Privacy & Cookies Notice
Effective from 1 September 2021 (v1.1)
This privacy notice explains how we as a ‘controller’ collect and use personal data about individuals we interact with other than our staff, customers and users of our application. It also summarises the rights of such individuals under data protection law.
It is important that you read this notice together with any other notices we may provide at the time of collecting or using your personal data (which are not intended to override this notice).
This notice contains links to materials relevant to data protection laws in the United Kingdom (UK) and European Union (EU). Whether these materials are relevant to you is a matter of whether such data protection laws apply to you.
Previous versions of this notice can be provided on request by email to the email address below.
Who we are
We are StructureFlow Ltd, a company registered in England and Wales under number 10403883. We are registered as a ‘controller’ with the UK Information Commissioner’s Office under number ZA493065.
For any questions about this notice or our privacy practices, please contact our Data Protection Manager in the following ways:
Postal address: 10 Queen Street Place, London, EC4R 1AG
Who you are
This notice applies if you fall into one or more of the following categories of individuals:
Job Applicant
You have applied for a role with us through our website or by any other means.
Office Visitor
You are a visitor to our offices at WeWork Labs, Aldwych House.
Prospect
You are a prospective customer or someone who works for a prospective customer.
Supplier
You are a supplier or someone who works for a supplier.
Website Visitor
You are a visitor to our website, which you may have arrived at by clicking on a link or completing a form on LinkedIn or other website or social media platform.
The Personal Data we Hold About you
Personal data means any information which does (or could be used to) identify a living person. It does not include data where it is not possible, either alone or in combination with any other data, to identify a living person (anonymised data).
As a controller, we are required to identify the personal data that we collect about you and the lawful basis relied upon by us for using your personal data for specific purposes. Under UK and EU data protection law there are six legal grounds that we may rely upon, the most relevant being where:
- use of your personal data is necessary for us to enter into and perform our contract with you (where you and not your organisation are our customer);
- use of your personal data is necessary to comply with any legal obligation on us;
- you have given your consent to us using your personal data, for example, where you have opted in to receiving marketing emails from us by completing a form on our website or elsewhere; or
- use of your personal data is necessary to pursue our legitimate interests and those interests are not outweighed by your fundamental rights and interests.
Categories of Personal Data and Purpose
The following sections provide a summary of the key categories of personal data we may hold about you, the purpose for which we use your personal data, examples of personal data within each category and the legal ground we rely upon for using your personal data:
Job Application Data
Data provided by Job Applicants or obtained by us in connection with roles we are hiring for.
Types of Personal Data
- First name and surname
- Contact details
- Education, employment history and other biographical information
- Equality monitoring information
- Interview notes
- Communications
Legal Ground
Legitimate interest (running our recruitment process, responding to and defending legal claims and promoting equal opportunities);
Contract (taking steps to enter into an employment contract with successful Job Applicants).
Marketing Data
Data obtained by us from and about Prospects and Website Visitors in the context of pre-sales marketing activities.
Types of Personal Data
- First name and surname
- Contact details
- Emails and call notes
Legal Ground
Legitimate interests (marketing our products and services to potential customers and growing our business).
Newsletter Subscription Data
Data provided to or obtained by us about Prospects and Website Visitors in connection with our email newsletters.
Types of Personal Data
- First name and surname
- Contact details
- Opens/clicks/downloads
- Country/territory
Legal Ground
Consent (where you opt-in to receiving emails from us).
Legitimate interests (where your email address has been provided to you by a company and we have added you to our email marketing database).
Office Security Data
Data obtained by our serviced office provider from Office Visitors on reception and while on the premises for the purpose of ensuring secure access to our office premises and for fire safety.
Types of Personal Data
- First name and surname
- Email address
- CCTV footage
Legal Ground
Our serviced office provider will be the controller of your personal data at the time of its collection, in accordance with any policies or notices published by them.
Supplier Personnel Data
Data provided to or obtained by us about our Suppliers or Suppliers’ personnel in connection with services being provided to us.
Types of Personal Data
- First name and surname
- Job role
- Contact details
- Communications
Legal Ground
Legitimate interests (business administration and managing our relationship with suppliers).
It is important that the personal data we hold is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
If we need to use personal data for a new purpose that is not set out above, we will inform you beforehand and explain the lawful ground on which we will rely.
Who we Share Your Personal Data With
We do not sell your personal data for marketing purposes and we never will.
