Privacy Notice

Who Are We?

Croud Inc Limited, a company incorporated and registered in England and Wales with company number 07542498 whose registered office is at Cannon Place, 78, Cannon Street, London, EC4N 6AF (“Croud”, “we”, “our”) and trading as "Serpico", is committed to protecting the privacy and security of your personal information. Serpico provides PPC, SEO, social, programmatic, content and analytics technology and talent. This privacy notice sets out how Serpico uses personal information relating to our customers, prospects, visitors to our website at serpico.io and social media pages (“Website”) and people who interact with or do business with us (“you”, “your”). For website users, you should read this privacy notice in conjunction with the cookies information that is available on the Website. In relation to your personal data, Serpico acts as a “data controller” for the purposes of the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation ((EU) 2016/679) (“GDPR”).

Data Protection Principles

There are six overarching principles of the GDPR with which we will ensure compliance when collecting, storing, using, and sharing your personal data:

1. We will use the data lawfully, fairly and in a transparent way
2. We will collect the data only for valid purposes that we have clearly explained to you (either in this notice or otherwise) and not used in any way that is incompatible with those purposes
3. The data will be limited to what is relevant to the purposes we have told you about and will only be used for those purposes
4. The data will be accurate and kept up to date
5. The data will only be kept for as long as is necessary for the purposes we have told you about
6. The data will be kept securely

What data is collected?

If you use the Website, communicate with us, purchase goods or services from us or otherwise do business with us (whether as client or supplier), this will result in us collecting personal data about you. We will collect, store, and use the following types of personal information about you:

• Contact details such as your name, address, email address, fax and telephone number, including the same for individual representatives of business contacts;
• Bank and transaction details such as details about payments to and from you and other details of products and services you have purchased from or sold to us;
• Technical information such as includes IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Website;
• Information about our service to you including your username and password, purchases or orders made by you, your preferences and any feedback you give us;
• Information about how you use our Website, products and services.

It is unlikely that we will need to deal with any special categories of personal data relating to you but, should you choose to provide any special categories of personal data to us, we will ensure that we take additional measures to ensure its security.

How will we use your information?

We will only use your personal information when the law allows us to do so. Most commonly, we will use your personal information in the following circumstances:

• where we need to perform the contract we have entered into with you, or to take steps to enter into that contract;
• where we need to comply with a legal obligation;
• where it is necessary for our legitimate interests (or those of a third party), so long as your interests and fundamental rights do not override those interests.
• Serpico does not generally rely on consent as a legal basis for processing your personal information other than in relation to sending third party direct marketing communications to you electronically. You have the right to withdraw consent to such marketing at any time.

We will use the personal information we collect about you to:

• register you as a client/customer;
• perform our contract with you and to provide our services;
• manage our relationship with you, including notifying your about changes to our contract or services or asking you to provide us with feedback;
• administer and protect the business and the Website;
• make suggestions or recommendations to you about similar products or services that may be of interest to you.

If you fail to provide personal information

If you fail to provide certain information when requested either by law, or under the terms of a contract we have with you, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy. To ask questions or comment about this privacy policy and our privacy practices, contact us at [email protected] . After this period, we will anonymise or securely destroy your personal information.

Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and the Information Commissioner’s Office of a suspected breach where we are legally required to do so.

Sharing your personal information with others

Where it is legally required or necessary in accordance with the DPA, GDPR, and other data protection and privacy laws, we may share your information with:

• other companies with whom we may partner in order to perform our contract with you;
• our group companies (see further under International Data Transfers);
• financial organisations;
• our auditors;
• survey and research organisations;
• professional advisers and consultants;
• courts and tribunals;
• professional bodies.

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or the police or to otherwise comply with the law. All our third-party partners, service providers, and suppliers are required to take appropriate security measures to protect your personal information in line with the DPA and GDPR. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

International Data Transfers

We may share your personal information with our group companies (Croud Inc. in the US and Croud Australia Pty Ltd in Australia. Croud Inc. complies with the EU-US Privacy Shield Framework (“Privacy Shield”). We ensure that your personal data is protected by requiring all of our group companies to follow the same rules when processing your personal data. These rules are called “binding corporate rules”. For further details, see European Commission: Binding corporate rules. Many of our external third parties are based outside the European Economic Area (“EEA”) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries
• Where we use certain service providers, we may use specific contracts approved by the European Commission, which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries
• Where we use certain service providers that are based in the US, we may transfer data to them if they are part of Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Automated decision-making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

What are your rights?

As the data subject, you have specific rights to the processing of your data. Under the GDPR, you have the right to find out if we hold any personal information about you by making a “subject access request” under data protection law. If we do hold information about you, we will:

• give you a description of it;
• tell you why we are holding it;
• tell you who it has been disclosed to; and
• let you have a copy of the information in an intelligible form.

To make a request for your personal information, you can contact us at [email protected] . Individuals also have certain rights regarding how their data is used and kept safe including the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress;
• prevent processing for the purpose of direct marketing;
• object to decisions being taken by automated means;
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed;
• the right for your personal information to be transmitted electronically to another organisation in certain circumstances;
• where the processing of your data is based on your explicit consent, you have the right to withdraw this consent at any time. This will not affect any personal data that has been processed prior to withdrawing consent; and
• claim compensation for damages caused by a breach of the Data Protection regulations.

Complaints

If you have a concern about the way we are collecting or using your personal data, we would ask that you raise your concern with us in the first instance contacting us at [email protected] . Alternatively you can make a complaint to the Information Commissioner’s Office at https://ico.org.uk/concerns/ or write to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will publish and, where appropriate, make attempts to provide you with a new privacy notice when we make any substantial updates. We recommend that you review this notice periodically.

Last updated: 26 November 2018