Privacy Policy

Last update:

The website equarisk.com is owned and operated by the company Equarisk Limited, registered with Companies House in the UK (company number 16177922).

Throughout this privacy policy, references to the EU GDPR should be understood to include the UK GDPR, where applicable. Although the UK has adopted the GDPR independently post-Brexit, the principles and obligations remain closely aligned. Therefore, any mention of the EU GDPR in this document should also be interpreted as referencing the UK GDPR where appropriate.

Introduction

At Equarisk, we take the protection of your personal data very seriously and always process your personal data in accordance with the statutory data protection regulations. This privacy notice tells you what to expect us to do with your personal information. Your relationship to our organisation mainly determines which data in particular are processed or used by us. For this reason, some parts of this privacy notice may not apply to you.

We regularly review and update our privacy policy. Significant changes will be communicated through our website and, when appropriate, via direct notifications. We encourage you to review this policy periodically to stay informed about how we protect your data.


Contact details

For any inquiries regarding data protection and privacy practices, please contact our Data Protection Officer (DPO):


Information we collect and why

We process personal data that we receive from you when you contact us or use our website, in particular when you show interest in our software, consulting and training business.

We collect or use the following information to provide and improve products and services for clients:

  • Personal Identification and Contact Details
    Including title, name, address, date of birth, email address, telephone number

  • Payment Details
    Including card or bank information for transfers and direct debits

  • Transaction Data
    Including details about payments to and from you, and details of products and services purchased

  • Usage Data
    Including information about how you interact with and use our website, products, and services

  • Contractual Data
    Including data arising from the fulfillment of our contractual obligations (e.g. risk and safety management consulting, recruiting contract staff, delivering training services, inspecting industrial plant)

  • Online Behavior and Preferences
    Including IP addresses, identifying features of mobile devices, data on website/app access, geolocation data

  • Advertising and Sales Data
    Including information on consents granted or objections lodged

  • Technical and Diagnostic Data
    Including error logs, system performance metrics, browser and device specifications

  • User Preference and Configuration Data
    Including customisation settings, saved configurations, user interface preferences, feature usage patterns

  • Support Communication Data
    Including records of support tickets, survey responses, product review data

  • Authentication and Security Data
    Including two-factor authentication details, login attempts, session identifiers, security tokens

  • Compliments and Complaints
    Including information relating to compliments or complaints

  • Records of Meetings and Decisions
    Including documenting key business interactions

  • Account Access Information
    Including data related to how your account is accessed


Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights, which are set out in brief below:

  • Your Right of Access
    You have the right to request copies of your personal information. You can also ask for details about where we obtain your data and with whom we share it.

  • Your Right to Rectification
    You have the right to request correction or deletion of any personal information that you believe is inaccurate or incomplete.

  • Your Right to Erasure
    You have the right to ask us to delete your personal information.

  • Your Right to Restrict Processing
    You have the right to request that we limit how we use your personal information.

  • Your Right to Object to Processing
    You have the right to object to the processing of your personal data.

  • Your Right to Data Portability
    You have the right to request that we transfer the personal information you provided to another organisation or directly to you.

  • Your Right to Withdraw Consent
    If processing is based on your consent, you have the right to withdraw that consent at any time.

For more details on your data protection rights and any exemptions, please visit the ICO’s website.

If you make a request, we will respond without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information are outlined in the following sections.

In order to fulfill contractual obligations (Article 6, Paragraph 1 Letter b of the EU GDPR)

Processing is performed to fulfill our contract with you and to perform pre-contractual measures, instigated on your initiative. For example:

  • Producing project proposals
  • Delivering our software products
  • Communicating with you and your colleagues during consulting projects
  • Evaluating your applications for certificated training programmes
  • Dispatching invoices
  • Assessing your suitability for associate placements and employment
  • Enrolling and rewarding you as an associate or employee

Please refer to the relevant contractual documents and Terms and Conditions of Business for further details of the data processing purposes.

