- Purpose of collecting data.
- Lawful basis for processing data.
- Categories of data collected.
- Methods used for data collection.
- Data retention period.
- Disclosure of personal information.
- Individuals' rights.
- Security policy.
- International transfers policy.
- Breach notification policy.
- Third-party websites.
- Changes to the policy.
- Using this policy for your own purposes.
Welcome to Neos Chronos Limited.
For the purpose of the Act and GDPR, the Data Controller is Neos Chronos Limited. We are a company registered in England and Wales, with number 08407585. Our registered office address is 5a Frascati Way, Maidenhead, SL6 4UY, United Kingdom.
To contact Neos Chronos please visit our contact page.
2. Purpose of collecting data.
We collect personal and non-personal data to improve our customers' experience and Neos Chronos' business performance. Our use of data aims (but is not limited to) to enable to
- Evaluate the usefulness and performance of our Websites
- Deliver content News Subscribers have selected to receive
- Create project proposals, negotiate contracts with Prospective Clients
- Request project proposals, negotiate contracts with Prospective Suppliers
- Fulfill contracts, send certificates and invoices to Clients
- Accept delivery, pay Supplier invoices
- Pay Employee salaries, insurance, taxes, vacation, etc.
We will never sell personal data or non-personal data.
3. Lawful basis for processing data.
We will collect data only under the existence of
- Consent - you have given clear consent for us to process your personal data for a specific purpose.
- Contract - the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Legal obligation - the processing is necessary for us to comply with the law (not including contractual obligations).
- Legitimate interest - the processing is necessary for our legitimate interests.
4. Categories of data collected.
We distinguish the following categories of data collected
- Personal information - this is information that would allow a party to identify a person such as an individuals' full name, email address, telephone number, messaging & social media handles, postal address, bank account details, National Insurance number, financial and payment details.
- Communication preferences - this is information attached to Personal Information that specifies the type of content we can share as well as the frequency of sharing.
- Communication history - this is personal information we may create by storing records of communication interactions with us.
- Company information - this is non-personal information such as company name, company registered/postal address, company number, company VAT number.
- Non-personal browsing and site usage data - this is general information such as country or city website visitors are located (not intentionally fine-grained location information), pages visited, heat-map of visitors' activity on the site, information about the browser they are using, etc.
We do not collect any information from anyone under 18 years of age. Our Websites, Products, and Services are all directed to people who are at least 18 years old or older.
5. Methods used for data collection.
We employ direct, observed and indirect data collection methods.
- Personal information (direct) - we collect personal information provided to us directly by News Subscribers, (prospective) Clients and Suppliers and Employees either online (via our website, email exchanges, messaging & social media conversations, etc) or offline (face-to-face).
- Communication preferences (direct) - we collect communications preferences provided to us by News Subscribers online (web forms on our website).
- Communication history (direct) - we create records of communication interactions with news subscribers, (prospective) suppliers/clients, and employees either online (via our website, email exchanges, messaging & social media conversations, etc) or offline (face-to-face).
- Company information (observed and direct) - we collect company information either publicly available online (business registries, company websites) or lawfully provided to us by news subscribers, (prospective) suppliers/clients, and employees offline (face-to-face).
- Non-personal browsing and site usage data (indirect) - we collect browsing and site usage data automatically online.
We collect anonymous statistics using "cookies". Cookies are small pieces of data which are sent from a web server to an individual's web browser to help provide an anonymous identifier for users, and be able to aggregate anonymous statistics of user visits. These statistics are then used to improve the website experience. The cookies set our Websites originate from consent plug-ins and Google Analytics. The names, function and expiration times of those cookies are detailed here:
- cookiebar - this cookie is set by us to indicate if a website user has been shown a consent pop-up. It is set with an expiration time of 30 days.
- cookiebar-value - this cookie is set by us to indicate if a website user has accepted or declined the use of analytical cookies. It is set with an expiration time of 30 days.
