Privacy Notice

1. Introduction

Micad is committed to safeguarding the privacy of our website users and the personnel of our customers, prospective customers and suppliers.

In this notice, “we”, “us” and “our” refer to Micad Systems (UK) Ltd and its group companies, a full list of which is set out at the end of this notice.

When does this notice apply?

This notice applies where we act as a “controller” of personal data. With respect to the personal data of users of our software systems, we do not act as a controller; instead, we act as a processor. Our legal obligations as a processor are set out in the contract between us and the relevant data controller – typically, our customer.

2. The personal data that we collect

In this table we have set out the general categories of personal data that we process and information about the source and specific categories of that data.

| Data category | Details | Sources of data |
| --- | --- | --- |
| CRM data | Data stored in our customer relationship management system; this may include your name, your company name, your email, your company telephone number, your mobile phone number, your country, as well as categorisation data and the content of communications that you send to us or vice versa. | You – or your employer, or any organisation that you represent |
| Marketing data | Data processed for the purposes of our direct marketing activities: your name, email address, marketing preferences and marketing history. | You – or your employer, or any organisation that you represent |
| Other communication data | Contact details and communication content not included in the above categories. | You – or your employer, or any organisation that you represent |
| Event data | Information concerning your registration for and attendance at Micad events. | You – or your employer, or any organisation that you represent |
| Usage and analytics data | Data about your use of our website and software-based services, which may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. | Our analytics systems |

If you contact us via a website or application form, then metadata relating to that contact may be generated automatically by our systems. This could include the date and time of your contact, and associated usage and analytics data.

3. Purposes of processing and legal bases

In this table, we have set out the purposes for which we may process personal data and the legal bases of the processing.

| Purpose of processing | Details | Legal basis of processing |
| --- | --- | --- |
| Relationships | We may use CRM data and other communication data for communicating with you, including complaint handling. | Legitimate interests: the establishment, development, maintenance and management of our commercial relationships; enabling the effective use of our services; providing support in relation to our services. |
| Operations | We may use CRM data and other communication data in the course of contracting with customers and providing our services to customers; we may also use this data when generating invoices, payment and taxation documentation, and for credit control. | Legitimate interests: developing, operating, monitoring and securing our software, services, website and business operations generally. |
| Marketing | We may use marketing data for sending direct marketing communications and managing direct marketing processes. | Legitimate interests: keeping our customers informed about our products and services. From time to time, we may also undertake consent-based direct marketing. |
| Events | We may use event data when arranging and running conferences, lectures and other events. | Legitimate interests: improving our networks and relationships, and sharing information with our community, via events. We may also share event attendee lists, but we will only include your details on such lists if we have your consent to do so. |
| Research and analysis | We may use your personal data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our organisation. | Legitimate interests: monitoring, supporting, improving and securing our software, services, website and business operations generally. |
| Record keeping | We may use your personal data for the purpose of creating and maintaining our databases, back-up copies of our databases and our organisation records generally. | Legitimate interests: ensuring that we have access to all the information we need to properly and efficiently run our organisation in accordance with this notice. |
| Security | We may use your personal data for security purposes and the prevention of fraud and other criminal activity. | Legitimate interests: protection of our website and organisation, and the protection of others. |
| Insurance and risk management | We may use your personal data where necessary for the purpose of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. | Legitimate interests: the proper protection of our organisation against risks. |
| Business transactions | We may use your personal data to evaluate or conduct a merger, divestiture, restructuring, reorganisation, dissolution, sale or other corporate transaction. | Legitimate interests: the management, administration, development and transformation of our business. |
| Legal claims | We may use your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. | Legitimate interests: protection and assertion of our legal rights, your legal rights and the legal rights of others. |
| Legal compliance and vital interests | We may use your personal data to stay compliant with applicable laws and regulations. | Compliance with legal obligations and protection of vital interests. |

4. Providing your personal data to others

Our group companies listed at the end of this notice act as joint controllers of your personal data with respect to the processing described in this notice and may share personal data insofar as reasonably necessary for the purposes, and on the legal bases, set out in this notice.

We may share your personal data with our service providers, as detailed below.

We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.

We may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

We may disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

5. International transfers of your personal data

We and our other group companies have offices and facilities in the UK, the USA and Australia. Transfers to the USA and Australia will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the competent data protection authorities.

We use a range of service providers, and some of those service providers need to process your personal data in order to enable us to operate our business generally. You can find details of international transfers to or by our service providers below.

