ONE LIMITED – PRIVACY NOTICE

This Notice provides you with information about how we use your personal data, which we might receive in connection with our services, enquiries submitted through our website www.oneltd.co.uk (the Site), or otherwise in connection with our business. When we refer to you we mean any individual outside our business – you could be one of our clients, a prospective client, or a supplier, a journalist or just somebody else who has sent us an email through the Site.

We or us means One Limited (company registration no. 03913461), a limited company whose offices are at The Old Slaughterhouse, 3-5 Middle Way Summertown, Oxford, Oxfordshire, OX2 7LH. We’re a data controller in relation to the personal data discussed in this Notice and are registered as a data controller at the Information Commissioner’s Office (ICO) under number ZA291170.

This Notice only covers personal data of which we are the data controller. Sometimes we handle personal data on behalf of our clients at their data processor: that’s dealt with separately in the terms we’ve agreed with our clients.

Summary

Full details are set out in the relevant sections of this Notice below, but keeping it brief:

• we normally receive your personal data from you, but sometimes it might be from a third party with whom we are mutually acquainted (e.g. referrals);
• we use your personal data to conduct our business, keep appropriate records and meet our legal obligations;
• we only provide your personal data to third parties for our business purposes or as permitted by law. We don’t share your data with third party advertisers;
• we store personal data for specified periods for our limited business purposes;
• you have legal rights in relation to your personal data which you can exercise on request;
• the Site does not use cookies, except for analytics purposes; and
• you can contact us to enquire about any of the contents of this Notice.

1. Our use of personal data
   1. When we’re engaged to provide services, we may handle personal data such as your name, contact details, information about your business, and documents and correspondence relating to the services provided by us (such as emails to and from you). We call all of this service data, and we use it for the purposes of providing our services and for record-keeping and client management purposes.
   2. When you communicate with us, or vice versa, and whether by letter, email, through the Site, through social media, or otherwise, we may handle personal data contained in or relating to that communication. may include content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title, address or social media username. We call all of this communication data, and we use it for the purposes of communicating with you and record-keeping. If you are a client or prospective client, then we may also use communication data to provide you with occasional news about our business and services: you can opt out of receiving further news at any time.
   3. We may handle personal data relating to transactions, such as bank account details, contact details, transaction data or associated documents (POs, bills, invoices) in relation to payments made by us to you or by you to us (transaction data).We use this to make and receive payments and to keep proper records of the relevant transactions.
   4. If we have some other commercial relationship with you (for example, a sponsorship or referral relationship) then we may handle your contact details, and any related documents and communications. We call all of this partner data, and we process it for the purposes of administering our commercial relationship with you.
   5. We may collect data about your use of the Site (usage data). This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and other analytics providers and will be aggregated and anonymised in such a way that it’s not actually personal data – but we’re mentioning it for the sake of completeness. We process usage data for the purpose of improving our Site.
   6. Your personal data may be provided to us by someone other than you: for example, we might be introduced to you in correspondence if you and we are both advising the same client, or if we’re working for your employer then they might put us in touch with you in connection with those services. Normally this data will be communication data, service data or partner data as described above and will be processed by us for the purposes described above.
   7. From time to time we might run competitions encouraging participants to send in photos of themselves, or we might take photos of events which we host or support. In each case those photos may include your personal data. We will use those photos for publicity purposes as described in the competition terms or any notice given in relation to the event.
      
2. Our legal basis of processing
   1. We’re required by law to identify the “legal basis” on which we handle personal data. These legal bases are set out in Article 6 of the General Data Protection Regulation (GDPR).
   2. We process personal data on the following lawful bases identified in Article 6 GDPR:
      1. for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing communication data, service data, partner data and transaction data;
      2. for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
         1. communication, service and partner data (as we have an interest in properly administering our business and communications and in developing our business with interested parties);
         2. transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
         3. any personal data in connection with legal claims (as we have an interest in being able to bring and defend claims to protect our rights and the rights of others); and
         4. any personal data in connection with backups of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data); and
      3. on the basis of your consent (Article 6(1)(a) GDPR). This will be our lawful basis for using photos from events or submitted in competitions.
   3. We may also handle your personal data to comply with legal obligations (for example, we have to keep records for tax purposes).
      