The only people that will have access to your personal data include:
- our staff (who are either employed by us or engaged by us under contracts which include strict confidentiality and data protection obligations on them);
- our technical service providers (all of which will only have the access they need to provide their services to us and which have entered into contracts which include strict confidentiality and data protection obligations on them in their capacity as our processors or sub-processors, as appropriate);
- any regulatory authorities such as HM Revenue & Customs (the UK tax authority);
- our professional advisers, but only as necessary to conduct our business; and
- any actual or potential buyer of our business.
In the very rare situation where we are asked to disclose personal data in response to any legal request or court order, we will take legal advice before making any disclosure to ensure that your rights and interests are considered before responding to any such request or order.
Where Your Personal Data are Stored
For the purposes of UK and EU data protection laws, where we instruct third parties to process personal data on our behalf and that results in a transfer outside the UK or European Economic Area (EEA), we ensure that a similar degree of protection is afforded to such personal data by ensuring at least one of the following safeguards is implemented:
- we will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
- where we use certain service providers, we may use specific contracts approved by the European Commission which ensure that appropriate safeguards are in place.
Please contact us for further information on the specific mechanism used by us when transferring personal data out of the UK or EEA.
How we Keep Your Personal Data Secure
We have implemented appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures are set out below:
- appropriate access controls and user authentication;
- staff policies and training;
- incident and breach reporting processes;
- use of IP anonymisation and privacy-enhancing tools;
- appropriate internal IT and network security;
- business continuity and disaster recovery processes;
- regular testing and review of our security measures; and
- contractual measures with staff to ensure confidentiality.
If there is any breach of security in relation to your personal data where we are a controller, we will notify the regulator and any affected individuals where required under data protection law.
How Long we Keep Your Personal Data for
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including to comply with any legal, regulatory, tax, accounting or reporting requirements. We retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you or any organisation that employs or engages you.
In some circumstances, you can ask us to delete your personal data sooner (see ‘Your rights’ below for further information).
For further information about how long we keep your personal data for, please contact us.
Cookies and Similar Technologies
We use a privately hosted analytics tool to understand how Website Visitors arrive at and use our website platform and where they are based. We have configured our tools such that they do not use cookies and your IP address is anonymised, so that we cannot identify you from the analytics data we receive from our tooling either alone or in combination with any other data we hold about you.
We also use a customer relationship management (CRM) tool. Our CRM uses cookies to identify unique visitors to our website based on ‘opaque Globally Unique Identifiers (GUID)’ that do not contain any personal data. If you do not give consent to non-essential cookies when visiting our website, none of these cookies will be stored except the ‘__hs_opt_out’ cookie which is used to remember your choice.
Our website uses cookies in relation to other services used by us which can be used to distinguish you from other users, but do not store your personal data.
To find out more about cookies, how to refuse them and how to change your device’s cookie settings, you should visit All About Cookies. Please note that if you refuse to accept cookies or change your device’s cookie settings, you may not be able to use all of our website’s features.
Our website uses the following types of cookies:
- Strictly necessary cookies – these are cookies that are required for the effective and secure operation of our website and to provide functionality that you have requested
- Performance cookies – these cookies allow us to recognise new and returning visitors to our website and see how they move around our website
- Functionality cookies – these are used to recognise you when you return to our website and remember any preferences set by you
- Advertising cookies – these cookies are used to track the effectiveness of our marketing campaigns, provide you with adverts about our products and services and limit the number of times you see an advert from us
The specific cookies used by our website are as follows:
Cookie | Type | Duration | Further information |
_ga | Performance | 2 years | This cookie is used by Google Analytics to distinguish users. |
_gat | Performance | 1 minute | This cookie is used by Google Analytics to throttle the request rate. |
_gid | Performance | 24 hours | This cookie is used by Google Analytics to distinguish users. |
_grecaptcha | Strictly necessary | Persistent | This is a local Storage object that is stored on your device by our website to help us distinguish between humans and ‘bots’ and ensure that our website analytics data is valid. |
hubspotutk | Performance | 13 months | This cookie is used by HubSpot to identify unique visitors to our website using an ‘opaque GUID’ which means it doesn’t store your personal data. It is passed to HubSpot on form submission and used when de-duplicating contacts. |
__hs_opt_out | Functionality | 13 months | This cookie is used by HubSpot (which we use to track our marketing activities) to remember not to ask you to accept cookies again where you have declined them. |
__hs_initial_opt_in | Functionality | 7 days | This cookie is used by HubSpot to prevent the cookie banner from always displaying when you have accepted them. |
__hssc | Performance | 30 mins | This cookie is used by HubSpot to keep track of sessions and determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. |
__hssrc | Performance | End of browser session | This cookie is used by HubSpot to determine if you have restarted your browser when a new session is started. |
__hstc | Performance | 13 months | This cookie is used by HubSpot to track visitors to our website. It contains the domain, a unique token (called the HubSpot UTK), initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). |
Various LinkedIn cookies | Functionality, Performance, Advertising | Session to 2 years | LinkedIn is one of the main marketing tools used by us. If you have a LinkedIn account and access our website either directly or via a link or campaign on LinkedIn, various cookies are stored on your device by LinkedIn. Some of these cookies are used by LinkedIn to prevent malicious activity on their website, to track how LinkedIn is being used by its customers and to enable us to monitor the effectiveness of our LinkedIn marketing campaigns. For more information, see the LinkedIn Cookie Table. |
We are required to obtain your consent to all cookies except those that are strictly necessary. You will be asked to confirm your consent when you first visit our website. Alternatively, you can clear cookies after you visit our website, use a tracking blocker such as Privacy Badger or, for analytical cookies stored by Google (such as those used by LinkedIn), install the Google Analytics opt-out extension.
