Privacy Policy

Who we are

We are Driftrock Limited, a company incorporated in England, company number 08717688, with its registered office at 124 City Road, London EC1V 2NX, United Kingdom.

In the UK, we are registered with the ICO as a data controller/fee payer under number ZB049770.

Our role

For the most part, Driftrock acts as a Processor for our clients’ data. That means when we process personal data, we are doing so purely on the instruction of another company (the Controller). We act as a Sub-processor when we work via a publisher who is collecting leads on behalf of a Controller.

Driftrock, does on occasion, act as a Controller. This is only for the data that we process for our day-to-day internal business operations. It is a small amount of data, and we keep to a minimum the information we hold about you.

This privacy notice refers to the data we process as a Controller only.

Your rights

You have rights in respect of our processing of your personal data. The relevant rights are:

Right to be informed: You have the right to be informed about the collection and use of your personal data;
Right of access: You can request access to a copy of the personal data which we hold about you, as well as details about why and how we use it;
Right to rectification: You can ask us to change or complete any personal data we hold about you which is inaccurate or incomplete;
Right to erasure / right to be forgotten: You have a right, under certain circumstances, to ask us to delete any personal data we hold about you. Please note that there may be situations where we must retain your personal data after a request for erasure where we have a lawful basis for doing so;
Right of restriction: You can ask us to restrict (i.e. prevent) the processing of your personal data where you have objected to our use of it and we have no lawful basis to continue processing your personal data;
Right of data portability: In certain circumstances, you can ask us to transfer the data we hold about you to another service. This would be sent in a structured, commonly used, electronic form;
Right to object: You can object to us using your personal data for particular purposes; and
Automated decision making: You have a right not to be subjected to automated decision making and profiling, in certain circumstances.

If you want to exercise any of these rights or to raise a data protection complaint, please contact us:

By email at: dpo@driftrock.com
By post: Driftrock Limited, 124 City Road, London EC1V 2NX United Kingdom

You also have the right to lodge a complaint about our processing with a supervisory authority; in the UK that is the ICO whose details are here:

https://ico.org.uk/make-a-complaint/

Data sharing and transfers

We have a number of processors such as cloud service providers who act on our behalf. We have Data Processing Agreements in place with these processors to ensure that your data is processed in compliance with the law and only upon our instruction. We never sell your data.

Transfers of your data outside the UK or EEA

When we work with external service providers outside the UK or EU, we only transfer data if the destination country or organisation is considered by the UK or EU to have sufficient data protection safeguards in place (‘adequacy’) or, if not, we take steps to ensure your data's safety, such as using EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA). When we rely on those mechanisms, we also carry out due diligence and transfer impact assessments to ensure they provide enough protection within the local legal framework.

Automated decision making

We do not use your personal data in any automated processes to make decisions about you.

Technical and operational security

We take data protection and information security responsibilities seriously. Driftrock’s systems are certified to the ISO 27001 and ISO 9001 standards for managing information security and quality. Our staff receive training in data protection and information security. All our data and devices are encrypted. We maintain up to date anti-virus and anti-malware protection.

What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our Privacy Notice

We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up to date.

If we make any material changes to the way we process and use your personal data, we will contact you to let you know about the change.

Contact us

If you have any questions about this privacy notice or our data protection practices, please contact our DPO as shown above.

If you submit a data subject request please note that we will need to process some personal data to handle the request. For any data subject requests where you were not the requester, we will redact (remove) information about you from our response unless you agree to provide it. The lawful basis for the processing is Legal Obligation. We would hold the applicable data for 12 months or for as long as legally or contractually required, depending on the nature of the data, and a record of the request is held for 8 years.

‍

Tell me more…

To see more about how we use your personal data, read the notice or notices below which apply best to your relationship with us:

Client, Agent, Platform User
Potential Client or Agent
Website Visitor
Supplier or Potential Supplier
Driftrock Director or Shareholder
Candidate Employee

‍

- - -

‍

Client, Agent, Platform User Privacy Notice

Data that we hold and how we use it

As a Driftrock Client, Platform User or Agent on behalf of a Client, we may hold the following data on you: name, email, role, company you work for, phone number, LinkedIn URL, industry, location, Driftrock access status, signature or e-signature, company address.

We use this data for: billing purposes, contract signing, managing our relationship (including booking calls, maintaining your contact information), sending you necessary service emails, and for handling any feature change requests you make. We may send you information about our product and services that we think will be of interest to you.

As part of maintaining our account relationship with you, we may also have information you have shared in messages to us, and notes taken during calls, or occasionally, a recording of the call.

If you have been featured in a client case study, we have a record of any quotes or testimonials attributed to you, and video footage if applicable.

If you take part in a customer feedback session for product improvement, we also hold any notes collected during the session, and possibly a video recording of the session.

If you consent to the use of non-essential cookies on the platform, we use the following data to help us understand and improve use of the product: IP address, usage data, name, company you work for.

We will have received this information directly from you and your use of the platform.

Lawful basis for processing

The lawful basis is Consent when you consent to using non-essential cookies on the platform.