3. Providing your personal data to others
   1. We may disclose your personal data to our insurers and/or professional advisers to take professional advice and manage legal disputes.
   2. We may disclose personal data to our suppliers or subcontractors in connection with the uses we’ve described above. For example, we may disclose:
      1. any personal data in our possession to suppliers which host the servers on which our data is stored. In our case, our main suppliers are Google (who provide GSuite) and Microsoft (who provide Microsoft 365) and who host may host all our emails, documents and contact information; and
      2. service data to suppliers who provide us with hosted collaborative working services, like DropBox or Trello;
      3. communication data to providers of email marketing services such as MailChimp; or
      4. transaction data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
   3. We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.
   4. We may also disclose your personal data where necessary to comply with law.
   5. If any part of our business is sold or transferred, your personal data may be disclosed to the new owner.
      
4. International transfers of your personal data
   1. In some circumstances your personal data may be transferred to countries outside the European Economic Area (EEA). These are fairly limited: for example, Microsoft’s and Google’s servers are both within the EEA.
   2. Some of the other service providers discussed above may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. We will ensure that transfers made by our data processors will only be made in accordance with law using appropriate safeguards, such as Privacy Shield or the use of standard data protection clauses approved by the European Commission. You may contact us if you would like further information.
   3. We may also transfer personal data outside the EEA from time to time:
      1. with your consent;
      2. where required by your instructions (for example, if we are supporting you on a campaign based outside the EEA); or
      3. if we take our mobile devices with us when travelling overseas to ensure continuity of service.
         
5. Data securityWe have put in place appropriate security measures to protect your personal data. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where required by law.
   
6. Retaining and deleting personal data
   1. We will delete personal data when it’s no longer needed, and in particular:
      1. service, partner and transaction data will be retained for seven years after the end of the relevant contractual relationship;
      2. communication data will be retained for the period of the enquiry or chain of correspondence and then deleted after twelve months;
      3. usage data (which is anonymised, and therefore not personal data) may be retained by us indefinitely.
   2. We maintain system backups for disaster recovery purposes and may retain those backups for up to [PERIOD]. That means that information which is deleted from our live systems may still remain in backup for up to [PERIOD].
   3. We may retain your personal data longer where necessary to comply with law or in connection with any legal claim.
      
7. Your rights
   1. You have rights under data protection law – they are complex, and subject to exemptions, and you can read guidance from the Information Commissioner’s Office at ico.gov.uk for a fuller explanation of your rights. In summary, though:
      1. the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, to access to the personal data, together with certain additional information;
      2. the right to rectification: you have the right to have any inaccurate or incomplete personal data about you rectified or completed;
      3. the right to erasure: in some circumstances you have the right to the erasure of your personal data (for example, if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes);
      4. the right to restrict processing: you have the right to restrict the processing of your personal data to limit its use. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except to the extent permitted by law;
      5. the right to object to processing: you have the right to object to our processing of your personal data on the basis of legitimate interests (discussed above) or for direct marketing purposes and if you do so we will stop processing your personal data except to the extent permitted by law;
      6. the right to data portability: you have the right to receive your personal data from us if the legal basis for our processing is the performance of a contract with you, and such processing is carried out by automated means; and
      7. the right to complain to a supervisory authority: if you consider that our processing of your personal data is unlawful, you have a legal right to lodge a complaint with the ICO.
         
8. About cookies
   1. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
   2. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
   3. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
   4. Our Site does not use cookies, except for third-party analytics cookies provided by Google Analytics, Yoast and Hotjar which are used to collect usage data and provide reports to us.
   5. Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.
      
9. Our detailsYou can contact us:
   1. by post at The Old Slaughterhouse, 3-5 Middle Way Summertown, Oxford, Oxfordshire, OX2 7LH;
   2. using any contact form on the Site;
   3. by telephone at +01865 200 200; or
   4. by email at hello@oneltd.co.uk .
      
10. Third Parties and Security
    1. The Site may contain links to third party websites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then they may have their own privacy and cookie policies, and we are not responsible for their use of any personal data which you may provide to them.
    2. We do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.
       
11. AmendmentsWe may update this Notice from time to time by publishing a new version on the Site. You should check occasionally to ensure you are happy with any changes to this Notice, although we may notify you of material changes to this Notice using the contact details you have given us.