Last Updated: 1 January 2022
What is this policy?
When you purchase our products, complete our questionnaires or contact us online, you trust us with your personal information. We are committed to maintaining the security of all personal information provided to us by visitors to, and users of our
website. We only collect and store this information about you to help us deliver the best possible service. Here we will explain what information we collect, how we collect it and what we actually do with it. By giving us your information you are agreeing for us to process it in the ways described here.
What information do we collect?
We collect personal information that helps us contact you and personalise our content for you. We will only ask for, use or share sensitive information with your consent and only for the reason we collected it (unless we need to by law).
The type of personal information we collect and hold depends on the nature of our interaction with you. The types of information we collect and hold includes (but is not limited to) a unique username and password, name, address, occupation, telephone number, email address, payment details, and information about how and where you purchase and use our products.
We will not collect from you any sensitive information revealing your race, ethnic origin, political opinions, religious or philosophical beliefs, political, professional or trade union memberships, health or disability, sexual preferences or practices or criminal records.
If we don’t need your information anymore, we will anonymise or delete it. If you are giving us others’ personal information, please do so only if they agree to this policy. When you access any website including ours, you may be providing it with information about your location, Internet provider, computer hardware, browser type and operating system.
Information for European residents and persons subject to GDPR
Information for individuals in the European Union (EU) or European Economic Area (EEA), or otherwise subject to the General Data Protection Regulation (EU) 2016/679 (GDPR), is provided in this privacy policy. Please see the section below titled: What are my rights under GDPR?
How do we collect information?
When you use our website or open our emails, you are telling us about yourself. This can be through online enquiry forms or questionnaires when you download our free resources.
Personal information may be collected when you:
- register a GRCReady account;
- update your online profile;
- submit any emails or feedback forms via our website or from using our website’s social media function;
- visit our website including, but not limited to, the volume of traffic received, logs (including the IP address of the device connecting to the website) and any content accessed;
- purchasing any of our website content; and
- make a payment using our secure credit card payment gateway. We do not retain credit card information collected through the online payment gateway.
How do cookies work on our site?
We also use software like cookies which are tiny digital identifiers that are automatically stored on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. The only personal information a cookie can contain is information you personally supply. A cookie cannot read data from your hard disk or read cookie files created by other websites. Information collected may include time, date and URL of request, your IP address (or in some cases the IP address of your company or your Internet service provider’s Internet gateway), referrer URL (the web page you arrived from) and details of your Internet browser.
We use this information in order to improve and customise your browsing experience and for analytics and metrics about our visitors both on this website and other media. If you prefer not to receive cookies, you may be able to change the settings of your Internet browser to disable cookies or to warn you when cookies are being used. This may preclude you from using some services or enhanced functionality.
For information about our use of cookies and tracking technologies to collect personal data, please see our Cookie Policy.
How we use the information we collect?
We only use your personal information where the law allows us to. We use your personal information only where:
- we need to facilitate the provision of information or products and services you have requested (i.e. to register you with the website), or to provide customer support and personalised features, and to protect the safety and security of our website;
- it satisfies a legitimate interest which is not overridden by your fundamental rights or data protection interests, for example for research and development to improve our products or services, and in order to protect our legal rights and interests;
- you’ve given us consent to do so for a specific purpose, for example we may send you direct marketing materials or publish your information as part of our testimonials or customer stories to promote our products or services with your permission; or
- we need to comply with a legal or regulatory obligation.
If you have given us consent to use your personal information for a specific purpose, you have the right to withdraw your consent any time by contacting us, but please note this will not affect any use of your information that has already taken place.
We do not share your personal information with any company outside our group for marketing purpose, unless with your express specific consent to do so.
For visitors to or users of our website who are located in the European Union, we have set out our legal bases for processing your information in the Legal Bases Table at the end of this policy.
Third-party services
We currently use the following service providers and services:
PayPal
Orders submitted on our website are directed to PayPal for processing. We have no access to your credit card data. According to PayPal’s Privacy Policy at the time of posting this page, when you visit the PayPal website or use PayPal Services, PayPal may collect data on the pages you access, your computer IP address, device identifiers, the type of operating system you’re using, your location, mobile network information, standard web log data and other information. It may also collect information about your transactions and your activities, including contact, financial and personal information. PayPal does not sell or rent your personal information to third parties for their marketing purposes without your explicit consent. It shares with us only the billing address and order details required for order processing. For more details, see PayPal’s Privacy Policy.
