Privacy Notice

DERIVITEC LIMITED, Privacy Notice for access to and use of Derivitec Risk Portal

Your privacy is of paramount importance to Derivitec Ltd, having its office at Level 39,
One Canada Square, London E14 5AB (hereinafter referred to as “Derivitec”, “we”,
“us” or “our”, which terms shall also include our Affiliates. “Affiliates” means
any entity that directly or indirectly controls, is controlled by, or is under common control
with us. "Control" for purposes of this definition, means direct or indirect ownership or
control of more than 50% of the voting interests of the subject entity). This privacy notice
(“Privacy Notice”) applies to all products and services offered by Derivitec (the “Service”).

This Privacy Notice sets out the basis on which any Personal Data which we collect from you, or
that you provide to us, will be processed by us. In this Privacy Notice, the term “Personal Data”
means data relating to a living individual who is or can be identified either from the data or
from the data in conjunction with other information that is in, or is likely to come into, our
possession, and includes personal data as described in Data Protection Legislation (as defined below).

Please read the following carefully. Registering for a Derivitec account (“Your Account”)
on our website or any mobile application, use of Your Account and accepting the terms of this
Privacy Notice indicates that you have reviewed this Privacy Notice and have agreed to be bound
by it. You will be required to expressly accept this Privacy Notice before registering Your
Account (or before continuing to use the Service), and any users who use Your Account will also
be required to expressly accept this Privacy Notice before first accessing (or before continuing
to access) our Service through Your Account. If you do not agree to these terms you must leave
our website immediately. If you choose to accept this Privacy Notice, we will keep a record of
your acceptance in this regard.

We will handle your Personal Data in accordance with Data Protection Legislation.
“Data Protection Legislation” means the Data Protection Acts 1988 and 2003 and Directive
95/46/EC, any other applicable law or regulation relating to the processing of personal data
and to privacy (including the E-Privacy Directive), as such legislation shall be amended,
revised or replaced from time to time, including by operation of the General Data Protection
Regulation (EU) 2016/679 (“GDPR”) (and laws implementing or supplementing the GDPR).

Personal data

Under the EU's General Data Protection Regulation (GDPR) personal
data is defined as:

"any information relating to an identified or identifiable natural
person ('data subject'); an identifiable natural person is one who
can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person".

How we use your information

We fully respect your right to privacy in relation to your interactions with the Risk Portal and endeavour to be transparent in our dealings with you as to what information we will collect and how we will use your information. Also, we only collect and use individuals’ information where we are legally entitled to do so.

You must register on the Risk Portal in order to use it. The registration process asks you for the following:

  • Full Name
  • Email Address
  • Password
  • Agreement to our Terms and Conditions
  • Agreement to this Privacy Notice
  • Agreement to being over 16 years of age

When you use the Risk Portal we also store the following:

  • IP Address
  • The time of your login
  • User preferences related to the app

When an error occurs in the Risk Portal we may also store the following:

  • Username or email
  • Page visited
  • Browser version

We endeavour to keep your data accurate and up-to-date. As such, you must tell us about any changes to such information that you are aware of as soon as possible. You can update your personal information held on our website page at any time.

Where we wish to use Your Data in any other way, we will ensure that we notify you and get your consent first. You will be given the opportunity to withhold or withdraw your consent for the use of Your Data for purposes other than those listed in this Privacy Policy.

We do not store any of the special categories of data covered under the GDPR.

Why does Derivitec Ltd need to collect and store personal data?

In order for us to provide you with the Risk Portal we need to collect
personal data for the following purposes:

  • To provide, improve, and ensure delivery of the Risk Portal
  • To develop new related services to users
  • To personalise the way your content is presented to you
  • To ensure the content of the Risk Portal is presented in the most effective manner for you and your computer/device
  • To provide secure login capabilities to the Risk Portal
  • To monitor secure access to our applications
  • To support your use of the Risk Portal

When you send email or other communication to Derivitec Ltd, we may retain those communications in order to process your inquiries, respond to your requests and improve our Service. Derivitec Ltd is a Data Controller (as defined in Data Protection Legislation) in respect of your data. The legal basis upon which we process your data is our legitimate interest to provide the Risk Portal to you.

