This Notice provides you with information about how we use your personal data, which we might receive in connection with our services, enquiries submitted through our website www.methree.co.uk (the Site), or otherwise in connection with our business. When we refer to you we mean any individual outside our business – you could be one of our clients, a prospective client, or a supplier, a journalist or just somebody else who has sent us an email through the Site.
We or us means MeThree Limited (company registration no. 15324609), a limited company whose registered office address is 2 Hinksey Court, Church Way, Oxford, England, OX2 9SX. We’re a data controller in relation to the personal data discussed in this Notice and are registered as a data controller at the Information Commissioner’s Office (ICO) under number ZB663885.
This Notice only covers personal data of which we are the data controller. Sometimes we handle personal data on behalf of our clients as their data processor: that’s dealt with separately in the terms we’ve agreed with our clients.
Summary
Full details are set out in the relevant sections of this Notice below, but keeping it brief:
- we normally receive your personal data from you, but sometimes it might be from a third party with whom we are mutually acquainted (e.g. referrals);
- we use your personal data to conduct our business, keep appropriate records and meet our legal obligations;
- we only provide your personal data to third parties for our business purposes or as permitted by law. We don’t share your data with third party advertisers;
- we store personal data for specified periods for our limited business purposes;
- you have legal rights in relation to your personal data which you can exercise on request;
- the Site does not use cookies, except for analytics purposes; and
- you can contact us to enquire about any of the contents of this Notice.
- Our use of personal data
- When we’re engaged to provide services, we may handle personal data such as your name, contact details, information about your business, and documents and correspondence relating to the services provided by us (such as emails to and from you). We call all of this service data, and we use it for the purposes of providing our services and for record-keeping and client management purposes.
- When you communicate with us, or vice versa, and whether by letter, email, through the Site, through social media, or otherwise, we may handle personal data contained in or relating to that communication. This may include content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title, address or social media username. We call all of this communication data, and we use it for the purposes of communicating with you and record-keeping. If you are a client or prospective client, then we may also use communication data to provide you with occasional news about our business and services: you can opt out of receiving further news at any time.
- We may handle personal data relating to transactions, such as bank account details, contact details, transaction data or associated documents (POs, bills, invoices) in relation to payments made by us to you or by you to us (transaction data). We use this to make and receive payments and to keep proper records of the relevant transactions.
- If we have some other commercial relationship with you (for example, a sponsorship or referral relationship) then we may handle your contact details, and any related documents and communications. We call all of this partner data, and we process it for the purposes of administering our commercial relationship with you.
- We may collect data about your use of the Site (usage data). This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and other analytics providers and will be aggregated and anonymised in such a way that it’s not actually personal data – but we’re mentioning it for the sake of completeness. We process usage data for the purpose of improving our Site.
- Your personal data may be provided to us by someone other than you: for example, we might be introduced to you in correspondence if you and we are both advising the same client, or if we’re working for your employer then they might put us in touch with you in connection with those services. Normally this data will be communication data, service data or partner data as described above and will be processed by us for the purposes described above.
- Our legal basis for processing personal data, aligning with the UK GDPR and the Data Protection Act 2018.
- We’re required by law to identify the “legal basis” on which we handle personal data. These legal bases are set out in Article 6 of the General Data Protection Regulation (GDPR).
- We process personal data on the following lawful bases identified in Article 6 GDPR:
- for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing communication data, service data, partner data and transaction data;
- for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
- communication, service and partner data (as we have an interest in properly administering our business and communications and in developing our business with interested parties);
- transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
- any personal data in connection with legal claims (as we have an interest in being able to bring and defend claims to protect our rights and the rights of others); and
- any personal data in connection with backups of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data); and
- on the basis of your consent (Article 6(1)(a) GDPR). This will be our lawful basis for using photos from events or submitted in competitions.
- We may also handle your personal data to comply with legal obligations (for example, we have to keep records for tax purposes).
- Providing your personal data to others
- We may disclose your personal data to our insurers and/or professional advisers to take professional advice and manage legal disputes.
