READ OUR

Privacy Policy

This Privacy Policy describes the information that we gather on or through our Services and how we use and process such information. For each processing purpose we will articulate the reason for requiring the data, what data we will process, the legal basis for processing the data and how long we will keep the data.

Where the legal basis of consent is to be used, this will be gathered freely, and we will use clear, plain language that is easy to understand, and you will be able to remove your consent at any point.

What information do we collect about you?

We collect/process information so that we can provide the best possible experience when you utilise our services.  This section of the policy will describe the purpose for processing your personal data, the legal basis to do so and how long we will keep your data.

Our Product / Service

Fospha Pro collects data from various sources, including:

Client Data: This includes data provided by our clients (the businesses using Fospha Pro) about their marketing activities, such as advertising spend, campaign details, and website analytics. This data may include information about their customers, but only if and to the extent that our clients have the necessary legal basis and consent to share this data with us for this purpose. We act as a data processor on behalf of our clients in these circumstances. The types of customer data typically processed include:

  • Pseudonymous Identifiers: These are identifiers like transaction IDs, or hashed email addresses, which do not directly identify an individual but can be used to track marketing interactions.
  • Marketing Interaction Data: This includes data about how users interact with marketing campaigns, such as clicks, views, conversions, and purchases.
  • Aggregated and Anonymized Data: We may also process aggregated and anonymized data derived from the client data, which does not identify any individual.

Third-Party Data: Fospha Pro may integrate with third-party data providers to enrich the data collected from clients. This data may include demographic information or other marketing-related data. We only work with reputable third-party providers who have appropriate data privacy practices in place.

How Fospha Pro Uses Data:

Fospha Pro uses the collected data for the following purposes:

  • Marketing Measurement and Attribution: To analyze the performance of marketing campaigns and attribute conversions to different marketing touchpoints.
  • Reporting and Analytics: To provide clients with reports and insights on their marketing performance.
  • Product Improvement: To improve the functionality and performance of Fospha Pro.

Requests to correct, amend, or delete data where Fospha is the data processor for our customers (the data controller) should be addressed to our customers using the details required on their privacy policy. Upon receipt of requests we will act within 30 days.

Corporate

If you choose to become a customer of our service, personal data items such as Name, Email Address and Telephone number may be stored in our Corporate Cloud Storage, Corporate Email Platform or our Help Desk platform.

We will process data under the legal basis of legitimate interest. A contract will be in place with your employer; however, we will need to use legitimate interest to process your data given we do not have a direct contractual relationship with the data subject.

Personal data will be retained for a period of up to 2 years for an active customer account.

Marketing

We would like to send you information about products and services of ours which may be of interest to you. You have a right at any time to stop us from contacting you for marketing purposes. The personal data will include names, addresses, email addresses, employer, job title and telephone numbers.

We will process data using the following legal rationales to send marketing information. If you are an individual and not associated with a contracted client, we will ask for your consent. If you are associated with a contracted client, we will use contractual obligation as the legal basis to process the data. If you are associated with a previous contracted client, we will use legitimate interest as the legal basis to process the data. All of the above rationales for marketing information can be removed by informing us of your wish to remove consent.

We will retain personal data for active customer leads for a period of up to 1 year. A lead will be active under the following circumstances:

  • An email sent by our organisation has not received an unknown account bounce back
  • An email has been sent to our organisation from the data subject

Cookies

Like many websites, we use cookies and similar technologies to collect additional website usage data and to improve our Services. Website usage information is collected using cookies to monitor aggregate site usage metrics such as total number of visitors, pages viewed and web traffic routing on our Services. We will store the cookie values on our platform to allow us to perform our analysis, however this will not be used to target marketing material to an individual user.

We will process data under the legitimate interest legal basis, as we only use the data to perform aggregated tracking analysis and will not target individuals based upon this analysis. You also need to accept our cookie policy to allow us to process the data.

We will retain active cookie data for a period of up to 1 year. A cookie will remain active if a user re-visits our platform.

Learn more about how we use cookies by reading our Cookie Policy.

CCPA

In relation to the California Consumer Privacy Act (CCPA), we confirm the following:

  • We do not sell any personal information
  • We do not offer any financial incentive for your personal information
  • You will not receive any discriminatory treatment by our business for exercising your privacy rights
  • We will not charge you for exercising your privacy rights
  • Upon receiving a request to know or a request to delete, we will confirm receipt of the request within 10 business days and provide information about how the business will process the request.
  • We will respond to requests to know and requests to delete within 45 calendar days.
  • We shall not disclose in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.
  • We are able to provide the information and classification of information when responding to a Request to Know request
  • We are able to delete the personal information in relation to a Request to Delete request

Updating These Terms

We may change our Service and policies, and we may need to make changes to these Terms so that they accurately reflect our Service and policies. Unless otherwise required by law, we will notify you at least 30 days before we make changes to these Terms and give you an opportunity to review them before they go into effect. Then, if you continue to use the Service, you will be bound by the updated Terms. If you do not want to agree to these or any updated Terms, you can request an account deletion.

