This Policy sets out the basis on which any personal data provided to us by you, or received by us from third parties, will be used by us. This includes personal data which you provide to us in the course of instructing us or otherwise doing business with us, in enquiries you submit to us, or which you provide when visiting our websites at www.ridgefieldconsulting.co.uk or www.blondemoney.co.uk (the Sites).
Please read this Policy carefully and ensure that you understand our rights and responsibilities under it.
In this Policy, we or us refers to Ridgefield Consulting Limited, a company registered in the United Kingdom under number 07298742 whose registered offices are at 2 Hinksey Court, Church Way, Oxford, Oxfordshire, England OX2 9SX. We deliver some market commentary and subscription services under the trading name of Blonde Money.
We are the data controller of personal data provided to us and are registered with the ICO as a data controller under registration number Z3258940.
Full details are set out in the relevant sections of this Policy below, but in summary:
- we generally receive personal data relating to you directly from you. For example, we will receive those data if you are a client of ours or correspond with us in relation to a matter on which we are advising, if we do business with you, or if you contact us through the Sites;
- personal data may occasionally be provided to us by third parties with whom both you and we have a relationship or may be sourced by us in our customer research;
- we use your data to conduct our business, keep appropriate records and meet our legal obligations;
- we only provide your personal data to third parties for our limited business purposes or as permitted by law. We don’t share your data with third party advertisers;
- we store data for specified periods for our limited business purposes;
- you have certain rights, prescribed by law, in relation to the processing of your data, such as rights to request access, rectification or deletion of your personal data;
- you can contact us to enquire about any of the contents of this Policy.
This Policy provides information only in relation to personal data which we process for our own purposes as data controller. In providing some services to our clients (such as payroll services) we may process data on those clients’ behalf as their data processor.
1. Our use of personal data
1.1 In this section we have set out:
(a) the general categories of personal data that we may process;
(b) in the case of personal data that we did not obtain directly from you, the source and specific categories of those data;
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing. When we refer to a “legal basis”, we mean a lawful basis set out in Article 6 of the General Data Protection Regulation (GDPR) under which we conduct the relevant processing.
Personal data we obtain from you
1.2 Where we are instructed in relation to any particular matter, we may process your personal data for the purposes of setting up that matter in our systems and performing that instruction. For example, we may process your name, contact details, date of birth and National Insurance and Unique Taxpayer Reference numbers. We may process financial information such as salary, benefits, entitlements, tax details and bank account details. We may also process personal data contained within matter-related correspondence and documents, including financial information, whether created by us or provided to us. Finally, if you are the next of kin or nominated beneficiary of one of our clients or one of our client’s employees then we may process your name and contact details where relevant to any services we provide to them (such as the administration of benefits). We call all of this matter data, and we process it for the purposes of ID, fraud prevention and anti-money-laundering checks, providing our professional services and for record-keeping purposes.
Blonde Money account data
1.3 If you are a user of our Blonde Money service, then we may process the personal data submitted by you when registering for an account at the Blonde Money Site, which may include your name, username, role, organisation and contact details and login information. We call all of this Blonde Money account data. The Blonde Money account data may be processed for the purposes of operating the Site, providing the Blonde Money service, ensuring the security of the Blonde Money Site and service, and communicating with you.
1.4 We may process personal data contained in or relating to any communication that you send to us, whether by letter, email, through the Sites, through social media, or otherwise. All of this together is correspondence data. This may include the communication content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title, address or social media username. We process correspondence data for the purposes of communicating with you and record-keeping. If you are a client of ours, or have indicated your interest in our products, services or business, then we may also process correspondence data for the purposes of addressing your enquiry and providing you with occasional news about our products and services.
1.5 We may process information relating to transactions, such as bank account details, contact details or transaction data in relation to payments made by us to you or by you to us (transaction data). This may include your contact details, any bank account or sort code information provided for the purposes of making payment, and the transaction details (such as POs, bills or invoices). We do not process details of your credit or debit card: those details are processed by our payment processing service providers. The transaction data may be processed for the purpose of supplying or receiving and administering the relevant services and keeping proper records of those transactions, and for making and receiving payments.
1.6 We accept payment by credit or debit card through the Blonde Money Site by our payment processing service provider, Stripe Payments Europe, Ltd (Stripe). We do not collect or process your credit or debit card details over the Site. These are collected and processed by Stripe. If for any reason you make any payment to us offline then we may input your card details manually into a POS device and those details will be processed by another payment processing service provider, Worldpay (UK) Limited (Worldpay).
1.7 If you are or work for a supplier to us, or if we have some other commercial relationship with you (for example, a sponsorship or referral relationship) then we may process your personal data, such as your contact details, and any personal data contained within related documents, such as your proposals or our contract with you, in each case in connection with our commercial relationship with you. We call all of this partner data, and we process it for the purposes of administering and receiving the products and services you supply to us, or to administer our commercial relationship with you.
1.8 We may process data about your use of the Sites (usage data). This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and will be aggregated and anonymised in such a way that it contains no information pertaining to any identifiable individual at all – as such it is not actually personal data but we address it in this Policy for completeness’s sake. We process usage data for the purpose of improving our Sites.
Personal data we obtain from others
1.9 Your personal data may be provided to us by someone other than you: for example, we might be introduced to you in correspondence if you and we are both advising the same client, or if we advise your employer then they might put us in touch with you in connection with those services. Normally this data will be correspondence data, matter data or partner data as described above and will be processed by us for the purposes described above.
1.10 We may also obtain personal data such as the names and contact details of potential clients and business partners from our own research, from directories or from the research of third parties. This will normally be correspondence data, and used by us to contact the relevant recipients.
