OCREUS Privacy Policy

Version 1.1 May 2018

1 OVERVIEW

1.1 Summary

Ocreus Limited (“Ocreus”, “we”, “us”) is committed to protecting and respecting your privacy and complying with the principles of the Data Protection Act and EU General Data Protection Regulation (GDPR). This policy sets out the basis on which any personal data we collect from you, or that you provide to us through your use of our website, will be processed by us.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

The data controller is Ocreus Limited, International House, 24 Holborn Viaduct, London, EC1A 2BN, United Kingdom. This means that Ocreus alone determines how your personal data will be used in relation to services we provide to you. Ocreus Limited is registered as a data controller with the Information Commissioner’s Office, registration number ZA237092.

We are committed to processing information about you fairly and in a transparent manner and the aim of this document is to provide you with sufficient information for you to be able to understand what we are doing with your data. If you are unsure how we are handling information about you or you think we could improve our privacy information please let us know.

This policy only applies to our website.  If you leave our site via a link or otherwise, you will be subject to the policy of that website provider.  We have no control over that policy or the terms of the website and you should check their policy before continuing to access the site.

1.2 Use Of This Policy

This Privacy Policy describes how Ocreus collects, uses and discloses information, and what choices you have with respect to the information.

Updates in this version of the Privacy Policy reflect changes in data protection law. In addition, we have worked to make our Privacy Policy clearer and more understandable by:

  • Arranging into sections
  • Providing clear examples to show how the policies may be implemented by Ocreus
  • Outlining what your rights are around these policies

1.3 Changes To This Policy

We may change this privacy policy from time to time but if we change it in a way which significantly alters the terms upon which you have agreed to use our website and other online services, we will post notice of the change on our website and you will be deemed to have accepted such changes. This privacy notice was last updated May 2018.

 

2 YOUR DATA

2.1 What Personal Data We Hold On You

Depending on the Ocreus services you interact with, we may hold the following personal data on you:

  • Names
  • Addresses (current and past)
  • E-mail addresses
  • Telephone numbers
  • Correspondence between us if you contact us
  • Emergency contact name, address, email address, and telephone number(s)
  • Identity verification information submitted by you (such as passport, driving licence, bank statements, utility bills)
  • HMRC (and/or other jurisdiction) tax identification numbers and related tax status submitted by you
  • Bank account information (used to make payments to you)
  • Disclosure and Barring Service (DBS) basic or standard check applications and results where you have made such applications in relation to working with Ocreus
  • Details of any limited company or other legal person you use as a contracting vehicle, including details of other directors and PSCs available through Companies House or supplied by you including third party consents for information not publicly available
  • Details of your past employments including references from past employers
  • Details of your educational and professional qualifications
  • Details of your professional skills, competencies and experience
  • Details of your visits to the Ocreus website and other online resources (such as web forms) that you access using cookies. See 5.1 for further information about our use of cookies.
  • General communication we may have with you
  • Marketing Preferences you have for our services
  • Relationships, including organisations and affiliations
  • Information on your social media profiles where you follow us
  • Data acquired by third parties that we share data with, for more info please see 2.6

2.2 The Purpose For Having It And Our Legal Reason For Doing So

We will use all the information provided to build a profile of you to be used in delivering our services to you, and to our clients.

What we use your information for Our reason for having your personal data Our legitimate interest
Marketing our services to contractors / affiliates and/or clients Updating you on contracting opportunities with Ocreus and/or the capabilities of Ocreus

Your consent to ongoing contact and marketing

Your consent to cookies

Keeping our records up to date, working out which of our services may interest you and telling you about them

Developing new services and ideas

Defining types of affiliates and potential clients for appropriate communications

Seeking your consent when we need it to contact you

Being efficient about how we fulfil our legal duties

Sending paper based communications

Building up a profile regarding you

Having appropriate security and safeguards

Processing your application to become an affiliate Understanding your capabilities and availability for client work

Understanding your suitability (e.g. meeting professional qualification requirements) and right to work

Meeting our legal obligations in relation to employment and contracting

Keeping our records up to date, working out which of our services may interest you and telling you about them

Developing new services and ideas

Defining types of affiliates for appropriate communications

Being efficient about how we fulfil our legal duties

Building up a profile regarding you

Having appropriate security and safeguards

Responding to queries To provide the best possible affiliate and client service and answer your queries quickly Keeping our records up to date, working out which of our services may interest you and telling you about them.

