Who we are
Seccl Technology Limited and Seccl Custody Limited (collectively referred to herein as “Seccl”, “us”, “our”,” we”) are committed to processing personal data in line with our responsibilities under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. Our offices are in Bath and Edinburgh, with a satellite office in London.
Our contact details:
Name: Seccl Technology limited
Address: 20, Manvers Street, Bath, BA1 1JW
E-mail: operations@seccl.tech
Compliance team/data protection officer:
If you need more information about the personal data we process, your rights or have any concerns about your personal data or our processing, please contact us at compliance@seccl.tech
Our services
Seccl website
We are data controllers for any personal data we receive when contacted by you directly or via our website forms.
Seccl products, services and technology
Where customers use our products, services or technology we are joint data controllers with those customers.
What personal data do we collect and process?
Seccl website (https://seccl.tech) and/or customer hub (https://customer.seccl.tech)
- your name
- company name
- work email address
- marketing and communication preferences from us and associated third parties
- your interests, preferences, and survey responses
- details about how you use our website
Seccl products, services and technology
- title
- your name (first name, last name)
- address
- email address
- marital status
- employment status
- login credentials – username/password
- account ID
- telephone/mobile phone number
- date of birth (DOB)
- national insurance number (NINO)
- nationality
- gender
- bank account and sort code details
- purchases, orders, payments made by you
- products and services your purchased from us
- your feedback about our services and products
- details about how you use our platform, products, services
- we may also process Anti-Money Laundering (AML) information provided to us by third parties, due to our regulatory obligations.
How we collect and process personal data
We use different methods to collect and process personal data from or about you, including:
Direct interactions
You provide us with personal data directly when submitting our website contact forms or when corresponding with us by post, phone, email or other methods. This includes personal data you provide us when you:
- apply for or purchase one of our products or services.
- create an account on our platform (including our customer hub).
- enter a competition, promotion or survey.
- provide us with feedback or contact us directly.
- request marketing materials from us.
- subscribe to our services or publications.
- engage in any other interaction with us.
Cookies
When you browse our website we collect data, via cookies, about your browsing actions, equipment, and patterns. Cookies also help us improve your website experience, for more information about cookies, see our Cookie Policy. You can choose not to accept certain cookies in your browser, but this may affect some website functionality or features.
Third parties or publicly available sources
We may receive personal data about you from third parties or via public sources, including:
- analytics providers such as Google - outside the UK
- advertising networks - inside or outside the UK
- search information providers - inside or outside the UK.
- identity and contact data - data brokers or aggregators.
- identity and contact data - from publicly available sources.
How we use your personal data and lawful basis
Our primary purpose for processing your personal data is to provide the products, services, or technology you requested. In line with data protection laws and regulations, we only process personal data where we have a lawful basis for doing so. Our lawful bases for processing are:
- Where we provide products or services to you under a contract (contractual basis)
- Where we have legal or regulatory obligations (legal basis)
- Where you have given us your explicit consent (consent basis)
- Where it is in our (or our third party’s) legitimate interests and where those interests do not override your interests, rights, or freedoms (legitimate interests’ basis)
Contractual basis
- processing your personal data where it is necessary for the performance of a contract, which you are a party or to take steps, at your request, before entering a contract.
- to administer and/or manage the products, services, or technology that you signed up for
- to contact you with important information regarding your contracted products, services, or technology
Legal and regulatory basis
- processing your personal data where it is necessary for compliance with legal and regulatory obligations that we are subject to, including HM Revenue & Customs; Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO) and other United Kingdom authorities who require us to report information to them in specific circumstances.
Consent basis
- where you consent to us contacting you when necessary, including routine communications or to share updates about our services and newsletters.
- where you consent or opt-in to receive direct marketing communications from us, or a third party, via online, phone, email, or text message.
- where you consent to receiving information about recommended goods, services or promotions that interest you.
Consent and legitimate interest bases
- where you consent to us recording video calls and live chats with our customer services representatives, for internal training purposes.
- where you consent to us sharing your personal data with our partners, for managing internal business processes and our services to you, in the most effective way.
Changing your mind – (opting-out)
- if you change your mind and no longer consent to receiving information from us, you can opt-out (at any time), by simply contacting us or associated third parties.
Legitimate interest basis
- to improve and develop our products, services, and internal operations, including troubleshooting, data analysis, testing, market research campaigns, statistical and survey purposes.
- to provide a tailored and personal experience when using our online products and services
- to measure or understand the effectiveness of relevant advertising provided by us.
- to measure, understand and gain feedback on the effectiveness of our services, allowing us to enhance and improve the services we provide.
- to allow us to continually improve our technology by understanding the way our products and services are used by you.
Your legal rights as data subjects
When processing your personal data, we must consider the following individual rights, that you are granted (as a data subject) under data protection laws.
Right to be informed
- you have the right to request that we confirm whether we are processing your personal data or not.
- you have the right to be given our contact details.
- you have the right to request name and contact details of our representative or data protection officer.
- you have the right to request the purposes of processing.
- you have the right to request the lawful basis for processing.
Right of access
- you have the right to access your personal data – commonly known as a subject access request (SAR)
- subject access requests can be made by contacting us verbally, or in writing (email, letter)
- we cannot charge a fee to deal with a request in most circumstances.
Right to rectification
- you have the right to have inaccurate personal data corrected or completed, where it is incomplete.
- you can make a request for a rectification or correction by contacting us verbally, or in writing (email, letter)
- there are some limited circumstances, where we can refuse a request for rectification or correction.
Right to erasure (or the right to be forgotten)
- you have the right to have your personal data erased or deleted - also known as ‘the right to be forgotten’.
- right to erasure requests, include circumstances where you successfully exercised your “right to object.”
