Chimp Management Ltd (“we”) are committed to protecting and respecting your privacy and complying with the data protection laws that apply to our business activities.
This notice describes how we process the personal data we obtain about our website visitors, our clients’ employees and representatives, our individual customers, people who contact us and potential/prospective clients. Please read this notice to understand our practices regarding your personal data and how we will treat it.
For the purposes of the data protection laws applicable in the United Kingdom, the data controller of the processing described in this notice is Chimp Management Ltd, a company registered in England and Wales with company number 08185752 whose registered office is at Lodesbarn Farm, Peak Forest, Buxton, Derbyshire, SK17 8EE United Kingdom.
2. How we process your personal data
In this section we explain the types of personal data we obtain, the purposes we use that data for and the legal basis we rely on to process personal data for those purposes.
3. Types of personal data we obtain
The types of personal data that we obtain and use during our business activities are:
Website usage data:
- technical data about website visitors’ devices and browsers such as the Internet Protocol (IP) address used to connect devices to the Internet, geographical location, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and login information.
- information about website visitors’ use of our website such as referral source, length of visits to certain pages, page views, website navigation paths including the clickstream to, through and from our sites (including date and time), products viewed or searched for, page response times, download errors, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from pages.
- social media plugins or integrations on our website for LinkedIn, Twitter and Facebook, certain information about our website visitors (IP addresses and information about their browsers and the operating systems) will be transmitted to those social media providers when they browse our website.
Business operations data:
- data relating to our client and client’s personnel and associated representatives that we obtain in connection with entering into and performing contracts for the provision of our sessions and other products and services. This includes names, business email addresses, business location addresses, telephone numbers and job titles of our clients’ ‘stakeholders’ and other business contacts with whom we communicate to get contracts signed, process invoices and payments and make practical arrangements for the provision of our sessions and other products and services.
- information contained in or relating to any communications we receive, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication. We obtain this data when people contact us by email, phone, via social media platforms or any other method of communication.
Business development data:
- information relating to individuals who work for organisations that we consider might have an interest in our products and services, which we obtain as part of our business development activities from publicly available sources or from the individuals themselves, e.g. at conferences or other events. This is likely to include standard business contact data such as name, business email address, job title, company, company location and phone number.
- we obtain website visitors’ names and email addresses if they choose to sign up for our newsletter, conference & events updates or waitlists via our website.
- data provided to us by website visitors via any of our website forms such as our ‘contact us’, enquiry, and event registration forms. This includes the visitor’s name, email address, job title, company and company details and any free-text content completed by the visitor. The forms on our website also generate metadata associated with the submission of the form, such as the time and date of submission.
Mentor-led participant data: data relating to or obtained from individual staff of our clients who participate in live sessions, whether conducted face-to-face or remotely.
- each participant’s name, business email address, business phone number, job title and employer name, to the extent provided to us.
- each participant’s personal email address, personal phone number where provided to us.
- information arising out of focus groups, surveys and interviews conducted by us as part of a pre-session scoping exercise, which may include names and job titles, demographic information, user opinions, diversity data and individual views and observations on employer/colleagues.
- information supplied and disclosed to us as part of our one-to-one screening process such as GP contact details, medication and previous psychological health history.
- information contained in third-party reports from previous training, which is usually aggregated or anonymised.
- information arising out of focus groups, interviews, one to one discussions conducted during the session, which may include demographic information, user opinions, diversity data, individual views on employer/colleagues, or personal data shared as part of the screening
- data about participants’ completion of tasks/sessions
- any personal data captured in an audio, photographic or video recording of the session (if the session is recorded)
- participants’ ratings and feedback on the session, provided by participants using hard copy or online feedback forms (the participant’s IP address if completed online).
- participants’ names, email addresses and other information relating to their job, if and to the extent that participants choose to provide this information to us in feedback forms or by other means for the purpose of receiving follow-up and/or other emails from us
- further information about participants, as determined and provided by our client should they choose to do so
Digital participant data: data relating to individual customers who engage with our digital products such as our digital workshops, programmes and keynotes including names, email addresses and any other information they choose to provide via our digital products, provided to us directly by those individuals when they download, install and use our digital products, and data collected automatically such as technical data about users’ devices and browsers and analytical data about their use of the digital product.
- name and business email address, which is usually provided to us by our clients in advance of the session and then separately submitted online by the participants when they register to take part in the session
- each participant’s personal email address where provided to us.
