This Privacy Notice was last updated on: 8th March 2024

We at the Access Group know it is a big responsibility to protect your personal data. This Privacy Notice is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.

We may from time to time update this Privacy Notice, where we deem it appropriate, we will seek to notify you about the changes, however, we recommend you review this page periodically.

This Privacy Notice was last updated on: 8th March 2024

Download copy

About us

The ‘Access Group’ is made up of numerous legal entities which are wholly owned subsidiaries of The Access Technology Group Limited (company registration 05575609). Our primary trading entity is Access UK Ltd (company registration 2343760) – the registered address for both is: The Armstrong Building, 10 Oakwood Drive, Loughborough, LE11 3QF, United Kingdom.

For this Privacy Notice, Access UK Ltd is the controller of the personal data which is processed by it as a controller.

Our Group Data Protection Officer is Danielle Hefford. To contact us regarding our use of personal data, you may email us at [email protected]

We have appointed Core Computer Consultants Ltd (registration number: 91755) as our EU representative under Article 27, EU GDPR. Our representative can be contacted by email at [email protected]

Why we have your information

We process personal data to fulfil our contractual obligations to our customers and to otherwise improve and market our solutions.

There are various ways in which we may process your personal data.

For example, because:

  1. an organisation you work for uses one of our solutions;
  2. an organisation you have engaged with uses our solutions to provide or otherwise make available a service to you;
  3. you have used one of our solutions where we process your data in our capacity as data controller;
  4. you have contacted us;
  5. you work for us;
  6. you visited our website;
  7. your personal data was provided to us by a third party;
  8. as a result of other lead generating activities done by us;
  9. where you sign up or are otherwise registered to one of our platforms;
  10. you are a signatory to a contract with us;
  11. you attended one of our Access led events; or
  12. through the deployment of cookies (or similar technologies).

On what legal basis we have your information

We will only ever process your personal data where we have a lawful basis to do so. We have expanded upon the reasons for us processing your personal data below.

1. Where an organisation you work for uses one of our solutions

If you use our solutions through your employer, for example, our HR, Payroll, or eLearning solutions, then we will process your personal data as a processor (your employer is the controller).

We recommend you read your employer’s relevant privacy documentation for information explaining what personal data is collected, and what for, etc.,

Third parties may also process your personal data (on our behalf). The details of these third parties will be included in the contract we hold with the controller (your employer).

See section “Further processing of your personal data” for what data we may process about you in our capacity as an independent controller.

2. Where you have engaged with an organisation that uses one or more of our solutions

If you use our solutions via a third-party organisation; for example, to submit your CV to a recruitment agency, or to donate money on a charity’s website, then we will process your personal data as a processor (the relevant third-party organisation is the controller).

We recommend you read the third-party organisation’s relevant privacy documentation for information explaining what personal data is collected, and what for, etc.,

Some of our solutions have dedicated privacy notices, where this is the case, these are accessible via our Security Portal or alternatively, they may be accessible within the solution itself.

Third parties may also process your personal data (on our behalf). The details of these third parties will be included in the contract that we hold with the controller.

See section “Further processing of your personal data” for what data we may process about you in our capacity as an independent controller.

3. Where you have used one of our solutions where we process your data in our capacity as data controller

We provide a limited number of solutions where some or all your personal data is processed by the Access Group in its capacity as a controller. For example, DesignMyNight, sPROC, Adam Procure, Adam Housing and Class4Kids.

Where you use one or more of our Access Products and we process all your data in our capacity as controller, the relevant Access Product will make its own dedicated privacy notice available to you, save for where one of the exceptions below applies:

  • Where you are a “Provider” on SProc, Adam Procure or Adam Housing - a “Provider” meaning a user who has signed up to either SProc, Adam Procure and or Adam Housing to bid on opportunities, contract management and or payment purposes.

    The lawful basis for collecting and sharing your information with Access Group customers who have procured services from you as a Provider is contractual, as the processing is necessary for the performance of the contract with you. Where the Access Group customer processes your information outside of the relevant solution, they are doing so as an independent controller of your information.

    Where we use your information to market Access Group solutions which may be of interest to you, our lawful basis is legitimate interests. The legitimate interest pursued is to share service messages pertaining to the solution that is used, and to market Access Group solutions which may be of interest to you.

    The information we will process for marketing purposes is limited to: business email address; business phone number; your name; company name; service category reference and which local authority you’re engaged with to provide services.

We use third party solutions to store and otherwise process your information, they will therefore process your personal data on our behalf.

4. Where you have contacted us

If you contact us, for example, for technical support, to inquire about our solutions, or to download some of our content, we will record the contact made and log necessary details of the interaction on our systems. We process any personal data collected via these methods as a controller.

The data collected (which may be via telephone recording) may include your first and last name, the email address and telephone number you use for business purposes, your job title, and your employer.

