Data Use Policy

At Straight Forward we operate in a data-driven world and are serious about respecting the personal data and privacy rights of everyone we come into contact with in running our business.

This privacy policy explains how and why we use personal data, and what we do to ensure that your information is kept safe and secure in accordance with the General Data Protection Regulation, the Data Protection Act 2018 and any other applicable data protection and privacy laws (Data Protection Laws).

This policy explains:

  1. Who we are and how to contact us
  2. How we collect and process personal data:
    1. Clients
    2. Business and professional contacts
    3. Recruitment
    4. Website shop customers
    5. CCTV
  3. Cookies and website visitors
  4. Recipients of personal data
  5. How long we store personal data for
  6. How we keep personal data safe
  7. International transfers
  8. Your rights as a data subject
  9. Updates to this policy

1. Who we are and how to contact us

We are Straight Forward Design Limited (SF, we, us or our), a limited liability company with registered number 06175417, having our registered office and main place of business at 112-114 Great Portland Street, London, United Kingdom, W1W 6PH. You can contact us by writing to us at our office address, telephoning us on 020 7580 2875 or emailing [email protected]

We are regulated as a controller under Data Protection Laws in relation to the personal data (meaning information which relates to an identified or identifiable individual) we collect and process in connection with our business. This means that we are responsible for deciding how and why we use personal data, and for keeping it safe. We are registered as a data controller with the Information Commissioner’s Office (ICO) with registration number ZA347639.

2. How we collect and process personal data

A. Clients

HOW WE COLLECT AND PROCESS PERSONAL DATA

We collect and process personal data relating to our clients and the work we do for them. This includes other people, such as the employees, officers and representatives of our corporate clients, and personal data relating to the client themselves if they are a sole trader. Usually this information is:

  • provided by clients;
  • collected in the process of providing brand related services (such as through email correspondence and exchanging business cards);
  • provided to us by third parties (such as other businesses we work with); and
  • obtained from external sources (such as Companies House).

THE TYPES OF PERSONAL DATA WE COLLECT

The types of personal data we collect will vary but usually include some or all of the following:

  • contact information (such as name, address, telephone number and email address); and
  • bank details (provided by a client or supplier and processed when we receive or make a payment).

We may process other types of personal data and, if we do, then it will be protected to the same high standards explained in this policy.

WHY WE NEED TO USE PERSONAL DATA

We use personal data because we need to for one or more of the following reasons:

  • to provide brand related services to an individual (namely, to perform a contractual obligation we owe to that individual);
  • to perform our contractual obligations (such as paying our suppliers);
  • to comply with our legal obligations; and
  • to pursue our legitimate interests in operating and promoting the success of our business, or to pursue the interests of our clients in providing our services.

If you do not provide the personal data which we need in order to enter into or to perform a contract with you, then we may not be able to contract with you or to provide the services which you have requested.

In limited circumstances, we may use personal data on the basis of your consent. If so, we will always clearly ask for your agreement to this. You are, of course, free to refuse this and we will inform you as to what (if any) consequences this might have.

B. Business and professional contacts

HOW WE COLLECT AND PROCESS PERSONAL DATA

We process personal data about individual business and professional contacts. These people include individual (or representatives from corporate) intermediaries, service providers and other organisations that have attended our events, and potential clients.

THE TYPES OF PERSONAL DATA WE COLLECT

The types of personal data we hold about these individuals typically consists of basic personal details and contact information, such as position title, name, email, address, telephone number and the person’s employer. Depending on the circumstances, and the nature of our relationship with the people involved, we may use this information to:

  • fulfil our contractual obligations or exercise contractual rights;
  • communicate with other organisations, advisers or intermediaries; or
  • send business related communications (usually by email).

OUR LAWFUL BASIS AND PURPOSES FOR COLLECTING PERSONAL DATA

We use this personal data because it is in our legitimate interests to promote our services and build business relationships.

C. Recruitment

HOW WE COLLECT AND PROCESS PERSONAL DATA

We collect, store and use personal data about individuals who apply to join us.

THE TYPES OF PERSONAL DATA WE COLLECT

This may include information:

  • you provide to us (such as in CVs, application forms, and through correspondence);
  • you provide during an interview;
  • obtained from previous employers and referees;
  • provided to us by recruitment agencies; and
  • received as a result of our carrying out background checks (such as checks for criminal convictions with the Disclosure and Barring Service).

The information we collect might include sensitive personal data, such as information about your health and sickness records.

If you apply for a position with us, we may carry out a check for criminal convictions in order to satisfy ourselves that there is nothing in your history which makes you unsuitable for the role. We do this because working with us involves a high degree of trust (as you will have access to confidential information).

We only carry out criminal records checks and ask for references at the last stage of the application process, when making an offer of employment, and always act in accordance with the specific requirements of Data Protection Laws and other applicable national laws.

OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA

We use the personal data we collect about you to:

  • assess your skills, qualifications, and suitability for a role;
  • carry out background and reference checks;
  • communicate with you about your application;
  • keep records related to our hiring process; and
  • comply with legal or regulatory requirements.

We do all of this because either it is a necessary part of entering into a contract of employment with you or because we have a legitimate interest in ensuring that you are suitable for a particular role.

If you fail to provide personal data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully.

If we need to process sensitive personal data about a job applicant, for example disability information in order to consider whether we need to provide appropriate adjustments during the recruitment process, we will ask for explicit consent to do this at the time at which we request the data or ensure that we satisfy another condition under Data Protection Laws for lawfully processing such data.

RETENTION OF APPLICANT INFORMATION

We normally retain personal data about unsuccessful candidates for between 3 and 6 months from the time we inform them of our hiring decision. We retain personal data for this period so that we can demonstrate, in the event of a legal claim, we have not discriminated against an applicant and that the recruitment process was fair and transparent. After this period, we will securely destroy this applicant’s personal data. If we wish to retain personal data on file, in case future opportunities arise, we will contact the applicant and ask for his or her consent to do so.