- IP addresses, which are collected automatically by digital products used by us
- session history (scores, time spent, completion data), which is collected automatically by the digital products
- ratings and feedback on the digital products, which is provided to us online by individual participants names, email addresses and other information relating to their job, if and to the extent that participants choose to provide this information to us in feedback forms or by other means for the purpose of receiving follow-up and/or other emails from us
- 360 diagnostics: the user’s name, email address, phone number and job title; the name, email address, phone number and job title of the user’s manager and their feedback on the user; the name, email address, phone number and job title of each colleague that provides 360 feedback; manager performance data; aggregated participant performance data
3.1 Why we use personal data
Core processing purposes
This section describes the purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal basis for doing so. An explanation of what the different legal bases mean can be viewed here:
|Types of personal data
|Purposes of processing
|Website Usage Data
|Analysing use of our website, (e.g. finding out how many people visit various parts of the site and how they use it) in order to improve our website content and our website visitors’ browsing experience, present our website in the most effective manner for our visitors, allow website visitors to participate in interactive features of our website and keep our website safe and secure.
|Our legitimate interests in operating a website that successfully promotes our business, expertise, products and services and is engaging and convenient for our website visitors in order to drive sales and sustain and grow our business in a secure way.
|Website usage data Business Development Data
|Serving online targeted advertising to people who have shown an interest in our products and services.
|Our legitimate interests in promoting our products and services to people who have engaged with our website and shown an interest in our products and services in order to grow our business.
|Business operations data Mentor led participant data
|Providing our products and services, such as live sessions and follow-up communication to our business clients and individual participants.
|Our legitimate interests in providing our products and services to business clients as our core business activity.
|Digital participant data Special categories of personal data
|Providing digital products to our business clients and individual participants
|Performance of a contract (where the data is necessary to provide the product or particular services requested by the individual via the product) In relation to special categories of personal data, consent given by the individual users of the products.
|Business development data (where participants have indicated they are happy to receive communications)
|Sending marketing communications about our products and services, including our e-newsletter. Measuring, understanding and improving the effectiveness of this marketing
|Our legitimate interests in promoting our products and services and maintaining relationships with our business clients, individuals who have participated in our sessions and individual customers in order to drive sales and sustain and grow our business.
|Business operations data
|Responding to enquiries
|Our legitimate interests in communicating with individuals who contact us in order to develop our business and client relationships and provide a good quality service to clients and potential clients.
|Business operations data
|Dealing with complaints
|Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints and maintaining relationships with clients.
|Business operations data Mentor led participant data Digital participant data
|Keeping business records relating to our transactions, contracts, and provision of products and services
|Our legitimate interests in the effective and proper administration of our business, and, where records are required to be kept by law (e.g. relating to tax), to comply with legal obligations to which we are subject.
|Business operations data Mentor led participant data Digital participant data Note the above is aggregated and non-reversible so that the resulting data sets contain no personal data
|Analysing and understanding use of, and feedback on, our products and services so that we can improve the content and functionality of our products and services
|Our legitimate interests in improving our products and services for the benefit of our clients and the individuals who use our products and services and to sustain and grow our business by ensuring that our products and services continually evolve to be market-leading and competitive.
In addition to our core processing purposes set out above, we may also process personal data if and to the extent necessary for the following purposes:
|Establishing, exercising or defending legal claims
|Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others
|Obtaining or maintaining insurance cover, managing risks or obtaining professional advice
|Our legitimate interests in protecting our business against risks
|Obtaining or maintaining insurance cover, managing risks or obtaining professional advice
|Our legitimate interests in protecting our business against risks
|Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator
|Compliance with a legal obligation
|Protecting a person’s vital interests
|Protection of vital interests
We may from time to time offer products and services which will be subject to specific privacy policies.
Explanation of legal bases
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Performance of a contract: processing of personal data is necessary to perform a contract to which an individual is a party or to take steps at the request of an individual prior to entering into a contract
Consent: an individual has given consent to the processing of his or her personal data for one or more specific purposes
Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law
Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual
5. Who we disclose personal data to
The personal data described in this notice may be disclosed to the following categories of recipients, where and to the extent necessary for the purposes described in this notice:
- Insurers and professional advisers: such as lawyers, accountants and business consultants
- Organisations or individuals engaged by us in the course of providing our services: such as our Mentors who deliver our workshops, keynotes and one-to-one mentoring sessions
- Prospective buyer: if we propose to sell or do sell any of our business or assets, some of the personal data described in this notice may be reviewed by the prospective buyer and/or comprise an asset transferred to the buyer
- Social media platforms: if you communicate with us via twitter, LinkedIn, Facebook, Instagram and YouTube the providers of those platforms will process correspondence data sent or received via those platforms
- Other registered website users: if you post a message or upload any content to any of our websites, your name and any personal data contained in your message/content will be accessible to other registered website users
- Service providers: we use a number of service providers in connection with our website, services, communications and IT infrastructure, which involves those service providers processing some of the personal data described in this notice to the extent necessary to provide the relevant services.