- cookiebar-lang - this cookie is set by us on runnymarmalade.com and stores the user's chosen website language. It is set with an expiration time of 30 days.
- _ga - this Google Analytics cookie is used to distinguish anonymised users. It is set with an expiration time of 2 years.
- _gid - this Google Analytics cookie is used to distinguish anonymised users. It is set with an expiration time of 24 hours.
- _ga_<container-id> - this Google Analytics cookie is used to persist session state. It is set with an expiration time of 2 years.
Follow the link to find detailed technical information on cookies set by Google Analytics.
If you have subscribed to and provided us your consent to receive our marketing communications, then MailChimp, our email marketing automation services provider, may use other, similar technologies from time to time, like web beacons, pixels (or "clear gifs") and other tracking technologies. These are tiny graphics files that contain a unique identifier that enable us to recognise when someone has visited our website or, in the case of web beacons, opened an e-mail that we have sent them. Follow the link to find detailed technical information on cookies set by MailChimp.
If you would like to know more about cookies and how to control or delete them, then we recommend you visit aboutcookies.org.uk for detailed guidance.
7. Data retention period.
The lawful basis underpinning data collection influences data retention periods.
- Website visitors - cookies are retained until consent is revoked. In order to meet our legitimate interest, Non-personal browsing and site usage data are retained for at least 4 years.
- News subscribers - personal data and communication preferences are retained until consent is revoked.
- Prospective clients/suppliers - In order to meet our legitimate interest personal data are retained for a minimum of 12 months from the point the last active contract engagement ceased.
- Clients/suppliers - In order to meet our legal obligation personal data are retained for 6 years from the point the last active contract ceased.
- Employees - In order to meet our legal obligation personal data are retained for 6 years from the point the employment contract ceased.
- Communications history - In order to meet our legitimate interest and legal obligation, records of communications are retained for the same period as the personal data they refer to.
8. Disclosure of personal information.
In general, it is not Neos Chronos' practice to disclose personal information to third parties. We may share personal information in two instances:
- Neos Chronos may share personal information with our suppliers and service providers in order to maintain, enhance, or add to the functionality of the websites.
If Neos Chronos is required to provide a third party with your personal information (whether by subpoena or otherwise), then provided we have collected and retained an email address for you, Neos Chronos will use reasonable means to notify you promptly of that event, unless prohibited by law or Neos Chronos is otherwise advised not to notify you on the advice of legal counsel.
9. Individuals' rights.
Here is the list of your rights
- Right of access - you can contact us at any time to request access to personal data we may hold about you. We will comply with your request within one (1) month from receipt at no cost to you. We may, however, charge you a fee, or refuse to comply, if your request is manifestly unfounded, excessive, or repetitive.
- Right to rectification - you can contact us at any time to request rectification of personal data we may hold about you. We will comply with your request within one (1) month (two months for complex requests) from receipt at no cost to you.
- Right to erasure - You can trigger the erasure of personal data at any time.
- As a website visitor, you can erase your browser's cookies and stop visiting our websites
- As a news subscriber, you can unsubscribe from our mailing list
- As a prospective supplier/client/employee: please contact us at any time with your request
- As a supplier, you can stop accepting our purchase orders
- As a client, you can stop purchasing from us
- As an employee, you can submit an employment termination notice
- Right to restrict processing - You can trigger the restriction of processing of personal data at any time.
- As a website visitor, you can stop visiting our websites.
- As a news subscriber, you can update your preferences
- Right to data portability - As a news subscriber, client, or supplier, you can request an electronic copy of the personal data we may hold about you. We will comply with your request within one (1) month (two months for complex requests). We will provide your personal data in a structured, commonly used and machine-readable form (e.g. CSV).
- Right to object - You can object to the processing of personal data at any time. Due to the nature of the data processed by Neos Chronos, such objection is equivalent to the "Right to erasure".
