Last updated: 7th May 2018
All Definitions used in this Policy can be found in a separate Definitions document, which applies across all our policies.
This Policy addresses the main obligations of interests.me regarding data protection. It addresses the rights of Data Subjects in respect of their Personal Data under the Data Protection Legislation.
The procedures and principles set out herein must be followed at all times by the Company and its Associates.
We are committed not only to the letter of the law, but also to the spirit of the law and we place high importance on the correct, lawful, and fair handling of all Personal Data, respecting the legal rights, privacy, and trust of all individuals with whom we deal.
This Policy refers to and incorporates our Data Security Statement which is a separate document.
By providing us with your data, you warrant to us that you are over 13 years of age.
- When We Are the Data Controller
The Data Subjects for whose Personal Data we are responsible as the Data Controller are:
- Website Visitors;
- Community Email Subscribers;
- Tool Users;
- Customer Organisations;
- Associates of the Company.
- When We Are Not The Data Controller
We do not act as the Data Controller for all submissions of Personal Data on our Website.
Organisational Email Subscribers are submitting their Personal Data to interests.me’s Customer Organisation, as is always clearly stated at the point of data collection.
If you are an Organisational Email Subscriber, we act as the Data Processor but not the Data Controller for your Personal Data, and we process your data only under the instructions of the Customer Organisation which is the user of our Email Services. We give our clients assistance to comply with Data Protection Legislation, however we cannot make guarantees on their behalf.
If you believe a user of our Email Services is not complying with Data Protection Legislation, we suggest you first take this up with them, but you may also report it to us at email@example.com so that we can pass on your complaint to that organisation.
- How to Contact Us About Data Protection
Our full details are:
- Full Name of Legal Entity: Interests Media Ltd, trading as interests.me
- Nominated person: Helen Cammack, COO
- Contact Email Address: firstname.lastname@example.org
- Postal Address: Tiverton, South Road, Woking, Surrey GU21 4JS, UK
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.
The Company is registered with the Information Commissioner’s Office under registration reference ZA063879.
- What Data We May Collect About You
The following Personal Data about you may be collected, stored and processed by us:
- Identity Data may include your first name and last name.
- Contact Data may include your own or organisational address, your billing address, your email address and telephone numbers.
- Financial Data may include your bank account and payment card details.
- Transaction Data may include details about payments between us and other details of purchases made by you.
- Technical Data may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access this site.
- Profile Data may include your password, organisations you are associated with, your interests, preferences, feedback, survey or enquiry responses. It may also include your social media profiles (eg your Twitter name or Facebook page, as provided by you).
- Usage Data may include information about how you use our Services.
- Marketing & Communications Data may include whether you have opted in to receive email newsletters or other communications for marketing purposes.
- Employee Data (employees and contractors only) may include date of birth, next of kin, NI number, bank details, references from third parties, annual reviews, disciplinary records, grievance records, evidence of right to work in UK, any statutorily required criminal offence record.
We may also process Aggregated Data from your Personal Data but this data does not reveal your identity and as such in itself is not classified as Personal Data. An example of this is where we review your Usage Data to work out the percentage of Website users who make use of a specific feature of our site. If we link the Aggregated Data with your Personal Data so that you can be identified from it, then it is treated as Personal Data.
The following data is not collected, stored or processed by us:
- Sensitive Data – We do not collect any Sensitive Data about you, as defined by the Data Protection Legislation, with the exception of that statutorily required for employees (namely employee criminal convictions and offences).
- Non-Provision of Data
Where we are required to collect Personal Data by law, or under the terms of the contract between us, and you do not provide us with that data when requested, we may not be able to perform the contract (for example, to deliver a service to you). If you don’t provide us with the requested data, we may have to cancel a service you have requested but if we do, we will notify you at the time.
