6. Use Of Aggregated Information

6.1 Your information may be converted into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from it. Aggregated data cannot be linked back to you as a natural person. We may use this data for analytical and research purposes.

‍

7. Others Who May Have Access To Your Data

Our main service providers

7.1 We may disclose your information to our advisors, affiliates, and third-party service providers for the purpose of general compliance and fraud prevention.

7.2 Third party service providers may also include cloud service providers; hosting, email and content providers; marketing agencies and administrative services providers.

7.3 We only disclose to third party service providers the selection of personal information that is necessary for them to provide their service and we have contracts in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.

Other ways we may share your personal information

7.5 We may share your personal information with a third party if we are under a duty to disclose or share it in order to comply with any legal obligation, to detect or report a crime, to enforce or apply the terms of our contracts or our legal rights or to protect the rights, property or safety of our employees, agents, contractors, and customers. We will always take steps with the aim of ensuring that your privacy rights continue to be protected.

Business Transfer

7.7 In the event that we sell or buy any business or assets, or if Altruistiq or substantially all of its assets are acquired by a third party, we will disclose your personal data to the prospective seller or buyer of such business or assets (at all times in accordance with all applicable data protection laws).

7.8 If you object to our sharing of your personal data in the context of a business transfer, we will not be able to continue to provide our Services to you.

‍

8. Storage And Data Transfers

8.1 We store and process your personal data within the UK and the European Economic Area (EEA).

8.2 We do not transfer your personal data outside of the EEA.

8.3 We store your personal data through cloud service providers based within the EEA.

8.4 Please contact us at trustdata@altruistiq.com if you want further information on how we store your personal data.

‍

9. Data Retention

9.1 Our general policy is to keep personal data for as long as it is necessary to perform our contractual obligation with the relevant customer. However, in some cases we may have to keep some personal data for a longer period of time.

9.2 We only retain customers’ personal data for a maximum of 30 calendar days from the end of the latest contract we have in place with such customer (Data Retention Framework).

9.3 From time to time, we may be advised by our legal advisors to retain part of a customer’s data beyond our Data Retention Framework. This is necessary to ensure that we are able to protect our companies, our employees, agents and contractors from future liabilities and that we comply with legal requirements.

‍

10. Security

10.1 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

10.2 All information you provide to us is transmitted using TLS encryption, it is stored on our secure servers behind firewalls, and it is encrypted at rest by default.

10.3 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10.4 Please be aware that if you use third-party service providers, we will not have control over their security measures and procedures to protect personal data as they are an independent third-party company. Therefore, sharing personal data with such third-party providers is at your own risk.

‍

11. Cookies

11.1 For information on the cookies we use, the purposes for which we use them and how you can exercise your choices regarding our use of your cookies, see our cookie policy

‍

12. Your Rights

12.1 You have several rights in relation to your personal information under Data Protection Laws. In relation to certain rights, we may ask you for more information to confirm your identity and, where applicable, to help us to search for your personal information.

12.2 Except in rare cases where additional time may be required, we will respond to you within one month from either (i) the date that we have confirmed your identity, or (ii) where we do not need to do this because we already have this information, from the date we received your request.

Accessing your personal information

12.3 Under Data Protection Laws you have a legal right to ask to see a copy of the personal information that we hold about you. Such requests are called subject access requests.

12.4 If you would like to make a subject access request, please contact us at trustdata@altruistiq.com.

12.5 You will also need to provide one form of identification and proof of your address, for example, driving licence, utility bill, and if appropriate, any particulars about the source or location of the information you are requesting.

12.6 Further information about subject access requests can be found on the Information Commissioner's website https://ico.org.uk

12.7 We may not provide you with a copy of your personal information if this concerns other individuals or if we have another lawful reason to withhold that information.

Correcting and updating your personal information

12.8 The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.

12.9 In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the ways described at the end of this policy or by updating your details on your account.

Withdrawing your consent

12.10 Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this policy.

