature of our business, the Company processes and stores personal information and, in some cases, confidential client data and as such, require a structured and documented breach incident program to mitigate the impact of any breaches.
Whilst we take every care with our systems, security and information, risks still exist when using technology and being reliant on human intervention, necessitating defined measures and protocols for handling any breaches. Should there be any compliance breaches, we are fully prepared to identify, investigate manage and mitigate with immediate effect and to reduce risks and impact.
The Company have the below objectives with regards to Breach Management:
- To maintain a robust set of compliance procedures which aim to mitigate risks and provide a compliant environment for trading and business activities.
- To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow.
- To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring.
- To comply with regulating bodies and laws on compliance breach methods, procedures and controls.
- To protect consumers, clients and staff – including their data, information and identity.
To read our full Information Security Policy, click here.
When you make an enquiry through the site, we will maintain your Enquiry Information for our records unless and until you ask us to delete this information.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by email at [email protected] or by mail using the details provided below:
Vital Marketing Limited. 1 Mill Street, Leamington Spa, Warwickshire CV31 1ES.
Registered details and VAT
Registered in England: 05680957. Registered office: Blythe Liggins, Edmund House, Rugby Road, Leamington Spa. VAT: GB 876308593.