Keyloop Holdings (UK) Limited and all of its subsidiaries and affiliates (“we”, “us”, “our”) are committed to respecting your privacy and about protecting the privacy and security of the personal data collected or generated in connection with your relationship with us (“Personal Data”). Please read the following notice carefully to understand our practices regarding your Personal Data and how we collect, process, share and protect your data. We also share details of the choices and rights you have in relation to your Personal Data.
Is Keyloop a data controller or data processor?
When you use our websites, enquire about our services, apply for a role with us or come to work for us we are a Data Controller which means that we are responsible for deciding how we may collect and use your Personal Data and this Privacy Notice shall apply to you.
We also act as data processors of the personal data that our customers provide to us or use our services to collect, store or process (typically dealerships and vehicle manufacturers). Where we are data processors only it is our customers’ legal responsibility to provide the data subjects with their own privacy notice and this Privacy Notice would not apply to you. If you then have queries in relation to their use or processing of personal data you should contact them directly.
What Personal Data do we collect, process, store and use?
We may collect, process, store, and use your Personal Data, in a variety of ways depending on the services that govern our interactions. We will only collect and use your Personal Data if it is relevant to the services or products we are providing to you.
Special Categories of Personal Data include details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data. We will process Special Categories of Personal Data only where relevant and if necessary and as we may be permitted under law, in particular in the following circumstances (i) with your written consent; (ii) where we need to carry out our legal obligations; (iii) where it is needed in the public interest, or if you are a vulnerable customer, or for equal opportunities monitoring and in line with this Privacy Notice.
The types of Personal Data we process may include:
|Personal Details||Age, gender, marital status and date of birth.|
|Identity / Contact Details||First name, last name, maiden name, title, residential address and status, billing address, delivery address, email address and telephone numbers, identity documents (such as passport or driving licence), photographs and images of you.|
|Employment Data||Employment status, job title, duration, employment address, work telephone number and email address, previous employers’ details, employee number.|
|Nationality||Nationality and citizenship, length and/or right of residency, visa information.|
|Transaction Data||Information about products you may wish to purchase from us, quotations and contractual documents regarding our products and services.|
|Technical Data||Device identifiers such as internet protocol (IP) address, username or similar identifiers, login data, browser type and version.|
|Contact with us||Information and records created as a result of your interactions with us, such as telephone or web chat conversations, CCTV footage, postal mail, online contact , contact via app, including information about how you use our websites, apps and other services, contact profiles including user names and passwords, your interests and preferences, feedback and survey responses.|
|Marketing||Marketing and communication preferences, use of other media and means of communications, such as Facebook, LinkedIn, Twitter etc.|
|Fraud, Sanctions and Crime Data||Information about fraud, theft, sanctions, Politically Exposed Persons information or criminal activity which may be apparent if we conduct due diligence on our customers that includes your details.|
We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your Personal Data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.
If you apply to work for us, there may be third parties involved in the application process, such as recruitment agencies or job recruitment websites. They will have their own Privacy Notices and we advise you to visit their websites to check how they will use your personal data too. When a candidate applies for a role with Keyloop and they are successful, we have a specific Privacy Notice for employees, which we will provide you with when you join us.
It is important that the Personal Data we hold is kept up-to-date and is accurate. If we have collected your Personal Data, please let us know as soon as possible if there are any changes to it or if you become aware of any errors in the Personal Data that we hold and we will use reasonable efforts to ensure it is adjusted accordingly.
Why do you collect and process my Personal Data?
We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:
- To provide information (such as brochures requested), support and to process general enquiries you might make through our website.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to do so in order to perform a contract we are about to enter or have entered. This may also include us performing a contract with one of our corporate customers (which may be your employer) such as where we might provide your employer with our training product(s) for your benefit as a well as other end users.
Where we need to collect personal data by law, or under the terms of a contract we have with you (or your employer), and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you or your employer (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Generally, we do not rely on consent as a legal basis for processing your Personal Data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us at email@example.com or by using any unsubscribe links available in the messages. If you have not opted out from receiving marketing from us you will receive marketing communications from us if you have requested information from us or purchased our products or services.
Specific Purposes of Processing
We process your Personal Data for the following purposes:
|Purposes for processing Personal Data|
|Provision of services to you and customer relationship management.|
|Marketing, provision of product and company information and updates.|
|Delivery of service bulletins and product information and related information to customer contacts.|
|Asking you to submit a review or take a survey.|
|Legal and regulatory compliance, litigation, investigations, and risk management (including systems for storage of legal work products, documents and information).|
|Other legal and customary business-related administration, such as making back-up copies of files for business continuity, as needed for computer system maintenance and other everyday human resource purposes.|
|Personal Data collected through internal websites, including without limitation in connection with subscriptions for newsletters, downloads of materials and registration for products and services, including online and offline Personal Data pertaining to prospective, current and former customer contacts.|
|Data processed by our threat management platform and its related technologies and procedures that will provide advanced prevention, detection, response and intelligence capabilities to protect us and the employee data we process.|
|Systems enabling collaboration, including document sharing.|
|Systems for storage and distribution of internal emails and archiving historical data.|
|Business operations purposes, including maintaining records related to mergers, acquisitions, reorganizations, sales, distributions, dispositions, financial management and reporting.|
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Third Party Links
Our sites may contain links to other sites, including those of our business partners and corporate customers. While we seek to link only to sites that share our high standards and respect for privacy, we are not responsible for the privacy practices employed by other sites and you are advised to check each sites’ own Privacy Notice.
