Your privacy is very important to us. This Services Privacy Notice (the Notice) explains the privacy practices that Card Personalisation Solutions Limited employs when its customers and their end-users use any products, applications and services (together, the "Services").
When we talk about CPS, we, our, or us, in this notice, we are referring to Card Personalisation Solutions Limited. and its group companies, including identity2u.net. When we say you or End-User in this notice, we mean any individual using and accessing our Services. When we talk about an Organisation or Customer in this Notice, we are generally referring to the entity of which you are an employee, contractor, member, or other participant, that has engaged us to provide the services under the terms of a contract. The Organisation Administrators we talk about in this notice are the individuals authorised by our Customers to help administer our services internally.
By sharing your personal information with us, and by continuing to use our Services, you confirm that you have read and understood the terms of this Notice.
- through our websites (such as https://www.identity2u.net) or product feedback and surveys, and in connection with our events, sales and marketing activities, please see our general privacy notice (forthcoming as of May 25, 2018).
- when you apply for a role with CPS through our Website or otherwise, please see our candidate privacy notice (forthcoming as of May 25, 2018).
If you have any questions, comments or concerns about any aspect of this Notice or how we handle your information, please reach out to our team using the details provided under the Contact Us section of this Notice.
Our Privacy Principles
Trust and transparency are foundational to what we do at CPS. We are committed to being open about how we approach privacy at CPS, and aim to communicate with you about privacy in a way that is easy for you to understand. To support these goals, we developed these Privacy Principles to highlight our commitment to responsibly protecting and handling your personal information. Our Privacy Principles help guide decisions we make at every level of our organisation, as well as our legal obligations.
- We respect individuals' privacy by promoting informed choice.
- We collect only the personal information we need, and pseudonymise or get rid of what we don't.
- We are transparent about how we use personal information and accountable for how we and our partners use it.
- We factor security into everything we do.
- We engineer privacy into our ideas and products.
Notice to End Users
In general, our Services are intended for use by Organisations, administered to you by your Organisation, and subject to your Organisation's policies, if any. This means that in most cases we are collecting and processing your personal information on behalf of your Organisation. In these cases, we are generally acting as a processor of your personal information, processing the information according to your Organisation's instructions, because your Organisation is the controller. It is primarily your Organisation, as the controller, that controls what personal information about you we collect and how we use it. If you have privacy related questions or concerns about your Organisation's privacy practices or the choices your Organisation has made to share your information with us or any other third party, you should reach out to your Organisation's Administrator or see your Organisation's privacy policies. CPS is not responsible for the privacy or security practices of our Customers, which may differ from those set forth in this Notice.
Who we are
CPS provides card manucfacturing, bureau personalisation service, security solutions, including multi-factor authentication, trusted access and secure single sign-on tools for our customers.
identity2u.net is a website fully owned and managed by CPS in order to sell products and services related to our core markets.
What personal information we collect and how
We know that personal information is defined slightly differently across the world. That said, at CPS, we define it as any information that could be used to identify you or another individual. We think that this broad definition enables us to better respect your privacy and safeguard the information entrusted to us.
The personal information that we collect about you broadly falls into three categories - information that is provided to us, information we collect automatically, and information we process on behalf of your Organisation.
Information that is provided to us
Your Organisation's Administrator or you may provide personal information to us through the Services. This may be done, for example, when you are signed up for and use the Services, when you consult with our customer success team or you send us an email or communicate with us in any way. We will generally let your Organisation's Administrator or you know prior to collecting your personal information whether the information we are collecting may be provided on a voluntary basis and the consequences, if any, of not providing it.
We also collect your Organisation's name and assign you a related account name.
If you ever communicate directly with us, we will maintain a record of those communications and responses.
- Email address
- Billing and delivery address
- Telephone number
- Organisation name
In addition, if you purchase our Services either as an Organisation Administrator or on your own behalf, you will need to share payment and billing information such as your credit card details and billing address, and we will maintain a record of your purchases and transactional information.
