We at Headlight respect your privacy and are committed to protecting your personal data.
This document details how we gather and look after your data. We aim to be honest and will provide you with information about your rights and how the law protects you.
Headlight Consulting Ltd. is a registered company in England and Wales. Our contact details are:
Headlight Consulting Ltd.
This version was created and/or last updated on the 10th Mar 2020.
Our Policy Principles
We aim to gather, process and use as little personal data as possible
We aim to protect and manage your personal data in a responsible way
If we no longer need your data, and we are not required to retain it for legal purposes, we will aim to delete it or anonymise it
Your personal data will not be sold, lent, rented or shared other than as detailed in this privacy document
You are not obliged to provide us with your personal data; however, this may limit the services we can offer you
What personal data do we collect
Personal data, or personal information, means any information about an individual from which that person can be identified. It excludes data where the identity has been redacted, otherwise known as anonymous data.
Personal data items we collect are:
Date of Birth
Bank account information
Credit and/or debit card information
Payment details of services you've purchased from us
Browser type and version
Usage data (this is tracked via Google Analytics and not stored on Headlight-sw.co.uk)
We may need to collect personal data by law or under the terms of the contract we have with you. If you fail to provide that data when requested, we may not be able to perform the terms of the contract. This could lead to us having to cancel a product or service you have with us, but we will notify you at the time.
How is the personal data collected
We may collect data by the following means:
Direct verbal interaction
Via third parties; this may include analytics data from Google (based outside the UK)
Subscribe to our service
Request marketing to be sent to you
Enter a survey
Give us feedback or contact us
Why do we collect your data
Firstly, we only collect data about you when the law permits us to. We do this so we can provide the best possible service and product. We may use it to:
comply with regulatory or legal obligations
adhere to and carry out the obligations of the contract we are about to enter into with you or have entered into with you
Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
We have set out a table below detailing the type of data we collect, the purpose and/or activity it will be used for, and the lawful basis for collecting and processing that type of data.
We will get your expressed opt-in consent before we share your personal data with any third party for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product or service purchase, service experience or other transactions.
Disclosures of personal data
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Some of our third parties are based outside of the EEA, so their processing of your personal data will involve transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
We have put appropriate security measures in place to prevent your personal data from being lost, used or accessed in any unauthorised way, altered or disclosed.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
How long will you use my personal data for
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers; this is for tax purposes.
We may, in some circumstances, anonymise your personal data (so that it can no longer be associated with you, and is thus no longer classified as personal data) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
What are your rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
The right to be informed: we must provide you with our purpose for processing your personal data, our retention periods for that personal data, and who it will be shared with.
The right of access: Individuals have the right to access their personal data. This is known as a Subject Access Request. A request can be made verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.
The right to rectification: this is the right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.
The right to erasure: The right to erasure is also known as 'the right to be forgotten'. An individual can make a request for erasure verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.
The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, we are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.
The right to data portability: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
The right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies, we may be able to continue processing if we can show that we have a compelling reason for doing so.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and/or product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Data Controller
A controller determines the purposes and means of processing personal data. In the majority of cases Headlight is the data controller; therefore the organisation, and the people who work within it, take full responsibility for compliance with the GDPR legislation. Controllers are not relieved of compliance obligations where a processor is involved.
Data Subject
A person whose personal data is processed by a controller or processor, e.g. a person who shares their personal data with Headlight so they can participate in user testing. Headlight employees are also data subjects.
General Data Protection Regulation (GDPR)
This is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Information Commissioner's Office (ICO)
The ICO is a non-departmental public body which reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). The ICO is the government regulator which deals with the freedom of information and the protection of personal and sensitive data.
Legal Obligation
The processing is necessary for us to comply with the law (not including contractual obligations).
Legitimate Interest
The interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
Personal Data
Any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including: Name; Address; Email Address; Identification number; Location data; Opinions about an individual, including appraisals.