Safety Cloud App Privacy Policy
Why a Privacy Notice
At Citation Limited, we understand that your privacy and the security of your personal data are extremely important. This notice gives you information about what we do with your personal data, how we manage it, what we do to keep it secure, and the importance data protection plays in how we operate, as well as your rights in relation to the personal data we hold about you.
As a UK based business our handling of your information is controlled by the UK Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (known as UK GDPR).
Our data protection approach is supported from the top of the business and is a core competence of how we operate, which we continually strive to improve.
Who are we?
When we say ‘we’ or ‘us’ in this notice, we are referring to Citation Limited.
Citation as a data processor
For the purposes of this notice, we are the data processor, unless it has been specifically noted otherwise.
This notice relates to the collection and processing of personal data by Citation Limited as a data processor.
The data controllers are our clients who provide data to Safety Cloud. We will ensure that they fulfil their obligations under current legislation.
The personal data we collect from you
- Name, date of birth, telephone number (when you fill out our accident form or alleged food poisoning forms)
- Asset/audit inspection records
- Accident data – for staff and third parties
- Special category/medical data (only if you provide these in our accident form or alleged food poisoning forms)
- Internal safety alerts
Why do we collect this data?
This data is collected for the purposes of delivering Health and Safety services to you. This is required for business and operational use, audit, and analysis.
Who can access it?
The data on Safety Cloud can be accessed by clients (permissions dependent) and Citation employees (consultants) for the purposes of support.
Data from your device, usage of our application
When you access our application, we may use tools such as cookies, beacons, and similar technologies for analytical purposes.
We use this information to help us improve our service and your experience; to improve how you and others view the app, and to improve functionality, engagement, and performance. This helps us identify opportunities to develop our services further, our compliance with applicable usage terms and for overall security of Citation products, services, and applications. It will be used primarily to identify the uniqueness of each user for security and identification purposes.
Cookies, beacons, and similar technologies on our app and in email communications
Our use of cookies, beacons and similar technologies is to better understand how you interact with our app and email communications.
We use cookies on our app for a variety of reasons including remembering your settings, load balancing, marketing, and analytics. These will be either our cookies or third-party cookies, all of which can be configured by you using the cookie preference centre to configure the settings you are most comfortable with.
We use cookies to allow the best user experience possible, here is a list and purpose of the cookies in use:
Your data storage and security
Safety Cloud data is hosted on Microsoft Azure cloud platform at their UK West data centre.
Azure is a world-leading platform as a service (PaaS) provider and has extremely rigorous security policies, using cutting-edge technologies to protect your service and data. It is ISO 27018/27001 compliant.
Backup of Safety Cloud data is undertaken on a nightly basis using Azure's built-in capabilities.
Azure carries out OS patching, firewall, malware/antivirus provision and DDoS prevention on our servers under their service.
Azure uses the industry-standard Transport Layer Security (TLS) 1.2 or later protocol with 2,048-bit RSA/SHA256 encryption keys.
For more information on Azure's security stance see here:
https://azure.microsoft.com/en-gb/overview/trusted-cloud/
Safety Cloud 2 is constantly monitored for vulnerabilities by Outpost24. They are a leading cyber assessment company who provide this penetration testing service through both automated and manual processes. For more information, please see: https://outpost24.com/services/penetration-testing
Purpose for processing and the legal bases for processing we rely on
We collect and process personal data for the following purposes and with the following legal bases engaged:
- For most elements of our app, we are processing based on the legitimate interest to operate and administer the application for our clients. Where app security is concerned and the activities through our cookies that enable a secure site, this is administered as a legitimate interest.
- We may ask you for personal data when dealing with enquiries. This data would be processed as a legitimate interest in being able to effectively follow up on your enquiry. This is also the case where it relates to a service enquiry or complaint, unless it is linked to a contractual obligation (this could include service updates and client communications), in which case it is processed as part of the fulfilment of our contract with you.
- Setting up and managing your journey as a client is done in line with the terms of our contract with our client. This is also the case when it comes to good administration of matters relating to your contract with us.
- We may use personal data relating to usage of our online platforms for reporting and analytical purposes, this is a legitimate interest in trying to improve our offering and further the growth of the business.
- We will send sales and marketing communications such as emails, SMS or phone calls related to our services and those services of other companies in the Citation Group, only if we can do so in accordance with all data protection legislation.
- We maintain a marketing database that contains the basic details of individuals who have consented to us sending information about new products or services to them, usually via email. Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can opt out by sending a request to hello@citation.co.uk
- There are legal obligations that we must comply with, these could be tax-related, dealing with local or national government, or the authorities, agencies or courts and professional advisors.
