Terms & Conditions /
Privacy Policy

Data Privacy Notice

We are REFLECT DIGITAL LIMITED with registered number 07519322 and address Kings Lodge London Road TN15 6AR. Our Data Protection Lead can be contacted at dataprotection@reflectdigital.co.uk. We have produced this privacy notice in order to keep you informed of how we handle your personal data. All handling of your personal data is done in compliance with the General Data Protection Regulation (EU) 2016/679 (“Data Protection Legislation”). The terms “Personal Data”, “Special Categories of Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor”, “Data Subject” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation. “Data Protection Lead” is the title given to the member of staff leading our data protection compliance programme in lieu of a requirement for a Data Protection Officer.

What are your rights?

When reading this notice, it might be helpful to understand that your rights arising under Data Protection Legislation include:

• The right to be informed of how your Personal Data is used (through this notice);
• The right to access any personal data held about you;
• The right to withdraw consent at any time, by emailing dataprotection@reflectdigital.co.uk;
• The right to rectify any inaccurate or incomplete personal data held about you;
• The right to erasure where it cannot be justified that the information held satisfies any of the criteria outlined in this policy;
• The right to prevent processing for direct marketing purposes, scientific/historical research or in any such way that is likely to cause substantial damage to you or another, including through profile building; and
• The right to object to processing that results in decisions being made about you by automated processes and prevent those decisions being enacted.

You can exercise your right to access personal data held about you by emailing dataprotection@reflectdigital.co.uk with the subject line: “Subject Access Request”. When you submit a ‘subject access request’, you will need to provide confirmation of your identity by attaching a photocopy of your driver's license or passport. This is provided free of charge and our response will be made within thirty (30) days unless our Data Protection Lead deems your request as being excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance and/or any associated delays, giving you the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section ‘Who can you complain to?’.

If you have questions about any of the rights mentioned in this section, please contact our Data Protection Lead at dataprotection@reflectdigital.co.uk.

Who is the Data Controller?

• If we have collected your personal data directly from you for our own purposes, we are the Data Controller.
• If your data has been passed to us by a third party for processing under their instruction, that third party is the Data Controller. They should have notified you that they would be passing your personal data to us, REFLECT DIGITAL LIMITED, at the time they collected your data and within their own privacy notices/standards. For a list of Data Controllers that we process personal data for, the section below ‘Third Party Interests’.

What are the lawful bases for processing personal data?

Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are outlined in Article 6, Section 1 of the GDPR. They are sub-sections:

a) ‘your consent’;

b) 'performance of a contract';

c) 'compliance with a legal obligation';

d) 'protection of your, or another’s vital interests';

e) ‘public interest/official authority’; and

f) 'our legitimate interests'.

What are REFLECT DIGITAL LIMITED’s ‘legitimate interests’?

Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact dataprotection@reflectdigital.co.uk.

About our processing of your data

We might collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

Identity Data such as names, usernames or similar; marital status; title; date of birth; sex and gender.

Contact Data such as addresses; email addresses and telephone numbers.

Financial Data such as bank account and payment card information.

Transaction Data such as information about payments and details of purchases you have made.

Technical Data such as IP addresses; login data; browser info; time zone; location; browser plug-ins; operating systems; platforms and other technology on the device used to access this website.

Profile Data such as usernames; passwords; security answers; purchases/orders; interests; preferences; feedback and responses to surveys, blogs and messages.

Usage Data such as analytics relating to how you use the website.

Marketing and Communications Data such as your preferences about receiving communications from us or third parties.

Special Categories of Data such as details about race or ethnic origins, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data.

We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data can be derived from your Personal Data but is not itself Personal Data as it cannot be used to reveal your identity. If Aggregated Data is ever used in combination with your Personal Data and becomes identifiable, it will be treated in accordance with this notice.