Credit cards, debit cards or other means may be used to pay for our Services. We do not collect this credit card, debit card or personal financial account information. Instead, we use a third party service provider, currently Paypal or SagePay, to process our subscription billing. If you provide payment information to pay for the Services, you provide it directly to Recurly, and not to CPS. You will automatically be routed to the Recurly website to provide the information Recurly requires to process your transaction. Recurly is a third party vendor and has its own privacy statements. This Notice does not cover information collected by Recurly and CPS is not covered by or responsible for their privacy practices or statements.
Information we collect automatically
When you use the Services, we automatically collect certain information about your device and how you interact with our Services, by for example, using technologies like cookies. We do this to help us provide the Services, and to ensure that we are providing our customers and you the best experiences with our Services. From time to time, we may need to associate the data we automatically collect with other personal information we have collected about you to confirm you as an End User and to check the security of your device.
- Device information such as: device attributes (for example: hardware model; operating system; web browser version; as well as unique device identifiers and characteristics, including if your device is jailbroken, if you have a screen lock in place and if your device has full disk encryption enabled), connection information (for example, name of your mobile operator or Internet Service Provider, browser type, language and time sone, and mobile phone number); device locations (for example, internet protocol (IP) addresses and Wi-Fi); and for some Services, whether a Public Key Infrastructure Certificate is installed on your device.
- Log data, this includes information that your browser sends whenever you visit a website, included one of ours, or that your CPS mobile app sends whenever you are using it. This log data may include how you access the Services (including the device-specific information discussed above and type of integration - in other words, the application - being protected), the dates and times you access the Services, where you access the Services from (by IP address) and device event information such as crashes, system activity, and hardware settings.
- Services usage information, such as administrative and support communications with us and information about the features, content, and links you interact with, and what third party integrations you use, if any.
Information we process on behalf of your Organisation
When your Organisation or your Organisation Administrator upload, input or generate personal information in the Services about you (their End Users), we will typically act as a processor and process such personal information on behalf of your Organisation and our privacy practices will be governed by the contract we have in place with your Organisation. This Notice will not apply to such personal information.
How we use the information we collect
In general, we use the personal information we collect to operate our business and provide our Services, which includes using data to improve, research and develop our product offerings and to personalise your experiences.
- to provide and maintain the Services.
- to manage your Organisation's or your account with us, including for billing purposes as well as for our customer relationship management.
- to personalise the Services and improve your experience.
- to improve our products, technology and Services, and, where you have agreed, to provide you updates on how we are improving the Services based on any feedback you might have given.
- to analyse your use of the Services in order to ensure the technical functionality of our products, technology and Services, and to research and develop new products and services.
- to conduct aggregate statistical analysis with Performance Data. Performance Data includes aggregate, de-identified usage information and other aggregate measures of the Services' performance. We may share aggregated, de-identified Performance Data with third parties to help us better understand our customers' needs and improve the Services.
- to prevent, detect, respond and protect against potential or actual claims, liabilities, prohibited behaviour, and criminal activity.
- to comply with and enforce applicable legal requirements, agreements and policies.
- to perform other activities consistent with this Notice.
Who we share your personal information with
We may share the personal information described in this Notice with others. We generally do this where it is necessary to complete a transaction, to provide our Services to your Organisation or you, where your Organisation or you have requested or authorised us to do so, with your consent (where applicable), or as otherwise permitted or required by applicable law.
- Our group companies. We share information with entities that we control, are controlled by us, or are under our common control, to provide our Services. CPS is the party responsible for overall management and use of personal information by these affiliated parties.
- Our third party service providers and partners. We share information with service providers and partners who help us provide the Services. These service providers help us with things like cloud hosting, telephony, mobile push, and, where applicable, managed public key infrastructure services.
- Our Customers and their authorised third parties. At your Organisation's direction, we share information with the Organisation and any parties directly authorised by the Organisation. We are not responsible for your Organisation or its authorised third parties' privacy practices. Our Notice does not apply to and we are not responsible for use of your personal information by these other companies.
- A competent law enforcement body, regulatory, government agency, court or other third party. We will share personal information where we have a good faith belief that doing so is necessary (i) to comply with applicable law, (ii) to enforce our terms and conditions; (iii) to protect our rights, privacy, safety or property, and/or those of our affiliates, You or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
- Other third parties. We will share information with third parties in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), in which case we will inform the acquiring or resulting company that it must use your personal information only for the purposes disclosed in this Notice.