Our legal basis of processing
1.11 We will process personal data only on lawful bases. In particular, we will process personal data on the following lawful bases identified in Article 6 GDPR:
(a) for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing correspondence data, matter data, partner data, transaction data and Blonde Money account data;
(b) for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
- correspondence, partner and matter data (as we have an interest in properly administering our business and communications and in developing our business with interested parties);
- transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
- Blonde Money account data (as we have an interest in the administration and security of our Blonde Money Site and services);
- any personal data identified in this Policy where necessary in connection with legal claims (as we have an interest in the protection and assertion of our and your legal rights and the legal rights of others); and
- any personal data identified in this Policy in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).
1.12 We may also process your personal data set out above where necessary for compliance with a legal obligation to which we are subject (Article 6(c) GDPR), or in order to protect your or another individual’s vital interests (Article 6(d) GDPR).
2. Providing your personal data to others
2.1 We may disclose your personal data to our insurers and/or professional advisers as necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
2.2 We may disclose personal data to our suppliers or subcontractors in connection with the uses described above. For example, we may disclose:
(a) any personal data in our possession to suppliers which host the servers on which our data is stored; and
(b) transaction data and other relevant personal data to third parties for the purposes of ID checking, fraud protection, credit risk reduction and debt recovery.
2.3 While we do not process credit or debit card details, these are processed by Stripe and Worldpay in order to make and receive payments for us. Stripe and Worldpay’s privacy policies are available on their websites for further information.
2.4 We do not allow our third-party data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable law.
2.5 We may provide your contact details to other service providers by way of introduction where you have requested that we do so.
2.6 We may disclose your personal data where necessary to perform our services: for example, we may disclose certain matter data to HMRC or to Companies House when we make filings on your instructions.
2.7 We may also disclose your personal data where necessary for compliance with a legal obligation to which we are subject, or in order to protect your or another individual’s vital interests. For example, we have a duty under the Proceeds of Crime Act 2002 to report to the National Crime Agency (NCA) if we know or suspect that money laundering has occurred.
2.8 If any part of our business or operations is sold or transferred to, or integrated with, another organisation (or if we enter into negotiations for those purposes), your personal data may be disclosed to that organisation.
3. International transfers of your personal data
3.1 In this section, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
3.2 Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers made by our appointed data processors will only be made to countries in respect of which the European Commission has made an “adequacy decision”, or otherwise will only be made with appropriate safeguards, such as the use of standard data protection clauses adopted or approved by the European Commission. You may contact us if you would like further information about these safeguards.
3.3 All the servers which host our matter data and correspondence data are within the EEA.
3.4 We may also transfer personal data outside the EEA from time to time:
(a) with your consent;
(b) where required by your instructions (for example, if we are supporting you on a contractual negotiation where the counterparty is based outside the EEA); or
(c) if we take our mobile devices with us when travelling overseas to ensure continuity of service.
4. Data security
4.1 We have put in place appropriate security measures to prevent your personal data from being lost, used, accessed, altered or disclosed by accident or without authorisation. In addition, we limit access to your personal data to those officers, employees and freelancers who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
4.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
5. Retaining and deleting personal data
5.1 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
5.2 We will retain and delete your personal data as follows:
(a) matter, supplier and transaction data will be retained for seven years after the end of the relevant contractual relationship;
(b) correspondence data will be retained for the period of the enquiry or chain of correspondence and then deleted after twelve months;
(c) Blonde Money account data will be deleted shortly after account closure;
(d) Site usage data (which is anonymised, and therefore not personal data) may be retained by us indefinitely.
5.3 We maintain system backups for disaster recovery purposes and may retain those backups for up to two years. That means that information which is deleted from our live systems may still remain in backup for up to two years.
5.4 We may retain your personal data where necessary for compliance with a legal obligation to which we are subject, or in order to protect your or another individual’s vital interests.
We may update this Policy from time to time by publishing a new version on either or both Sites. You should check occasionally to ensure you are happy with any changes to this Policy, although we will notify you of material changes to this Policy using the contact details you have given us.
7. Your rights
7.1 We have summarized below the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. You can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for a fuller explanation of your rights.
7.2 Your principal rights under data protection law are:
- the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, to access to the personal data, together with additional information including details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee;
- the right to rectification: you have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed;
- the right to erasure: in some circumstances you have the right to the erasure of your personal data. These might include if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes. However, there are some exclusions of the right to erasure, such as where processing is necessary for compliance with a legal obligation or in connection with legal claims;
- the right to restrict processing: in some circumstances you have the right to restrict the processing of your personal data. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except in the case of processing permitted by applicable law (for example, in connection with legal claims or for reasons of public interest);
- the right to object to processing: you have the right to object to our processing of your personal data on the basis of the legitimate interests pursued by us or by a third party. If you make such an objection, we will stop processing the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing is for legal claims. You also have the right to object to our processing of your personal data for direct marketing purposes and if you do so we will stop processing your personal data for that purpose;
- the right to data portability: if the legal basis for our processing of your personal data is consent, or the performance of a contract with you, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others; and
- the right to complain to a supervisory authority: if you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
8. About cookies
8.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
8.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
8.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
8.6 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.
9. Our details
You can contact us:
(a) by post at 2 Hinksey Court, Church Way, Oxford, Oxfordshire, England OX2 9SX;
(b) using the contact forms on the Sites;
(c) by telephone at +01865 24 55 11; or
(d) by email at firstname.lastname@example.org.
10. Third Parties and Security
10.1 The Sites may contain links to third party websites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Sites, then you should note that these third parties may have their own privacy and cookie policies, and that we are not responsible for their use of any personal data which you may provide to them. You should ensure that you have read and understood any relevant policies.
10.2 Although we do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.