Updated 28/10/2019 Version 1.1-Website
Reason for collecting information
Dewi Development Ltd collects data in order to be able to deliver its services to its customers.
Dewi Development Ltd treats its data as a key asset of the business and recognises its importance and value to the business, as well as the customers who own it.
In order to ensure its security, Dewi Development Ltd develops its IT policies and procedures to the ISO 27000 standards.
Information we collect
To deliver all of our services we will collect any of the following information:
- Contact name
- Contact job title
- Contact address
- Invoice name
- Invoice job title
- Invoice address
- Delivery address
- Contact phone numbers
- Contact e-mail addresses
- Service booked
- Payment details
- Service costs
- Customer feedback
By submitting an enquiry, we will collect the following additional information:
- Reason for enquiry
- Enquiry details
By initiating a chat with us through the on-line messenger function, we will collect the following additional information:
- Chat history
- Chat notes
- Chat Device
- Chat times and duration
- Chat location
By placing a review of our services on Trustpilot, they will collect:
- Your name
- E-mail address
- Your review
- Your IP address
We will use invoice details to generate invoices which we will send to you electronically or post to you.
Where you request to pay by credit card, we will add invoice details into the invoice system of our partner organisation, iZettle, to generate an invoice. This will provide you with the option to pay the invoice through a link. Our partner will take your credit card details and process payment to ourselves. They will not hold your card details but maintain your contact information so we can easily invoice you again.
As part of providing training at your premises, we will collect any of the following additional information:
- Candidate full name
- Candidate address
- Candidate e-mail address
- Candidate phone numbers
- Candidate event details
- Candidate event results
- Candidate evaluation of the event
- Booker's feedback and impact of the event
As part of providing application or website development, we will collect the following additional information:
- Service requirements
- Application requirements
- Test data
- User data, if hosting the system
As part of providing facilitated sessions or acting as a consultant, we will collect the following information:
- Information gathered during consultation or facilitation
- Names of people taking part
- Contact details of people taking part
As part of providing you on-line access to the details of the services we have provided to you, we will collect the following information to manage your account:
- Password in an encrypted format
- Language preference
- E-mail address
- User action logs
- Information provided by your browser
Using our website
Like many sites, we collect ‘Log Data’ provided by your browser. The ‘Log Data’ can include:
- Browser and version
- IP address
- Pages of the site visited
- Date and time of visit
- Country visited from
- Time spent on a webpage
- Terms used to search to find the site
We use Google Analytics to help us understand how our site is used. This may provide additional anonymous analytic information not listed above. Please review Google Analytics if you require further information.
How we process data
We collect data solely to be able to deliver services to our customers.
We do not sell any data to any other business.
We use the contact details to:
- Communicate about an estimate, quote, order, feedback
- Communicate about the contract
- Update you on our services
- Maintain a relationship with you
We use your invoice details to be able to:
- Invoice you for services or products
- Provide reminders of non-payments
- Provide receipts of payments
We use the delivery address to:
- Deliver any products
- Log where a service is to be undertaken
We use order and service costs to:
- Provide you with a history of products and services provided to you
- Provide financial accounting to HMRC and Companies House
We use customer feedback to promote our services:
- On the website
- In marketing materials
We process your enquiry to be able to respond to your individual questions.
We log the type of enquiry to:
- Handle your enquiry through the right team and in the appropriate time frame
- Understand the trends in enquiries we receive.
We process your web chats to be able to respond to your questions.
The web chats during working hours will be delivered to our computer application or to the phone when we are not in the office.
The web chats outside working hours or when an agent is not available will be notified by e-mail to the team. We will use the logged e-mail address to respond to you in working hours.
We request your name and e-mail address to start the chat so we can:
- Respond to you by name
- E-mail you any information you require
- E-mail you back, should we miss your chat request for any reason
- E-mail you if our conversation is interrupted by system failure or poor mobile internet connection
We process your reviews to:
- help us understand your opinions on the business and the service delivered
- improve our business through your feedback
- support other customers in reviewing your comments, so they can make decisions about whether to use our services
- promote our business by using comments in our marketing materials
When you write a review, they collect the information to:
- display against our business profile page
- notify us that you have written a review and allow us to respond through their website
- allow us to display our overall star rating on our website
The host company collect your IP address:
- to derive the approximate city location of the reviewer, in order to localise reviews
- so they can trace the used computer in the case of misuse or unlawful actions while visiting their website
The host company place cookies on your device when you visit their website, to:
- manage functionality of the site
- remember you when you return to the website to place another review
- track use of the website, so they can improve their functionality and understand the number of visitors
We collect your candidate details to manage the event. This includes:
- Pre-event information
- Pre-event evaluation
- Post-event information
- Post-event evaluation
- Notification of changes to the event
We collect your candidate results and contact details to:
- Request the certificates from the awarding body
- Send you your certificates of completion
- Notify you of relevant CPD development opportunities
- Notify you of the qualifications that you need to renew
We collect your evaluation information to:
- Improve the events in the future.