Our legal basis for processing the personal data:

  • To provide support for our applications
  • To offer guidance around use of our applications
  • To discuss business matters

In any event, we are committed to ensuring that the
information we collect and use is appropriate for this purpose, and
does not constitute an invasion of your privacy.

In terms of being contacted for marketing purposes, Derivitec Ltd
would contact you for additional consent.

Will Derivitec Ltd share my personal data with anyone else?

We may pass your personal data on to third-party service providers
contracted to Derivitec Ltd in the course of dealing with you. Any
third parties that we may share your data with are obliged to keep
your details securely, and to use them only to fulfil the service
they provide you on our behalf. When they no longer need your data
to fulfil this service, they will dispose of the details in line with
Derivitec Ltd's procedures. If we wish to pass your sensitive
personal data onto a third party we will only do so once we have
obtained your consent, unless we are legally required to do otherwise.

How will Derivitec Ltd use the personal data it collects about me?

Derivitec Ltd will process (collect, store and use) the
information you provide in a manner compatible with the EU's General
Data Protection Regulation (GDPR). We will endeavour to keep your
information accurate and up to date, and not keep it for longer than
is necessary. Derivitec Ltd is required to retain information in
accordance with the law, such as information needed for income tax and
audit purposes. How long certain kinds of personal data should be kept
may also be governed by specific business-sector requirements and
agreed practices. Personal data may be held in addition to these
periods depending on individual business needs.

Under what circumstances will Derivitec Ltd contact me?

Our aim is not to be intrusive, and we undertake not to ask irrelevant
or unnecessary questions. Moreover, the information you provide will
be subject to rigorous measures and procedures to minimise the risk of
unauthorised access or disclosure.

We may contact you:

  • for administration reasons related to the Risk Portal (e.g. to provide you with password reminders or to notify you that a particular service, activity or online content has been suspended for maintenance, or in response to a question that you ask us);
  • to provide you with information about the Risk Portal including updates and new functionality;
  • to provide pre-emptive support for an error that has occurred in the Risk Portal.

Can I find out the personal data that the organisation holds about me?

Derivitec Ltd, at your request, can confirm what information we
hold about you and how it is processed. If Derivitec Ltd does hold
personal data about you, you can request the following information:

  • Identity and the contact details of the person or organisation that
    has determined how and why to process your data. In some cases, this
    will be a representative in the EU.

  • Contact details of the data protection officer, where applicable.

  • The purpose of the processing as well as the legal basis for
    processing.

  • If the processing is based on the legitimate interests of
    Derivitec Ltd or a third party, information about those
    interests.

  • The categories of personal data collected, stored and processed.

  • Recipient(s) or categories of recipients that the data is/will be
    disclosed to.

  • If we intend to transfer the personal data to a third country or
    international organisation, information about how we ensure this is
    done securely. The EU has approved sending personal data to some
    countries because they meet a minimum standard of data protection.
    In other cases, we will ensure there are specific measures in place
    to secure your information.

  • How long the data will be stored.

  • Details of your rights to correct, erase, restrict or object to such
    processing.

  • Information about your right to withdraw consent at any time.

  • How to lodge a complaint with the supervisory authority.

  • Whether the provision of personal data is a statutory or contractual
    requirement, or a requirement necessary to enter into a contract, as
    well as whether you are obliged to provide the personal data and the
    possible consequences of failing to provide such data.

  • The source of personal data if it wasn't collected directly from
    you.

  • Any details and information of automated decision making, such as
    profiling, and any meaningful information about the logic involved,
    as well as the significance and expected consequences of such
    processing.

What forms of ID will I need to provide in order to access this?

Derivitec Ltd accepts the following forms of ID when information
on your personal data is requested:

Passport or driving licence accompanied by a utility bill (from
last 3 months)

Contact details of the Data Protection Officer:

Contact Name: Michael Armitage
Address line 1: Derivitec Ltd
Address line 2: Level 39
Address line 3: One Canada Square
Address line 4: London
Address line 5: E14 5AB
Email: gdpr@derivitec.com
Telephone: +44 203 668 3681

v1.0 Effective 24th May 2018