MOMENTUM INSTORE LTD - INTOUCH APP PRIVACY POLICY
Last updated 25/03/23
What is the purpose of this document?
Momentum Instore Limited (referred to in this document as “we” or the “Company”) is committed to protecting the privacy and security of your personal information.
Momentum Instore Limited operates the Momentum InSite One application (“InSite One”). This privacy policy includes privacy notices and describes how we collect, use and store personal information about you, when you use our InSite One app, in accordance with applicable data protection laws and the EU General Data Protection Regulation (EU 2016/679) (GDPR).
This privacy policy does not form part of any contract to provide or procure services.
The Company is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.
It is important that you read this policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Contact Details
The Company's contact details are:
Momentum Instore Limited, Beechwood Court, Springwood Way, Tytherington, SK10 2XG.
01625 569 200
(Registered in England under Company Number 2875057)
Data Privacy Manager
The Data Privacy Manager's role is to inform & advise on data protection and GDPR, monitor compliance within the organisation, cooperate & liaise with the ICO and be the point of contact for data subjects.
If you have any questions or queries regarding this policy please direct these to our Data Privacy Manager at GDPR@momentuminstore.com.
Changes to This Privacy Policy and your duty to inform us of changes
This Privacy Policy is effective as of 23/05/18 and is in accordance with the new EU 'General Data Protection Regulations (GDPR). It will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.
We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. Your continued use of the Service after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.
If we make any material changes to this Privacy Policy, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website.
The Data we Collect About You
While using InSite One, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to your name ("Personal Information") and data types described below:
| Data Type | Description | InSite One App |
|---|---|---|
| Identity Data | Includes first name, last name, username or similar identifier, title, gender & social media links. | |
| Contact Data | Includes company billing address, delivery/store/branch address(s), email address and telephone numbers. | |
| Financial Data | Includes company bank account details and spend. | |
| Transaction Data | Includes details about payments to and from you or your organisation or business and other details of products and services you or your organisation or business have purchased from us (clients), or we have purchased from you (suppliers). | |
| Technical Data | Includes your login data (time, date, number of logins etc.) you use to access our systems. | |
| Profile Data | Includes your system username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. | |
| Usage Data | Includes information about how you use our app. | |
| Marketing and Communications Data | Includes your preferences in receiving marketing from us and your communication preferences. |
We also may collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific system feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How is Your Personal Data Collected?
We use different methods to collect data from and about you including through:
Direct interactions as you use our app and enter data
Automated technologies or interactions as you interact with our app we may collect technical data about your equipment, browsing actions and patterns
We collect this personal data by using cookies*, and other similar technologies. Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your mobile device from a web server and stored on your mobile device's hard drive.
InSite One uses strictly necessary "cookies" to manage user permissions and your authorisation to view specific client data within the application. If you do not accept cookies, you will not be able to use the application.
*Our cookie policy can be viewed on our website.
Log Data
We collect information that your device sends whenever you exchange data with the InSite One server ("Log Data").
This Log Data may include information such as your device's Internet Protocol ("IP") address, browser type, browser version, the time and date, and other statistics.
Camera / Photography Data
The InSite One application requires access to your device's camera, to facilitate the integrated use of photography within the application. The InSite One application allows you to select images in your device's native image storage (i.e. camera roll) as an alternative to camera photography.
Location Data
The InSite One application is able to report the geographical location of users. This function is active only while the application is in use & you have opted to 'allow InSite One to access your location while you use the app'.
How we Use Your Personal Data
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances (each of these circumstances can also be referred to as a “basis” of processing):
Where we need to perform the contract we have entered into with you.
Where we need to comply with a legal obligation.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal information in the following situations, which are likely to be less common:
Where we need to protect your vital interests (or someone else's interests).
Where it is needed in the public interest or for official purposes.
Where we have obtained your consent.
The table below describes all the ways we plan to use your personal data, and which of the legal bases (see Glossary - Legal Bases) we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. However, where we seek your consent to particular processing of your personal data, consent will be the legal basis for such processing. Please contact us if you need details about the specific legal basis we are relying on to process your personal data where more than one basis/ground has been specified:
| Purpose / Activity | Type of data | Lawful basis for processing, including basis of legitimate interest |
|---|---|---|
| To provide you with: access to visits (jobs) we have scheduled to you; the ability for you to capture and report on each visit; view visit location maps for journey planning purposes; submit expense and timesheet information; receive messages from us | (a) Identity (b) Contact (c) Transaction (d) Technical (e) Profile |
Where you are a sole trader, performance of a contract with you Necessary for our legitimate interests (to promote, sell and deliver our products/services and grow our business) |
| Google Data Analytics: Conduct data analytics studies to review and better understand the performance of our website | (a) Technical (b) Usage |
Necessary to perform the contract we have entered into with you (to promote, sell and deliver our products/services and grow our business) |
How we Store Your Personal Data
Data may be stored both electronically and in hard copy in a range of different places including:
Insite One (cloud based)
We may collect additional personal information in the course of contract activities throughout the period of our working relationship.
Change of Purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Access to Data
In order for the Company to carry out the points listed above (under "How we use your personal data"), some of your information will be shared internally on a need to know basis. This includes with members of several different departments including:
Sales & Marketing
Installation and Merchandising project teams
IT
Finance
Third Parties
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
We also share your data with third parties that process data on our behalf, in connection with outsourced system provision. For example, your personal data may be shared with:
Emphasys - development and hosting provider for Insite (our client reporting and estate management system) and our mobile app InSite One (data collection & reporting).