Our lawful basis for processing your personal data in this case is legitimate interests. The legitimate interests pursued are to support us delivering on our contractual obligations (where applicable), internal training, to improve the quality of our services, to make information available to you (including marketing), and or to resolve any conflict (where applicable).

We use third party solutions to record and log the contact made with us; they will therefore process your personal data on our behalf.

5. Where you work for the Access Group

If you are an employee of ours, then we will process your personal data as a controller. 

Our lawful basis for processing is described in the dedicated employee privacy notice. 

The relevant privacy notice is made available to you on our internal systems. If you need help locating it, please ask your leader or Employee Success.

6. Where you visit our website

Your personal data, such as your first and last name, telephone number, email address, postal address, job title, employer and any other relevant contact details may be collected by us when you contact us using any of our online forms available on our website.

The lawful basis for processing this information is legitimate interests. The legitimate interest pursued is to keep you informed about the solutions we offer which we think may be of interest to you (i.e., marketing).

Where personal data is collected by us via mechanisms available via the website, we will process that data using third party solutions. These third parties will process your personal data on our behalf.

7. Where your data was provided to us by a third party

We work with several reputable third parties for the purpose of them supplying to us business contact details to allow us to effectively market our solutions. We may also collect information about you from other sources, for example, public sources or third-party social network sites.

Our lawful basis for processing is legitimate interests. The legitimate interest sought is the marketing of our available solutions.

All personal data obtained by us through our sources is done on the basis that we are the controller. 

Where we obtain your personal data through these sources, we will process that data using third party solutions. These third parties will process your personal data.

8. Where we collect your data through lead generating activities done by us

We may collect your personal data through various lead generating activities such as events, webinars, and other networking activities.

Our lawful basis for processing is legitimate interests. The legitimate interest sought is the marketing of our available solutions, or where relevant, to engage with you regarding a sales and purchase agreement.

All personal data collected by us is done on the basis that we are the controller.

Where we obtain your personal data through these activities, we will process that data using third party solutions. These third parties will process your personal data on our behalf.

9. Where you sign up or are otherwise registered to one of our platforms

To give you access to any one of our platforms we require you to register/be registered. The information about you that we process is done so in our capacity as controller. Our lawful basis is legitimate interests. The legitimate interest pursued is the security and confidentiality of the Access Group’s information.

The reference to platforms above includes but is not limited to our: (a) Customer Success Portal (which also includes our Information Security Portal); (b) Finance Portal; and (c) Renewals Portal.

The information required for registration to our platform is limited to: your name, work email address, telephone number, job title, and employer.

Where you submit reviews, testimonials, or other user-generated content (in each case which may contain your views, opinions etc.,) on our platforms, we may reproduce, and display such content for marketing and promotional purposes.

10. You are a signatory to a contract with us

If you act as a signatory on a contract with us, we will process a limited amount of your personal data. This is likely to include your: name, work email address, job title, location data (e.g., IP address used when signing), and your signature (which may be digital or handwritten).

We process this information in our capacity as controller. Our lawful basis is legitimate interests. The legitimate interest pursued is contract management and administration.

11. You attended one of our Access led events

When in attendance at an Access-led event, we may take photographs and or video footage. We process this information in our capacity as a controller, and our lawful basis is legitimate interests. The legitimate interest pursued is to generate marketing/promotional material.

Where you express any opinion/view regarding Access, we may record the same and use and otherwise reproduce this for marketing and promotional purposes. This information will be processed in our capacity as a controller, and our lawful basis is legitimate interests. The legitimate interest pursued is to generate marketing/promotional material.

12. Through the deployment of cookies or similar technologies

We use cookies (and similar technologies) when you use our websites, platforms, solutions (collectively “sites”), and when you interact with us via email. This is to optimise your experience of us and our sites.

In relation to the website that you’re on reading this notice, please see our Cookie Policy for more information.

Our lawful basis for processing personal data via cookies is consent.

All personal data collected by us through our sites and emails are done on the basis that we are the controller.

Cookies and similar tracking technologies are used to collect information about your browsing behaviour and interactivity with our messages. This data is used for targeted advertising, personalising your experience with us, remarketing, analytics, reporting, understanding your preferences and measuring the effectiveness of our marketing campaigns.

Marketing

You may opt out of marketing communications at any time by following the unsubscribe instructions provided in our emails, alternatively you may contact our customer support.

Further processing of your personal data

Please see this privacy notice (also available directly through the relevant Access solution) for further processing of your personal data where you use one of our Access solutions.

In addition to the above, we also act as an independent controller of a smaller subset of data, which we either may collect: (a) directly from you; (b) from the relevant solution(s) you are using; and or (c) through a third party, because you have been identified by us as a key contact pertaining to:

(a) financial matters – meaning we may contact you regarding the payment of invoices. Our lawful basis for processing this data is legitimate interests. The legitimate interest sought is the payment of invoices; and/or

(b) the implementation of an Access solution – meaning we may store some of your information outside of our primary CRM. Our lawful basis for processing this data is legitimate interests. The legitimate interest sought is the administration and management of the Access Group’s business activities.

