1. Information About Us

Our site is owned and operated by Comply Express Unipessoal Lda (shortened name Comply Express Lda), a limited company registered in Portugal under company number 516233483, whose registered address is StartUp Madeira, Campus da Penteada, 9020-105 Funchal, Portugal. Comply Express Lda is a wholly owned subsidiary of Comply Express Ltd, Coalport House, Stafford Court, Stafford Park 1, Telford, Shropshire TF3 3BD, UK.

Comply Express Lda's VAT number is 516233483.

Our Data Protection Officer is Mr John Showell, who can be contacted via our contact form, by telephone on +44 (0)330 223 6123, or by post at the above address.

  2. What does this policy cover?

This Privacy Policy applies to how we use your Personal Data through your use of our website. Our site may contain links to other websites. Please note that we have no control over how your data is collected, stored or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

  3. What are Your Rights?

Under data protection laws, you have rights in relation to your Personal Data that include:

    1. The right to be informed about our collection and use of your Personal Data.
    2. The right to information about the Personal Data we hold about you.
    3. The right to rectification of any inaccuracies in the Personal Data we hold about you.
    4. The right to request we delete all Personal Data we hold about you (except where we are legally obliged to retain it). Upon this request, you will be ‘Forgotten’.
    5. The right for you to object to us using your Personal Data for particular purposes.
    6. The right to restrict (i.e. prevent) the processing of your Personal Data.
    7. The right to data portability (obtaining a copy of your Personal Data to re-use with another service or organisation).
    8. Rights with respect to automated decision making and profiling.

Please note that we may ask you to verify your identity before responding to such requests.

You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at ‘info@complyexpress.com’.

  4. What Data Do We Collect?

We consider any information that can be used to directly or indirectly identify you to be Personal Data, including without limitation, Personal Data that is accessed, collected, maintained, transmitted and/or used by Comply Express Ltd & Comply Express Lda in the normal course of our business and is subject to the provisions of this Privacy Policy and applicable law.

We collect and log your IP address, the time and duration of your visit, the time and duration of the pages on our website that you view and information about your computer system, such as your browser type and operating system.

We collect anonymous usage information on visitors to our website through the use of Google Analytics. Google Analytics employs tracking cookies to gather anonymous browser, operating system, geographic and website navigation information.

Personal information is not collected as part of your web visit but may be tied to other information which we do collect from you. We collect the following pieces of information upon request:

    1. First name and last name
    2. Company name
    3. Email address
    4. Phone number

  5. How do we use your data?

All Personal Data is processed and stored securely for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the General Data Protection Regulation (‘GDPR’) at all times.

Our use of your Personal Data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your Personal Data (e.g. by subscribing to emails), or because it is in our legitimate interests. Specifically, we may use your data for the following purposes:

    1. Provide, operate and maintain our services.
    2. Improve, personalise and expand our services.
    3. Understand and analyse how you use our services.
    4. Changes to terms and conditions and other legal and compliance purposes (for when we need to change this document).
    5. Updates to our products and service offerings (e.g. now offering marketing, now not offering java development).
    6. Gathering feedback (e.g. a review or feedback request).

With your permission and/or where permitted by law, we may also use your data for marketing purposes which may include contacting you by email, telephone, text message and post with information, news and offers on our products and services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

  6. Data Retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so, for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible, for example, because your personal information has been stored in backup archives, then we will securely store your personal information and isolate it from any further processing until deletion is possible.

  7. The steps we take to ensure security of your data

Comply Express Ltd & Comply Express Lda are committed to protecting your information. To do so, we employ a variety of security technologies and measures designed to protect information from unauthorised access, use or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that the Internet cannot be guaranteed to be 100% secure.

  8. How Can I Access My Personal Data?

If you want to know what Personal Data we have about you, you can ask us for details of that Personal Data and for a copy of it (where any such Personal Data is held). This is known as a ‘subject access request’.

All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 1.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within 14 days and, in any case, not more than one month of receiving it. Normally, we aim to provide a complete response, including a copy of your Personal Data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

  9. Do we share your data?

We may employ third party companies and individuals to facilitate our website, to provide the service on our behalf, to perform website related services or to assist us in analysing how our website is used.

We compile statistics about the use of our website including data on traffic, usage patterns and other information. This data is anonymised and does not include personally identifiable data. We may share this derived information with affiliates.

We may be required to share data with law enforcement.

9.1. Google Analytics

This website uses Google Analytics to monitor and analyse the use of our website.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our website. This data may be shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

For more information on the privacy practices of Google, please visit their Privacy & Terms web page at: https://policies.google.com/privacy

  10. Changes to this Privacy Policy

This Privacy Policy may be modified from time to time. Any change will be communicated to you via your typical communication channel(s), such as email, post or phone, with reference to this policy. Only this page is to be deemed as the current and in-use version of this document.

  11. What Happens If our Business Changes Hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any Personal Data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you will be given the choice to have your data deleted or withheld from the new owner or controller.

  12. Children’s Privacy

It is not our policy to deal with individuals under 18 years of age. We do not knowingly collect personally identifiable information of Children under the age of 18. If you are a parent or guardian and you believe that your Child/Children may have provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we will take appropriate steps to remove that information from our records.

  13. Contact Us

If you have any questions or concerns about this Privacy Policy, please feel free to email us at ‘info@complyexpress.com’.

  1. Addendum

The General Data Protection Regulation (‘GDPR’) imposes mandatory contractual obligations on the relationship between Data Controller and Data Processor. These are required to be incorporated into any contract between these parties for the contract and the processing to be and remain GDPR compliant.