Google Analytics
Our website uses Google Analytics, an analysis tool of Google LLC and Google Ireland Ltd. (“Google”) to continuously improve our Services. The use includes the Universal Analytics operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyse a user’s activities across multiple devices. Google Analytics uses cookies that are stored on your device and that enable us to analyse your use of our Services. The data collected by the cookies regarding the use of our Services (including your IP address) are usually transferred to a Google server in the USA and stored there (see additional information for users in the European Economic Area below in this section).
On our behalf, Google processes this data to evaluate the use of our Services, to compile reports on usage activities and to provide us with further services associated with the use of our Services. Your IP address transmitted in the context of Google Analytics will not be combined with other data from Google.
The data collected via Google Analytics is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.
You can prevent the collection of data through the Google Analytics cookie by adjusting your browser settings accordingly. If you deactivate cookies, you may not be able to use all functions of our Services to their full extent, however.
Further information about Google Analytics can be found in the terms of use and in the privacy policy of Google.
Google reCAPTCHA: Prevention of automated access
We make use of Google reCAPTCHA (“reCAPTCHA”) within the provision of our Services. reCAPTCHA is used to check and prevent interactions through automated access, for example through so-called bots (computer programs that perform tasks automatically and independently). reCAPTCHA is used in particular to check whether data input in connection with our Services (e.g. in a contact form) is carried out by a human or by an automated program. For this purpose, reCAPTCHA analyses the behaviour of the user on the basis of various characteristics. This analysis automatically begins as soon as the user connects with the online service, e.g. visits the website. For the purposes of this analysis, reCAPTCHA evaluates various pieces of information (e.g. IP address, duration of the user’s visit to the online service or the user’s mouse movements). The data collected during the analysis is forwarded to Google. The analyses by reCAPTCHA are carried out entirely in the background.
Please find details regarding Google reCAPTCHA in Google’s Privacy Notice.
LinkedIn is a business networking platform. It typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active LinkedIn profile, or agreed to their terms and conditions. For this reason it is classified as a primarily tracking/targeting domain. This site uses cookies from LinkedIn to track user behaviours and market to users based on their behaviours.
What if I upload personal information or documents to the website?
In some cases, you might provide personal and or corporate information to us by entering it into our cloud based solutions because you want us to host that information for you. Alternatively, your information may be disclosed to us by an organisation with whom you interact and to which we provide a cloud based service.
When we collect or hold personal information in this way, it is only used or disclosed for the purpose contemplated by you or the organisation that has disclosed that information to enable us to provide the product or service sought. This information may be stored on our web servers but will only be accessed by us to provide technical support, or to carry out other functions reasonably necessary to provide the product or service. This information will not be disclosed in any other way without the individual’s written consent.
How we share information we collect
It is our policy not to provide your personal data to third parties for those third parties’ direct marketing purposes without your consent, and we do not sell personal data to third parties. We share information with other companies in our group in order to operate our website and to offer and improve our products and services.
- We share information with third parties that help us operate, provide, support, improve, and market our products and services, for example third-party service providers who provide cloud hosting, maintenance, backup, storage, infrastructure, billing, payment processing, customer support, business analytics, and other services.
- Third-party service providers have access to your personal information only for the purpose of performing their services and in compliance with applicable laws and regulations. We require these third-party service providers to maintain confidentiality and security of all personal information that they process on our behalf and to implement and maintain reasonable security measures to protect the confidentiality, integrity, and availability of your personal information.
- We take reasonable steps to confirm that all third-party service providers that we engage process personal information in the manner that provides at least the same level of protection as is provided under this policy. Where any third-party provider is unable to satisfy our requirements, we will require them to notify us immediately and we will take reasonable steps to prevent or stop non-compliant processing.
- If you use any third-party software in connection with our products or services, for example any third-party software that our website integrates with, you might give the third-party software provider access to your account and information. Policies and procedures of third-party software providers are not controlled by us, and this policy does not cover how your information is collected or used by third-party software providers. We encourage you to review the privacy policies of third-party software providers before you use the third-party software.
- Our website may contain links to third-party websites over which we have no control. If you follow a link to any of these websites or submit information to them, your information will be governed by their policies. We encourage you to review the privacy policies of third-party websites before you submit information to them.
- We may share your information with government and law enforcement officials to comply with applicable laws or regulations, for example when we respond to claims, legal processes, law enforcement, or national security requests.
- If we are acquired by a third party as a result of a merger, acquisition, or business transfer, your personal information may be disclosed and/or transferred to a third party in connection with such transaction. We will notify you if such transaction takes place and inform you of any choices you may have regarding your information.
Will my data be exposed overseas?
We collect information globally. All data is stored and processed in the specific AWS region in which it is collected. No data is transferred to other regions at any stage. We store information in AWS in a number of their locations overseas including: Australia, Germany and Singapore.
