At Quarterdeck we take privacy and security incredibly seriously and we're delighted that lawmakers are finally catching up to the values and standards we've long held ourselves to.
Rest assured that we take curation of your data as seriously as if it were our own.
We support not only the letter of the law of the General Data Protection Regulation but also its spirit, and will ensure all services not only comply with its ordinances but go beyond them where we feel more security and privacy are required.
Not only is it an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection and security.
We do everything within our power and intellect to ensure we comply with the law in whichever jurisdictions are appropriate.
Why is data collected?
Data is only ever collected in service of providing our customers with the best possible experience. We will only use your personal information to administer the relationship you have with us and to provide the products and services you have requested from us.
Our business model is based on providing the best possible service to our clients and as such we only ever collect and use the minimum amount of data required to delight and exceed your expectations, which, admittedly, would be more than typical in a purely transactional relationship like buying a book or ordering a pizza.
Viewed in isolation the types of data being collected can seem unnecessary and a bit creepy.
For instance, an innocent action may be that we take a photograph at one of our public events. That might be legally disclosed as:
"Photographing and storing images of your likeness."
Let's take a hypothetical situation where Bob apologises about missing a conference call with a short email like:
"Hi Jane, Sorry to miss the conference call but my son Ethan broke his leg playing hockey and I had to rush him to A&E. Bob."
Because our email server is storing this email we are technically, by the letter of the law:
"Storing medical information about customer's family members."
"Storing names of customer's family."
"Storing information about customer's family member's hobbies and interests."
Said in isolation this sounds very creepy. So as you're reading through the types of information we store please be aware that this is a legal document and as such we are always covering the worst case scenarios and putting things in a very concise way that, on the surface, may sound unnecessary and sinister but for which there will always be an innocent explanation.
Who is collecting data?
Information is collected by Quarterdeck Ltd via any of its employees or agents. An agent is a person or legal entity not directly employed by us but contracted to fulfil part of our operating procedures. Any employees/agents working on our behalf are always fully audited and/or briefed about data security to ensure they are compliant with the data protection standards we uphold and the laws in the jurisdictions in which we operate or which cover citizens with whom we operate.
How is data collected?
We live in a complicated world and we can stumble across information about companies and people in a thousand places.
Like all companies in the world we use analytics software to guide the development of our website to ensure it's providing the best possible experience to users and that any errors and bugs are found and fixed as quickly as possible. This is standard operating procedure across the globe; your website will be collecting exactly the same information.
The data collected by analytics software can include: pages viewed, time spent viewing pages, buttons clicked, links clicked etc.
Data could be collected via any communication channel including (but not limited to): email, phone, website, verbal, camera, handwriting and publicly available information from sources including: your website, social media profiles, third party websites, search engines, newspapers etc.
For a full list of data being collected please refer to the section "What information is collected?"
How will data be used?
Data will be used to fulfil our contractual obligations to provide you with a product or service in a transactional manner.
As said previously we like to go beyond purely transactional relationships to exceed expectations and provide meaningful experiences. For legal purposes this could be described as "segmenting" or "personalisation".
If you opt-in to our email list, you will occasionally receive training articles and, even more rarely, an email letting you know about an upcoming event we think might interest you.
We occasionally profile data in aggregate to test or validate the design of services or for research purposes.
We will retain data until we no longer require it in the execution of our duties or it is requested to be deleted by the data subject.
Please contact the appointed Data Protection Officer identified in the summary of this document if you wish to exercise any of your rights under GDPR or any other relevant regulations, for example if you wish to:
- Update information to keep it accurate
- Request access to personal information
- Withdraw consent
- Request deletion of data
- Request that we stop processing data
- Object to profiling or automated decision making that could impact you
- Request that data be delivered to yourself or a 3rd party
They will deal with your request expeditiously.
Who will it be shared with?
We will never share or sell your data to any third parties.
What information is collected?
Here is a breakdown of the information we might store.
In the Execution of our Training
As part of our standard operating procedures we will retain the data needed to execute the contract we have agreed with a client. This may include: name, name of company, address of company, email, phone number, industry of company, behaviours, attitude and any other areas you identify you need to work on, survey results regarding the course in which you are a participant, feedback you provide about our performance or photographs of our events which you attend.
We use an off-the-shelf analytics package, as most companies do, so you can expect any and all behaviour on our website to be recorded. Analytics packages tend to record data like: IP address, pages viewed, time spent viewing pages, buttons clicked, links clicked etc.
Unrequested Data or Voluntarily Supplied Information
As described in the "Why is data collected?" and "How is data collected?" sections, the information you send us via email is essentially totally open-ended and infinite. People are free to send us all kinds of sensitive data about themselves which on the surface is innocent but may reveal personal information like: family details, genetic makeup or sexual orientation.
Please be assured that our staff are trained to deal with sensitive data with the highest possible standards of privacy and security and treat it as though it were their own.
For more technical information about how our email is handled review the policies of our email service providers: Fastmail, Mailgun and Sparkpost.
Like any sophisticated modern business we make use of internet providers and cloud services to give our customers the best experience possible. We complete a full privacy audit of all our Data Processors in order to ensure they live up to and operate under our high standards.
We use Digital Ocean for provision of VPS to host our website and CRM. Data is stored in a MySQL database here and backed up to Synology. Our VPS server is hosted in the United Kingdom and our file server is hosted in Amsterdam. [https://www.digitalocean.com/security/gdpr/]
We use FastMail for hosting our corporate (@quarterdeck.co.uk) email. FastMail is an Australian company. [https://blog.fastmail.com/2018/04/24/gdpr-fastmail-prepares/]
We use SparkPost for automated transactional emails. SparkPost is an American company. [https://www.sparkpost.com/gdpr/]
We use MailGun for creating audit trails of quarterdeck.co.uk emails, sent and received. MailGun is an American company. [https://www.mailgun.com/gdpr]
We use Synology as our office file server and Synology C2 as our offsite backup mechanism. We also back up MySQL database data from Digital Ocean to Synology.
"Our data centre is located in Frankfurt and meets the high privacy standards required by EU regulations. The security of data being transmitted and stored on C2 can be ensured with the support of our rigorous encryption technologies."
We use ConvertKit for email marketing. ConvertKit is an American company. [https://convertkit.com/gdpr/]
Website Analytics: Segment, Full Story, Bugsnag, Heap Analytics
We use Segment, Full Story, BugSnag and Heap for website analytics and bug catching. All these companies are American. [https://segment.com/blog/segment-and-the-gdpr/] [https://www.fullstory.com/resources/gdpr-and-fullstory/] [https://www.bugsnag.com/security/]
All our company devices have full-disk encryption using XTS-AES-128 with a 256-bit key and are protected with passphrases, passcodes or biometric measures to prevent unauthorised access.