This Addendum will be contractually applicable to the provision of your services and incorporates the required GDPR provisions; it takes priority over your existing agreements with us.

This Addendum also applies to how we use your Personal Data while you remain a customer and includes details about the data we store and the steps we take in securing the information.

  1. Data Controller’s Obligations

As the Data Controller for data you provide us with, you shall:

    1. Be solely responsible for determining the means and the purpose of the processing.
    2. Ensure that you implement appropriate policies to inform the Data Subjects of the purpose for collecting and processing the Personal Data, the Data Subject’s rights in relation to GDPR and shall ensure that such policy and information as required by GDPR is available to the Data Subject prior to collecting the Personal Data.
    3. The Data Controller shall implement appropriate technical and organisational measures for ensuring that by default, only Personal Data which are necessary for the specific purpose of the processing are processed. This applies to the amount of Personal Data collected, the extent of the processing, the storage period and accessibility.
    4. Ensure that you have in place such systems and processes to support your obligations under Article 32-36 of the GDPR.
    5. Assess and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Data Subjects represented by the processing, including as appropriate:
      • The pseudonymisation and/or encryption of Personal Data.
      • The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services.
      • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
    6. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

  1. Data Processor’s Obligations

We may sub-contract our duties or obligations arising under this Addendum without the prior written consent of the Data Controller. Details regarding any (if any) sub-contracting relationships will be supplied to the Data Controller as reasonably required.

As the Data Processor of data you provide us with, we shall:

    1. Only process the Personal Data in accordance with the terms of this Addendum or any further documented instructions from the Data Controller and solely in relation to the performance thereof. If in the reasonable opinion of the Data Processor any such term or instruction infringes the GDPR the Data Processor shall immediately inform the Data Controller of such infringement and may suspend its processing.
    2. Ensure that persons employed to process the Personal Data have been required to commit themselves in writing via an employment agreement or some other contractual document to confidentiality or are under an appropriate statutory obligation of confidentiality.
    3. Assess and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Data Subject represented by the processing.
    4. The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, to enable the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.
    5. The Data Processor shall assist the Data Controller in the compliance of its obligations pursuant to Article 32-36 of the GDPR.
    6. The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of the Services, and delete existing copies unless copies of the Personal Data need to be retained for compliance with the Data Processor’s statutory obligations.
    7. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and, if requested, contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
    8. The Data Processor must keep compilable electronic records, such as raw emails, of its processing activities performed on behalf of the Data Controller, including:
      • The details of the Data Controller/Data Processor and any representatives, sub-processors and data protection officers.
      • The categories of processing activities performed.
      • Information regarding cross-border data transfers, if any.
      • A description of the technical and organisational security measures implemented in respect of the processed data.
    9. The Data Processor must notify any Data Breach to the Data Controller (at the Data Protection Officer details), as soon as possible after it becomes aware of the same. Such notice can be given verbally but must be followed up in writing within a reasonable time with the following details: the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.

Regarding transfers of Personal Data to a third party or an international organisation, such shall only be undertaken on the instruction of the Data Controller, save where the Data Processor is required to do so by law, in which case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

  1. How do we use your data?

Our use of your Personal Data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your Personal Data (e.g. by subscribing to emails), or because it is in our legitimate interests.

All Personal Data is processed and stored with reasonable security, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the GDPR at all times.

We may have to share your Personal Data with the parties set out below:

    1. Other companies in our group who provide services to us.
    2. Service providers who provide IT and system administration services.
    3. Professional advisers including lawyers, bankers, HR advisors, auditors and insurers.
    4. Government bodies that require us to report processing activities.
    5. Third parties to whom we sell, transfer, or merge parts of our business or our assets.

We require all third parties to whom we transfer your data to respect the security of your Personal Data and to treat it in accordance with the law. We only allow such third parties to process your Personal Data for specified purposes and in accordance with our instructions.

Some or all of your data may be stored outside of the European Economic Area (“the EEA”), which consists of all EU member states, plus Norway, Iceland, and Liechtenstein. You are deemed to accept and agree to this by using our site and submitting information to us. If we do store data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK under the GDPR legislation.

Personal Data means any information capable of identifying an individual. It does not include anonymised data.

  1. Marketing Communications

With your permission and/or where permitted by law, we may also use your data for marketing purposes which may include contacting you by email, telephone and post with information, news and offers on our products and services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you OR by emailing us at ‘info@complyexpress.com’ at any time.

If you opt out of receiving marketing communications, this opt-out does not apply to Personal Data provided as a result of other transactions, such as purchases etc.

  1. Data Retention

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When deciding how long to keep the data, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes and whether these can be achieved by other means, and legal requirements.

For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.

In some circumstances, we may anonymise your Personal Data for research or statistical purposes, in which case, we may use this information indefinitely without further notice to you.

  1. Data Protection Warranties and Survival

Notwithstanding any other provision of this Addendum, the Parties warrant that, upon receipt of Personal Data, each shall duly observe all its obligations as a Data Controller and/or Data Processor under the Data Protection Act (“DPA”) and the GDPR, which arise in connection with the Processing and the performance of its respective rights and obligations under this Addendum.

The provisions of this Addendum are expressly agreed by the Parties to survive any termination of this Addendum, howsoever arising. This Addendum shall be governed by the laws of Wales and the parties hereby submit to the exclusive jurisdiction of the English Courts.