Unless otherwise required by law, the Information Commissioner’s Office (ICO) guidance or best practice, or in order to perform our contract with you, we will only process your personal data in the way we tell you (set out below or in our agreement with you) or in the way you ask us to, and we will give it back to you at any time.
1.1 – This policy, together with any terms and conditions or other documents we provide to you at any time during our relationship with you, sets out how we will process your personal data.
1.2 – This policy will apply to our contract with you. You are therefore advised to read it carefully. Terms used within it shall have the meaning(s) given in the Data Protection Act 1998 (Act) and/or the General Data Protection Regulation (Regulation), as applicable.
1.3 – By visiting our website at www.korubu.com/privacy (our Website), or by providing your personal data to us, you understand, accept and consent to the practices described in this policy.
1.4 – Any changes we make to this policy will be posted on this page. You are advised to check back frequently as, unless your consent is required, any changes will be binding on you when you continue to use the Website or work with us after the date of the relevant change.
1.5 – For more information relating to your rights under this policy, please see section 9.
1.6 – If you have any queries relating to this policy, please contact us at firstname.lastname@example.org in the first instance.
2. Who we are
2.1 For the purposes of the Act, the data controller (or data processor from time to time) will be KORUBU LIMITED, a company registered in England & Wales (number 10026165) with our registered office at 79 Thomas Street, Northern Quarter, Manchester, M4 1LQ
2.2 Your personal data will be held and stored by us in our internal management information systems on servers located in the UK. All personal data is processed by UK based staff who are regulated by our internal staff data protection and information security policies. All staff receive appropriate data protection training as part of their induction process with us.
3. Your consent
3.1 We do not ordinarily rely on your consent to process your personal data. We process your personal data primarily to perform our contract with, and provide our services to, you. We consider the personal data we obtain is reasonable and necessary for these purposes. However, we review this intermittently and remove any inaccurate or obsolete data in accordance with our internal data retention policy.
3.2 By using our Website and/or our services, you expressly consent to:
3.2.1 the transfers of your personal data to those specifically listed third parties in this policy, for the reasons specified; and
3.3 Where you consent to marketing from us, we confirm that we only market our services directly and do not engage any third parties to do this on our behalf.
3.4 You may exercise your rights under section 9 at any time, which includes withdrawing your consent to our processing of your personal data (where we rely on your consent to process such data). However, where this withdrawal prevents us from performing our contract with you, we may not be able to provide our services to you.
4. What we collect
4.1 We will only collect your name, business email address, address (business or personal) phone number and date of birth. This is to allow us to create your account in our internal system to monitor the progress of your order, and to contact you in relation to it.
4.2 Where you are a current, potential or former employee, worker or other member of our staff, we may collect additional categories of your personal data for the purposes of providing you with the necessary benefits under our contract with you. In those circumstances, a separate privacy notice applies and a copy is available on request.
4.3 If your personal data changes, or becomes inaccurate at any time, you must let us know to avoid any errors or delays in our services.
5. How we collect it
5.1 When you provide it to us
– Your personal data is primarily provided to us when you complete our new client form, providing us with a letter of authority to act on your behalf in relation to providing our services, or via a web form on our website www.korubu.com
– When you correspond with us by phone or e-mail as part of our business with you, any of your personal data contained in that correspondence will be retained by us.
5.2 When we collect it from you
– When you use our Website, we will automatically collect technical information about the device you use to visit, including your IP address, browser type/version and related settings.
– We also monitor your use of our Website. This includes the full URLs, your clickstreams through our Website, the pages you view and how you interact with them and how you leave the Website.
5.3 When we receive it from others.
So that we can provide our services to you, and can verify your identity and your ability to continue to make payments to us, we will use recognised third party credit rating/reference agencies to carry out credit checks on you. Any information in that credit report that allows us to identify a natural person will be retained by us for the purposes of providing our services.
6. What we use it for
6.1 Your personal data is primarily required to enable us to supply you with the relevant services and support you have requested from us, and to contact you in relation to any enquiries or requests you raise with us.