Disclosure to Third Parties
We may share your Personal Data with the categories of parties listed below for the use, purposes and situations described in this Privacy Notice, where we are required to do so by law, to enter into, manage and administer any contract with you (or your employer where applicable) or for other purposes that we notify you of in this Privacy Notice.
Who we may share your Personal Data with:
- Our affiliates within the Keyloop group of companies and to our shareholders
- Other data processors who provide us with services to enable us to provide our services to you, but only where they use the data only for purposes consistent with this Privacy Notice and under our instructions. These may include our supply chain, our insurers, our professional advisers or our IT suppliers.
- The data controllers who purchase our services and who we are under contract with (including corporate customers who may be your employer).
- Any organisation we are required to share the Personal Data with by law, such as those needed to assist in the event of an emergency, statutory authorities, such as law enforcement, tax authorities and any credit reference or fraud prevention agencies as may be required.
- Acquiring organisations if we are involved in a sale or a transfer of some or all of its business (Personal Data shall be anonymised preceding sale where possible).
Our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Personal Data in line with our policies. We do not allow our third-party service providers to use your Personal Data for their own purposes unless they also provide services to you as data controllers and then they are responsible to you directly for your dealings with them. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
International Transfers of Personal Data
Due to the global nature of our business, your Personal Data may be transferred across international borders. If you are resident in a country that requires additional provisions to be put in place when conducting international transfers of your Personal Data, we ensure that we do so only in accordance with the applicable laws (such as the EU GDPR and UK GDPR). Wherever possible, we rely on transferring Personal Data to countries that are deemed to have adequate protection for personal data by the UK government or decisions made by the European Commission.
If the country involved in the transfer is not on a list of countries deemed to have adequate protection measures in place, we will use an alternative appropriate method of protecting your Personal Data, such as the EU’s Standard Contractual Clauses (“SCCs”) or the UK’s International Data Transfer Agreements (”IDTA”).
How do we protect your Personal Data?
We have implemented technical and organisational security measures to protect your Personal Data against unlawful or unauthorised access, use or modification, in addition to protecting against accidental loss or damage.
If we share information with third parties, they will only process your Personal Information on our instructions and where they have agreed to treat the information confidential and to keep it secure.
In addition, we limit access to your Personal Data to those employees, affiliates, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data protection or information security breaches and will notify you and the appropriate regulator where applicable.
How long do you keep my Personal Data for?
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for and subject to our retention policy.
To determine the appropriate retention period for Personal Data, we consider:
- the volume, nature, and sensitivity of the Personal Data;
- the potential risk of harm from unauthorized use or disclosure;
- the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements;
- the time periods within which we have rights to enforce any terms that apply and the time periods within which you have the right to enforce any claims against us.
We also retain Personal Data for the purpose of satisfying any legal, regulatory, accounting, or reporting requirements and guidance. Typically this is a period of six years after you cease to have a contract or relationship with us.
In relation to Personal Data we process in connection with the provision of one of our training products, where you have not logged in to your account for more than 24 months, we may delete your account and the associated data. Where your account information is deleted, you will not be able to access your training records or history and may be required to undertake such training again where you have no suitable records.
In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Under certain circumstances you have rights under data protection laws in relation to your Personal Data. The summary below is based on the rights enshrined in the General Data Protection Regulation but if different laws apply in your jurisdiction where we collect and process your Personal Data we will comply with those in relation to individuals’ rights.
To exercise your rights, where Keyloop is the data controller, please contact us at firstname.lastname@example.org.
- Right to Access your Personal Information (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Right to Rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected although we may need to verify the accuracy of any new data you provide to us
- Right to Request Restriction of Processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy, or the reason for processing it or where you need us to hold the Personal Data in order to exercise, establish or defend legal claims, or if we need to verify our overriding legitimate grounds to use it.
- Right to Erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Right to Object to Processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
- Right to Data Portability (transfer) of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent: In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is unfounded or excessive.
Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
If there are any statutory time limits for us to respond to legitimate requests we will use reasonable efforts to meet them. Occasionally, if a request is more complex, or we need more information from you, or if you have made a number of requests, we may need to notify you of an extension to the time limit.
We commit to resolving complaints about our handling of your Personal Data in a timely manner. If you would like to make a complaint, you should contact our Data Protection Officer by email (wherever possible): firstname.lastname@example.org. If you would prefer to write, please contact our DPO at our headquarters: The Brickworks, 35-43 Greyfriars Road, Reading, RG1 1NP., UK.
If your complaint is not satisfactorily addressed by Keyloop, you may file a complaint to the relevant data protection authority in your country. If you are in the EU or UK, the contact information of the data protection authorities may be found at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
Changes To This Privacy Notice
We reserve the right to update this Privacy Notice at any time, to reflect how we process and look after your Personal Data or to ensure that any changes to applicable laws are addressed. Updated versions of the Privacy Notice will be published on our website. We may also notify you in other ways from time to time about the processing of your Personal Data, such as emails.
If you have any questions about this privacy notice, please contact our Data Protection Officer by emailing email@example.com.