We will attempt to redirect the third party to obtain the requested data from you directly where possible. We will promptly notify you of any third-party request and give you a copy unless we are legally prohibited from doing so. For valid requests that we are not able to redirect to you, it may be in our legitimate interest to protect our rights and if necessary, to disclose information for the protection of these rights or complying with court orders. We will only do this when we are legally compelled to do so, and we will always make sure that we provide only the data specified in the legal order.
Who do we share your data with?
We may share your personal data in the following circumstances:
- Where we are using contracted service partners for services such as IT, web conferencing, hosting and system administration, email communications, analytics and research, data enrichment, and customer support. All these purposes and legal bases for processing are done in accordance with the information provided above.
- To any competent law enforcement or regulatory body, government agency, court or other third party where we believe disclosure is necessary:
  - as a matter of applicable law or regulation,
  - to exercise, establish or defend our legal rights, or
  - to protect your vital interests or those of any other person.
- To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, or acquisition of any part of our business, provided that, we inform the buyer it must use your Personal Data only for the purposes disclosed in this Privacy Notice.
- To enforce or apply our Terms of Service or other agreements or to protect Citation and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction).
- To any other person with your consent to the disclosure.
Finally, we may share anonymised or aggregated data gathered in the normal course of the administration and good running of our business with third parties or service providers to enable greater analysis, improvements, industry, or service-related trends to be identified and action taken accordingly.
How long do we keep your data for?
We retain your data for as long as necessary to fulfil the purpose for its collection and processing. In some instances, this may be a set period of time. In other instances, and especially where there is a legal obligation to retain your information for a certain period of time, we will do so to comply with the legal requirement; this is typically 6 years.
Once your data is no longer required it will be deleted or, if it is technically not possible to delete, we shall ensure sufficient controls are in place to put it beyond future use.
International Transfers
All our data is hosted in the UK and other parts of the EEA. Where transfers that may occur in the future are concerned, we ensure that there is a legal basis for the transfer and a lawful transfer mechanism in place prior to any transfer. Transfer mechanisms would include European Commission Standard Contractual Terms addendum or International Data Transfer Agreement, along with a completed Transfer Risk Assessment.
Your rights
Under data protection legislation, you have rights as an individual in respect of the personal data we hold about you – these are set out in more detail below. If you wish to exercise any of these rights, you can do so by contacting the Data Protection Officer at DPO@citation.co.uk. Please note that you will need to provide us with evidence of your identity for us to complete your request.
These rights include:
- The Right to be informed – As a Data Controller, we are obligated to provide clear and transparent information about our data processing activities. This is provided by this Privacy Notice along with any related communications we may send you.
- The Right of Access – this is the right to access data we hold about you and, where required, an explanation of that data.
- The Right to Rectification – this is the right to have inaccurate or incomplete data rectified.
- The Right to Erasure – this is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold about you.
- The Right to Restrict Processing – this is where you can request that we restrict/block processing of your Personal Data (but still retain it)
- The Right to Data Portability – this allows people to reuse their Personal Data by requesting it in a useable format.
- The Right to Object – this right allows you to object to us processing your Personal Data. This is typically related to processing based on legitimate interest, performance of a task in the public interest, direct marketing, and processing for scientific or historical research.
Please note that as we are the data processor, we will be obliged to make the data controller aware of any rights requests received in order for us to fulfil our obligations.
Security of Personal Data
We take every reasonable, proportionate and commercially viable precaution to protect personal and commercial data. These are organisational, technical, and physical measures to protect against unlawful or accidental access, disclosure, loss, or alteration.
Whilst we take a robust stance to security, no method of storage and transmission is 100% secure and, in some instances, out of our control. For that reason, you are entirely responsible for password security, controlling access to your devices and accounts, access to your environment in our platforms, signing out and closing down web/app sessions once completed.
If you have any further questions regarding data security and legal compliance or wish to be sent copies of our security certification, then please contact us on hello@citation.co.uk.
ICO Registration
We are registered with the Information Commissioner's Office (ICO), our certificate number is Z510281X.
Incident responses
In line with our regulatory requirements, we have a set of processes for incident management, including data breaches. These processes include the required notifications to be sent to the Information Commissioner's Office and to clients.
Complaints and queries
We try to meet the highest standards when collecting and using personal data. For this reason, we take any complaints we receive very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading, or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It may not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below:
Data Protection Team
Kings Court
Water Lane
Wilmslow
SK9 5AR
Or you can email us at DPO@citation.co.uk
If you would like to make a complaint about the way we have processed your personal data, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law - www.ico.org.uk/concerns
It is worth noting that the ICO expects an individual to address any complaints with the organisation before contacting the regulator.
Changes to this privacy notice
We keep our Privacy Notice under regular review and would encourage you to also review this notice regularly. This Privacy Notice was last updated on 27th of November 2023.