Privacy policy

Introduction

This Privacy Policy is issued on behalf of FlyForm (formerly known as GovNow Ltd.) so when we refer to “we”, “us” or “our” in this Privacy Policy, we are referring to FlyForm, who is responsible for processing your data.

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we use, store and share the information we collect about you, how you can exercise your rights in respect of that information and the procedures that we have in place to safeguard your privacy.

This policy supplements any other fair processing or privacy notice that may be provided to you on specific occasions. For clients having business dealings with FlyForm, further policies apply, details of which you may obtain from your account manager.

We keep this Privacy Policy under review and will reflect any updates or changes to practice within this Privacy Policy (to reflect changes in operations and the way we process your data). This Policy was last updated on 17th October 2022.

Contacting us

FlyForm is the Controller and responsible for the website including overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us at:

FlyForm Ltd
Capital Tower
Greyfriars Road
Cardiff
Wales
CF10 3AG

dpo@flyform.com

You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues (ico.org.uk) or to any equivalent body in the relevant jurisdiction (collectively, the “ICO”). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

What personal data will we collect about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity data: includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, photographs, job title, national insurance number, age, and gender.
  • Contact data: includes billing address, residential address, delivery address, email address, work address, social media handles, telephone numbers, and fax number.
  • Financial data: includes bank account details.
  • Transaction data: includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, full ‘Uniform Resource Locators’ clickstream to, through and from the Site (including date and time), and other technology on the devices you use to access the Site.
  • Profile data: includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses, products you viewed or searched for; page response times; download errors; length of visits to certain pages; and page interaction information (such as scrolling, clicks, mouse-overs, and methods used to browse away from the page).
  • Usage data: includes information about how you use the Site, products, and services.

How will we collect your personal data?

We use different methods to collect data from and about you including through:

  • Direct interactions: You may give us your Identity Data, Contact Data and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: apply for our products or services; register for any of our events; request marketing to be sent to you; promotion or survey; give us some feedback; use the contact form; request a whitepaper download
  • Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources such as analytics providers; search information providers; advertising networks; technical, payment and delivery services; data brokers or aggregators; social media platforms, business platforms and other publicly available sources, such as Companies House and the Electoral Register based inside the EU.

How do we use your personal data?


The following table sets out why we process your personal data and also our lawful basis for processing your personal data. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.

Purpose/activity Lawful basis for processing
Personal email marketing - From time to time, we may email you about products, services and events which may be of interest to you personally. This processing is carried out only when you have provided your consent. You can tell us not to contact you with updates and information regarding our products and services by following the unsubscribe instructions on any communications sent to you. You also have the right to opt-out of marketing at any time by emailing dpo@flyform.com.
Corporate email marketing - From time to time, we may email you about products, services and events which may be of interest to you or your organisation. We will only ever contact you with these communications if we consider you to be a ‘Corporate subscriber’ and the content is relevant to your role as an employee at the organisation you work for. This processing is carried out for our legitimate interests for us to promote our products and services to your organisation. You can tell us not to contact you with updates and information regarding our products and services by following the unsubscribe instructions on any communications sent to you. You also have the right to opt-out of marketing at any time by emailing dpo@flyform.com.
Corporate telephone marketing - From time to time, we may phone you about products or services which may be of interest to you or your organisation, this includes giving you notice and access to material such as webinars and whitepapers. We will only ever contact you with these communications if we consider you to be a ‘Corporate subscriber’ and the content is relevant to your role as an employee at the organisation you work for. We ensure all outbound marketing calls are screened against the Corporate Telephone Preference Service (CTPS) or the Telephone Preference Service (TPS). This processing is carried out for our legitimate interests for us to promote our products and services to your organisation. You can tell us or third parties not to contact you with updates and information regarding our products and services over the phone. You also have the right to opt-out of marketing at any time by emailing dpo@flyform.com.
Profiling, segmentation and targeting - The information we hold may also be used for profiling, segmentation and targeting purposes via our CRM and/or marketing automation platform. This enables us to personalise your experience and improve business performance – for example, by helping to determine which content you may find most relevant, so that we can direct you to more of this and to less of the information that you find less useful. This processing is carried out for our legitimate interests so that we can tailor our products, services and communications in a way that is timely and relevant to you by better understanding your organisation’s requirements.
Analysing the use of our website - To better understand how you access and use our website, both on an individual and aggregated basis, we use:

