Privacy Matters

Aninstance Consultancy Privacy Policy

What is Aninstance Consultancy?

Aninstance Consultancy is the trading name of Daniel Bright, an independent provider of web and technical consultation services and software development, based in Moray, Scotland. Aninstance Consultancy provides full-stack technical support services, cloud services management, software solutions and consultation.

"Daniel Bright, trading as Aninstance Consultancy", will hitherto be abbreviated to "AC" in the remainder of this document, for the sake of brevity.

AC's website address is: https://www.aninstance.com

AC is a “Data Controller” of personal information submitted by clients. This means that AC is responsible for deciding how and why client submitted data is processed.

AC is registered with the Information Commissioner's Office as a Data Controller.

How to get in touch

All data protection or personal information enquires should be emailed to privacy@aninstance.com, or sent by post to the business address as specified in AC's Data Protection Registration, lodged with the Information Commissioner's Office.

Definitions

  • Client: An individual or organisation for whom AC has provided paid or unpaid (pro bono publico) work, by prior agreement. For the purpose of this document, a client is defined as an individual or organisation for whom aforesaid work occurred at least once during the past 7 years. If the "client" is an organisation, the "data subjects" would be any named representatives of that organisation, as registered on the client account with AC at the time any given client data was recorded by AC or AC's vendors or service providers. If the "client" is an individual, the "data subject" would be that individual.
  • Client account data: Data about the client, including but not limited to: Contact details; ticketing and invoicing data; transaction history; work diary entries for services for consultation provided to the client.
  • Data controller – A controller determines the purposes and means of processing personal data.
  • Data processor – A processor is responsible for processing personal data on behalf of a controller.
  • Data subject – Natural person
  • Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
  • Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
  • Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Third party – means a natural or legal person, public authority, agency, company, organisation or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

What personal data is collected and why

Client information

Transaction records

AC retains transaction records both online and offline, for the purpose of fulfilling work orders and contracts, and to pursue the legitimate interests of our AC. These records are retained for the duration and in the manner described in the sections below.

Contact information

AC may store contact information (including names, addresses, email addresses and telephone numbers) for new or existing clients in order to contact in relation to:

  • Ongoing service contracts
  • Support tickets
  • Invoicing and billing (including processing transactions and maintaining a transaction history for AC and client access)
  • Offering new or existing products or services provided by AC or AC's affiliates (this communication is opt-in, and clients are entitled to opt-out at any time)

You have the right to request amendment or deletion of your contact information at any time. To do so, please email privacy@aninstance.com

Information provided in communications

AC may store and process personal information that is provided in communications related to AC's products, services and consultancy for the purpose of providing such products, services and consultancy, and for other purposes that are in the legitimate business interests of AC. For example, a client's name and details of a support request may be recorded in a ticketing system or in a work diary.

Other party information

AC may encounter personal information of other parties that is controlled by clients whilst undertaking work for those clients. AC will endeavour to treat that data in accordance with obligations under the GDPR. AC will only process such data for the purpose of providing the support or consultation service requested by client. For example, transaction records may be encountered during maintenance of an e-commerce website, or personal information of the client's colleagues or employees may be processed whilst working on the client's systems.

Website contact forms and email

When you use contact forms on AC's website, the information you provide will only be used for the purpose for which it was submitted (for example, to respond to an enquiry or work through a support ticket).

Your data will be stored so long as is necessary for the legitimate interests of AC. Your data may be archived offline (not directly accessible through the public internet) for the purpose of maintaining records of business activity and to allow review of previously undertaken work, both for the benefit of AC and the submitter of that data (for example, the client). Archived email is encrypted at rest and protected by a strong password with 2nd Factor Authentication (2FA).

You have the right to request details of this type of data that AC holds about you, and to request it’s amendment if erroneous, and/or it's deletion.

To make such a request, please email privacy@aninstance.com

Data submitted through contact forms may also be stored in backups of web servers, which typically last for no more than 6 months. Please see below for details of AC's website data backup policy.