Governmental and regulatory bodies such as HMRC & the Information Commissioners Office
Other organisations and businesses who provide services to us such as backup and server hosting providers, IT software and maintenance providers and suppliers of other back office functions.
Other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise or possible sale or restructuring of the business (but will only do so under strict conditions of confidentiality and as permitted by GDPR)
We require all third parties to respect the security of your data and to treat it in accordance with the law.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We will not transfer your data to countries outside the European Economic Area without your further explicit consent.
Data Security & Data Breach Notification
We treat the security of your data with the utmost importance. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed in an unauthorized way. The ability to access data is restricted to employees, agents, contractors and other third parties who have a business need to know. Some of the key measures in place to ensure this include:
The ability to access data is restricted on a need to know basis. Active Directory (“AD”) security groups are used to permission sensitive server data and Access Control Groups are used on our extranets.
SSL certificates are used on all our sites as standard, to ensure data in transit is encrypted.
All Insite One system data is subject to back-up at transaction level throughout each day, and full back-up is performed each morning. All server data is backed up using Veeam using the 3-2-1 methodology and copies stored offsite.
Insite One SQL servers are mirrored, with automatic failover (Microsoft Azure servers based in the EU)
Sophos End Point Protection software protects all employee PCs\Laptops
Server based data sits behind a WatchGuard M370 firewall with IDP & an active subscription.
“AD” policy is that all user account lockout automatically after 3 failed password attempts. Accounts can only be unlocked by a member of the IT team. Network passwords have to be at least 8 characters in length and contain at least one uppercase character and a number. These expire every 30 days.
All laptops and mobile devices are encrypted and the use of non-encrypted removable storage media is prohibited (via a Sophos Device Control policy)
A clean desk policy is in place.
Where we engage third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data Retention Periods
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which information is available by request from our Data Privacy Manager (please send an email to gdpr@momentuminstore.com). To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once we no longer have dealings with you (because for example you are no longer a client or supplier), we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.
The Company may need to keep certain information to respond to and defend against legal claims for up to 6 years. We will review your personal data regularly during any retention period to ensure that it is still needed, is accurate and not excessive. Your personal information will be kept securely and in any event destroyed after 6 years (unless required by law to be maintained for longer).
Your Legal Rights
As a data subject, under certain circumstances, you have a number of rights under data protection laws in relation to your personal data:
Request access - You can access and obtain a copy of your data on request (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Correction - You can require us to change incorrect or incomplete data we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Erasure - You can require us to delete or stop processing your personal data, for example where the data is no longer necessary for the purposes of processing. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing - You can object to the processing of your personal data where the organisation is relying on its legitimate interests (or those of a Third Party) as the legal ground for processing;
Request the restriction of processing - You can request the restriction of processing. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.;
Transfer request - You can request the transfer of your personal information to another party;
DATA SUBJECT ACCESS REQUESTS
All data subject access requests from individuals to view their data being held by Momentum Instore should be addressed to GDPR@momentuminstore.com. The Company will firstly ask you to complete a Subject Data Access Request form for the purposes of properly verifying the identity of the individual making the request, ensuring it is lawful for us to provide the individual with the requested information and to understand specifically what data is being requested. The Company will then supply the electronic information requested within 1 month from the date of request for standard information requests. More complex information requests may take up to 3 months.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing at GDPR@momentuminstore.com.
RIGHT TO BE FORGOTTEN
The Company recognises an individual's "Right to be Forgotten", and such requests should be sent to GDPR@momentuminstore.com.
RIGHT TO BE COMPLAIN
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
RIGHT TO WITHDRAW CONSENT
In the circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer at GDPR@momentuminstore.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Glossary / Terms
GDPR - General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). ... GDPR is effective across the EU on May 25, 2018.
Data Controller - a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
Data Subjects - means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Lawful bases for data processing - The lawful bases we use for processing data, as set out in Article 6 of the GDPR are:
Consent: the data subject has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract we have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legitimate interests: the processing is necessary for your legitimate interests of the legitimate interests of one of a 3rd party (unless there is a good reason to protect the individual's personal data which overrides those legitimate interests).
Legal obligation: the processing is necessary to comply with the controller's legal obligations.
Public interest: Where processing is needed in the public interest or for official purposes.
ICO - Information Commissioner's Office (https://ico.org.uk). The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Prospect (Sales Lead) - Potential customer or client qualified on the basis or their buying authority, financial capacity, and willingness to buy. The personal data of multiple data subjects may be held by us relating to a single customer or client.
Client - Customer or client for whom we are contractually engaged to provide and deliver a service(s) or have done work for in the past and are likely to do work for in the future. Multiple data subjects may be held by us relating to a single active customer or client.
Supplier (Vendor) - A person or company that provides goods &/or services to Momentum Instore. The personal data of multiple data subjects may be held by us relating to a single supplier.
Insite - Our Client reporting and Estate management portal, hosted and developed by our 3rd party partner, Emphasys.
ERP - Our Enterprise resource planning tool delivering integrated core business processes.
CRM - Our Customer relationship management tool used to store and analyse prospect and client data subjects and relationships.
App - Application (software) designed to work on a mobile or tablet. We operate an InSite One app (used by our field teams to collect data).
AD - Active Directory (“AD”) is a Microsoft technology that allows networks administrators to manage users, computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.