- Develop future courses/events.
We collect bookers' feedback and impact assessments to:
- Review how our courses supported your development in the workplace.
- Develop future courses/events
We will enter your candidate name and results information in the NucoPlus system, administered by Nuco Training, in order to request your certificates. We may add your delivery address information into the NucoPlus system in order for your course certificates to be delivered directly to your company.
We work in partnership with Viking Training Ltd, who may deliver some courses on our behalf. We will share event and candidate information with Viking Training Ltd in order for them to deliver the event on our behalf.
If an accident or safeguarding concern takes place during the event, we may use data to pass to the appropriate authority to help protect your interests and life. This may include, but is not limited to, the Police, Ambulance Service or Social Services.
We use the information to set up services to meet your needs. This may be with our systems or with third parties as discussed with you.
We use application requirement information to build websites or specialised applications to meet your needs.
We use username information to set up users in the systems, to allow your users to access the websites or applications.
We utilise provided data to test the application or website works as specified. We will generate data as part of this testing.
We will use application requirements and may use test data to support the development of user manuals for your systems.
We will store the data generated by the websites or applications we have developed for you, where you have requested we host your systems.
We will only access this data:
- When requested by yourselves for support
- To diagnose a problem reported by yourselves
- To test the system when implementing an upgrade
We will use the data collected during a facilitated session or consultation to:
- Progress the facilitation or consultation
- Produce a post-session report
- Carry out research into the area of consultation, as requested by yourselves
We will use names and contact details of people taking part in the facilitation or consultation for:
- Distribution of pre-event information, where required
- Information within post-event reports, written for your attention
- Distribution of post facilitation or consultation information or reports
- Distribution of post-event evaluation, where applicable
If you register for the online portal, we will store your account details and site preferences.
We will use your account details to manage your access to your own account, so you can view the services you have booked or received with us and manage your personal details.
We will use user log details to:
- Report your login history and identify breaches of access
- Investigate concerns raised about inappropriate use of the system
- Investigate reports of incorrect data in the system
We will use account settings to lock accounts where there is concern of attempted breaches of access.
We will use account settings to block access where we have reasonable information on the misuse of the system.
Information provided by the browser
We collect browser information to:
- Identify attempted breaches to the system
- Help us to improve our website experience by understanding the devices, browsers and countries accessing our systems
- Understand the pages that:
  - receive a lot of visits
  - people spend a long time reading
  - people do not stay on
  - fail to load and provide errors
- Understand what search words bring people to the website
Legal basis for processing data
By ordering with us, you begin a contract with us to deliver a service or product to you. We process your data for the duration of the contract in order to deliver your service or product.
We have a legal obligation to maintain financial records and to report to HMRC and Companies House on a yearly basis.
We will utilise your order, invoice and payment details to support us in producing these reports.
We will share data with the police, where we identify an illegal act has occurred or there is deemed to be a risk to life.
We will share data with the police where an appropriate warrant is produced, identifying that an illegal act has occurred and the data is required as evidence.
By raising a request with us, we process your information to respond to your request and provide you with your required information.
By initiating a webchat with us, we process your information to respond to your chat request and provide you with your required information.
By initiating a chat with us, we process your information in order to respond to your chat questions.
By ordering a service or product with us, we will use your contact details to:
- maintain a relationship with you
- keep you up to date with relevant services or products
- keep you up to date with changes to the business
By undertaking training with us, we use your results to remind you of your options for Continual Professional Development (CPD) or renewal of qualifications, up to a year after the expiry of your qualification. This allows you to keep skills up to date and book renewal or CPD sessions with a relevant organisation.
You have the option to opt-out of these services and to define which is your preferred communication method.
By adding a review to our third-party provider, you agree to the information being shared publicly and for us to respond through the third-party site to your comments. By placing your public review, we may also use your reviews in our marketing on social media, on our website and our printed materials.
If during an event a Safeguarding concern arises with an adult and the decision is made to refer to the appropriate support agency, which could include, but is not limited to, the Police, Ambulance Service or Social Services, the consent of the adult will be sought verbally.
If a Safeguarding concern arises with an adult or child, where the life is in danger, a referral will be made to the Police or Ambulance Service.
If an accident occurs during an event and the individual’s life is in danger, a referral will be made to the Ambulance Service, which may include the Police.