- you have the right to request your personal data is erased or deleted - where your personal data is no longer necessary for the purpose it was originally collected or processed for
- you have the right to request your personal data is erased or deleted – where we are relying on consent as our lawful basis for holding your data and you withdraw consent
- you have the right to request your personal data is erased or deleted – where we are relying on legitimate interests as our lawful basis for processing, where you object to the processing and there is no overriding legitimate interest to continue processing
- you have the right to request your personal data is erased or deleted – where we are processing your personal data for direct marketing purposes and you object to that processing
you have the right to request your personal data is erased or deleted – where we have processed your personal data unlawfully (i.e. in breach of the lawfulness requirement) - you have the right to request your personal data is erased or deleted – where we have to comply with a legal obligation
- you can make a request for erasure by contacting us verbally, or in writing (email, letter)
- BUT the right is not absolute and only applies in certain circumstances, i.e., legal, or regulatory requirements may override your request.
Right to restrict processing
-
you have the right to request a restriction or suppression to processing your personal data.
-
when processing is restricted, we are permitted to store the personal data, but not use it.
-
right to restrict processing requests, include cases where:
- you ask us to establish the accuracy of personal data.
- we may have used your personal data unlawfully, but you do not want it to be erased.
- you want us to hold the personal data, where there is no longer a requirement for us to process it i.e., where you need to establish, exercise or defend a legal claim OR where you have objected to processing and we need to verify whether there are overriding legitimate grounds.
-
you can make a request to restrict processing by contacting us verbally, or in writing (email, letter)
-
BUT this is not an absolute right and only applies in certain circumstances.
Right to data portability
- you have the right to data portability, where you request to obtain and reuse your personal data, for your own purpose, across different services, which includes history of website usage or search activities and/or location data.
- BUT this right only applies to information you provide us, where we are considered a data controller.
Right to object
- you have the right to object to us processing your personal data in certain circumstances – where we are relying on a legitimate interest (or those of a third party).
- you have an absolute right to object and stop your personal data being used for direct marketing.
- you can make a right to object request by contacting us verbally, or in writing (email, letter)
- BUT in certain cases, where the right to object applies, we may be able to continue processing if we can show that we have a legitimate reason for doing so, that does not conflict with your rights, interests, or freedoms.
Automated decision making and profiling
- you have the right not to be subject to automated decision making (deciding something solely by automated means without human involvement), including profiling, where it results in a legal or significant negative impact on you.
- you have the right to request an explanation of any logic, where automated decisions are made about you.
Right to complain
- You have the right to complain to us, or against us to the ICO, at any time. In the first instance, we would like to be given the chance to deal with your concerns, before you approach the ICO, by contacting compliance@seccl.tech.
- Alternatively, you can contact the Information Commissioner’s Office (ICO), the UK’s supervisory, regulatory authority, for any concerns you have over our handling of your personal data
Responding to your requests (data subject access requests - DSARs)
- We have one calendar month to respond to your request, but we may extend the time by a further two months if your request is complex or we have multiple requests from you. However, we will always let you know within one month and explain why any extension may be necessary.
- If you need more information about the personal data we process, your rights or have any concerns about your personal data or our processing, please contact us at compliance@seccl.tech.
- In most cases there is no fee applicable to personal data or rights requests, however, we reserve the right to charge a reasonable fee to cover any administrative burden, where your request is unfounded, overly excessive, or duplicates information previously received.
Disclosure to third parties (sub-processors)
We may disclose your personal data to third-party sub-processors on occasions where we cannot reasonably perform the processing activity ourselves or where we have made a business decision to do so. Where a sub-processor is used, we always perform due diligence and/or define contractual clauses to ensure they adhere to our data protection, security and data privacy requirements.
Our website (https://seccl.tech)and customer hub (https://customer.seccl.tech) – sub-processors and locations
- customer relationship management (CRM) - EU
- surveys or process feedback - EU
- web and usage analytics -US
- cloud development platform and hosting – US
- cloud-based authentication and authorization platform – EU
Our products, services and technology – sub-processors and locations
- cloud infrastructure and hosting services – UK data centers
- database managed services – UK data centres
- IT management and administration services – UK
- customer service platform - EU
Third-party links
Our website, products or services may include third-party links or associations to applications, contributors, plug-ins and/or other websites. Clicking on these links or enabling connections may allow third parties to collect or process personal data about you. We do not control third-party websites and are not responsible for their privacy statements. When you leave our website, please ensure you review and consider any third-party privacy policies.
International transfers
On occasions where we process your personal data outside the UK, we take appropriate measures to ensure that your personal data and rights are given equivalent levels of protections, granted under UK data protection laws. In these cases, we consider the following:
-
is the transfer to another country or territory covered by adequacy regulations?
-
is the transfer to the US under the UK Extension to the EU-US Data Privacy Framework?
-
are we relying on transfer mechanisms and transfer risk assessment (TRA) under UK GDPR:
- International Data Transfer Agreement (IDTA) OR
- International Data Transfer Addendum (Addendum) – under UK GDPR, we cannot rely solely on new EU Standard Contractual Clauses (SCC) and must include the UK Addendum.
Personal data security
The protection and security of your personal data is our priority, where we take a layered approach to our security controls across the following areas: organisation, people, physical, and technology, and we align with international security standards and frameworks.
Storage and retention
We store and retain (keep) your personal data for as long as reasonably necessary to fulfil the purpose it was originally collected. We also keep it for additional purposes, where we are obligated to satisfy accounting, legal, regulatory, reporting and tax requirements. On limited occasions, we may keep personal data longer, where you raise a complaint against us, or where we reasonably believe there is a prospect of litigation.
Privacy policy last update
We aim to keep this privacy policy under regular review in line with our legislation and regulatory requirements. Last review and updated date: 19th November 2024.