Privacy Policy

This privacy policy was last updated on the 21st of January 2022.

Introduction

We value data protection, and we do our best to protect your personal data.

In this privacy policy you will find information about how we handle your personal data when you visit our website or use our products. We want you to know about the personal data we collect, why we need it, how we use it, and how you can control our use of your information.

This policy may change from time to time so please check this page to ensure that you are happy with any changes.

1. Who we are

1.1 We are known as Altruistiq (our trading name), and we are a limited liability company, registered as Expanding Circle Ltd, incorporated in England and Wales with company number 13115702 and with registered office address at 6th Floor One London Wall, London, United Kingdom, EC2Y 5EB (Altruistiq).

1.2 Our business offers climate software solutions to help businesses measure, manage and abate their sustainability impact (Services).

1.3 We are registered as a Data Controller with the Information Commissioner's Office (ICO) under number ZB066282.

1.4 If you have any queries regarding our use of your personal data, please do not hesitate to contact us at:

(a) trustdata@altruistiq.com; or

(b) Expanding Circle Ltd, 6th Floor One London Wall, London, United Kingdom, EC2Y 5EB

1.5 You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

2. General

2.1 This Privacy Policy, together with our Cookies Policy, sets out the basis on which any personal data we collect from you, or that you provide to us, or that we obtain from other sources will be processed by us to offer you access to either our website, available at https://www.altruistiq.com/ (Website), or our Services.

2.2 To learn more about your rights to privacy and data protection in general, we recommend visiting the ICO’s website at https://ico.org.uk/.

3. How we use Personal data - Website users

3.1 We created our Website to offer general information about our Services to potential customers but also to share insights with anyone interested in sustainability.

3.2 The main purpose of any potential processing of personal information in connection with the use of this Website is to share information about our Services and, more generally, about sustainability with the public. As we value data protection, we have made the choice of collecting and processing the minimum amount of personal information necessary to allow the basic functionalities of this Website.

3.3 For the purposes of allowing this Website to work, while you access and use this Website, we may collect and process different kinds of personal data about you, which we have grouped together as follows:

(a) Technical Data including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this Website; and

(b) Usage Data including information about how you use this Website.

3.4 To gain anonymised information about this Website’s usage, we use Google Analytics’ cookies only. Please note that Google Analytics’ cookies collect information and report site usage statistics but do not personally identify individual visitors to this Website. To learn more about how Google Analytics collects and uses data when you use this Website, and how you can control the information sent to Google Analytics, read Google’s page about safeguarding your data. To read our Cookie Policy please follow this link.

3.5 As we minimise our use of personal data, we rely on our legitimate interest as a company to share information about our work with the public. However, we will always rely on your consent to use non-essential cookies.

3.6 We delete any personal data we may collect while you are browsing this Website after a maximum of 180 days from collection.

4. How we use personal data - Customers

4.1 Our mission is to help businesses keep track of their sustainability impact and find strategies to reduce it. Whilst our Services are clearly data-driven, we have designed our processes and practices to minimise the amount of personal data we may require from our customers.

4.2 We apply the principle of data minimisation to all our processing of personal data and limit access to your information. We allow access to your personal information to our employees and advisors only and on a need-to-know basis.

4.3 The section below explains in more detail how and why we process your personal data, as well as the legal basis on which we carry out each type of processing.

Negotiations (Legal Basis: Legitimate Interest)

Types of processing: We will process some of your personal data to communicate with you and exchange information about our Services.

Legal Basis: We have a legitimate interest as a business to process your personal data whilst negotiating a contract with you. We may also use your personal data to fulfil precontractual requests.

Fulfilment of Contractual Obligations (Legal Basis: Performance of a Contract)

Types of processing: We will use some of your personal data to deliver our Services. We will mainly need to set up a certain number of user accounts (as per your request) to allow you to use our platform.

We may share some of your personal data with our payment system provider, our affiliates, for the purpose of performing our obligations to you.

Legal Basis: We will collect and use your personal data to be able to enter into and perform the contract you have requested from us.

Administrative Purposes (Legal Basis: Legitimate Interest and Legal Requirement)

Types of processing: We will use your personal data to respond to your queries, requests and complaints.

We may also keep a record of these communications to improve our services and make sure we can demonstrate compliance with Applicable Laws and Codes of Conduct.

Legal Basis: We will collect and use your personal data to fulfil our contractual obligation to you, and our legal obligations as a company.

We also have a legitimate interest to provide our services to you and the general public.

Marketing (Legal Basis: Legitimate Interest and Consent)

Types of processing: If you have expressly opted in to receive marketing communications from us, we will use your personal data to share with you marketing communications in line with the preferences you have provided.

We may contact you about similar services where you have used our Services and you have not opted-out of receiving this information.

Legal Basis: We will collect and use your personal data provided that you consent to such use.