Some of the countries in which our companies or service providers are located may not have the privacy and data protection laws that are equivalent to those in your country of residence. When we share information with these companies or service providers, we make use of contractual clauses, corporate rules, and other appropriate mechanisms to safeguard the transfer of information.
What steps do you take to preserve the integrity and security of my information?
We use cloud service providers to host the information we collect to enable us to operate as a global platform. The platform environment has been designed and built to comply with the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmarks and follows the ‘Security by Design’ principles.
Our obligation is to ensure that information about you that we collect, use and disclose is secure, accurate, up-to-date and complete. We achieve this by adopting various strategies to protect the security and integrity of your personal information. These include, depending on the nature of the personal information held in the relevant system:
- use of encryption technologies (e.g. SSL via HTTPS);
- use of firewalls and intrusion detection systems;
- restricted access;
- multifactor authentication for all user logins;
- regular back-ups;
- regular vulnerability and penetration testing; and
- anti-virus protection.
We have put in place procedures to deal with any suspected privacy breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We take all reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. However data transmission over the Internet cannot be guaranteed to be 100% secure because risks do change over time.
Where you are required to log in to access any of our products or services, we recommend that you always log out after each session and close the browser when you finish, particularly when access is from a public terminal. You should not send credit card information through unsecured electronic mail or share your passwords with anyone else.
If we no longer need your personal information, unless we are required by law or a court or tribunal order to retain it, we will take reasonable steps to destroy or securely delete your personal information.
What happens if you receive unsolicited information about me?
In the event that:
- we collect personal information about you from someone else; or
- you are not aware that we have collected personal information about you,
we will take reasonable steps to notify you or otherwise ensure that you are aware that we have collected your personal information and the circumstances of that collection.
If we receive unsolicited personal information about you from a third party and it is clear to us that we should not have received such information (as long as it is lawful and reasonable) we will destroy or securely delete the information.
How long will we retain your personal data?
We will delete your personal data when it is no longer reasonably required for the Permitted Uses described above, or, where applicable, if you withdraw your consent, unless we are legally required or otherwise permitted to continue to hold such data. We may retain your personal data for an additional period if deletion would require us to overwrite our automated disaster recovery backup systems, or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.
What are my rights and how do I access information you hold about me?
You have the right to:
- be informed of what we do with your personal information;
- request a copy of personal information we hold about you;
- require us to correct any inaccuracy or error in any personal information we hold about you;
- request erasure of your personal information (note, however, that we may not always be able to comply with your request of erasure if the personal information is still necessary for the purpose which we originally collected it for, or for record keeping or legal compliance purposes);
- object to or restrict the processing by us of your personal information (including for marketing purposes);
- request to receive some of your personal information in a structured, commonly used, and machine readable format, and request that we transfer such information to another party; and
- withdraw your consent at any time where we are relying on consent to process your personal information (although this will not affect the lawfulness of any processing carried out before you withdraw your consent).
Our website enables you to update certain information about yourself, for example you may change your business or personal information by updating ‘My Account’ settings on our website.
You may opt out of receiving marketing materials from us by using the unsubscribe link in our communications or by contacting us. Please note, however, that even if you opt out from receiving marketing materials from us, you will continue to receive notifications or information from us that are necessary for the use of our products or services.
As a security measure, we may need specific information from you to help us confirm your identity when processing your privacy requests, refund requests or when you exercise your rights.
Any request will normally be addressed free of charge. However, we may charge a reasonable administration fee if your request is clearly unfounded, repetitive, or excessive.
We will respond to all legitimate requests within one (1) month. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. If you wish to see your personal information, you can send requests by email to privacy@grcready.com.
We cannot provide access to personal information in certain circumstances, for example if:
- providing access would reveal information generated by us in connection with commercially sensitive matters;
- it would pose a serious threat to life, health or safety or unreasonably impact the privacy of another individual;
- your request is not serious or in good faith;
- information relates to existing or anticipated legal proceedings between the parties;
- providing access would prejudice any commercial negotiations with you;
- denying access is required or authorised by law or a court or tribunal order; or
- providing access would be unlawful or would be likely to prejudice an enforcement related activity conducted by, or on behalf of, an enforcement body.
If we refuse to provide access because of an exception listed above, we will take reasonable steps to give access in a way that meets both parties’ needs, and we will give you written notice setting out our reasons for refusal (unless it is unreasonable to do so) and the options available to you to address the issue.
What are my rights under GDPR?