Developing new services and ideas

Defining types of clients for appropriate campaignsOur need to respond to concerns

 

2.3 How Long We Keep It For

We will hold information about you in our database for no more than is necessary. This means if you have actively applied to become an Ocreus affiliate (and have not notified us that you no longer wish to be considered for affiliate work), or have submitted a client work enquiry (and have not notified us that you wish your status as a potential client to be revoked), we will hold your data for a period of up to six years.

Re-applying will refresh this time period.

The same applies for any information and consent you give during affiliate on boarding or new client due diligence. We keep such information and consent for six years since it is given.

If you have provided HMRC or other tax-related information, we will keep your information for seven years to comply with HMRC rules.

We may also need to keep your records for longer to comply with any other legal obligation.

Once your records exceed the necessary time we will either anonymize them through pseudonymization or delete them securely. Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. This means all your personal data is deleted and we keep only your transaction information for compliance and record keeping.

We may also contact you where we have consent or legitimate interest before we anonymize your record to see if you would still like to be kept informed about Ocreus services.

Ocreus will hold the data on the above schedule unless:

  • You ask us to remove it;
  • We believe that you are no longer interested in our business;
  • We no longer need it for the purposes it was collected.

We always think about your best interests when we apply retention rules to our systems and are always happy to remove you at your request.

If you have any questions on how long we keep your data please contact us at dataprivacy@ocreus.com

2.4 How We Secure And Maintain It

We will take all steps reasonably necessary including policies, procedures and security features to ensure that your data is treated securely and protected from unauthorised and unlawful access and use and in accordance with this privacy policy.

Unfortunately, the transmission of information via the internet is not completely secure and although we will do our best to protect your personal data transmitted to us via the internet we cannot guarantee the security of your data transmitted to the Ocreus website from your device: any transmission is at your own risk.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Ocreus website or other online services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

2.5 Necessary Processors

Ocreus maintains a small core operations team. In order to achieve operational efficiency and resilience, we work with some of the best third parties to provide excellent client and affiliate online services as effectively as possible.

This means the information we receive from you may pass through third party infrastructure to get to us and may ultimately be stored on third party infrastructure.

Each of our infrastructure partners is carefully reviewed and maintains the same security and standards towards data privacy as we do.

These are outlined below.

Name of Organisation Purpose
Google (G Suite) G Suite applications including email and web forms, cloud-based data storage
Microsoft (Microsoft Office 365) Microsoft Office applications, cloud-based data storage
Mayflower Disclosure Services Limited Processing of basic and standard disclosure checks to the Disclosure and Barring Service
WordPress Website management, usage and uptime statistics
Paragon Internet Group (t/a TSOHOST) Website hosting

 

2.6 Who We Share It With And How

We may disclose your personal information to third parties:

  • If we are under a duty to disclose or share your personal data to comply with any legal obligation;
  • To fulfil any service that you request from us (e.g. enquiry via our website etc.);
  • To enforce or apply our terms of use and other agreements;
  • To protect the rights, property, or safety of Ocreus, our clients, affiliates,or others including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We will share information about you with government agencies and some of our suppliers who process data on our behalf to help us to provide services to you. The purposes of sharing your information with these government agencies and suppliers is to notify you of our services and work opportunities, to provide you with information that you have requested from us, for administration purposes and to comply with the law.