(c) services or goods we have or might need to procure. Our lawful basis for processing this data is legitimate interests. The legitimate interest sought is the administration and management of the Access Group’s business activities.

In all of the above cases, the information we process is limited to your first name; surname; business email address; location; business phone number; Access Product user role(s); job title; and telemetry data.

We may also use your information to market to you Access Group solutions we think may be of interest to you/your employer. Our lawful basis is legitimate interests. The legitimate interest sought is the sale of Access Group solutions.

Sharing your personal data

We may have to ad hoc share your personal data with regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights.

We have also partnered with reputable third parties to provide a best-in-class service offering to you and our wider customer base (which may include the marketing of Access Group solutions or compatible solutions provided by the Access Group’s trusted partners). Where sharing your personal data with our trusted partners means a transfer to a third country (without an adequacy decision or adequacy regulations, as applicable) is to take place, we will ensure we put in place appropriate safeguards and supplementary measures to ensure an essentially equivalent level of protection (as compared to the UK and EU GDPR) to your personal data will be given.

We may also share your personal data with other members of the Access Group: we will only do this where we have a lawful basis for doing so, for example, fulfilment of contract or legitimate interests. Where the receiver of your personal data is an Access Group entity which is in a third country without an adequacy decision or adequacy regulation (as applicable), the transfer will be safeguarded by, at minimum, an intra-group agreement (which includes recognised model clauses and the UK’s IDTA).

Lastly, we may share your personal data with third parties in connection with a sale of the Access Group (or any part thereof). Where that divested entity becomes a controller of your information, they will supply or otherwise make available to you their relevant privacy notice.

Google disclosure

The Access Group has a variety of applications available via the Google Play Store, including SpitFire, PeopleXD, Applause, and others.

SpitFire’s use of information received, and any of our transfers of information to any other app, from Google APIs will adhere to Google API Services User Data Policy and Google’s Limited Use Requirements.

This same disclosure applies to all applications made available via the Google Play Store by the Access Group.

Further processing of your personal data

Where you use one of our solutions, we may derive or create anonymous data and information about your use of that solution. This anonymised data will be further aggregated before being used either by us or a third party nominated by us to improve our products. We may also commercialise this information, for example, to provide insights to third parties.

Our lawful basis for the anonymisation and aggregation process is legitimate interests, and we carry out this processing as a controller. 

The legitimate interest pursued is statistical analysis to drive informed decision making, for the benefit of both the Access Group and other third parties.

Post completion of this anonymisation and aggregation process (which is irreversible), the data is no longer considered personal data for the purpose of applicable data protection legislation.

Sharing your personal data

We may have to ad hoc share your personal data with regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights.

We have also partnered with reputable third parties to provide a best-in-class service offering to you and our wider customer base (which may include the marketing of Access Group solutions or compatible solutions provided by the Access Group’s trusted partners). Where sharing your personal data with our trusted partners means a transfer to a third country (without an adequacy decision or adequacy regulations, as applicable) is to take place, we will ensure we put in place appropriate safeguards and supplementary measures to ensure an essentially equivalent level of protection (as compared to the UK and EU GDPR) to your personal data will be given.

We may also share your personal data with other members of the Access Group: we will only do this where we have a lawful basis for doing so, for example, fulfilment of contract or legitimate interests. Where the receiver of your personal data is an Access Group entity which is in a third country without an adequacy decision or adequacy regulation (as applicable), the transfer will be safeguarded by, at minimum, an intra-group agreement (which includes recognised model clauses and the UK’s IDTA).

Lastly, we may share your personal data with third parties in connection with a sale of the Access Group (or any part thereof). Where that divested entity becomes a controller of your information, they will supply or otherwise make available to you their relevant privacy notice.

Storage and disposal of your personal data

Where we have your personal data acting in our capacity as a controller, we will delete your personal data in accordance with our data retention schedule (available via our Security Portal), or as otherwise required by data protection legislation: including where you choose to exercise your rights as a data subject (see ‘Your Rights’ section for more information).

Where we have your personal data acting in our capacity as a processor, we will delete your personal data in accordance with the controller’s instruction, or as otherwise required by data protection legislation. If we are required by law to retain any of your personal data, we will inform the controller of this lawful obligation.

Your rights

Regardless of your geographical location, we will process your personal data in accordance with the rights stated below:

  • Your right of access - You have the right to ask us for copies of your personal information.
  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • Rights in relation to automated decision making.

To exercise any of these rights, please contact [email protected]

Where we rely on consent as a lawful basis of processing, you may withdraw your consent at any time by emailing us at [email protected]

Important note

If you feel we have not processed your data in accordance with the Principles and Rights of the individual under GDPR (EU or UK), please contact [email protected] (or our EU representative, [email protected]) for our complaints procedure, or you may raise a complaint with the Information Commissioners Office - external link (or other relevant supervisory authority) but we would like the opportunity to resolve any issues first.