The appropriate data held by Dewi Development Ltd will be shared, where it is deemed appropriate in protecting the individual's life.
Keeping your data secure
We work to the ISO 27000 standard for securing our IT infrastructure.
We use dual-factor authentication for accessing information, where provided by the supplier.
We build our websites to use dual-factor authentication.
We expect all administrators of your sites to use dual-factor authentication.
We build all our websites with SSL encryption as standard.
We apply the latest updates released by vendors.
We back-up all data with our hosts or on our internal backup drives.
Sharing of information
We only share data with our partners in order to deliver a service to our clients. We do not share data for any other reason.
We do not sell data to any other source.
We share data with partners when applicable for the following actions:
- Registering candidates on accredited courses with our awarding body and to issue certificates
- Informing our partner training organisation of the course they are delivering and for them to inform us of the candidate results
- To provide you with an invoice that you can pay by credit card
- To host our webchat functionality
- Providing data to our accountants to complete our legal requirements for year-end and tax reporting.
We are partnered with the following organisations:
- Nuco Training Ltd and First Aid Awards for accreditation of our courses
- Viking Training Ltd for partnered training
- iZettle to raise invoices that can be paid by credit card
- WBV Ltd for our yearly accounts
- Tawk for our web chat functionality.
- Trustpilot for hosting the reviews of our service
Hosting your website
Websites that we have developed for our clients are externally hosted.
We contract with 1&1 IONOS to provide this service.
1&1 IONOS provides the following services:
- Domain name management
- SSL certificates for domains
- E-mail management
- File storage
- MS Office licensing and hosting
Their services are hosted in the EU and compliant with EU GDPR regulations.
Your contract is held with Dewi Development Ltd and your contract data is not stored with 1&1 IONOS. Only data you store on the services listed in 3.3 is held with 1&1 IONOS.
1&1 IONOS manage the backup of their services.
We will at times create our own backup before implementing any changes to the systems we are managing for you.
Storage of your data
We store active work in the Cloud, allowing us to work remotely.
We store archived work on our own secure servers.
OneBox provides our Cloud storage solution. Their servers are based in Europe and meet the EU GDPR requirements.
Your data is encrypted and cannot be accessed by OneBox support staff without our authorisation.
If we need to transfer files that contain personal or sensitive information between Dewi Development Ltd and yourselves, we will not do so by e-mail.
We will transfer files through OneBox, where we can control who can access files.
We will remove transfer files from OneBox, once they have been successfully transferred or the collaboration on the files has ended.
Data hosted in the Cloud environment will be backed up by the provider.
Data hosted on our secure servers will be backed up locally on a daily basis and off-site on a weekly basis.
We have a Data Retention policy which defines the specifics of how long each type of data is held. This schedule is available on request.
In general, we keep customer data for the following lengths of time:
- Your customer file, order history and candidate results are kept for 6 years after you close your account.
- Your customer correspondence is kept for 6 years.
- Event information is kept for 1 year.
- Event evaluation and event candidates are kept for 4 years.
- Our financial records are kept for 7 years.
If an online account is held, the user can review their information through the online account and update their personal information.
Data information requests will be responded to within a maximum of 1 month.
There is no fee to request to review personal data, except in the following cases, which may incur a charge to cover the administration cost:
- Repeated requests that are excessive
- A request is manifestly unfounded
Right to object
An individual may request not to have their data processed for particular activities. We can stop data being processed for:
- Updates on the service or product
- Information on similar relevant services or products
- Information on changes to the business
We will aim to change preferences the same working day, but it may take up to 30 working days to filter into already planned activities.
Right to be forgotten
An individual will be required to answer security questions to prove their identity and ownership of the data before any data will be released.
All deletion requests will be considered and responded to in writing within one month.
All deletion requests will be considered against the General Data Protection Act (GDPR) 2018.
The erasure will not take place, where it meets a reasonable need in line with the General Data Protection Act 2018. This may be due to, but not limited to, data being held:
- As part of our legal requirement
- For the establishment, exercise or defence of a legal claim
We will review the policy to ensure it still meets the need in the following situations:
- On a yearly basis
- When our systems which process our data are changed
- When there is an incident
We will investigate any concern of a data breach.
We will inform the Information Commissioner's Office of any breaches within 72 hours.
We will inform individuals affected by the data breach, once individuals and impact are identified.
We will make changes to our policy and reasonable improvements to our systems to prevent the breach from occurring again.
Changes to the policy
The policy takes effect from the dates covered in the version control.
Privacy policies should be reviewed periodically.
Material changes to the policy will be notified to individuals via e-mail or through a prominent notification on the website.