Website and web service cookies

Cookies are small strings of information that a website or web service places on the user’s web browser in order to identify that browser and store small amounts of (possibly unique) information. AC will set cookies on websites and web services that are necessary to facilitate the secure operation of those websites and web services and to allow users, clients and customers to use the websites and web services for the requested purpose - for example, to complete the checkout process when making a transaction, or to login and access secure areas of the websites and web services.

Other types of cookies that may be set on websites or web services owned by AC are preferential cookies (to customise the website to a user’s preference – setting the time zone or changing the colours, for example), and social media cookies (these are often served by third-party social media sites, like Twitter buttons or feeds). Users may refuse to consent to the use of preferential and social media cookies, at the cost of being unable to access those features or functionality that depend upon those cookies being set.

If non-necessary cookies are used, users are prompted to accept their use before they are set. Permission for setting non-necessary cookies may be revoked at any time by simply clearing from the browser all existing cookies set by the websites and web services owned by AC.

AC does not set cookies for the purpose of tracking users for marketing or statistical collection.

Embedded content from other websites

Articles on AC's website may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

When embedded content is used, AC will endeavour to request consent to serve you this content prior to it being downloaded to your browser.

Analytics

AC does not currently collect personal information for statistical analytics purposes.

IP addresses

When you use AC's website or web services, the IP address of your internet connection (usually provided by your ISP) will be logged. This is deemed necessary in order to maintain the security of the website and web services. IP addresses may be retained in server backups for a period of 6 months subsequent to the time they were recorded.

Who has access to your data & where it is sent

Clients of AC have access to their own data, either directly through online interfaces, or through request. To request a copy of your personal data from AC, please email privacy@aninstance.com.

Your data may be shared with and processed by third parties who are providing services or consultation to AC. These third parties are carefully chosen and will have demonstrated a commitment to handle personal data in an approprate and lawful manner. In these cases, your personal data would only be processed by the third parties for purposes directly related to providing service or consultation to AC that is in the legitimate interest of AC.

If your personal data is sent outside the UK for storage or processing, AC will seek to ensure that it is only sent to organisations that have agreed to provide equivalent data protections as are required in UK and EU.

For example, if sent to the USA, the controller and/or processor of that data would need to demonstrate compliance with the EU-US Privacy Shield arrangement.

Currently, external companies and organisations that AC shares your data with, or who may have access to your personal data as contractors, consultants, vendors or service providers, include:

List of vendors & service providers

Below is a list of vendors and service providers used by AC. This list is not guaranteed to be exhaustive and may be subject to frequent updates.

If you would like more detailed information about which particular vendors and service providers may handle specific types of your own personal data on behalf of AC, please email privacy@aninstance.com

The privacy policies, terms and conditions of the vendors and service providers listed below may be found on their websites, the URLs of which are included here. By agreeing to AC's privacy policy, you also agree to any of your data that is transferred to these third party vendors or service providers for storage and/or processing being handed in accordance with the privacy policies, terms and conditions of the third party vendors and service providers to whom your data is transferred.

