Privacy Notice

Last updated 26 May 2019

When you use MindTrackers© services (the “Services”) either as a team administrator or a team member we require certain personal information about you.

We ask that you read this Privacy Notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.

This Privacy Notice should be read in conjunction with our terms of use:

  • For team leaders (i.e. organizations/teams subscribing to Services)
  • For individual team members where their organization/team is using Services and the organization/team wants team members to participate in using Services

Who we are

MindTrackers Limited (company number 9198941) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.

Where you are a child

Team members may only use Services if they’re over the age at which they can provide consent to data processing under the laws of their country. Administrators/subscribers must be 18 or over.

Regardless of local laws, children under 13 aren’t allowed to use our website. If you’re a parent and you learn that your child is using our website, and you don’t want them to, please get in touch with us at support@mindtrackers.com.

As a small company, we don’t have the resources to verify and track parental consent – so unfortunately, if you’re below the age at which you can provide consent in your country, you aren’t entitled to use Services.

The personal information we collect and use

Information collected by us

In the course of providing Services we collect the following personal information when you provide it to us:

  • Your name, e-mail address, and name and details of your organization/team where you are the team owner/subscriber to Services (“Administrator”)
  • Payment details (if you are an Administrator)
  • Information you input in response to our assessment questionnaires and tools (“Assessment Information”)
  • We also log your Internet Protocol (IP) address to enable us to receive and send information from and to you over the Internet. We also collect information on how you use our website, for example, by tracking which pages you visit or if you scroll to the bottom of those pages. This data can be viewed by authorized people within our organization to aid in fulfilling enquiries, improving the website and to provide you with the right information.

Information collected from other sources

We may also obtain personal information from other sources as follows:

  • Your name, e-mail address, and name of your organization/team from your organization/team owner where you are a team member who will use Services.

How we use your personal information

We use your personal information as follows:

  • We use your name and contact information to enable you to open an account on our website and manage your account, whether you are a team member or an Administrator. This gives you (and your team where applicable) access to and use of Services.
  • We may use your name, contact details and payment details for credit reference purposes (where you are an Administrator)
  • We use your Assessment Information to create aggregated reports and output which we provide to you and your team members, as well as for research and quality improvement purposes
  • To track your use of our website in order to ensure smooth functioning and security of the website

We do not make automated decisions concerning you.

Who we share your personal information with

We routinely share your personal information with our third party suppliers/providers (see details below in section headed “Transfer of your information out of the EEA”). Some of those third party recipients may be based outside the European Economic Area — for further information including on how we safeguard your personal data when this occurs, see ‘Transfer of your information out of the EEA’.

We will share aggregated assessment results with your team members. Unless you explicitly opt in to sharing them (e.g., in our “Communication Styles” assessment), your individual results will only be visible to you.

We will share personal information with law enforcement or other authorities if required by applicable law.

We may also share your personal information with third parties relating to any business sale, merger, liquidation, receivership or transfer of assets.

Whether information has to be provided by you, and if so why

The provision of your name and e-mail address is required from you to enable us to give access to Services to you or your organization/team. We will inform you at the point of collecting information from you, whether you are required to provide the information to us.

If you are an Administrator, we will also need to know your company name, its address, certain tax information (such as the VAT number) and other relevant details.

How long your personal information will be kept

We keep your information only for as long as we need it to provide services to you, to fulfil the purposes described in this policy or as otherwise described in our Terms of Use, or to comply with applicable laws, whichever is longest. This also applies to any other parties that we share your information with.

Here are some examples of categories of data along with their periods of retention:

  • payment and order data, including relevant access logs – 10 years
  • activity logs, minus the above – 1 year
  • transient activity records, such as e-mail invites or password reset requests – 3 months
  • account details – unlimited

We’ll depersonalize your information or remove it entirely from our systems once we no longer need it to comply with our legal or regulatory obligations, or for other purposes described in this policy. For example, if you delete your account, your personal data will be either deleted or anonymized in our database – although we will keep any relevant activity logs for the time period listed above.

Reasons we can collect and use your personal information

We rely on the following lawful reasons to collect and use your personal data and on occasion more than one lawful basis may apply to the processing:

  • to perform or enter into any contract with you or the organization you represent (if you are an Administrator)
  • our legitimate interests in carrying on our business in providing effective tools that promote collaboration and teamwork to organizations/teams and giving access to them to their team members; in determining what personal information we collect and share for our legitimate interests we carefully consider and balance our legitimate interests against your privacy interests
  • to comply with our legal obligations
  • to protect your vital interests or those of another person (e.g. in an emergency)
  • where you consent to the processing where we ask you to (e.g. for certain sorts of marketing or other processing where the law requires this)

Cookies

Most of the functionality on our website (such as logging in) requires cookies. For certain cookies consent is not required (e.g. those strictly necessary for the operation of the website or where collecting and using related data is in our legitimate interests); for others the law may require consent – by using our website, you consent to our use of cookies where consent is required. How we use cookies is described below.