Within the context of weighing up interests (Article 6, Paragraph 1, Letter f EU GDPR)

Processing is performed to protect our legitimate interests or those of third parties unless overridden by your interests which require protection of personal data. Examples:

  • The need to build and maintain permanent and productive relationships with clients, suppliers, partners, employees and all other stakeholders
  • Managing our risks, maintaining accurate records and operating our business efficiently
  • Data processing and analysis to ensure a personalised appeal and tailored offerings
  • Data processing and analysis for the purpose of improving and developing intelligent and innovative services and products
  • Data processing and analysis for creating automated evaluations e.g. as the basis for price adjustments
  • Assertion of legal claims and defence in case of legal disputes
  • Ensuring IT security and IT operations
  • Video surveillance to exercise the right of who shall be allowed or denied access to premises and for collecting evidence in case of criminal activities
  • Processing of incoming requests from interested parties and non-customers

On the basis of your consent (Article 6, Paragraph 1, Letter a of the EU GDPR)

Provided you have consented to us processing your personal data for specific purposes, processing is legal on this basis. Consent may be revoked at any time. This also applies to the revocation of declarations of consent that were granted to us before the EU GDPR came into effect, thus before 25 May 2018. Revocation of consent is only effective for the future and does not affect the legality of data processing up to the date of the revocation.

On the basis of legal requirements (Article 6, Paragraph 1, Letter c of the EU GDPR)

Processing may be performed in order to fulfill legal obligations. For example:

  • Communicating with national or regional governments in relation to company registrations or taxation
  • Securing or archiving data for specified purposes and periods
  • Health and safety reporting
  • Communicating with embassies, consulates or visa issuing authorities
  • Managing the employee lifecycle

The relationship between our main operational processes and our lawful bases for processing personal data is as follows:

Project management

  • Purpose: Coordinating the delivery of services to clients using project methodologies.
  • Legal bases: Contract; Legitimate Interest

Software Operations and Maintenance

  • Purpose: Ensuring the smooth operation and performance of our online software services. This includes collecting diagnostic data (e.g. error logs, system performance metrics, and crash reports) to troubleshoot issues, provide timely updates, and continuously improve our software.
  • Legal bases: Contract; Legitimate Interest

User Support and Technical Assistance

  • Purpose: Facilitating effective technical support by processing data related to support tickets, bug reports, and troubleshooting queries. This ensures that any issues you encounter with our software are resolved promptly and efficiently.
  • Legal bases: Contract; Legitimate Interest

Business development

  • Purpose: Informing prospective clients about the services offered; issuing proposals; building sustainable client relationships.
  • Legal bases: Contract; Legitimate Interest

Contact management

  • Purpose: Maintaining contact details and facilitating communications between employees, associates, and all other stakeholders.
  • Legal bases: Contract; Legal Obligation; Legitimate Interest

Resourcing services

  • Purpose: Coordinating the recruitment, registration, and remuneration of associates.
  • Legal bases: Contract; Legal Obligation; Legitimate Interest

Travel management

  • Purpose: Organising business travel for Equarisk staff and associates.
  • Legal bases: Contract; Vital Interest; Legal Obligation; Legitimate Interest

Office administration

  • Purpose: Performing all activities associated with administrative support for the Equarisk group of businesses.
  • Legal bases: Contract; Legitimate Interest

Company legal administration

  • Purpose: Administering the legal requirements for registering companies within the Equarisk group.
  • Legal bases: Legal Obligation; Legitimate Interest

External auditing

  • Purpose: Facilitating periodic visits from certified auditors with access to all data.
  • Legal bases: Legitimate Interest

Corporate archiving

  • Purpose: Secure storage of business records for extended periods in offsite locations.
  • Legal bases: Contract; Legal Obligation; Legitimate Interest

Training services

  • Purpose: Managing all information pertaining to the enrolment and performance of clients and staff on training courses.
  • Legal bases: Contract; Legitimate Interest

Financial management

  • Purpose: Processing payments to suppliers of goods and services and billing clients for completed work.
  • Legal bases: Contract; Legal Obligation; Legitimate Interest

Accident reporting

  • Purpose: Administering the reporting of workplace incidents and injuries.
  • Legal bases: Vital Interest; Legal Obligation; Legitimate Interest

IT change management

  • Purpose: Undertaking technical and administrative changes to IT systems in response to personnel changes.
  • Legal bases: Contract; Legitimate Interest

Employee HR management

  • Purpose: Managing and administering the employee lifecycle.
  • Legal bases: Contract; Legal Obligation; Legitimate Interest

Recipients of personal data

Within our organisation, departments with access to your data are those which require them to fulfill their respective duties in the organisation and to fulfill our contractual and legal obligations.

Service providers deployed by us may also receive data. They may include:

  • Post and printing service providers
  • IT service providers
  • Telecommunication service providers
  • Payroll processors
  • Sales partners
  • Web service providers
  • Credit agencies
  • Collection agencies
  • Legal advisors
  • Auditors
  • Insurance providers
  • Banks
  • Suppliers of references
  • Customer Relationship Management (CRM) platforms for managing client interactions
  • Data analytics and performance monitoring providers to track software usage and system performance
  • Marketing automation and email service providers for targeted communication

In certain circumstances, personal data may also be forwarded to public departments (e.g. tax authorities, job centres), judicial and law enforcement authorities (e.g. police, district attorney’s offices, courts), attorneys, notaries and chartered accountants.