- We may disclose personal data to our suppliers or subcontractors in connection with the uses we’ve described above. For example, we may disclose:
- any personal data in our possession to suppliers which host the servers on which our data is stored. In our case, our main suppliers are Google (who provide GSuite) and Microsoft (who provide Microsoft 365), who may host all our emails, documents and contact information;
- service data to suppliers who provide us with hosted collaborative working services, like DropBox or Trello;
- communication data to providers of email marketing services such as MailChimp; or
- transaction data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
- We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.
- We may also disclose your personal data where necessary to comply with law.
- If any part of our business is sold or transferred, your personal data may be disclosed to the new owner.
- International transfers of your personal data
- In certain circumstances, your personal data may be transferred outside the United Kingdom (UK) and the European Economic Area (EEA). These situations are limited and are conducted with full regard for the legal and regulatory framework applicable to such transfers. For example, our operations involve the use of services provided by Microsoft and Google, whose servers may be located globally, including locations outside the EEA.
- When transferring your personal data to service providers located outside the UK or EEA, we implement appropriate safeguards to ensure that your personal data remains protected. This may involve the use of Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO) and the European Commission for transfers under UK GDPR and EU GDPR, respectively. We no longer rely on the Privacy Shield framework for transfers to the United States, following its invalidation. Instead, we will adopt any alternative mechanisms deemed adequate by UK and EU authorities. For more detailed information on the specific safeguards applied, please feel free to contact us.
- Circumstances of International Transfers:
- With Your Consent: We may transfer your personal data outside the UK and EEA with your explicit consent, after informing you about the potential risks of such transfers for which there may not be adequate safeguards.
- Under Your Instructions: If you require us to engage in activities that necessitate transferring your personal data outside the UK and EEA (for example, to support a campaign in another country), we will do so in compliance with applicable laws and safeguards.
- For Continuity of Service: On occasions where our personnel travel outside the UK and EEA, we may need to transfer personal data to ensure continuity of our services. Such transfers will be subject to the safeguards mentioned above.
- Data security. We have put in place appropriate security measures to protect your personal data. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where required by law.
- Retaining and deleting personal data
- We will delete personal data when it’s no longer needed, and in particular:
- service, partner and transaction data will be retained for seven years after the end of the relevant contractual relationship;
- communication data will be retained for the period of the enquiry or chain of correspondence and then deleted after twelve months;
- usage data (which is anonymised, and therefore not personal data) may be retained by us indefinitely.
- We maintain system backups for disaster recovery purposes and may retain those backups for up to 30 days. That means that information which is deleted from our live systems may still remain in backup for up to 30 days.
- We may retain your personal data longer where necessary to comply with law or in connection with any legal claim.
- Your rights
- You have rights under data protection law – they are complex, and subject to exemptions, and you can read guidance from the Information Commissioner’s Office at ico.gov.uk for a fuller explanation of your rights. In summary, though:
- the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, to access to the personal data, together with certain additional information;
- the right to rectification: you have the right to have any inaccurate or incomplete personal data about you rectified or completed;
- the right to erasure: in some circumstances you have the right to the erasure of your personal data (for example, if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes);
- the right to restrict processing: you have the right to restrict the processing of your personal data to limit its use. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except to the extent permitted by law;
- the right to object to processing: you have the right to object to our processing of your personal data on the basis of legitimate interests (discussed above) or for direct marketing purposes and if you do so we will stop processing your personal data except to the extent permitted by law;
- the right to data portability: you have the right to receive your personal data from us if the legal basis for our processing is the performance of a contract with you, and such processing is carried out by automated means; and
- the right to complain to a supervisory authority: if you consider that our processing of your personal data is unlawful, you have a legal right to lodge a complaint with the ICO.
- About cookies
- A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
- Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
- Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
- Our Site does not use cookies, except for third-party analytics cookies provided by Google Analytics which are used to collect usage data and provide reports to us.
- Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.
- Our details. You can contact us:
- by post at 2 Hinksey Court, Church Way, Oxford, England, OX2 9SX;
- by email at hello@methree.co.uk.
- Third Parties and Security
- The Site may contain links to third party websites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then they may have their own privacy and cookie policies, and we are not responsible for their use of any personal data which you may provide to them.
- We do our best to ensure the security of personal data provided to us (and to use only reputable service providers), but any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.
- Amendments. We may update this Notice from time to time by publishing a new version on the Site. You should check occasionally to ensure you are happy with any changes to this Notice, although we may notify you of material changes to this Notice using the contact details you have given us.