Individuals in the EEA or otherwise subject to the GDPR have the following rights, subject to certain exceptions and conditions:
Right to access: You may obtain confirmation as to whether we process personal data about you, to receive a copy of your personal data and obtain certain other information about how and why we process your personal data. We may require you to prove your identity before providing the requested information. If you require multiple copies of your personal data, we may charge a reasonable administration fee.
Right to rectify: You may request that your personal data be amended or rectified where it is inaccurate and to have incomplete personal data completed.
Right to erasure: You may request deletion of your personal data, which is available under certain defined circumstances.
Rights to restrict or object to processing: You may request we restrict the processing of your personal data, or you may object to our processing of your personal data, each of which is available under certain defined circumstances.
Right to data portability: You may request to receive a copy of your personal data, that you provided to us, in a structured, commonly-used, machine-readable format, and you have the right to send the data to another organisation (or ask us to do so if technically feasible) under certain defined circumstances.
Right to withdraw consent: Where we process personal data based on your consent, you have a right to withdraw your consent at any time.
Right to complain to a supervisory authority: If you believe that the processing of your personal data violates the GDPR or applicable EU member state data protection law, you may lodge a complaint with a supervisory authority, in particular in the country where you normally reside or work, or in the place where the alleged violation occurred.
Information about your right to object according to Art. 21 DSGVO Individual right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 (1) lit. f GDPR; this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Who do I contact to exercise my rights under GDPR?
You can contact us at privacy@grcready.com
Further, we have appointed Neos IT Services GmbH as our GDPR Representative in the European Union. The Representative can be reached as follows:
Neos IT Services GmbH
Landsberger Str. 155
80687 Munich
Germany
info@neosit.com
How can I correct details you hold about me?
If you are a registered user of GRCReady, you can edit your information at any time through your ‘My Account’ settings. However, you can contact us by email at privacy@grcready.com to request amendments to any of your personal information which is inaccurate or out of date.
If we:
- correct personal information that we previously disclosed to third parties, and you request that we notify these third parties of the correction, we will take reasonable steps to comply unless it is impracticable or unlawful to do so; and
- refuse to amend your personal information as requested, we will provide you with written notice setting out our reasons (unless it is unreasonable to do so) and the options available to you to address the issue.
Changes to this Privacy Policy
We may amend this policy from time to time by posting the updated policy on our website. By continuing to use our website after the changes come into effect, you agree to be bound by the revised policy.
Policy towards children
Our products and services are not directed to individuals under 16. We do not knowingly collect personal information from individuals under 16. If we become aware that an individual under 16 has provided us with personal information, we will take steps to delete such information. Contact us if you believe that we have mistakenly or unintentionally collected information from an individual under 16.
What do I do if I have a concern or question?
If we become aware of any ongoing concerns or problems you may have with our handling of your personal information, we will take reasonable steps to address these concerns in accordance with our internal procedures for complaints and inquiries.
If you have any queries relating to this policy or you have a problem or complaint, please contact us at privacy@grcready.com
Legal Bases Table
Processing purpose | Type of data processed | Legal basis |
To register you as a user on our app | Account Data | To perform our services with you |
To enable you to use our products and services | Account Data, Transaction Data, Support Data, Technical Data and User Content | To perform our services with you |
To process your payments | Account Data, Transaction Data, Financial Data | To perform our services with you |
To notify you about changes to our products, services, or terms | Account Data | To perform our services with you |
To administer and maintain safety and security of our website | Technical Data | To perform our services with you |
To study usage of our products or services | Transaction Data, Support Data, Technical Data, Usage Data | Legitimate interest to improve our website, products, and services |
To gather feedback on our products, services, or features | Account Data | Legitimate interest to improve our website, products, and services |
To provide information on products or services that may be of interest to you | Account Data, Preference Data | Consent, which you may withdraw any time |
Legal Bases Table
Processing purpose | Type of data processed | Legal basis |
To register you as a user on our app | Account Data | To perform our services with you |
To enable you to use our products and services | Account Data, Transaction Data, Support Data, Technical Data and User Content | To perform our services with you |
To process your payments | Account Data, Transaction Data, Financial Data | To perform our services with you |
To notify you about changes to our products, services, or terms | Account Data | To perform our services with you |
To administer and maintain safety and security of our website | Technical Data | To perform our services with you |
To study usage of our products or services | Transaction Data, Support Data, Technical Data, Usage Data | Legitimate interest to improve our website, products, and services |
To gather feedback on our products, services, or features | Account Data | Legitimate interest to improve our website, products, and services |
To provide information on products or services that may be of interest to you | Account Data, Preference Data | Consent, which you may withdraw any time |