- How We Collect Your Personal Data
We collect data about you through a variety of different methods including:
- Direct interactions: You may provide data by filling in forms on our site (or third party sites which we direct you to, where we are the Data Controller of the data you enter) or by communicating with us by post, phone, email or otherwise, including when you:
- request our services;
- create an account on our site;
- subscribe to our service or communications such as emails;
- request resources or marketing be sent to you;
- enter a competition, prize draw, promotion or survey;
- submit an enquiry; or
- give us feedback.
- Third parties or publicly available sources: We may receive Personal Data about you from various third parties and public sources as set out below:
- Technical Data from the following parties:
- Hosts and server providers such as Amazon Web Services and WordPress based outside the EU;
- Analytics providers such as Google Analytics based outside the EU;
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services such as Stripe based outside the EU.
- Identity and Contact Data from publicly availably sources such as Companies House, the Charities Commission website, and websites provided by Councils for Voluntary Service, or District, Borough or County Councils, based inside the EU.
- Identity, Contact, Profile, Marketing and Communications Data via third party forms software such as Typeform, based outside the EU, and automated forwarding services such as Zapier, based outside the EU.
- Technical Data from the following parties:
- Keeping Your Data Accurate And Up To Date
We strive to ensure that all Personal Data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and at such intervals thereafter as are necessary. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
Please let us know if at any time your personal information changes by emailing us at email@example.com or, if you are a user of our web tool, by changing your details in ‘Settings’ when logged in.
- The Possible Lawful Grounds for Processing Personal Data
The Regulation seeks to ensure that Personal Data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The Regulation states that processing of Personal Data shall be lawful if at least one of the following applies:
- The Data Subject has given Consent to the processing of his or her Personal Data for one or more specific purposes;
- Processing is necessary for the performance of a Contract to which the Data Subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a Legal Obligation to which the controller is subject;
- Processing is necessary to protect the Vital Interests of the Data Subject or of another natural person;
- Processing is necessary for the performance of a task (“Public Task”) carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the data subject is a child.
- The Lawful Grounds of Our Processing
Our most common lawful grounds for processing your Personal Data are:
- Where we need to perform a Contract between us and you or a third party (the latter scenario requiring a Data Processing Agreement);
- Where it is necessary for our Legitimate Interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- Where we need to comply with a Legal Obligation or regulatory obligation.
- Where we have obtained your Consent, for instance to send opt-in newsletter communications via email or other opt-in marketing communications. You have the right to withdraw consent to these marketing or newsletter communications at any time by emailing us at firstname.lastname@example.org, or by clicking on the ‘unsubscribe’ link at the bottom of each email.
- Our Specific Purposes and Lawful Grounds for Processing Your Personal Data
We will only use your Personal Data when legally permitted.
Set out below is a description of the ways we intend to use your Personal Data and the legal grounds on which we will process such data.
We may process your Personal Data for more than one lawful ground, depending on the specific purpose for which we are using your data. Please email us at email@example.com if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the list below.
The purposes and lawful basis on which the Personal Data listed above may be processed are:
Our lawful basis is our Legal Obligation where:
- We need to keep records for HMRC and other legal purposes. In this case we may store contact data, financial data, and transaction data belonging to Tool Users and Customer Organisations, collected from our signup forms, Settings, Payments and Account pages.
- We need to comply with necessary employment checks and legal employment requirements, permitting us to employ people including contractors necessary to run our business. In this case, we may store employee data, including contractor data, belonging to our Associates, as submitted by the Associates.
Our lawful basis is Contract where:
- We need to take payment for a contracted service. In this case, we may collect and store contact data (billing address), financial data (card details) and transaction data (payments and purchases), belonging to Tool Users and Customer Organisations, submitted via our signup forms, our Settings, Payments and Accounts pages, and via a third party payments provider, Stripe.
- We need to register you as a Tool User, enable you to manage your account and manage our relationship with you, including notifying you of changes and asking you to leave reviews or take surveys. In this case, we may collect and store the identity data (name), contact data (email address), technical data (login details), and profile data (password) belonging to Tool Users, submitted via our signup forms and Account Settings pages.