Additionally, we may disclose your personal data to other organisations or individuals where disclosure is necessary, for example, if we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply the terms of any agreement to which we are a party, or to protect the rights, property, or safety of Chimp Management, our customers, or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.
6. International transfers of personal data
This section describes the circumstances in which the personal data described in this notice process may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom and the safeguards in place to protect that data once it has been transferred.
- Service providers: our use of service providers involves some processing of personal data by our service providers in countries outside the EEA or the UK. We ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
- In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the EEA or the UK in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
Explanation of safeguards referred to in this section:
- Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.
- Standard Contractual Clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses. See the Europa website for more information on, and links to, the standard contractual clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
7. Service Providers
In general, our chosen service providers used by us will only collect, use, and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain service providers, such as payment gateways and other payment transaction processors, have their own privacy policies with respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the way your personal information will be handled by these providers.
If you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
We use third-party providers to store your data, deliver our emails and make payments. For more information, please see our third-party privacy notices. Zoho CRM provides our data storage and our marketing emails & Worldpay (Click on Notices and then Consumers once on the WorldPay website to view the policy) provides our payment services.
We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our sites, you are responsible for keeping this password confidential, and for all use made of your account with such password. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.
9. Length of data storage
We will retain data only for so long as is necessary for the purposes for which we hold it. This may vary according to the type of personal data and the purposes for which we use it. If you would like to know what that means in respect of your personal data, please contact us by emailing firstname.lastname@example.org
In determining how long we retain personal data, we take into consideration the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, our legal obligations, good industry practice, the guidance of relevant UK authorities such as HM Revenue & Customs, and also tax, accounting and health and safety rules.
10. Your personal data rights
10.1 Your Rights
You have various rights under data protection law in respect of our processing of your personal data. These include rights to:
- object to us processing your personal data for direct marketing purposes;
- withdraw any consent you may have given for our processing of your personal data (if our processing is based on your consent);
- access the personal data we hold about you (see section 9 below for further details);
- ask us to rectify any personal data we hold about you that is inaccurate or incomplete;
- ask us to delete any personal data we hold about you (in certain circumstances);
- ask us to restrict our processing of your personal data (in certain circumstances);
- object to our processing of your personal data (in certain circumstances);
- require us to give you the personal data we hold about you in a structured, commonly used and machine-readable format so that you can provide the data to another data controller, in certain circumstances;
The availability of these rights varies depending on the legal basis we rely on for processing the relevant personal data, and some rights are qualified (rather than absolute) under applicable data protection law, which we will discuss with you following your request.
10.2 How to exercise these rights
You can exercise any of the rights set out above, free of charge, by using any applicable methods set out in our communications with you, or by contacting us at email@example.com
We may ask you to provide further information in order to confirm your identity. Please also note that if you submit unfounded or excessive (for example repetitive) requests to exercise any of these rights, we are permitted under the applicable data protection law to charge a reasonable fee for providing the requested information or taking the requested action, or to decline your request.
10.3 Complaining to a supervisory authority
You also have the right to lodge a complaint about our processing of your personal data with a supervisory authority if you are concerned that our processing breaches data protection legislation or does not respect your rights under data protection law. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The Information Commissioner’s Office ( www.ico.org.uk) is the supervisory authority in the UK which is responsible for overseeing the application of, and enforcing, data protection law. Relevant contact details for the ICO can be found here: https://ico.org.uk/concerns/.
11. Accessing your personal data
You have the right to obtain from us:
- Confirmation as to whether we are processing (including holding) personal data about you; and
- If we are processing personal data about you, you are entitled to be provided with:
- Information as to the purposes for which we process the data;
- Information as to the categories of data that we are processing;
- Information as to the recipients or categories of recipients to whom the data has or will be disclosed;
- Information as to the envisaged period for which we will store the data, or if not possible, the basis on which that period will be determined;
- If the data was not collected from you, information about the source of the data;
- Information about any automated decision-making that produces legal effects concerning you or similarly affects you;
- Information about the appropriate safeguards used for any transfer of personal data about you outside the EEA or the UK;
- A copy of the data (further copies are available at a reasonable charge, which we will inform you of should you request further copies). Please note that this right is subject to the rights and freedoms of others in relation to their own personal data.
12. Other websites
Our website may include links to third-party websites, plug-ins and applications and we may use third party apps or services to help deliver our products and services. Clicking on those links, enabling those connections, or using those third-party services may allow third parties to collect or share data about you. We do not control these third-party websites or services and are not responsible for their privacy statements or practices. When you move from our website to a third-party website using such links, or you use any of the third-party services, we encourage you to read the privacy notice of that website or service.
13. Changes to this privacy notice
Any changes we make to our privacy notice in the future will be posted on our website and, where appropriate, notified to you by e-mail or other suitable method.
Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to firstname.lastname@example.org