12.11 If you would like to withdraw your consent or object to receiving any direct marketing to which you previously opted-in, you can do so using the unsubscribe tool in that communication (if it is an email), or by writing to us or calling us using the contact details at the end of this policy. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

12.12 If you have provided consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to amend your preferences.

Objecting to our use of your personal information

12.13 Where we rely on our legitimate business interests as the legal basis for processing your personal information for any purpose(s), you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy. Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data.

Erasing your personal information or restricting its processing

12.14 You may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a legal reason that allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

12.15 You may also ask us to restrict processing your personal information where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

Transferring your personal information in a structured data file ('data portability')

12.16 Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with a contract, we have entered into with you, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form.

12.17 You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

Complaining to the UK data protection regulator

12.18 We would like to be able to resolve all your concerns, and we hope that we can do so. Where we haven't been able to do this, you have the right to complain to the ICO if you are concerned about the way we have processed your personal information. Please visit the ICO's website for further details: https://ico.org.uk.

‍

13. Changes To This Policy

13.1 We may review this policy from time to time and any changes will be notified to you by posting an updated version on our Website.

‍

14. Contact Us

14.1 Please contact us for any questions, comments and requests regarding this privacy policy.

14.2 If you wish to write to us, please write to us at:

Expanding Circle Ltd, 6th Floor One London Wall, London, United Kingdom, EC2Y 5EB

14.3 Our email address for data protection queries is:

trustdata@altruistiq.com

‍

Key Definitions

Applicable  Laws

Applicable Laws means:

any law, statute, regulation, or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the services are provided to or in respect of;

the common law and laws of equity as applicable to the parties from time to time;

any binding court order, judgment or decree;

any applicable guidance, guidelines or codes of practice issued by any relevant Data Protection Supervisory Authority (in each case whether or not legally binding);

any applicable industry code, policy or standard (in each case whether or not legally binding); and

any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Data Protection Laws

Data Protection Laws means all Applicable Law relating to the processing, privacy, and/or use of Personal Data, including:

the UK GDPR;

the UK Data Protection Act 2018;

the EU GDPR Regulation (EU) 2016/679;

any laws which implement any such laws; and

any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (whether or not before or after the date of this Agreement).

Data Protection Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

Data  Controller

Data Controller means the individual or organisation that, alone or jointly with others, exercises overall control over how Personal Data are processed and the purposes of such treatment.

Data  Processor‍

Data Processor means any person (other than an employee of the data controller) who processes the data on behalf and under the instruction of the Data Controller.

Lead  Supervisory Authority

In the GDPR, the general rule is that the supervision of cross-border processing activity, or involving citizens of, more than one EU country, is led by only one supervisory authority, called the Lead supervisory authority. This is known as the One Stop Shop principle. A lead supervisory authority is the body with the primary responsibility for dealing with a cross-border processing activity (e.g., when a company carrying out processing activity in several Member States is being investigated.).

The supervisory authority of the country where the main establishment of the organisation is based will be the lead authority.

Where an organization has a single establishment in the EU, but the processing substantially affects or is likely to substantially affect data subjects in more than one Member State, the lead supervisory authority is the supervisory authority of the place of that single establishment.

Where an organisation has several establishments in the EU, the principle is that the main establishment is the place of the central administration of that organisation.

However, if another establishment takes the decisions about the purposes and means of the processing - and has the power to have such decisions implemented – then that becomes the main establishment.

The lead supervisory authority mechanism is only applicable in the context of a company's cross-border processing activities. Consequently, companies must assess whether they meet one of the following criteria where either:

• processing takes place in the context of the activities of businesses or organisations in more than one member state where the business or organisation is established in more than one member state; or

• processing takes place in the context of the activities of a single establishment but substantially affects or is likely to substantially affect individuals across more than one member state.

Please note that ICO cannot be a Lead Supervisory Authority as the UK is not part of the European Union.

Personal  Data

Personal data is defined in the UK GDPR as any information relating to an identified or identifiable natural person. It can include obvious data like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that person.

Special Category of Data‍

Special category data includes any data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.