Financial
  • PayPal, to process online payments. May be transferred to the USA for storage & processing. For this vendor’s terms, conditions & privacy policy, please visit https://www.paypal.com
  • Stripe, to process online payments. May be transferred to the USA for storage & processing. For this vendor’s terms, conditions & privacy policy, please visit https://www.stripe.com
  • GoCardless, to process online payments. May be transferred to the USA for storage & processing. For this vendor’s terms, conditions & privacy policy, please visit https://gocardless.com
  • Royal Bank of Scotland, to process online and offline financial transfers and maintain banking records. For this vendor's terms, conditions & privacy policy, please visit https://personal.rbs.co.uk
  • Co-operative Bank Plc, to process online and offline financial transfers and maintain banking records. For this vendor's terms, conditions & privacy policy, please visit https://www.co-operativebank.co.uk
IT infrastructure, web servers, cloud services, software vendors
  • Scaleway, for data storage, cloud and server infrastructure. Data may be transferred to the EU for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.scaleway.com
  • Guru, for data storage (including email), and web services. For this vendor's terms, conditions & privacy policy, please visit https://www.guru.co.uk
  • Postmark, for email service provision, including processing of AC's incoming and outgoing email. May be transferred to the USA for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://postmarkapp.com
  • Protonmail, for email service provision, including storage of email archives. Will be transferred to Switzerland for sotrage and processing. For this vendor's terms, conditions & privacy policy, please visit https://www.protonmail.com
  • InvoiceNinja, for invoicing, quotation, and ticketing services, including storage and processing of client's names, addresses, financial information and other personal data. Data may transferred to the USA for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.invoiceninja.com
  • Tarsnap, for data backup. Data may be transferred to Canada, the EU and the USA for storage and processing.For this vendor's terms, conditions & privacy policy, please visit https://www.tarsnap.com
  • Amazon Web Services, for data storage, and cloud and service infrastruture. Data may be transferred to the USA and the EU for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://aws.amazon.com
  • Digital Ocean, for data storage, and cloud and service infrastruture. May be transferred to the USA and the EU for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.digitalocean.com
  • ClouDNS, for DNS services. Data may be transferred to the USA and the EU for storage & processing. For this vendor's terms, conditions & privacy policy, please visithttps://www.cloudns.net
  • Namecheap, for DNS and domain registrar services. Data may be transferred to the USA and the EU for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.namecheap.com
  • Fasthosts, for DNS and domain registrar services. Data may be transferred to the USA and the EU for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.fasthosts.com
  • NextCloud, for data storage and work diary provision and archiving. Data may be stored on local NextCloud servers, and/or transferred to the EU and the USA for storage and processing. For this vendor's terms, conditions & privacy policy, please visit https://nextcloud.com
  • Google, for email service provision, including processing of AC's incoming and outgoing email and storage of email. May be transferred to the USA for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.google.com
  • Fastmail, for email service provision, including processing of AC's incoming and outgoing email and storage of email. Will be transferred to the USA for storage & processing. For this vendor's terms, conditions & privacy policy, please visit https://www.fastmail.com. For details of this service provider's security practices, see here: https://www.fastmail.com/help/ourservice/security.html

How long your data is retained and why

Website and web service data backups are stored as per the data backup retention policy (please see below). This data may include web server access logs, which contain IP addresses of website and web service users.

AC may retain client account data (for details of what that includes, see Definitions above), for:

  • As long as is required for accounting and auditing purposes (typically 7 years).
  • As long as is necessary to provide products, services and consultation.
  • As long as considered to be in the legitimate interests of AC.
  • Client account data may be kept in the invoicing application used by AC (for more information see the "Client account data" section, below), and/or in local and/or remote backups (for more information, see Data backup retention policy, below).

Support ticket details may be kept for up to 7 years within the invoicing application used by AC, for accounting and auditing purposes, and to provide a history to AC and AC's clients of work undertaken, services provided and products sold.

Support tickets themselves, including support related emails, and other client account data that is not stored in the invoicing application used by AC, may be retained for as long as is in the legitimate business interests of AC. Typically, this would be no longer than 6 months following the generation or submission of that information.

Client rights over their data can be found in the "What rights you have over your data" section, below.

How and where your data is stored

AC may keep personal data in the following locations:

  • UK, EU or USA based service providers (please refer to list of vendors & service providers, above). Systems are kept up-to-date with available patches and security fixes.
  • Locally at AC's premises. Data stored digitally, encrypted-at-rest, on a password protected system, with very limited, controlled access. Paper records stored in locked containers with very limited, controlled access.

Client account data

AC may store client account data (see Definitions, above, for details of what that that entails), in an invoicing application. This application may provide online access for clients to view their own client account data, and to request amendments in the event of errors in that data. The invoicing application currently in use is called InvoiceNinja (for more information, please refer to the list of current service provider's above) and may store data either locally on AC's premises and/or on EU or USA based infrastructure.

The invoicing application may set cookies on the client's web browser when they access the application, in order to identify the client and to facilitate access for the client to their data (please see the Website and Web Services Cookies section, above). The current URL of this invoicing application is https://clients.aninstance.com

Client account data held in ticketing systems, work diaries and emails may be stored on AC's website, or in remote storage, or in local storage. Specifically:

  • Emails are stored either locally (digital, encrypted) or on secure servers with an email vendor, as listed above.
  • Support ticket data may be stored both in email form (as above) and as digital or paper files stored locally or with a service provider listed above.
  • Work diary entries may be stored both on and offline, locally and/or with a remote service provider, in vendor provided software as listed above.