In limited circumstances, we may also process some of your personal data on the basis of our legitimate interest in providing our Services to you and the general public.

Fraud Prevention (Legal Basis: Legitimate Interest)

Types of processing: We may use your personal data to minimise the risk of fraud and other illegal activities.

Legal Basis: We will process some of your personal data on the basis of our legitimate interest to protect you, our business, and third parties from fraud and other illegal activities.

General Compliance (Legal Basis: Legal Requirement and Legitimate Interest)

Types of processing: We may process some of your personal data to comply with our contractual or legal obligations.

In particular, we may have to assist any public authority or criminal investigation body as required; to verify the accuracy of data we hold about you; and/or to comply with a request from you in connection with the exercise of your rights.

Legal Basis: We may process your personal data to comply with any legal obligation deriving from Applicable Laws and Codes of Conduct.

We may retain and process some of your personal data on the basis of our legitimate interest to protect our business from legal liability.

5. Information We collect about you

5.1 In order to offer our Services to the public and fulfil our contractual obligations to our customers, we may need to collect some of your personal information. The chart below aims at clarifying what types of personal data we may need from you, depending on your interaction with us.

Types of Processing: Information we may collect about you

Negotiations: Title; Name; Address; Email Address; Telephone Numbers; Other Contact Details

Fulfilment of Contractual Obligations: Title; Name; Email Address

Administrative Purposes: Records of communications with customers (this is applicable only if required for compliance purposes or to protect our business from legal liability)

Fraud Prevention and General Compliance: Records of communications with customers (this is applicable only if required for compliance purposes or to protect our business from legal liability)

6. Use of aggregated information

6.1 Your information may be converted into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from it. Aggregated data cannot be linked back to you as a natural person. We may use this data for analytical and research purposes.

7. Others who may have access to your data

Our main service providers

7.1 We may disclose your information to our advisors, affiliates, and third-party service providers for the purpose of general compliance and fraud prevention.

7.2 Third party service providers may also include cloud service providers; hosting, email and content providers; marketing agencies and administrative services providers.

7.3 We only disclose to third party service providers the selection of personal information that is necessary for them to provide their service and we have contracts in place that require them to keep your information secure and not to use it other than in accordance with our specific instructions.

Other ways we may share your personal information

7.5 We may share your personal information with a third party if we are under a duty to disclose or share it in order to comply with any legal obligation, to detect or report a crime, to enforce or apply the terms of our contracts or our legal rights or to protect the rights, property or safety of our employees, agents, contractors, and customers. We will always take steps with the aim of ensuring that your privacy rights continue to be protected.

Business Transfer

7.7 In the event that we sell or buy any business or assets, or if Altruistiq or substantially all of its assets are acquired by a third party, we will disclose your personal data to the prospective seller or buyer of such business or assets (at all times in accordance with all applicable data protection laws).

7.8 If you object to our sharing of your personal data in the context of a business transfer, we will not be able to continue to provide our Services to you.

8. Storage and Data transfers

8.1 We store and process your personal data within the UK and the European Economic Area (EEA).

8.2 We do not transfer your personal data outside of the EEA.

8.3 We store your personal data through cloud service providers based within the EEA.

8.4 Please contact us at trustdata@altruistiq.com if you want further information on how we store your personal data.

9. Data Retention

9.1 Our general policy is to keep personal data for as long as it is necessary to perform our contractual obligation with the relevant customer. However, in some cases we may have to keep some personal data for a longer period of time.

9.2 We only retain customers’ personal data for a maximum of 30 calendar days from the end of the latest contract we have in place with such customer (Data Retention Framework).

9.3 From time to time, we may be advised by our legal advisors to retain part of a customer’s data beyond our Data Retention Framework. This is necessary to ensure that we are able to protect our companies, our employees, agents and contractors from future liabilities and that we comply with legal requirements.

10. Security

10.1 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

10.2 All information you provide to us is transmitted using TLS encryption, it is stored on our secure servers behind firewalls, and it is encrypted at rest by default.

10.3 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10.4 Please be aware that if you use third-party service providers, we will not have control over their security measures and procedures to protect personal data as they are an independent third-party company. Therefore, sharing personal data with such third-party providers is at your own risk.

11. Cookies

11.1 For information on the cookies we use, the purposes for which we use them and how you can exercise your choices regarding our use of your cookies, see our cookie policy.

12. Your rights

12.1 You have several rights in relation to your personal information under Data Protection Laws. In relation to certain rights, we may ask you for more information to confirm your identity and, where applicable, to help us to search for your personal information.

12.2 Except in rare cases where additional time may be required, we will respond to you within one month from either (i) the date that we have confirmed your identity, or (ii) where we do not need to do this because we already have this information, from the date we received your request.