We use “persistent” cookies on our website. Persistent cookies will remain stored on your device until deleted, or until they reach a specified expiry date.

We use cookies to enable our website to recognize you (as distinct from other users) when you visit and keep track of your preferences in relation to your use of our website.

We use Google Analytics and Hotjar to analyze the use of our website. These third party services may use cookies and other technologies to collect technical data on your behavior and your device (such as your device’s IP address or screen size). For further details, please see Hotjar’s privacy policy and Google’s privacy policy. You can also opt out of Hotjar and Google Analytics tracking at any time.

Most browsers allow you to reject all cookies, while some browsers allow you to reject just third party cookies. Blocking all cookies will, however, have a negative impact upon the usability of many websites, including ours.

Transfer of your information out of the EEA

As a worldwide digital service, we need to work with a number of providers, some of which are located outside the UK and the European Economic Area (EEA), e.g. in the U.S., in order to be able to operate our website and to make our services available online. Some of our staff also operate outside the EEA. Consequently, some of your personal data may be transferred outside the EEA. Some of the countries in question may not have data protection laws equivalent to those in force in the EEA.

We will ensure that any transfer of your personal information outside the EEA where the GDPR applies to such transfer will be subject to the appropriate or suitable relevant safeguards (e.g. European Commission approved contract), as permitted under the GDPR, with those measures designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.

In general, we use contract clauses for such transfers (as per Article 46.2 of the GDPR), unless the country in question is judged adequate under Article 45 of the GDPR (including in the case of the U.S., Privacy Shield). We also limit access to your personal information to those members of our staff who have a business reason for knowing such information. If you’d like further information on this, please contact us.

Here is a list of third party providers we’ll share your information with, if necessary:

  • Postmark and Microsoft, to process and deliver our e-mails, e.g., when we respond to your messages. We’ll also collect information regarding e-mail delivery and opening rates to improve deliverability and help with troubleshooting. You can find Postmark’s privacy policy here and Microsoft’s privacy policy here.
  • Stripe, to process payments and conduct anti-fraud checks. Stripe’s privacy policy is here.
  • Google and UnitedHosting, to analyze the behaviour of our visitors as well as to host our website, databases, and related assets and services. Google’s privacy policy is here, and UnitedHosting’s here.
  • HelpScout, to manage and respond to support e-mails. Their privacy policy is here.
  • Slack and Asana, for our everyday communication and planning. Their respective privacy policies are here, and here.

We have listed all our third party providers here to be as transparent as possible. In practice, “sharing” is a very generous term when it comes to us transferring your information outside our company. We always transfer as little data as we can, also encrypting it where possible. For instance, our e-mail service provider would need to know your e-mail address to deliver a password recovery link, but we won’t share your assessment results with them.

Similarly, we may discuss an issue you’re having on Slack, which technically counts as us transferring your information (such as the e-mail address linked to your account) to Slack servers – however, Slack wouldn’t be permitted to use that information for anything beyond what’s necessary to provide their service to us.

We use all reasonable security and access control measures to secure our accounts on third party websites and the data stored therein.

Your rights

Under the General Data Protection Regulation you have a number of important rights free of charge. In summary, those include rights to:

  • fair processing of information and transparency over how we use your personal information, which this Privacy Notice is already designed to address
  • access to your personal information and to certain other supplementary information
  • require us to correct any mistakes in your information which we hold
  • require the erasure of personal information concerning you in certain situations
  • receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
  • object at any time to processing of personal information concerning you for direct marketing
  • object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
  • object in certain other situations to our continued processing of your personal information
  • otherwise restrict our processing of your personal information in certain circumstances (for example by withdrawing consent)

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • e-mail us
  • let us have enough information to identify you (e.g., your team membership or registration details)
  • let us have proof of your identity and address (a copy of your driving license or passport and a recent utility or credit card bill), and
  • let us know the information to which your request relates

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

We hope that we can resolve any query or concern you raise about our use of your information.

The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.

Changes to this Privacy Notice

This Privacy Notice was published on 26 May 2019 and last updated on 26 May 2019.

We may change this Privacy Notice from time to time; when we do, we will inform you by placing the updated notice on our website.

Our Details and how to contact us

The full name of our company is MindTrackers Limited.

We are registered in England and Wales under Companies House registration number 9198941.

Our registered address is 20 Station Road, Cambridge, CB1 2JD, United Kingdom.

If you have any questions about this Privacy Notice or the information we hold about you, you can contact us by email at support@mindtrackers.com.