In any case, we may transfer your personal data from the European Economic Area (EEA) to the UK and process that personal data in the UK for the purposes set out in this notice, and may permit our suppliers and subcontractors to do so, during any period with respect to which the UK benefits from an adequacy decision under EU data protection law; and we may transfer your personal data from the UK to the EEA and process that personal data in the EEA for the purposes set out in this notice, and may permit our suppliers and subcontractors to do so, during any period with respect to which EEA states benefit from adequacy regulations under UK data protection law.

6. Retaining and deleting personal data

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This table sets out our maximum data retention periods – in each case following the specified reference date.

| Data category | Maximum retention period | Reference date |
| --- | --- | --- |
| CRM data | 7 years | The later of: (i) the date of the termination of the relevant customer contract; and (ii) the date of the last communication between us and the relevant customer. |
| Marketing data | 7 years | The date of sending of the last marketing communication. |
| Other communication data | 7 years | The date of the collection of the data. |
| Event data | 7 years | The last day of the event. |
| Usage and analytics data | 7 years | The date of collection of the data. |

If you grant to us a licence to publish any of your personal data, we may continue to retain and publish that personal data after the end of the relevant retention period in accordance with the applicable licence terms, subject to your data subject rights. If we cease to publish such personal data after the end of the relevant retention period, that personal data will be retained for a maximum period of 7 years following the date that publication ceases.

Notwithstanding the foregoing, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

7. Your rights

In this table, we have listed the rights that you have under data protection law.

| Your rights | What you can do |
| --- | --- |
| Right to access | You can ask for copies of your personal data |
| Right to rectification | You can ask us to rectify inaccurate personal data and to complete incomplete personal data |
| Right to erasure | You can ask us to erase your personal data |
| Right to restrict processing | You can ask us to restrict the processing of your personal data |
| Right to object to processing | You can object to the processing of your personal data |
| Right to data portability | You can ask that we transfer your personal data to another organisation or to you |
| Right to complain to a supervisory authority | You can complain about our processing of your personal data |
| Right to withdraw consent | If the legal basis of our processing is consent, you can withdraw that consent |

These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

and

https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.

8. Third party websites

Our website includes hyperlinks to, and details of, third party websites. In general, we have no control over, and are not responsible for, the privacy policies and practices of third parties.

9. Updating information

Please let us know if the personal information that we hold about you needs to be corrected or updated.

10. Amendments

We may update this notice from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this notice.

11. Our details

Details of our group companies are set out in this table.

| Company name | Jurisdiction and number | Address |
| --- | --- | --- |
| Micad Systems (Australia) PTY Ltd | Australia, ACN 653 592 262, ABN 51 653 592 262 | Pyrmont, NSW 2009 |
| Micad Systems (UK) Ltd | England and Wales, 2121580 | G32-G38 Two Four Nine North, Church Street, Altrincham, WA14 4DZ |
| Micad USA LLC | South Carolina (USA), 00818109 | 1318 N. Main St #1057, Summerville, SC 29483 |
| Zetasafe Ltd | England and Wales, 04694186 | G32-G38 Two Four Nine North, Church Street, Altrincham, England, WA14 4DZ |

Our group data protection officer can be contacted by writing to privacy@micadsoftware.com.

12. Registration

We are registered as a data controller with the UK Information Commissioner’s Office.

Our data protection registration numbers are Z3370691 and Z9253709.

Service Providers

This page contains details of our service providers – those that handle personal data relating to the personnel of our customers, as well as those that handle personal data relating to the personnel of our prospective customers, suppliers and business partners.

The following terms, used on this page, have special meanings under data protection law.

Controller: This is a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor: A natural or legal person which processes personal data on behalf of a controller.

Subprocessor: A processor engaged by another processor.

Controllers

In some cases, we provide personal data to a service provider, or enable a service provider to collect personal data, in circumstances in which that service provider is a controller of that data. We will generally act as independent controllers with respect to our processing of that data.

| Service provider | Services | Personal data* | Data location(s) and transfer safeguards | |
| --- | --- | --- | --- | --- |
| Google | Website analytics and advertising platform services | Website and application usage and analytics data; online advertising data | Google may transfer data to the USA and the other jurisdictions in which it operates. For details of Google’s data centre locations, see: https://datacenters.google/locations/. All transfers will be protected by adequacy determinations or approved contractual protections. | https://policies.google.com/privacy?hl=en-US |
| LinkedIn | Advertising services | Marketing data | LinkedIn may transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://www.linkedin.com/legal/privacy-policy |

*Personal data is categorised, where practicable, using the scheme set out in our privacy notice at https://www.micadsoftware.com/resources/data-protection/.

Processors

Where we act as a controller of personal data, service providers who handle that data will usually act as our processors. This category covers, for example, the providers of our customer relationship management systems, accounting systems and general communications systems.