We only share personal data with third parties when strictly necessary to fulfill contractual obligations or comply with legal requirements.


Where we get personal information from

We collect personal information from a variety of sources to ensure we have the necessary data to provide and improve our products and services. These sources include:

  • Directly from you
    Information you provide when you interact with our website, fill out forms, subscribe to newsletters, make purchases, or contact us directly.

  • Publicly available sources
    Data that is already in the public domain, including professional directories, social media profiles, or public records.

  • Market research organisations
    Third-party providers who supply insights and data to help us better understand market trends and customer preferences.

  • Providers of marketing lists and other personal information
    External companies that offer curated lists and databases, which we use for targeted marketing in compliance with data protection laws.

  • Suppliers and service providers
    Partners who assist with various operational tasks such as website analytics, customer relationship management (CRM), payment processing, and other services. These providers may share information necessary to support our business operations.


How long we keep information

Equarisk adopts a standard minimum retention period for data of 7 years, except where a shorter period has either been mandated in law, or where this is specified in contractual terms agreed between us and a third party.

All personal data is subject to periodic (typically annual) reviews. It will then be maintained or erased in accordance with our obligations and legitimate interests.


Your data protection rights

In line with the statutory provisions, you hold the following data protection rights:

  • The right of access to information about data stored by Equarisk Limited (Article 15 EU GDPR)
  • The right to correction (Article 16 EU GDPR)
  • The right to erasure (Article 17 EU GDPR)
  • The right to restriction of processing (Article 18 EU GDPR)
  • The right to data portability (Article 20 EU GDPR)
  • The right to object (Article 21 EU GDPR)

How to complain

If you have any concerns about our use of your personal data, you can make a complaint using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also contact the ICO:

The ICO’s Address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF

Helpline Number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint


International data transfers

Some service providers may process your data outside the European Economic Area (EEA). In such cases, we implement appropriate safeguards, such as standard contractual clauses or adherence to recognized data protection frameworks, to ensure your personal data remains protected.


Security measures

To ensure the security of your personal data, we employ a range of measures, including:

  • Encryption: Data is encrypted both in transit and at rest.
  • Access Controls: Access to personal data is strictly limited to authorized personnel.
  • Regular Audits: We conduct periodic security audits and risk assessments.
  • Secure Storage: Personal data is stored using secure methods and backed up regularly.
  • Multi-Factor Authentication (MFA): An extra layer of security is required to access sensitive systems.
  • Vulnerability Management: We continuously monitor and remediate security vulnerabilities through regular patch management and software updates.
  • Firewalls and Intrusion Detection Systems (IDS): Network-level protections are in place to detect and prevent unauthorized access.
  • Penetration Testing: Regular testing is conducted to identify and address potential security weaknesses.
  • Incident Response and Data Breach Procedures: We have established protocols to respond promptly and effectively to any security incidents.
  • Employee Security Training: Regular training ensures that we are up-to-date with data protection principles and best practices.
  • Network Segmentation: Our network is segmented to contain potential breaches and limit access to critical systems.

Collection of personal data during visits to our website

(1) If the website is used purely for information purposes, i.e. if you do not register or transfer information to us in any other way, we shall only gather personal data that your browser transfers to our server. If you wish to view our website, we will collect the following data, which are technically necessary for us to display our website to you and to guarantee stability and security (legal basis is Article 6, Paragraph 1, Sentence 1, lit. f of the EU GDPR):

  • IP address
  • Date and time of request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of request (specific page)
  • Access status / HTTP status code
  • Volume of data transferred each time
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of browser software

(2) In addition to the data stated above, cookies will also be stored on your computer when you use our website. Cookies are small text files which are stored on your hard disk and assigned to the browser used. They allow certain information to flow to the place that set the cookie (in this case by us). Cookies are not able to execute programs or to infect your computer with viruses. They are used to make the internet offering as a whole more user-friendly and effective.

(3) Use of cookies

(a) This website uses two types of cookies, whose scope and operating principle are explained below.

(b) Transient cookies: these are automatically deleted when you close your browser. These include, in particular, session cookies. They save a so-called session ID which allows various requests from your browser to be assigned to the common session. This enables your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.

(c) Persistent cookies: these are automatically deleted after a period, which can differ according to the cookie concerned. You can delete cookies at any time in the security settings of your browser.

