Privacy Policy
Version 2 revised 14/5/2023
1. Who We Are
Hainfort Associates Limited and its affiliates (collectively referred to as “Hainfort”, “we”, “our”, “us”) take our data protection and privacy responsibilities seriously. This privacy notice explains how we collect, use and share personal information in the course of our business activities.
Hainfort is committed to respecting your privacy and to complying with all applicable privacy laws and regulations, including but not limited to the UK General Data Protection Regulation (the “UK GDPR”), the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Act 2018 (the “Data Protection Laws”).
Hainfort is registered with the ICO and our registration number is ZB549057. Our entry on the ICO’s Register can be located here. We take data protection very seriously and have an appointed Data Protection Officer (“DPO”) who monitors our data protection compliance in accordance with Data Protection Laws. Please see section 8 for details on how to contact our DPO.
Hainfort Associates reserves the right to revise this privacy notice to ensure its alignment with legal obligations and our evolving business operations. If we make significant changes to this privacy notice, you will be notified when you sign in to our platform, and we will seek to inform you via our website or email.
While Hainfort often assumes the role of a data controller, for some of our activities, we may also function as a data processor or sub-processor. Here's a simple way to understand the distinctions:
- A data controller determines what personal data is collected, how it's collected, and its purpose.
- A data processor operates solely on clear instructions from the relevant data controller to process personal data on its behalf.
- A data sub-processor is engaged by a processor and will have access to or will process personal data for a specific purpose.
There can be more than one entity serving as a data controller in relation to specific personal data. If you have been asked to complete a Hainfort assessment on the Hainfort platform (“Platform”) as a participant (“Participant”) by a company or organisation that isn't Hainfort (typically your employer or potential employer), it is likely that such a company or organisation (“Client Organisation”) will also be acting as a data controller.
Here are a few instances when Hainfort might act as a data controller. Please note this list isn't exhaustive and could include, but is not limited to:
- Processing personal data from customers and potential customers
- Managing personal data of prospective, current, or former employees
- Using participants' personal data for research purposes
- Transforming participants' personal data into an anonymised form
- Processing personal data related to website usage
- Creating publicly shared profiles using participants' personal data
Whenever Hainfort serves as a data processor or sub-processor, we maintain agreements and policies to ensure data is handled securely, and that our actions comply with our customers' wishes and applicable data protection legislation.
2. What Personal Information is Collected and When
Our collection and processing of personal data vary according to the context of our interactions with you. Below, we detail the personal information we collect and the circumstances under which it is collected:
2.1 Direct Collection from Website Visitors
When you visit our website and engage in certain activities such as requesting information, accessing whitepapers, or using our 'contact us' form, we directly collect the following personal information:
- Name (first name and last name)
- Email address
- Phone number
- Postal address
2.2 Indirect Collection from Website Visitors
When you visit our website, we may collect certain data indirectly. This data includes information about your browsing habits, the type of device you are using, your geographical location, and other behavioural data to enhance your user experience and provide us with valuable insights. This information is collected through the use of analytics tools and cookies, in accordance with our Cookies Policy.
We also use a customer relationship management (CRM) system to help us manage our interactions with you. This may include tracking your activities on our site, such as the pages you visit, the content you download, and the enquiries you make.
2.3 Participants Invited to Complete an Assessment
When a Client Organisation (primary data controller) invites a Participant to complete an assessment on our platform, we collect the following information as a secondary data controller (note: the Participant should initially direct any queries to the primary data controller):
- Name
- Phone Number
- Email Address
- Date of Birth
- Gender
- Location (city)
- Educational attainment
- Professional experience
- Technical device information such as OS and browser details
The results of the assessment, along with the processed data, are shared with the Client Organisation.
2.4 Participant Data Collected for Research
We are committed to the continual improvement of our assessments. To achieve this, we may ask Participants to provide additional information such as ethnicity and other similar attributes. This data is collected strictly for research purposes and is processed by us as the data controller.
During and after your visit, this personal information is assessed by our team of psychologists. This information is stored securely, with the utmost confidentiality. We strictly adhere to all relevant privacy laws and regulations in this regard.
While we may share our research results with third parties, we only share anonymised and aggregated data. This means that it is impossible to identify any individual from the shared data. We implement this practice to maintain the privacy and confidentiality of the personal information we collect while still contributing to advancements in our field.
2.5 Legal Basis for Processing
Where we act as a data controller, we rely on the following legal bases for the processing of personal information:
- Consent: We may process personal information where we have obtained your explicit consent to do so.
- Legitimate Interest: We may process personal information where it is in our legitimate interest as a commercial organisation, provided that this is not overridden by your interests or rights.
- Legal or Regulatory Obligation: We may process personal information where it is necessary to comply with a legal or regulatory obligation that we are subject to.
- Contractual Obligation: We may process personal information where it is necessary to perform a contract, or take steps to enter into a contract with you.