Reference	What categories of information about you do we process?	Why are we processing your data?	Where did we get your personal data from?
Client Custom Forms	Identity Data Contact Data	We provide our clients with the option to create customised web-forms for collecting personal data. Our clients, as Data Controllers, determine the purpose for collecting the information, however, we process your personal data on their behalf by hosting the service. This processing is conducted lawfully on the basis of 'performance of a contract'.	Passed by clients (Data Controllers) who will have informed you in advance of us receiving your information through their own notices.
Client 'Contact Us' Forms	Identity Data Contact Data	Our clients use 'Contact Us' web forms to collect your personal data that we process on their behalf in order to facilitate contact between the two of you through our client's website. This processing is conducted lawfully on the basis of 'performance of a contract'.	Passed by clients (Data Controllers) who will have informed you in advance of us receiving your information through their own notices.
Client Mailing Lists	Identity Data Contact Data Marketing and Communications Data	We provide direct mailing management services on behalf of our clients, including maintaining the lists to which you are subscribed, the services which send the messages, and the sending of messages. This processing is conducted lawfully on the basis of 'performance of a contract'.	Passed by clients (Data Controllers) who will have informed you in advance of us receiving your information through their own notices.
Scoop Marketing	Identity Data Contact Data Marketing and Communications Data	Providing mailing updates to subscribers to Scoop. This processing is conducted lawfully on the basis of 'your consent'.	Passed by Scoop (Data Controllers) who will have informed you in advance of us receiving your information through their own notices.
B2B Marketing	Identity Data Contact Data Transaction Data Marketing and Communications Data	Marketing to contacts at our business partners and to businesses that we believe would benefit from our services. This processing is conducted lawfully on the basis of 'our legitimate interests'.	Directly obtained.
Pre-populating	Identity Data Contact Data Technical Data Marketing and Communications Data	We offer some clients a service that allows their web-forms requesting more information from you to appear pre-populated where they already possess some personal data about you, for your convenience. This processing is conducted lawfully on the basis of 'performance of a contract'.	Passed by clients (Data Controllers) who will have informed you in advance of us receiving your information through their own notices.
Client Services	Identity Data Contact Data Financial Data Transaction Data	We hold some personal data about our client's employees in order to communicate with our clients and perform all of our obligations efficiently and transparently. This processing is conducted lawfully on the basis of 'performance of a contract'.	Directly obtained.
Supplier Contracts	Identity Data Contact Data Transaction Data	We hold some personal data about our supplier's employees in order to communicate with our suppliers and ensure effective performance of the services we receive, including fulfilling our obligations as necessary. This processing is conducted lawfully on the basis of 'performance of a contract'.	Directly obtained.
Social Media	Identity Data Contact Data Profile Data	We use social media in order to increase our presence, making it easier for clients and others to contact us. This processing is conducted lawfully on the basis of 'our legitimate interests'.	Directly obtained.

What happens if I refuse to give REFLECT DIGITAL LIMITED my personal data?

We process some personal information as part of a contractual relationship with a Data Controller. Any requests to restrict this type of processing should be forwarded to the Data Controller; they will be responsible for discussing your concerns and making any decisions.

What profiling or automated decision making does REFLECT DIGITAL LIMITED perform?

REFLECT DIGITAL LIMITED does not perform any profiling or automated decision making based on your personal data.

How long will your personal data be kept?

REFLECT DIGITAL LIMITED holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold and the length of time for which it is held. 

• If ‘consent’ is the basis for our lawful processing of your data, we will retain your data so long as both the purpose for which it was collected, and your consent, are still valid. We will consider your consent as valid so long as you continue to receive our emails or login to our website forums. Occasionally, we might identify a legitimate interest in retaining some of your personal data that has been obtained by consent. If we do, we will inform you that we intend to retain it under these conditions and identify the interest specifically.
• If we process your data on the basis of ‘legitimate interests’, we will retain your data for as long as the purpose for which it is processed remains active. We review the status of our legitimate interests every twelve (12) months and will update this notice whenever we determine that either a legitimate interest no longer exists or that a new one has been found.
• All categories of personal data that are held by us because they are essential for the performance of a contract, will be held for a period of six years, as determined by reference to the Limitations Act 1980,  for the purposes of exercising or defending legal claims.

Who else will receive your personal data?

REFLECT DIGITAL LIMITED passes your data to the third parties listed in the section ‘Third Party Interests’ below.

Does your data leave the EU?

Yes. Details are included in the section ‘Third Party Interests’ below.

Third Party Interests

Data Controllers

Name of Third Party Controller	What processing are we performing for them?	If applicable - who is their representative within the EU?
Reflect Digital Clients	We host the website and web form enquiry data. No data is passed	N/A
HMRC and other regulatory authorities	Financial accounts required for tax purposes.		N/A

Our Data Processors

Name of Third Party Processor	Purposes for carrying out processing	If applicable – where does data leaving the EEA go and what safeguards are in place?
US Based Hosting Companies	Hosting of client website and form data from client enquiries	Contractual conditions and Privacy Shield compliance
UK Based Hosting Companies	Hosting of client website and form data from client enquiries	Contractual conditions and Privacy Shield compliance
CRM	Holding client company data, and enquiry form data from our website.	N/A
US Based Email Marketing	We use Email Marketing clients on behalf of both our clients and Reflect Digital, to send emails to our subscribers	EU Model Clauses Agreement in place
UK Based Email Marketing	We use Email Marketing clients on behalf of both our clients and Reflect Digital, to send emails to our subscribers
Email Supplier	All emails both internally and externally are sent from our Email Supplier	N/A
Email Sending Service	All emails sent from our Scoop platform are sent via our Email Sending service for additional monitoring on bounce and delivery rates.	Contractual conditions and Privacy Shield compliance
Accounting Software	Used for all invoicing/billing	Contractual conditions and Privacy Shield compliance
Financial Services	For processing of payroll, and purchasing of 3rd party software/services	N/A

Who can you complain to?

In addition to sending us your complaints directly to dataprotection@reflectdigital.co.uk, you can send complaints to our supervisory authority. As REFLECT DIGITAL LIMITED predominantly handles the personal data of UK nationals, our supervisory authority is the Information Commissioner’s Office. If you believe that we have failed in our compliance with data protection legislation, complaints to this authority can be made by visiting https://ico.org.uk/concerns/.