(d) You can configure your browser settings in line with your wishes, for example by rejecting third party cookies or all cookies. Please be aware that you may not be able to use all functions of this website.

(4) Use of Google Analytics

(a) This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files stored on your computer that make it possible to analyse how you use the website. The information generated by the cookie about how you use this website is usually transmitted and stored on a Google server in the USA. In the event of IP anonymisation being activated on this website, your IP address will first be shortened by Google within any member state of the European Union or any other signatory state of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of Equarisk to analyse how you use the website, to compile reports about website activities and to provide other services to Equarisk associated with how the website and the internet are used.

(b) Google will not merge the IP address transmitted by your browser and registered by Google Analytics with any other data.

(c) You can prevent cookies from being stored by making a corresponding setting in your browser software. Please be aware that if you do this, you may not be able to use all functions of this website to their full extent. In addition, you can also prevent the data generated by the cookie relating to how you use the website (including your IP address) being registered and processed by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

(d) This website uses Google Analytics with the extension “_anonymizeIp()”. This processes IP addresses in a shortened form, ruling out the possibility of personal reference. In the event that there is a personal reference in the data collected, this will be ruled out immediately and the personal data deleted forthwith.

(e) We use Google Analytics to analyse how our website is used, enabling us to improve it regularly. The statistics gained allow us to improve our offering and make it more interesting for you as a user. If in exceptional cases personal data are transmitted to the USA, Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. Legal basis for the use of Google Analytics is Article 6, Paragraph 1, Sentence 1, lit. f of the EU GDPR.

(f) Information from the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of service: http://www.google.com/analytics/terms/us.html, Privacy overview: http://support.google.com/analytics/answer/6004245?hl=en, and the privacy policy: http://policies.google.com/privacy?hl=en&gl=en.

(5) Use of social media plug-ins

Addresses of the respective plug-in providers and URLs with their privacy policies:

(a) Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA; https://policies.google.com/technologies/partner-sites?hl=en. Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(b) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/en/privacy. Twitter is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(c) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(6) Integration of YouTube videos

(a) Our online offering includes integrated YouTube videos which are stored on http://www.YouTube.com and which can be played directly from our website. This is all included in “advance data protection mode”, i.e. no data about you as a user are transmitted to YouTube if you don’t play the videos. Only when you play the videos will the data stated in Paragraph 2 be transmitted. We have no influence over this data transmission.

(b) When you visit the website, YouTube receives information that you have called up the corresponding page of our website. In addition, the data stated in Article 3 of this privacy policy will also be transmitted. This is done regardless of whether you have a YouTube user account which you are logged on to or whether you do not have a user account. If you are logged on to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your YouTube profile, you must log off before you activate the button. YouTube will store your data as a usage profile and will use this for the purposes of advertising, market research and/or requirement-orientated design of its website. Such analysis is also performed with users who are not logged on, in particular to provide requirement-orientated advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles. To exercise this right, please contact YouTube.

(c) Further information about the purpose and extent of data collection and how they are processed by YouTube can be found in the privacy policy. There, you will also find further information about your rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en. Google will also process your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(7) Integration of Google Maps

(a) We use the offering of Google Maps on this website. This allows us to display interactive maps directly on the website, enabling you to conveniently use the map function.

(b) When you visit the website, Google receives information that you have called up the corresponding page of our website. In addition, the data stated in Article 3 of this privacy policy will also be transmitted. This is done regardless of whether you have a Google user account which you are logged on to or whether you do not have a user account. If you are logged on to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your Google profile, you must log off before you activate the button. Google will store your data as a usage profile and will use this for the purposes of advertising, market research and/or requirement-orientated design of its website. Such analysis is also performed with users who are not logged on, in particular to provide requirement-orientated advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles. To exercise this right, please contact Google.

(c) Further information about the purpose and extent of data collection and how they are processed by the plug-in provider can be found in the privacy policy of the provider. There you will also find further information about your relevant rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en. Google will also process your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.


Further functions and offers of our website

(1) Besides the purely informational use of our website, we also offer various services that you can use if you are interested. For this, you will as a rule have to enter further personal data which we shall use to provide the service concerned and for which the above data processing principles apply.

(2) In part, we make use of external service providers to process your data. These have been carefully chosen and contracted by us, are bound by our instructions and are regularly checked.

(3) Moreover, we may share your personal data with third parties if services are offered by us together with our partners. Further information will be given when you submit your personal data or below in the description of the offer.

(4) In the event that our service providers or partners have their head office in a state outside the European Economic Area (EEA), we will inform you about the consequences of this situation in the description of the service.