- We need to allow Customer Organisations to manage their own subscribers and send email newsletters (which we are contracted by them to do). In this case, we may (under their instruction, and acting as a Data Processor), collect and store the identity data (name) and contact data (email address) and usage data (email open rates) of Organisational Email Subscribers, collected by the Customer Organisation which is the user of our Email Services (who is in this case the Data Controller) via signup forms provided by us, and via direct upload by the user of our Email Services. We may also process this data to send email newsletters on behalf of the user of our Email Services, on their direct instruction.
- We need to provide Customer Organisations with analytical data (which we are contracted by them to do). In this case, we may (under their instruction, and acting as a Data Processor), collect, store and analyse usage data (email open information) and technical data (IP addresses relating to pageviews and social sharing), and display anonymized aggregated data to Tool Users associated with a Customer Organisation. This data will have been collected via our own Tracking Technologies in emails and on the Website, and third party Tracking Technologies provided by AddThis and Google Analytics.
Our lawful basis is Legitimate Interests where:
- We need to study how users use our services, including the use of specific features, and email open rates, in order to develop, improve and grow our business. In this case, we may collect, store and analyse technical data (IP address, browser type and version, time zone setting, location, operating system, platform, etc) and usage data (email open information, and usage of specific features) of Website Visitors, Community Email Subscribers, and Tool Users. This data will have been collected using our own tracking of email open rates, and our own records of usage in our own database, and third party cookies on our Website set by Google Analytics.
- We need to provide a requested community email newsletter service which distributes community information, in order to fulfil our business objective to improve the distribution of community information. In this case, we may store identity data (names) and contact data (email addresses) belonging to opted-in Community Email Subscribers, and process this data by sending community emails. This data will have been collected using our own website signup forms, and by opt-in signups via click-throughs on third party emails.
- We need to respond to enquiries about our service from prospective Tool Users, Customer Organisations or Sponsors, in order to grow our business. In this case, we will store data temporarily (for a maximum of 24 months), and send information emails to prospective users of our service where they have contacted us by email, or by completing a form on our Website or a third party form (provided by Typeform) linked to from our Website or from social media.
- We need to provide user support, information and reminders, in relation to a requested service. In this case, we will send emails about product updates, user hints and tips, individual support emails, and reminder emails about participating in a Community, to email addresses of Tool Users, as collected through our signup processes including our own forms and Settings pages.
- We need to allow a Tool User to invite another Tool User to be part of the same Customer Organisation, in order to provide essential user functionality and to grow our business. In this case, we may store identity data (name) and contact data (email address) temporarily, and send an invitation email plus one reminder email (if necessary) to a prospective Tool User, where this data has been submitted in our Settings pages by an existing Tool User.
- We need to allow a Community Administrator to email Organisations in their Community, in order to provide essential user functionality. In this case, we may enable the sending of an email to a protected list of the email addresses of all the Tool Users who act as the primary contact for Organisations in a Community administrated by the Community Administrator (and which have not opted out of these emails). This will be done without enabling the Community Administrator to see the email addresses.
- We need to send direct marketing emails to prospects, in order to grow our business. In this case, we will store identity data (names) and contact data (email addresses) and profile data (eg Twitter handle) of Tool User and Customer Organisation prospects, and send direct marketing emails to prospective users of our service where we have a strong reason to believe that they will be interested in our service, where the data has been collected through online research and publicly available sources, or where we first request permission to send information, and where they have not opted out from hearing from us.
- We need to comply with necessary employment checks and legal employment requirements, in order to employ people and run our business. In this case, we will store employee and Associate data, as submitted by the employee or Associate, and use it only for necessary employment checks.
Our lawful basis is Consent where:
- We need to provide a requested community email newsletter service which distributes community information to subscribers. In this case, we may store identity data (names) and contact data (email addresses) belonging to opted-in Community Email Subscribers, and process this data by sending community emails. This data will have been collected using our own website signup forms, and by opt-in signups via click-throughs on third party emails.