6.2 We also use your personal data to send you information by email about us, our services and any recent market updates that are similar to those you have already purchased or enquired about. We only do this where you have given us permission to do so, and you can opt-out at any time. Where you opt out, we will no longer contact you until you ask us to, and we will not prompt you to do so.
6.3 Technical information we collect about your visit to our Website is used to enable us to:
– personalise and improve its functionality and security (to keep it safe and secure)
– administer and monitor traffic and behaviours on our Website for analysis, testing, research, statistical and survey purposes; and
– ensure that we can offer you the most effective and efficient browsing experience, and make improvements where necessary.
6.4 Once collected, your personal data will be retained by us for as long as is necessary for us to provide you with the relevant services, to market our services to you (where requested) and to enable us to improve our Website. After this point, the data will be securely deleted and we will not contact you unless you ask us to.
7.1 All personal data we host is stored in accordance with our internal Information Security & Data Protection Policy, on which all staff are trained. All locally held data is encrypted using AES 256-bit encryption, and all hardware is protected using endpoint security tools.
7.2 We do not host data on any physical servers at any of our premises. All personal data we process is stored on Cloud-based servers hosted by the following providers:
– Salesforce.com, Inc., a company incorporated in the USA (Delaware) and/or salesforce.com EMEA Limited, a company incorporated in England and Wales (Salesforce) and their affiliated companies and appointed sub-processors. Salesforce impose binding corporate rules in relation to the processing of personal data within its group of companies and more information is available at http://trust.salesforce.com. All data hosted on Salesforce is backed-up by our IT Director, weekly; and
– Microsoft Azure, a Cloud-hosting solution provided by Microsoft, Inc. (Microsoft). Microsoft complies with international data protection laws regarding transfers of customer data across borders and is certified to EU-U.S. Privacy Shield Framework regarding the processing of information transferred outside of the EU to the US. More information can be found at https://www.microsoft.com/en-us/trustcenter/privacy/where-your-data-is-located.
– All personal data contained on internal or external communications is stored on Microsoft’s Office365® OneDrive.
7.3 Access to the personal data we store within our systems is restricted to personnel who have received appropriate data protection training, and those members of staff with appropriate seniority (account managers, members of our senior team, and members of our operations teams).
7.4 Access to all of our databases is by two-factor authentication software. All passwords are held securely and any access to back-end servers requires this as well as user-based authentication. Staff have access only for the purposes of performing their roles.
8.How and why we disclose your data
8.1 The very nature of our services requires us to pass your personal data to third party energy and utility providers to enable them to assess your usage needs and provide you with an accurate quote going forward. As there are many providers in the United Kingdom, it is not practical to list all of these in this policy, but where a quote is provided we will notify you as to which company is processing your personal data on our behalf.
8.2 Any websites which are linked from the Website are outside of our control and not covered by this policy. If you access those websites using the links provided, the website operators may collect information from you which will be used by them in accordance with their own privacy policies (if any). These policies may differ from ours, and we cannot accept any responsibility or liability in respect of these.
9. Your rights
9.1 In relation to all of your personal data, you have the following rights (in addition to any rights you may have under the Act or the Regulation) to ask us:
9.1.1 not to process your personal data for marketing purposes;
9.1.2 to clarify what data we hold about you, how it was obtained, to whom it has been disclosed and for how long it will be stored;
9.1.3 to amend any inaccurate data we hold about you;
9.1.4 to delete any of your data (where you no longer think we need to hold it, or you think we have obtained or processed it without your consent at any time); and
9.1.5 to only process your personal data in limited circumstances, for limited purposes.
9.2 We have the capacity to extract your personal data from our databases and provide it to you in a structured, commonly-used way (typically by .csv file).
9.3 If you wish to exercise any of your rights at any time, please contact us on the details contained at the beginning of this policy in the first instance. We will require you to verify your identity to us before we provide any personal data, and reserve the right to ask you to specify the types of personal data to which your request relates.
9.4 Where you wish to exercise any of your rights, they may be subject to payment of a nominal administration fee (to cover our costs incurred in processing your request) and any clarification we may reasonably require in relation to your request. Such fees may be charged where we consider (acting reasonably) that your request is excessive, unfounded or repetitive