We have obligations under data protection law to make available to data subjects information about these service providers and/or the categories of these service providers.

| Service provider | Services | Personal data* | Data location(s) and transfer safeguards | |
| --- | --- | --- | --- | --- |
| Eventbrite | Events platform | Events data | Eventbrite stores data in the USA. All transfers to the USA will be protected by approved contractual protections. | https://www.eventbrite.co.uk/help/en-gb/articles/363929/eventbrite-eu-data-protection/ https://www.eventbrite.com/help/en-us/articles/429030/data-processing-addendum-for-organizers/ |
| SendGrid by Twilio | Email services including mailshots | CRM data, marketing data, other communication data, event data. | Twilio may also transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations (including with respect to the EU-US data privacy framework and its extensions), binding corporate rules and/or approved contractual protections. | https://sendgrid.com/en-us/resource/general-data-protection-regulation-2 https://www.twilio.com/en-us/legal/data-protection-addendum |
| Xero | Accounting platform | CRM data | Xero may also transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://www.xero.com/uk/accountant-bookkeeper-guides/gdpr-and-data-privacy-in-accounting/ https://www.xero.com/uk/legal/terms/data-processing/ |
| Zoho | Customer relationship management platform | CRM data, marketing data, other communication data, event data. Also, any data submitted using a Zoho-powered online form. | Zoho may transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://www.zoho.com/gdpr.html |

*Personal data is categorised, where practicable, using the scheme set out in our privacy notice at https://www.micadsoftware.com/privacy-policy/.

Subprocessors

In those circumstances where we act as a processor of personal data on behalf of our customers, service providers who handle that data will act as our subprocessors. This category covers service providers handling personal data from our application databases and personal data associated with support queries.  We have obligations under our contracts with customers relating to these service providers, including an obligation to notify customers of changes to subprocessors. We may fulfil this obligation by sharing updates to this page.

Under our standard terms and conditions, customers grant to us a general authorisation to appoint subprocessors and to change subprocessor appointments with respect to the services categories set out in this table.

| Service provider | Services | Personal data | Data location(s) and transfer safeguards | |
| --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting, compute and related services | Personal data stored in or relating to our application databases | AWS may transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations (including with respect to the EU-US data privacy framework and its extensions) or approved contractual protections. | https://aws.amazon.com/compliance/gdpr-center/ https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html |
| Google Cloud | Cloud hosting, compute and related services | Personal data stored in or relating to our application databases | Google may transfer data to the USA and the other jurisdictions in which it operates. For details of Google’s data centre locations, see: https://datacenters.google/locations/. All transfers will be protected by adequacy determinations or approved contractual protections. | https://cloud.google.com/privacy/gdpr https://cloud.google.com/terms/data-processing-addendum |
| Hevo | Platform automating data replication | Personal data provided when signing up to the services, settings and configuration data, communication data. | Our primary Hevo processing location is the EU. Hevo may transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://hevodata.com/legal-resources/ |
| Microsoft Azure | Cloud hosting, compute and related services | Personal data stored in or relating to our application databases | Our primary Azure data storage location is the UK. Microsoft will only transfer this personal data outside the UK under limited circumstances. Where such transfers are necessary, they will be covered by approved contractual protections. | https://learn.microsoft.com/en-us/compliance/regulatory/gdpr https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA |
| SolarWinds | IT service management, asset management, CMDB, reporting | Data relating to the use of our applications | SolarWinds may transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://www.solarwinds.com/general-data-protection-regulation-core-it https://www.solarwinds.com/legal/legal-documents/customer-data-processing-addendum |
| SurveyMonkey | Online surveys | Survey submissions | SurveyMonkey may transfer data to the USA and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://help.surveymonkey.com/en/wufoo/account/wufoo-privacy-gdpr/ https://www.surveymonkey.com/mp/legal/data-processing-agreement/ |
| TrueContext | Forms management service | Form submission data | TrueContext may transfer data to the USA, Canada and the other jurisdictions in which it operates. All transfers will be protected by adequacy determinations or approved contractual protections. | https://truecontext.com |
| Zendesk | Support services platform | Personal data included in and associated with support tickets that we process via Zendesk | Zendesk may transfer data to the USA and the other jurisdictions in which it operates. In the absence of an adequacy determination protecting transfers, these transfers are protected by binding corporate rules and/or approved contractual protections. | https://support.zendesk.com/hc/en-us/articles/4408831692954-GDPR-Frequently-asked-questions-about-Zendesk-Support https://www.zendesk.co.uk/company/data-processing-form/# |

If you would like more information about any of our service providers and their GDPR compliance frameworks, please do get in touch via privacy@micadsoftware.com.