Our lawful basis for processing your data is Legitimate Interest:

For contract signing, account management and billing.
For business development and product improvement activities.

Retention periods

For contract e-signing, billing, and service emails, the data is held for 7 years after the end of the contract.
Platform usage data analytics are held for the duration of the contract.
For account management and contact relationship management, the data is held for 6 years after the end of the contract.
Information from customer feedback and feature change requests is held for 3 years.
Data used for sending marketing emails is held for 2 years from the last relevant interaction.
Case studies information is held for the duration of the campaign.

‍

- - -

Potential Client or Agent Privacy Notice

Data that we hold and how we use it

As a Potential Client, or Agent on behalf of a Client, we may hold the following data on you: name, email, role, company you work for, phone number, LinkedIn URL, industry, location, your correspondence with our team, data about keyword searches and interactions with our social media content.

We collect or use this data when we: identify leads, manage information (such as contact details and industry sectors), track and manage our relationship (including communicating with you and arranging calls), and when we use email marketing, LinkedIn messaging, social media advertising and search engine optimisation to send you product or service information that we think will be of interest to you.

When we do technical and compliance checks for a commercial contract, we may hold these additional details: signature or e-signature.

We receive most of these data directly from you, or from details you have made publicly available e.g. on LinkedIn. We may use third party tools to source contact details and LinkedIn URLs of people we believe our product or service is relevant to.

Lawful basis for processing

When we do technical and compliance checks for a commercial contract, our lawful basis for processing that data is Legitimate Interest.

For the other activities listed above, our lawful basis is our Legitimate Interest, for business development.

As you are a corporate entity, we also abide by the Privacy and Electronic Communications Regulations (PECR). This means we give you the chance to opt out of email or text marketing on any that we send you. We only share details of our own goods and services in our marketing. If your details were not sourced directly from you then we contact you once we have them, to let you know that we have your data and give you the chance to opt out.

Retention periods

For technical and compliance checks and commercial contract negotiation, we hold your information for 7 years after the end of the contract.
For collecting lead sign-ups, tracking marketing leads and sending marketing emails we hold the information for 2 years from the last relevant interaction.
When identifying potential Client and Agent leads, managing contacts and corresponding with you, we hold the information for as long as we think this may be of interest to you.
Data about your interactions with our social media advertising is retained for the duration of the advertising.
Messages exchanged with you on LinkedIn are retained as per the platform’s settings.

- - -

Website Visitor Privacy Notice

Data that we hold and how we use it

As a visitor to our website we hold information about your usage of the website, including IP address and tracking information.

This information is sourced from your activity, using cookies. We use it to enable website functionality (essential cookies), and to monitor and understand user behaviour on the website in order to make improvements.

Lawful basis for processing

Our lawful basis for processing your data is Consent when you agree to non-essential cookies, and Legitimate Interest for cookies that enable essential functionality.

Retention periods

We hold website user data for up to 14 months.

- - -

Supplier or Potential Supplier Privacy Notice

Data that we hold and how we use it

As a supplier or potential supplier to Driftrock, we may hold the following data about you: name, email, role, company you work for, company address, phone number, invoice details, bank details, signature or e-signature.

We use this data for reviewing tenders for goods and services, entering into supplier contracts, and paying invoices. The data we hold will have come directly from you.

Data sharing

We share some data with our accountancy partners and payment platforms in order to pay invoices.

Lawful basis for processing

Our lawful basis for processing your data is Legitimate Interest, to manage the business relationship and transactions.

Retention periods

Data associated with paying invoices is held for 7 years after the end of the contract.
Contract information is held for 6 years after the end of the contract (or to the end of any warranty or service periods, if longer).
Information about tenders or quotes is held, if successful, for 6 years after the end of the contract (or to the end of any warranty or service periods, if longer). If unsuccessful, it’s held for 400 days after the last correspondence.

‍

- - -

Driftrock Director or Shareholder Privacy Notice

Data that we hold and how we use it

If you are a Director or Shareholder of Driftrock, we hold the following data about you: register of Directors' interests, details of shareholdings.

This data would have been sourced directly from you.

Data sharing

We share the data with Companies House, our accountant, financial advisers, lawyers, auditors, and regulators if required.

Lawful basis for processing

Our lawful basis for this processing is Legal Obligation.

Retention Periods

These records are kept for as long as legally required.

- - -

Candidate Employee Privacy Notice

Data that we hold and how we use it

As a Candidate Employee we hold the following data on you: name, email, CV information, address, phone number, interview notes, location, salary, start date, correspondence relating to an offer, and references received. We use this in the recruitment process and for finalising a contract, if successful.

We will have received this information directly from you or generated it during the recruitment process.

Lawful basis for processing

Our lawful basis for processing your data is Contract; we use the data to recruit appropriate candidates for roles at Driftrock and to draft a contract for successful candidates.

Retention periods

If you are not successful in securing a role, then we will keep your details on our database for a period of 12 months.
If you are successful in gaining employment with Driftrock then you will fall under the Employee Privacy Notice going forward; please refer to the employee handbook.

‍