Your Rights

Accessing or Rectifying your personal data

We want to make sure that your personal information is accurate and up to date and you have the right to request a copy and update the personal data that we hold about you. You may ask us to correct or remove information you think is inaccurate. In most circumstances before we are able to invoke your rights we may need to verify you as the data subject, therefore we will request data from you and this will be checked against our records before we can proceed. If you would like to invoke this right, please email or write to us at the below address.

 

Deletion

Based upon the retention periods described above we will remove your personal data from our platforms.

 

Object, Restrict or Withdraw Consent

You may wish to object to or restrict our ability to process your personal data. This can be done either via email or in writing, using the contact details below. Further context may need to be requested to ensure we can carry out the relevant tasks on our platforms to perform the request.

 

Portability

You may wish to port your personal data to another platform. This can be done either via email or in writing, using the contact details below.

Who we are and how to contact us

We are the data controller responsible for defining and managing how your personal data is processed.

Our company name is Fospha Limited

Our company address is Scale Space, 58 Wood Lane, London, W12 7RZ.

Our email address is dpo@fospha.com

To Whom We Disclose Information

Except as described in this Policy, we will not intentionally disclose the Personal Data or Client Data that we collect or store on the Service to third parties without the consent of the data subject. We may disclose information to third parties if you consent to us doing so, as well as in the following circumstances:

 

Unrestricted Information

Any information that you voluntarily choose to include in a Public Area of the Service, such as a public profile page, will be available to any Visitor or User who has access to that content.

 

Service Providers

We work with third party service providers who provide email hosting, core corporate applications, web hosting, maintenance, and other services for us. These third parties may have access to, or process Personal Data or Client Data as part of providing those services for us. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their functions, and our contracts with them require them to maintain the confidentiality of such information.

Service providers include:

FiveTran

  • Registration & Address: REG. 5245598, 1221 Broadway Street, Floor 20, San Francisco, CA, United States
  • Personal Data Storage Location: Google Cloud Platform, europe-west-2 (London). Google Cloud Platform (GCP) does not publicly disclose the exact addresses of its data centers, including those in the europe-west2 region, which corresponds to London, United Kingdom. This non-disclosure is a standard security practice to protect the infrastructure and ensure data security.
  • Description of Processing: For the purpose of our secure data pipelines/movement. 
  • Data Adequacy: IDTA

Amazon Web Services EMEA SARL

  • Registration & Address: Amazon Web Services EMEA SARL’s registered business address is: 38 Avenue John F. Kennedy, L-1855 Luxembourg.  In the United Kingdom, the UK branch of Amazon Web Services EMEA SARL is located at: 1 Principal Place, Worship Street, London, EC2A 2FS, United Kingdom.
  • Personal Data Storage Location: AWS region eu-west-2 (UK, London). Amazon Web Services (AWS) does not publicly disclose the specific physical addresses of its data centers, including those in the eu-west-2 region, which corresponds to London, United Kingdom. This practice is part of AWS’s security measures to protect its infrastructure and ensure data security.
  • Description of Processing: Hosting
  • Data Adequacy: IDTA

Intercom R&D Unlimited Company

  • Registration & Address: REG. 538158, 18-21 St. Stephen’s Green Dublin 2, Ireland.
  • Personal Data Storage Location: Amazon Web Services (AWS) eu-west-1 region, located in Dublin, Ireland.
  • Description of Processing: Customer Support Services
  • Data Adequacy: EEA

Blenheim Chalcot IT Services India Private Limited

  • Registration & Address: U72300MH20 14FTC256115. Registered business address is: 103-104/B Wing, Fulcrum Hiranandani Business Park, Sahar Road, Andheri East, Mumbai, Maharashtra 400099, India 
  • Description of Processing: Application development, back-office finance and invoicing services and helpdesk queries.
  • Data Adequacy: IDTA supported by TRA/TIA

Hubspot

  • Registration & Address: REG.: 401929, 25 First Street, 2nd Floor Cambridge, MA 02141, United States 
  • Personal Data Storage Location: AWS – us-east-1 region
  • Description of Processing: CRM
  • Data Adequacy: SCC, EU-US Data Privacy Framework with UK extension

BC LTF Limited

  • Registration & Address: REG.: 5064255, 58 Wood Lane, White City, London, W12 7NZ, United Kingdom 
  • Description of Processing: Internal company operations
  • Data Adequacy: UK

Planhat AB

  • Registration & Address: REG.: 556991-642, Malmskillnadsgatan 13, 111 57 Stockholm, Sweden
  • Personal Data Storage Location: Google Cloud Platform, europe-west-1 (Belgium) and Europe-west-4 (Netherlands)
  • Description of Processing: Customer Success Platform
  • Data Adequacy: EEA

Overseas transfers

The information you provide may be transferred to countries outside the European Economic Area (EEA) that do not have similar protections in place regarding your data and restrictions on its use as set out in this policy. However, we will take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein. By submitting your information, you consent to these transfers for the purposes specified above.