Accessing your personal information

12.3 Under Data Protection Laws you have a legal right to ask to see a copy of the personal information that we hold about you. Such requests are called subject access requests.

12.4 If you would like to make a subject access request, please contact us at trustdata@altruistiq.com.

12.5 You will also need to provide one form of identification and proof of your address, for example, driving licence, utility bill, and if appropriate, any particulars about the source or location of the information you are requesting.

12.6 Further information about subject access requests can be found on the Information Commissioner's website https://ico.org.uk

12.7 We may not provide you with a copy of your personal information if this concerns other individuals or if we have another lawful reason to withhold that information.

Correcting and updating your personal information

12.8 The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.

12.9 In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the ways described at the end of this policy or by updating your details on your account.

Withdrawing your consent

12.10 Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this policy.

12.11 If you would like to withdraw your consent or object to receiving any direct marketing to which you previously opted-in, you can do so using the unsubscribe tool in that communication (if it is an email), or by writing to us or calling us using the contact details at the end of this policy. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

12.12 If you have provided consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to amend your preferences.

Objecting to our use of your personal information

12.13 Where we rely on our legitimate business interests as the legal basis for processing your personal information for any purpose(s), you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy. Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data.

Erasing your personal information or restricting its processing

12.14 You may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a legal reason that allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

12.15 You may also ask us to restrict processing your personal information where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

Transferring your personal information in a structured data file ('data portability')

12.16 Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with a contract we have entered into with you, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form.

12.17 You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

Complaining to the UK data protection regulator

12.18 We would like to be able to resolve all your concerns, and we hope that we can do so. Where we haven't been able to do this, you have the right to complain to the ICO if you are concerned about the way we have processed your personal information. Please visit the ICO's website for further details: https://ico.org.uk.

13. Changes to this policy

13.1 We may review this policy from time to time and any changes will be notified to you by posting an updated version on our Website.

14. Contact us

14.1 Please contact us for any questions, comments and requests regarding this privacy policy.

14.2 If you wish to write to us, please write to us at:

Expanding Circle Ltd, 6th Floor One London Wall, London, United Kingdom, EC2Y 5EB

14.3 Our email address for data protection queries is:

trustdata@altruistiq.com

Key Definitions

Applicable Laws

Applicable Laws means:

any law, statute, regulation, or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the services are provided to or in respect of;

the common law and laws of equity as applicable to the parties from time to time;

any binding court order, judgment or decree;

any applicable guidance, guidelines or codes of practice issued by any relevant Data Protection Supervisory Authority (in each case whether or not legally binding);

any applicable industry code, policy or standard (in each case whether or not legally binding); and

any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Data Protection Laws

Data Protection Laws means all Applicable Law relating to the processing, privacy, and/or use of Personal Data, including:

the UK GDPR;

the UK Data Protection Act 2018;

the EU GDPR Regulation (EU) 2016/679;

any laws which implement any such laws; and

any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (whether or not before or after the date of this Agreement).

Data Protection Supervisory Authority

Data Protection Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

Data Controller

Data Controller means the individual or organisation that, alone or jointly with others, exercises overall control over how Personal Data are processed and the purposes of such treatment.

Data Processor

Data Processor means any person (other than an employee of the data controller) who processes the data on behalf and under the instruction of the Data Controller.

Lead Supervisory Authority

In the GDPR, the general rule is that the supervision of processing activity that is cross-border, or that involves citizens of more than one EU country, is led by only one supervisory authority, called the lead supervisory authority. This is known as the One Stop Shop principle. A lead supervisory authority is the body with the primary responsibility for dealing with a cross-border processing activity (e.g., when a company carrying out processing activity in several Member States is being investigated).

The supervisory authority of the country where the main establishment of the organisation is based will be the lead authority.

Where an organisation has a single establishment in the EU, but the processing substantially affects or is likely to substantially affect data subjects in more than one Member State, the lead supervisory authority is the supervisory authority of the place of that single establishment.

Where an organisation has several establishments in the EU, the principle is that the main establishment is the place of the central administration of that organisation.

However, if another establishment takes the decisions about the purposes and means of the processing, and has the power to have such decisions implemented, then that becomes the main establishment.

The lead supervisory authority mechanism is only applicable in the context of a company's cross-border processing activities. Consequently, companies must assess whether they meet one of the following criteria where either:

• processing takes place in the context of the activities of businesses or organisations in more than one member state where the business or organisation is established in more than one member state; or

• processing takes place in the context of the activities of a single establishment but substantially affects or is likely to substantially affect individuals across more than one member state.

Please note that ICO cannot be a Lead Supervisory Authority as the UK is not part of the European Union.

Personal Data

Personal data is defined in the UK GDPR as any information relating to an identified or identifiable natural person. It can include obvious data like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that person.

Special Category of Data

Special category data includes any data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.