Everything you need to know about how we treat your data
At Quarterdeck we take privacy and security incredibly seriously, and we're delighted that lawmakers are finally catching up to the values and standards we've long held ourselves to.
Rest assured that we take curation of your data as seriously as if it were our own.
We support not only the letter of the General Data Protection Regulation (and other applicable laws) but also its spirit, and we will ensure that all our services not only comply with its requirements but go beyond them where we feel more security and privacy is required.
Not only is it an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection and security.
We do everything within our power and intellect to ensure we comply with the law in whichever jurisdictions are appropriate.
Data is only ever collected in service of providing our customers with the best possible experience. We will only use your personal information to administer the relationship you have with us and to provide the products and services you have requested from us.
Our business model is based on providing the best possible service to our clients and as such we only ever collect and use the minimum amount of data required to delight and exceed your expectations, which, admittedly, would be more than typical in a purely transactional relationship like buying a book or ordering a pizza.
Viewed in isolation the types of data being collected can seem unnecessary and a bit creepy.
For instance, an innocent action may be that we take a photograph at one of our public events. That might be legally disclosed as:
Photographing and storing images of your likeness.
Let's take a hypothetical situation where Bob apologises about missing a conference call with a short email like:
Sorry to miss the conference call but my son Ethan broke his leg playing hockey and I had to rush him to A&E.
Because our email server is storing this email we are technically, by the letter of the law:
Storing medical information about a customer's family members.
Storing names of a customer's family members.
Storing information about a customer's family members' hobbies and interests.
Stated in isolation this sounds very creepy. So, as you read through the types of information we store, please be aware that this is a legal document: we always cover the worst-case scenarios and put things in a very concise way that, on the surface, may sound unnecessary and sinister, but for which there will always be an innocent explanation.
Information is collected by Quarterdeck Ltd via any of its employees or agents. An agent is a person or legal entity not directly employed by us but contracted to fulfil part of our operating procedures. Any employees or agents working on our behalf are always fully audited and/or briefed about data security, to ensure they comply with the data protection standards we uphold and with the laws of the jurisdictions in which we operate or whose citizens we deal with.
We live in a complicated world and we can stumble across information about companies and people in a thousand places.
Like all companies in the world we use analytics software to guide the development of our website, to ensure it provides the best possible experience to users and that any errors and bugs are found and fixed as quickly as possible. This is standard operating procedure across the globe; your website will be collecting exactly the same information.
The data collected by analytics software can include: pages viewed, time spent viewing pages, buttons clicked, links clicked etc.
Data could be collected via any communication channel including (but not limited to): email, phone, website, verbal, camera, handwriting, and publicly available information from sources including: your website, social media profiles, third-party websites, search engines, newspapers etc.
For a full list of data being collected please refer to the section "What information is collected?"
Data will be used to fulfil our contractual obligations to provide you with a product or service in a transactional manner.
As said previously we like to go beyond purely transactional relationships to exceed expectations and provide meaningful experiences. For legal purposes this could be described as "segmenting" or "personalisation".
If you opt-in to our email list, you will occasionally receive training articles and, even more rarely, an email letting you know about an upcoming event we think might interest you.
We occasionally profile data in aggregate to test or validate the design of services or for research purposes.
We don’t keep data around if there is no point, we don’t hoard data for no reason and of course we don’t retain it if there is no lawful basis. We will retain data until we no longer require it in the execution of our duties or it is requested to be deleted by the data subject.
Please contact the appointed Data Protection Officer identified in the summary of this document if you wish to exercise any of your rights under GDPR or any other relevant regulations, for example if you wish to:
They will deal with your request expeditiously.
We will never share or sell your data to any third parties.
Here is a breakdown of the information we might store.
As part of our standard operating procedures we will retain the data needed to execute the contract we have agreed with a client. This may include: name, name of company, address of company, email, phone number, industry of company, behaviours, attitude and any other areas you identify you need to work on, survey results regarding the course in which you are a participant, feedback you provide about our performance or photographs of our events which you attend.
It's often assumed that consent is the only lawful basis for data processing under the GDPR but there are six in total. Because of this it is further assumed that any outbound sales or marketing email is not GDPR compliant because the recipient didn't give consent to receive the email. Consent is only one legal basis. The others are contract, legal obligation, vital interests, public interest and legitimate interests.
All companies have a legitimate interest in marketing and selling their products or services. Sending cold email to personal email addresses without consent may not be compliant under the GDPR but we are a B2B company only dealing with corporate clients where the rules are slightly different.
B2B Direct Marketing is recognised as a legitimate interest under Recital 47 of the GDPR and is deemed a legal basis for processing data. This effectively means that GDPR defers to the existing Data Protection Act in respect of B2B email.
The ICO, which is responsible for upholding GDPR in the UK, says this in its direct marketing guidance:
These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.
Furthermore, the ICO's direct marketing checklist reveals that as long as individual employees can opt out, you can email them without a confirmed opt-in.
If we email you it is because we reasonably assume that you are the type of company that would use management training. This could be for many reasons, among them:
We won't give an exhaustive list here.
If we contact you it may not mean that you are on a database or we are storing your contact details. One of our people may have just emailed you using publicly available data on your website or LinkedIn for example.
Please note that if you request to be "Removed from our database" or any similar wording we will delete all your data. This may have unintended consequences as we cannot retain your preference to be opted-out. This means at some point in the future if someone comes across your details again they may well contact you again.
None of our analytics software records any personal information.
For details review the documentation of our analytics provider, Fathom.
As described in the "Why is it being collected?" and "How is it collected?" sections, the information you send us via email is essentially open-ended and unbounded. People are free to send us all kinds of sensitive data about themselves which on the surface is innocent but may reveal personal information such as family details, genetic makeup or sexual orientation.
Please be assured that our staff are trained to deal with sensitive data with the highest possible standards of privacy and security and treat it as though it were their own.
For more technical information about how our email is handled review the policies of our email service providers: Fastmail and Mailgun.
Like any sophisticated modern business we make use of internet providers and cloud services to enable us to give our customers the best possible experience. We choose providers who have a strong commitment to privacy and stay away from services whose business practices rely on data harvesting (e.g. Google, Facebook). We complete a full privacy audit of all our Data Processors in order to ensure they live up to and operate under our high standards.
We use Digital Ocean to provide the virtual private servers (VPS) that host our websites and web apps. We use a Digital Ocean data centre located in the United Kingdom.
We use Fastmail for hosting our corporate (@quarterdeck.co.uk) email. Fastmail is an Australian company.
We use Mailgun for automated transactional emails. Mailgun is an American company.
We use a Synology NAS as our office file server and Synology C2 as an offsite backup mechanism.
The C2 data centre we use is located in Frankfurt and meets the high privacy standards required by EU regulations. Data transmitted to and stored on C2 is protected by encryption.
We use Flare and Fathom for website analytics and bug catching. Flare is run in the EU and Fathom is Canadian.
All our company devices have full-disk encryption using XTS-AES-128 with a 256-bit key and are protected with a passphrase, passcode or biometric measure to prevent unauthorised access.