We may transfer your personal information to the following recipients, which are located outside the European Economic Area (EEA):

Mailchimp, Salesforce, Blenheim Chalcot IT Services India Private Limited and HubSpot have each provided the following safeguards to ensure the safety of your personal data

HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States; for the purpose of our Marketing CRM

Salesforce.com, The Landmark, One Market Street, Suite 300, San Francisco, CA 94105 for the purpose of our Marketing CRM

Mailchimp, Salesforce and HubSpot have each provided the following safeguards to ensure the safety of your personal data, and it shall be processed to at least the same standards as set out by the General Data Protection Regulations: Mailchimp, Salesforce and HubSpot each participate in The Privacy Shield framework, which is accepted by the European Commission as evidence that an adequate level of protection exists for the personal data in the country, territory, or organisation where it is being transferred, in this case, the United States.

You can obtain a copy of the safeguards and any other of Mailchimp’s data protection documentation by visiting https://mailchimp.com, or applying via post to Mailchimp, The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA.

You can obtain a copy of the safeguards and any other of HubSpot’s data protection documentation by visiting https://www.hubspot.com, or applying via post to HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States.

You can obtain a copy of the safeguards and any other of Salesforce’s data protection documentation by visiting https://www.salesforce.com, or applying via post to Salesforce, The Landmark, One Market Street, Suite 300, San Francisco, CA 94105 United States.

Blenheim Chalcot IT Services India Private Limited; India; For the purpose of application development, back-office finance and invoicing services and helpdesk queries.

Intercom R&D Unlimited Company, 18-21 St. Stephen’s Green Dublin 2, Ireland; for the purpose of Customer Support via live chat, help center, and platform notifications in Fospha Analytics. Intercom offers an AI chatbot in the chat window called Fin, which uses an API with OpenAI, 3180 18th St, San Francisco, California, 94110, USA, for the purposes of automated customer support. OpenAI is a sub-processor of any data submitted to Fin in a chat resolution. Intercom and OpenAI have a DPA in place to ensure the safety of your data, and strict contractual guidelines in place that detail that OpenAI is contractually restricted from using any data provided to improve or train its AI model. As of 21st July 2023, OpenAI has activated a zero retention policy for all customer inputs (messages sent to Fin) and outputs (responses generated by Fin), meaning this data is not stored by OpenAI. OpenAI is based in the US, and both Intercom and OpenAI are using relevant and up-to-date Standard Contractual Clauses for international transfers under GDPR, UK GDPR, or Swiss DPA (as applicable).

 

Non-Personally Identifiable Information

We may make non-personally-identifiable information available to third parties for various purposes. This data may be automatically collected and would be analysed to create an aggregated view of the data, ensuring the reported information is anonymous.

 

Law Enforcement, Legal Process and Compliance

We may disclose Personal Data or other information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, in response to a facially valid court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.

 

Change of Ownership

Information about data subjects may be disclosed and otherwise transferred to an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets, and only if the recipient of the personal data commits to a Privacy Policy that has terms substantially consistent with this Privacy Policy.

Our Data Security

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way.

The following security procedures, and technical and organisational measures to safeguard your personal information have been put in place:

  • In cases where personal data is being processed in third countries or by third parties, a rigorous data protection impact assessment is performed to ensure that your data is always secured.
  • Our application platform is hosted in ISO 27001 certified secure data centres in the UK.
  • Firewalls, intrusion detection and prevention, anti-virus and anti-malware, and backup and disaster recovery are in place to prevent data loss or deletion.
  • A 24/7 security guard, closed circuit television and a door access control system for authorized personnel secure our offices and data centres.
  • Our applications are engineered by following industry standards to minimise security vulnerabilities and are updated on a regular basis.
  • Intrusion detection and prevention secures the network traffic to the servers and applications.
  • Anti-malware and anti-virus software is deployed to all of our servers and regularly scans and updates with the latest anti-malware and virus signatures.
  • We regularly apply critical, security patches and firmware updates to operating systems and physical hardware to minimise the risk of vulnerabilities.
  • Our employees undergo background screening and selection processes, with a restricted list of employees having access to secure areas of the applications, databases and physical infrastructure. Access to the secure areas is logged and auditable.
  • We will use all reasonable efforts to safeguard your personal information. However, you should be aware that the use of the Internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the Internet.
  • We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
  • We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
  • Our employees receive regular Security and Data Privacy awareness training.

This privacy policy was last updated in April 2023.