Google Analytics - aggregated and de-identified information on audience, acquisition, behavior and conversion
HubSpot - to track individual activities and interactions
This processing is carried out for our legitimate interests to analyse and improve your user experience and the performance of our website.
Understanding marketing/campaign performance - We use the following platforms to understand how our marketing activities are performing:

HubSpot - including email performance metrics
Google Analytics - including acquisition source
LinkedIn - including performance metrics

Data may be aggregated and analysed to create business intelligence which will enable us to report on performance and make better-informed decisions about future activities.
This processing is carried out for our legitimate interests for us to measure the reach and effectiveness of our campaigns.

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.

How long will we keep your personal data?

As long as you keep engaging with us, we will retain your personal information under legitimate interest for as long as we consider there is value to you and to us of maintaining contact, unless you ask us to delete it sooner.

Marketing contacts are only kept in our marketing database if they are showing signs of engagement (i.e. our database and system records at least an email click). This means we will stop emailing you if we haven’t heard from you for 12 months, and from this point you will be considered an inactive or ‘non-marketing’ contact. If you re-engage with us (by submitting a form on the website for example), you will be re-added to our mailing list and will start to receive emails again.

Non-marketing contacts are retained for a further 12 months before being permanently deleted if no further engagement is received.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Sharing your personal data

We will only disclose your personal data to:

  • Other third-party suppliers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes.
  • Analytics or search engines that enable us to optimise and improve your website experience.
  • A third party who has purchased or merged with our organisation, in which case personal data held by us, about you, will be transferred to that third party to carry on our business.
  • Our regulators, law enforcement or fraud prevention agencies, as well as our legal advisers, courts, the police and any other authorised bodies, for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters.
  • HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations.

We may also disclose aggregate or de-identified information about our users to third parties for marketing, advertising, research or similar purposes.

Security of your personal data

We have taken reasonable steps to help protect the information we collect from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These include training and awareness programmes for all staff and appropriate technical measures such as encryption of laptops, enforcement of strong password controls and virus and malware detection. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate business need to know.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

International transfers of your personal data

We may transfer your personal data to countries outside the United Kingdom in order to provide our services. The laws in these countries may not offer the same level of protection for personal data as in the United Kingdom.

If we transfer personal data to countries outside of the United Kingdom, we will do so in a lawful way and may rely on:

  • An adequacy decision from the Secretary of State, which says that the recipient country provides an adequate level of protection of personal data.
  • Appropriate safeguards to protect the personal data (for example, the approved standard contractual clauses or international data transfer agreement).
  • A lawful exception to the rules relating to overseas data transfers (for example, the transfer is necessary to perform a contract with you, which is in your interests).

Your rights to access, amend or delete the information we hold

You have certain rights in relation to your personal data. We have summarised these rights below:


Right Description
To be informed A right to be informed about the personal data we hold about you
Of access A right to access the personal data we hold about you.
To rectification A right to require us to rectify any inaccurate personal data we hold about you.
To erasure A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):

- We no longer need to use the personal data to achieve the purpose we collected it for.
- Where you withdraw your consent if we are using your personal data based on consent.
- Where you object to the way we process your data (see the right to object described below).

If you request us to delete your data, we will retain minimum personal data to document these requests and thereby avoid using your personal data for any purpose.
To restrict processing In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):

- You dispute the acuracy of the personal data held by us.
- Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead.
- Where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims.
To data portability In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
To object A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights or which are for the establishment, exercise or defence of legal claims.

In particular, you can exercise your right to object to marketing communications being sent to you by utilising opt-out mechanisms in emails we sent to you.
In relation to automated decision-making and profiling A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To withdraw A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters).
To complain You have the right to make a complaint to our supervisory authority, which is the UK's Information Commissioner's Office.

If you would like to contact us with any queries or comments, request further information or exercise any of your available rights set out above, please email use the contact details in the ‘Contacting Us’ section at the top of this policy. All requests will be dealt with wherever possible within one month of receipt.