- We need to send a requested email newsletter marketing our business. In this case, we will store data and send direct marketing emails to prospective users of our service where they have completed an enquiry form on our Website or a third party form (provided by Typeform) linked to from our Website or from social media, and where they have opted in to communications.
We do not currently share your Personal Data with any third party for marketing purposes, and will always get your express opt-in consent before doing so.
- Our Policy on Change of Purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to find out more about how the processing for the new purpose is compatible with the original purpose, please email us at firstname.lastname@example.org.
If we need to use your Personal Data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing.
We may process your Personal Data without your knowledge or consent where this is required or permitted by law.
- Disclosures of Your Personal Data
We may have to share your Personal Data with the parties set out below for the purposes set out in the list in Section 11 above:
- Service providers (Sub-Processors) who provide IT and system administration services.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other relevant jurisdictions who require reporting of processing activities in certain circumstances.
- Associates working for the Company who need access to the live database, for instance for development or maintenance purposes.
- Third parties to whom we sell, transfer, or merge parts of our business or our assets.
We require all third parties to whom we transfer your data to respect the security of your Personal Data and to treat it in accordance with the law. We only allow such third parties to process your Personal Data for specified purposes and in accordance with our instructions.
- International Transfers
Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your Personal Data, so European law has prohibited transfers of Personal Data outside of the EEA unless the transfer meets certain criteria.
Some of our third parties service providers are based outside the European Economic Area (EEA) so their processing of your Personal Data will involve a transfer of data outside the EEA.
Whenever we transfer your Personal Data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:
- We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission; or
- Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give Personal Data the same protection it has in Europe; or
- Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to Personal Data shared between the Europe and the US.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
Please email us at email@example.com if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EEA.
- Data Security
- Your Own Data Security
While we take reasonable precautions against possible security breaches of our website, member database and records, no website or Internet transmission is completely secure and we cannot guarantee that unauthorised access, hacking, data loss, or other breaches will never occur. We urge you to take steps to keep your personal information safe (including your password) and to log out of your personal account after use. If you share your password or leave your logged-in interests.me personal account unattended, your personal information or privacy may be compromised. If that happens, please report it at firstname.lastname@example.org. You must, if possible, change your password immediately. You can do this by clicking on the ‘forgotten password’ link on any sign-in page and following the instructions to create a new password. We cannot be held responsible for your failure to keep your password secure.
In addition, whilst once we have received your information we have procedures and security features in place to prevent unauthorised access, we cannot guarantee the security of your Personal Data while it is being transmitted to our site and any transmission is at your own risk.
- Data Retention
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
When the data is no longer required, all reasonable steps will be taken to erase it without delay.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
In some circumstances you can ask us to delete your data: see below (Section 18: Your Legal Rights) for further information.
If you leave our service, your Personal Data (including Contact, Identity, Profile and Marketing & Communications data) may be kept on file for up to 60 days in order to continue providing a service should you rejoin our service.
In some circumstances we may anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
- Your Legal Rights
Under certain circumstances, you have rights under Data Protection Regulation in relation to your Personal Data. These include:
- Your right to be informed;
- Your right to request access to your Personal Data (‘Subject Access Request’);
- Your right to request correction of your Personal Data;
- Your right to request erasure of your Personal Data (the ‘Right to be Forgotten’);
- Your right to request the restriction of processing or withdraw consent;
- Your right to request transfer of your Personal Data (‘Data Portability’);
- Your right to object to the processing of your Personal Data.
You can see more about these rights at:
If you wish to exercise any of the rights set out above, please email us at email@example.com. The following sections detail these rights individually.
- Your Right To Be Informed
Where the Personal Data is not obtained from the Data Subject directly (i.e. from another party):
- If the Personal Data is used to communicate with the Data Subject, the Data Subject is informed at the time of the first communication; or
- If the Personal Data is to be disclosed to another party, the Data Subject is informed before the Personal Data is disclosed; or
- In any event, the Data Subject is informed not more than one month after the time at which the Company obtains the Personal Data.