Cookies and similar technologies
How we keep your personal information secure
Security is what we do, and we take the security of the personal information we have about you very seriously. We use appropriate administrative, organisational, technical and physical safeguards that are designed to protect the personal information we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information and to help ensure that your data is safe, secure, and only available to you and to those with authorised access (as decided by your Organisation Administrator or you, as appropriate). However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so you should take care in deciding what information you send us in this way.
International data transfers
We currently only operate our services through our UK processing centre, and no data is transmitted outside of the EEA
How long we keep your personal information
We only keep your personal information for as long as we have an ongoing legitimate business need to do so (for example, to fulfill the purposes outlined in this Notice, to provide the Services or to comply with legal, tax or accounting requirements, to enforce our agreements or to comply with our legal obligations).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it. If this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Legal basis for processing (European Economic Area users only)
If you are a user from the European Economic Area, where we are collecting your personal information as a controller, our legal basis for doing so will depend on the personal information concerned and the specific context in which we collect it. However, as it relates to our Services, we will normally collect personal information from you only where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we need the personal information to perform a contract with you if you have signed up for the Services on your own behalf. In some cases, we may also have a legal obligation to collect personal information from you.
If we ask you to provide personal Information to comply with a legal requirement or to enter into a contract, we will make this clear at the relevant time and let you know if the personal information is mandatory or not (as well the possible consequences if you do not provide it). Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party) that are not referred to in this Notice, we will make it clear to you at the relevant time what those legitimate interests are. Typically, our legitimate interests include improving, maintaining, developing and enhancing our technology, products, services, ensuring the security of the Services and for our marketing purposes.
If you have questions or need further information about the legal basis we rely on to collect and use your personal information, please reach out to us using the details provided under the Contact Us section of this Notice.
Your rights, controls and choices
As we noted in in the Notice to end users section of this Notice, for much of the personal information we collect and process through the Services, CPS acts as a processor for its Customers, the Organisation. If you would like to exercise data protection rights for this personal information â including your rights to access, correct, or delete such data â you should contact your Organisation directly and it will deal with your request. Where required, we may provide assistance to the Organisation.
However, in those cases where we are the controller, we provide ways for you to exercise certain rights, controls and choices.
- You can access, review, change, update or delete your personal information at any time. Please note that we may impose a small fee for access and disclosure of your personal information where permitted under applicable law, which will be communicated to you. We do not charge you to update or remove your personal information.
- If you are resident in the European Economic Area, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
- If we have collected and process your Personal Information with your consent, then you can withdraw your consent at any time. Please note, though, that withdrawing your consent will not impact the lawfulness of any processing we conducted before you withdrew your consent, nor will it impact the processing of your personal information we conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information.
In addition, many of our products and features contain settings that allow Organisations or Organisation Administrators or End Users to control how information is collected. Please see the relevant product documentation or contact us through the appropriate technical support channel for assistance.
If you would like to exercise any of your rights relating to your personal information, please start by contacting us using the contact details provided under the Contract Us section of this Notice.
We respond to all requests we receive from individuals wishing to exercise their data protection rights under applicable data protection laws. To protect your privacy and security, we take reasonable steps to verify your identity before granting you account access or making corrections to your personal information.
Changes to this Privacy Notice
From time to time, we may change this Privacy Notice in response to changing technologies, industry practices, and regulatory requirements or for other purposes. We will provide notice to you if these changes are material (this notice may be by email to your Organisation's Administrator or you at the last email provided us, by posting notice of such changes on the Website, or by other means, consistent with applicable law) and, if required by applicable law, we will obtain your consent.
You can see when this Notice was last updated by checking the last updated date displayed at the top of this Notice.
We encourage you to contact us if you have any comments or questions about this Privacy Notice or our related privacy practices. You may reach us at firstname.lastname@example.org or at our mailing address below:
Card Personalisation Solutions Limited
Unit 2, The Bramery
If you are resident in the EEA, the controller of your personal information is Card Personalisation Solutions Limited.
Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office.
You can contact them by calling 0303 123 1113.
Or go online to www.ico.org.uk/concerns (please note we can't be responsible for the content of external websites).