Deletion of elements of a client account data may be requested, however requests of erasure would be considered in light of the type of data in question, the lawful requirement of data retention for auditing and accounting purposes, and the the legitimate business interest of AC.

Data backup retention policy

Personal data stored on websites, web services, local storage and cloud storage owned by AC, may be stored in backup archives, which typically exist for between 6 months and 7 years, depending upon the type of data being archived.

Financial data, including transaction histories and invoices, and all client account data stored by AC (see the Client account data section, above) would usually be kept for 7 years following the date on which it first submitted or generated, or last edited. This includes all client account data stored in the invoicing application used by AC.

This backup data is kept in a “non-live” state and stored securely. If AC needs to restore backups, AC will undertake to ensure that any restored personal information is treated in accordance with the storage and retention policies as laid out in this document. Essentially, this means that if your data has been amended or erased from a ‘live’ website or web service, then AC would seek to ensure that data is also deleted from a backup in the unlikely event in which that backup had to be restored to a ‘live’ state.

Personal data may be stored in very strongly encrypted backups on the secure Tarsnap backup service, which currently uses a storage backend provided by Amazon Web Services (AWS).

What rights you have over your data

Right to access and amend your personal information

You can request to receive a copy of the personal data AC holds about you, both online and offline.

You can request to amend any errors that occur in the personal information AC holds about you.

To request access to and/or correction of personal data, please email privacy@aninstance.com

Right to be forgotten

You can request that AC erases any personal data AC holds about you, both on website and services owned by AC and offline. This does not include any data AC is obliged or entitled to keep for administrative, legal, financial, or security purposes, or for other legitimate interests of AC.

To request deletion of information AC holds about you, please send an email to privacy@aninstance.com

Withdrawal of consent

After you have given your consent for AC to use your personal information in a particular way, or to set non-necessary cookies on your device, you have the right to request withdrawal of that consent.

  • To withdraw your consent to use non-necessary cookies, simply remove all cookies set by AC from your devices.
  • To request withdrawal of your consent to use your personal information, please contact privacy@aninstance.com

Withdrawal of consent may lead to the cessation of the provision of the associated products, services and consultation by AC.

Data breach procedures

In the event of becoming aware of a data breach, AC would seek to establish what data has been exfiltrated and to inform the subjects of that data as soon as reasonably possible.

AC would also try to inform the Data Commissioner’s Office with 72 hours of becoming aware of a data breach. AC would then take measures as are deemed appropriate to determine what happened and to make the required technical, process and policy changes as are considered necessary to minimise the likelihood of the same thing happening again.

Anyone with any information about a possible data breach, or a security vulnerability in our systems, should contact privacy@aninstance.com.

What third parties AC receives data from

  • AC does not currently receive any data about clients from third party sources.
  • AC may process personal data from other parties that is owned by AC's clients during the course of providing services to those clients. Such processing would only take place for the purpose of providing services to the clients.

What automated decision making and/or profiling does AC do with user data

  • AC does not currently use any automated decision making.
  • AC does not currently create or store profiling data for clients.

Industry regulatory disclosure requirements

AC may disclose any and all personal information that we store if required to do so under UK law.

Future changes

AC intends to publish changes to the privacy policy on this page, as and when they are made. Please check back here frequently for updates.

Making a complaint

To make a complaint, in the first instance please contact Daniel Bright, at privacy@aninstance.com.

If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office (ICO). The telephone number for the ICO is 03031231113. The ICO may be emailed here: https://ico.org.uk/global/contact-us/email/ . The postal address of the ICO is: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.

Document last updated

This document was last updated on 18 June 2018.

Changelog

  • 18 June 2018: Change of wording on 'What is Aninstancy Consultancy' section.
  • 12 June 2018: Add Fastmail as third-party service provider (with link to security practices).
  • 11 June 2018: Add Google as third-party service provider.