- Rights related to automated decision making including profiling - None of Neos Chronos processing operations comprise automated decision-making including profiling. We are a business run by humans for humans.
- Right to lodge a complaint with a supervisory authority - You can contact us at any time if you have a concern about the personal information we hold about you, or how we use it. We will do our best to help. If, after contacting us, you are still not satisfied you have the right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then tell you of the progress and outcome of your complaint. The supervisory authority in the UK is the Information Commissioner's Office (ICO).
Neos Chronos is registered with the ICO since the 11th June 2013. Our registration reference is ZA003790.
10. Security Policy.
We have implemented technical measures (security), organisation measures (access roles), processes (transparency of use) and commercial measures (choice of service providers/data processors) to integrate "data protection by design" into our processing activities.
- Our website and company email services are hosted on ISO 27001 certified data centers located in the European Union. Both our website and email services are configured to be accessed only via a secure connection.
- The email clients we use have spam-recognition turned on. We train our staff to use strong passwords, avoid sharing sensitive information via email, recognise phishing attempts, and do not open spam emails.
- Whenever personal information is stored on local servers, these have up-to-date firewall, virus scanning, anti-malware and operating system software. Where possible, such systems are set up to receive automatic software and security updates to minimise vulnerabilities.
- All access to servers and files containing personal information (whether stored locally or in the cloud) is restricted by password and/or secure key (and where possible: encrypted). Access to cloud servers that host our information is via a secure connection. We take regular back-ups of the information on our computer systems and keep those in a separate place.
- Only required data are processed. This is both a privacy (less exposure) and a commercial measure (higher accuracy, less cost). We take reasonable steps such as contractual templates with pre-determined placeholders to ensure that we only process what is necessary.
- Only specifically appointed employees have access to personal data, and they share personal data on a needs-basis.
- We securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk).
- We operate paper-free. When applicable, we shred all confidential paper waste that might be provided to us by clients, suppliers and service providers.
11. International transfers policy.
We may transfer your personal data to recipients in countries outside the EEA. Where this is the case, we have taken steps to ensure your Personal Data is adequately protected. Neos Chronos uses the services of the following service providers/data processors:
- Strato.de – Webhosting and Email services. Strato hosts data exclusively in its own data centers the EU, Germany. No international transfers outside the EU/EEA take place for the functionalities used by Neos Chronos.
- Tresorit.com – Encrypted storage services. Tresorit uses Microsoft Azure data centers located in the EU, in Ireland. No international transfers outside the EU/EEA take place for the functionalities used by Neos Chronos.
- Xero.com – Accounting services. Neos Chronos has signed a Data Processing Addendum that warranties an adequate level of protection for any personal data processed by Xero and/or transferred by Xero outside the European Economic Area.
- MailChimp.com – Marketing Automation Services. Neos Chronos has signed a Data Processing Addendum that warranties an adequate level of protection for any personal data processed by MailChimp and/or transferred by MailChimp outside the European Economic Area.
- Google.com – Website Analytics and cloud authentication, database and storage services. For Analytics, Neos Chronos has accepted Data Processing Terms that warranty an adequate level of protection for any personal data processed by Google and/or transferred by Google outside the European Economic Area. For authentication, database and storage services no international transfers outside the EU/EEA take place for the functionalities used by Neos Chronos.
12. Breach notification policy.
Whilst we take great care to ensure any confidential information remains protected, no website and/or connected server can fully eliminate security risks. Third parties may circumvent our security measures to unlawfully intercept or access transmissions or private communications sent over the Internet.
We proactively scan notifications of our data processors and from systems to identify breaches that may have occurred. In case we identify a breach, we will always
- Contact concerned parties directly and without undue delay
- Post a reasonably prominent notice to our websites
- Use backups to return to a clean system status (software and data)
- Review and update our security policy as necessary.
13. Third-party websites.
14. Changes to the policy.