Names / Categories of Organisation Purpose
Google Processing of email and web forms
Mayflower Disclosure Services Limited Processing of basic and standard disclosure checks to the Disclosure and Barring Service
Disclosure and Barring Service, Disclosure Scotland Processing of basic and standard disclosure checks
HMRC Processing of PAYE, NIC, VAT and other tax requirements
Standard Life Processing of pension scheme membership and pension contributions
Ocreus Clients and Potential Clients Tendering for assignments
Ocreus banking services providers Making payments to you

 

2.7 International Transfer Of Personal Data

If Ocreus transfers data outside of the European economic area, we will take measures to ensure all adequate safeguards are in place that matches the EU Data Protection standards, in accordance with legal requirements. Where recipients are located in countries which do not provide an adequate level of protection from a European data protection law perspective, we will base the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission or by a supervisory authority, approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You may request a copy of such appropriate safeguards by contacting us as set out in Section 6 of this Privacy Policy.

 

3 YOUR RIGHTS & ACCESSING YOUR DATA

Right of access You have the right of access to information we hold about or concerning you.  If you would like to exercise this right you should email us at dataprivacy@ocreus.com.

For example: we could provide a copy of all your information in a CSV or PDF file.

Right of rectification or erasure If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it.  You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data.

Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will shall take all reasonable steps to inform those with whom we have shared your data about your request for erasure.

Right to restriction of processing You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we don’t need to hold your data anymore but you need us to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
Right to portability You have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request.
Right to object You have a right to object to our processing of your personal data.

This includes the right to object to any direct marketing we may undertake and to any automated decisions based on profiling which we may carry out. This also includes the right to object to any processing based on legitimate interests, such as disclosure checking.

Right to withdraw consent You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.

You can do so by contacting our data privacy team and they will immediately mark our records accordingly, this will then take effect as soon as possible.

Please be aware that some activities may already have left our system at time of consent withdrawal.

Right of complaint You also have a right to lodge a complaint about any aspect of how we are handling your data with the UK’s Information Commissioner’s Office who can be contacted at www.ico.org.uk.

If you would like to find out more about your rights please email us at dataprivacy@ocreus.com.


4 PROVISION OF THIRD PARTY DATA

You are responsible for informing and obtaining the consent of any third parties whose data you enter in to our website.

If we would like to process your personal data for any other purpose incompatible with the purposes listed above, we will provide you with appropriate additional privacy information at the point where you come across those additional purposes.  Our commitment to you is that we will not process your data for any purpose other than those listed, or similar to those listed in this privacy policy. If you interact with another part of the OCREUS Group, we will provide you with additional privacy information relating to those other uses.

 

5 TECHNICAL

5.1 Cookies

Our website uses cookies to improve and enable the functionality it provides to you. You may refuse to accept cookies by activating the setting on your browser that allows you to refuse cookies. However, if you select this setting you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you use our site and third party features of our site.

Details of the cookies used by our site and third party cookies associated with functions of our site are given below.

5.2 First Party Cookies

Site Cookie Name What does it do
ocreus.com DYNSRV This is a session cookie, added by our web server service provider’s load balancer to track which web server to send the visitor to. Its purpose is to improve the performance of the website.


5.3 Third Party Cookies

Site Cookie Name What does it do
.twitter.com _gat Short term tracking cookie (1 minute expiry)
.twitter.com _gid Short term tracking cookie (1 day expiry)
.twitter.com ct0 Short term tracking cookie (6 hour expiry)
.twitter.com external_referer Cookie tracking the immediate referrer to Twitter. In this case, the referrer will be ocreus.com
google.com, google.co.uk 1P_JAR Google tracking cookie
google.com, google.co.uk APISID, HSID, NID, SAPISID, SID, SNID, SSID Google account login cookies


5.4 IP Address

We may collect information about your computer, including where available your IP address, geographic location (if you allow when prompted by your browser), operating system and browser type, for system administration when you access our website. We use this information for statistical data about our users’ browsing actions and patterns when they access our website.

 

6 CONTACTING OCREUS

If you would like to find out more info about this policy or ask us any questions please contact us at dataprivacy@ocreus.com.

Ocreus Limited has appointed a data protection officer, if you would like to contact them please email dataprivacy@ocreus.com.

You should also use this contact email address for withdrawing consent or enabling your rights as a data subject.