- Your Right To Request Access To Your Personal Data (‘Subject Access Request’)
If you wish to exercise this right, please email us at firstname.lastname@example.org, marking the communication ‘Subject Access Request’.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
The Company is normally required to respond to all legitimate requests within one month of receipt of a Subject Access Request. This can be extended by up to two months in the case of complex and/or numerous requests, and in such cases you will be informed of the need for the extension.
- Your Right To Request Correction Of Your Personal Data
If you inform us that your Personal Data held by the Company is inaccurate or incomplete, requesting that it be rectified, we will rectify the Personal Data in question, and you will be informed of that rectification, within one month of receipt of your notice (this can be extended by up to two months in the case of complex requests, and in such cases you be informed of the need for the extension).
In the event that any affected Personal Data has been disclosed to third parties, those parties shall be informed of any rectification of that Personal Data.
We may need to request specific information from you to help us confirm your identity and ensure your right to request correction of your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- Your Right To Request Erasure Of Your Personal Data (The ‘Right To Be Forgotten’)
You may request that we erase the Personal Data we hold about you in the following circumstances:
- It is no longer necessary for us to hold that Personal Data with respect to the purpose for which it was originally collected or processed;
- You wish to withdraw your consent to us holding and processing your Personal Data (where we rely on Consent as a lawful basis for our processing);
- You object to us holding and processing your Personal Data (and there is no overriding legitimate interest to allow us to continue doing so) (see also Section 25: Your Right to Object to the Processing of Your Personal Data);
- The Personal Data has been processed unlawfully;
- The Personal Data needs to be erased in order for us to comply with a particular legal obligation.
Unless we have reasonable grounds based upon a statutory condition to refuse to erase Personal Data, all requests for erasure shall be complied with, and you will be informed of the erasure, within one month of receipt of the request (this can be extended by up to two months in the case of complex requests, and in such cases you will be informed of the need for the extension).
In the event that any Personal Data that is to be erased in response to a Data Subject request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
- Your Right to Request the Restriction of Processing of Your Personal Data
You may request that we cease processing the Personal Data we hold about you. If you make such a request, we will, subject always to our rights under the Regulation, aim to retain only the amount of Personal Data pertaining to you that is necessary to ensure that no further processing of your Personal Data takes place.
In the event that any affected Personal Data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
- Your Right to Request Transfer of Your Personal Data (‘Data Portability’)
You have the right to request that we assist you in transferring your Personal Data to another service.
We will respond in a timely way to this request, providing your Personal Data in an electronic format which assists you in this request.
- Your Right to Object to the Processing of Your Personal Data
You have the right to object to us processing your Personal Data based on Legitimate Interests (including profiling), direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
Where you object to us processing your Personal Data based on our Legitimate Interests, we will cease such processing forthwith, unless it can be demonstrated that our legitimate grounds for such processing override your interests, rights and freedoms; or the processing is necessary for the conduct of legal claims.
Where you object to us processing your Personal Data for direct marketing purposes other than as are directly related to your contractual relationship with the Company, we will cease such processing forthwith.
Where you object to us processing your Personal Data for scientific and/or historical research and statistics purposes, you must, under the Regulation, ‘demonstrate grounds relating to [your] particular situation’. We are not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.
- Data Breach Notification
All Personal Data Breaches must be reported immediately to the Company’s nominated person responsible for privacy and data protection (see Section 4: How to Contact Us About Data Protection).
If a Personal Data Breach occurs and that breach is likely to result in a risk to the rights and freedoms of Data Subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the nominated person must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a Personal Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the nominated person must ensure that all affected Data Subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:
- The categories and approximate number of Data Subjects concerned;
- The categories and approximate number of Personal Data records concerned;
- The name and contact details of the Company’s nominated person (from whom more information can be obtained);
- The likely consequences of the breach;
- Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
- Third Party Links
This Website and our online Services may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible or liable for their content or activities. These third party sites have separate and independent privacy policies. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Nonetheless, we seek to protect the integrity of our Site and welcome any feedback about these sites.