Your Rights
If UK and EEA data protection laws apply to you, you have the following rights in relation to your personal data:
Access
You have the right to be informed if your personal data is being used and the right to request a copy of the personal data held about you together with certain information about the processing of such personal data to check that we are holding it lawfully.
Correction
You have the right to ask us to correct any inaccurate or incomplete personal data held about you.
Deletion
You have the right to ask us to delete or remove any personal data held about you where there is no good reason for us to continue holding it or where you have exercised your right to object.
Restriction
You have the right to ask us to restrict how we hold your personal data, for example, to confirm its accuracy or our reasons for holding it.
Objection
You have the right to object to our holding of any personal data about you which is based on our legitimate interests or those of a third party based on your particular circumstances. You also have the right to object to our holding your personal data for direct marketing purposes.
Portability
You have the right to receive or request that we transfer a copy of the personal data we hold about you in an electronic format where the basis of our holding such information is your consent or the performance of a contract and the information is processed by automated means.
Complaints
You have the right to complain to the UK Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how we collect and use your personal data.
If UK and EU data protection laws do not apply to you we will, to the extent required by applicable law, comply with your rights under other applicable laws relating to our collection and use of your personal data.
We do not use any automated decision-making or profiling in the course of our business or the provision of our products or services.
You do not have to pay any fee to exercise any of the above rights, although we may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, we will let you know.
To protect the confidentiality of your personal data and other individuals, we may need to ask you to verify your identity before fulfilling any request in relation to your personal data.
We aim to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we may extend the deadline by up to two months but will notify you and keep you updated on progress.
California Consumer Privacy Act (CCPA)
This section of the notice only applies if you reside in the State of California.
Definitions: Any references in this notice to personal data include references to personal information as defined under the CCPA.
Rights of access and deletion: The right of access described in the previous section is limited to the personal data that we have collected from and about you over the past 12 months. The rights of access and deletion described in the previous section will be subject to the exceptions set out under the CCPA.
Right to opt-out of the sale of personal information: Although you have the right to opt-out of the sale of your personal information, this is not something we do.
Right to non-discrimination: You have the right not to be discriminated against for having exercised your rights under the CCPA. This means that we will not deny you access to our products or services; charge you or your organisation a different price for any content available within our products or services; deny you or your organisation any benefits or charge any penalties; or provide you or your organisation with a different user experience to any other users.
Sale of personal information within the past 12 months: We have not sold any personal data in the past 12 months.
Disclosure of personal information within the past 12 months: The CCPA describes many of the activities we routinely undertake in relation to personal information as disclosures to third parties for a ‘business purpose’. We enter into contracts with such third parties which require them to keep your personal information confidential and not use it for any purpose other than to provide their services to us. In the past 12 months, we have disclosed all of the categories of personal information listed earlier in this notice to our technical service providers for the purposes of hosting our website, detecting and protecting against security incidents and debugging to identify and repair errors.
Exercising your rights under the CCPA: To exercise any of your rights under the CCPA you, or another person registered with the California Secretary of State that has been authorised by you, should contact us using the details set out above.
Changes to This Notice
We may need to make changes to this policy occasionally, to reflect any changes to our services or legal requirements. You should visit this page regularly to take note of any changes.
Copyright © 2023 StructureFlow Ltd. All rights reserved.