If you are successful, the personal data you provided in the application process will be stored as part of your personnel file.

D. POP-UP SHOP CUSTOMERS

HOW WE COLLECT AND PROCESS PERSONAL DATA

From time to time we will offer limited edition items for sale through our website shop. When we do this we will collect and process personal data from our customers that we need in order to provide them with an online account and to process the order and deliver the ordered items as well as related purposes such as handling queries and returns.

THE TYPES OF PERSONAL DATA WE COLLECT

If you buy items from us then we will directly collect the following information from you:

  • contact information including your name, delivery address, billing address, telephone number and email address;
  • purchase history data; and
  • login details (including username or email address and password).

For collecting your payment method details and processing your payment we use Stripe, a third party payments provider which holds the most stringent level of security certification available in the payments industry: https://stripe.com/docs/security/stripe.

WHY WE NEED TO USE PERSONAL DATA

We will use this personal data in order to:

  • perform our contractual obligations to fulfil the order; and
  • to pursue our legitimate interests in operating and promoting the success of our business.

E. CCTV

We operate a CCTV Security System on our premises for security purposes, to detect and prevent crime and protect the safety of our workers and visitors. We do not use it for any other purpose.

This means that we collect and store (for a limited period) images of visitors to our premises using our CCTV system and may have to use them in the event of a security incident. Our CCTV Security System is registered at the ICO.  We have a separate Straight Forward CCTV Security System Policy in accordance with the CCTV Code of Practice published by the ICO. If you have any questions, please ask us.

3. Cookies and website visitors

We do not normally collect personal data about visitors to our website unless they choose to provide such information when they contact us, for example by using the methods set out in the Contact section of our website.

We collect anonymous information about visitors to our website in order to optimise and improve the website. This might include IP addresses, browser or device details and the connection type (for example, the Internet service provider used). However, none of this information will by itself directly identify any particular user.

COOKIES

Web browsers place cookies on hard drives for record-keeping purposes and sometimes to track information (such as repeat visits). Our website uses Google Analytics cookies to enable us to measure how users interact with our website. Further information on the cookies and how they work can be found here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.

You can prevent these cookies by installing the Google Analytics opt-out browser extension by visiting https://support.google.com/analytics/answer/181881?hl=en or by adjusting your browser settings.

HYPERLINKS TO OTHER SITES

Our website contains hyperlinks to third-party websites (such as Instagram, LinkedIn, Pinterest, Twitter and Facebook). We are not responsible for the content or functionality of any of those external websites.  If an external website requests personal information from you, the information you provide will not be covered by this policy. We suggest you read the privacy policy of any website before providing any personal information.

4. Recipients of personal data

Personal data you provide to us will be kept private and confidential. We will only disclose or share it with other organisations and third parties where this is required:

  • in connection with our business of providing brand related services and where it is in the legitimate interests of ourselves or related third parties to do so. For example, we may share your contact details with the organisations and suppliers which are involved in an actual or potential project that you and we are jointly involved in;
  • by law, such as where we are required to comply with a court order, or to share personal data with regulatory authorities (including the Information Commissioner’s Office) in the event of an audit or investigation; or
  • where we have satisfied ourselves that we have another lawful basis for sharing your personal data.

We also share personal data with some of the third parties who provide services to our firm. This includes software and cloud service providers (such as Google and Dropbox), payments service providers (which is currently Stripe) and IT support services. However, these third parties will only process personal data (which may include your information) on our behalf for specified purposes and in accordance with our strict instructions.

We only use third party service providers who have provided sufficient guarantees, as required by Data Protection Laws, that your personal data will be kept safe. We always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to our business, in accordance with Data Protection Laws.

5. How long we store personal data for

We only retain personal data for as long as is necessary for the specific purposes it was collected for (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements).

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

6. How we keep personal data safe

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. This includes both physical security measures (such as keeping paper files in secure, access-controlled premises) and electronic security technology (such as digital back-ups and sophisticated anti-virus protection).

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.

We have put in place reporting procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.

7. International transfers

We normally only store personal data within the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:

  • ensuring the recipient is in a country which the European Commission has deemed provides adequate protection for personal data;
  • implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the European Commission; or
  • (if the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield Framework. For example, both Google and Dropbox, whose cloud-based services we use in our business, are registered under the Privacy Shield Framework.

If you would like more detailed information on the measures and safeguards which we implement for such data transfers, then please contact us using the details set out in section 1 above.

8. Your rights as a data subject

Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:

  • The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.
  • The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • The right to object to processing of your personal data. You can object to us processing your personal data for legitimate interests purposes or for direct marketing.
  • The right to restrict how your personal data is used. You can limit how we use your personal data in certain circumstances. Where this applies, any processing of your personal data (other than storing it) will only be lawful with your consent or where required for legal claims, protecting certain rights or important public interest reasons.
  • The right to have a portable copy or transfer your personal data. You can request us to provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to personal data which we obtain from you and, using automated means, process on the basis of your consent or in order to perform a contract.
  • The right to withdraw consent. If we are relying on consent to process your personal data then you have the right to withdraw that consent at any time.

RESPONDING

We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.

We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.

FEES FOR MAKING A REQUEST

You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

HOW TO MAKE A REQUEST

If you want to exercise any of the rights described above, please email [email protected] or write to Data Protection Requests, Straight Forward Design Limited, 112-114 Great Portland Street, London, United Kingdom, W1W 6PH.

YOUR RIGHT TO COMPLAIN TO A SUPERVISORY AUTHORITY

You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.

9. Updates to this policy

We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated on 23 November 2018.