Please note that the specific legal basis for our processing will depend on the personal information concerned and the specific context in which we collect it.
2.6 Third-Party Links
Our platform may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our platform, we encourage you to read the privacy policy of every website you visit.
2.7 Children's Privacy
Our services are not intended for use by individuals under the age of 16, and we do not knowingly collect or process personal data from individuals under this age. If we become aware that we have inadvertently collected personal data from a person under 16, we will take steps to delete such information as soon as possible.
3. How We Protect and Store Personal Information
At Hainfort, the security of your personal data is of utmost importance. We employ a comprehensive range of measures to protect and store personal information securely.
3.1 Technical Measures
Our technical measures to ensure data security include:
- Secure Environments: The servers used for assessments are kept in highly secure environments.
- Regular Testing: We conduct regular testing of our security systems, including third-party expert penetration testing, to identify and rectify any potential vulnerabilities.
- Managed Access: We strictly control access to our systems and data, ensuring only individuals with a legitimate need can access personal information.
- Encryption: We use encryption technology to protect data both in transit and at rest.
- Strong Passwords: We enforce the use of strong passwords to further enhance the security of our systems.
- Two-Factor Authentication: We require two-factor authentication for added security during login processes.
3.2 Organisational Measures
To complement our technical measures, we have implemented several organisational measures:
- Employee Awareness: We ensure our employees are aware of data protection requirements and emerging threats.
- Pre-Employment Checks: We conduct pre-employment checks to ensure the trustworthiness of our personnel.
- Physical Access Controls: We have robust physical access controls to prevent unauthorized access to our facilities and systems.
- Regular Training: We provide regular training to our staff on security and data protection matters.
- Policies and Procedures: We have established policies and procedures to support and enforce our technical measures.
3.3 Data Storage
The main servers that host our assessments are housed in the highest-rated data centres. Data provided by Participants is either kept within the European Economic Area (EEA), protected by the laws of a non-EEA country deemed to provide an equivalent level of data protection, or secured with appropriate contractual safeguards.
3.4 Data Retention
We retain personal data only as long as is reasonably necessary for the purposes for which it was collected, taking into account any minimum retention periods set by law. Unless otherwise required by law or regulation, this is typically twelve (12) months following the end of the relevant service.
For Participants, the Client Organisation, as the initial data controller, determines the retention period. The default setting in our system is thirty-six (36) months, but this can be managed by the Client Organisation as per their needs and legal obligations.
4. Your Legal Rights
As a data subject, you have a number of legal rights in relation to the personal information that we hold about you. Regardless of your location, your rights related to your personal data are protected in accordance with the local data protection and privacy regulations applicable in your region. This includes, but is not limited to, the right to access, rectify, erase your data, and other rights as detailed in this policy.
4.1 Right to Contact the Data Controller
You have the right to contact the Data Controller to exercise your data protection rights. You can do this by using the contact details set out in section 8. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
4.2 Identification and Security
To protect the confidentiality and security of your personal data, we may ask you to provide additional information so we can confirm your identity before we process your request. This is a precautionary measure to ensure that personal data is not disclosed to any person who has no right to receive it.
4.3 Exercising Your Rights
You can exercise your rights by contacting us using the contact details provided. These rights include:
- Right of Access: You have the right to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Right to Rectification: You have the right to request the correction of any inaccurate personal information we hold about you.
- Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your personal information where there is no good reason for us to continue processing it.
- Right to Restriction of Processing: You have the right to request the restriction of processing of your personal information. This allows you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Right to Data Portability: You have the right to request the transfer of your personal information to another party.
- Right to Object: You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Right to Withdraw Consent: Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time.
4.4 Limitations to Your Rights
Please note that in some circumstances, we may be legally entitled to refuse your request. For instance, we may not be able to fulfill your request if it is necessary to keep your information for compliance with a legal obligation, or for the establishment, exercise or defense of legal claims. In such cases, we will provide you with the reasons for the refusal.
We aim to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Please be aware that, depending on the right exercised, exercising your rights may affect your use of our services.
5. Automated Individual Decision-Making, including Profiling
As defined in the General Data Protection Regulation (GDPR), automated individual decision-making refers to decisions made about individuals based solely on automated processing, including profiling, which produce legal effects concerning the individual or similarly significantly affect them.
We want to clarify that the assessments provided by Hainfort do not fall under the category of "Automated Individual Decision-Making, including Profiling" as defined by the GDPR.
Our psychometric and aptitude assessments, although a valuable tool in recruitment and personnel development processes, should never be used in isolation. They are designed to be part of a broader, comprehensive decision-making process. It is vital to consider our assessments alongside all other information that the Client Organisation has collected on a Participant.
6. Marketing Communications
We value your privacy and strive to handle your personal data with respect and integrity. This section outlines how we use your personal information in relation to marketing activities.
6.1 Marketing Communications
We may use your personal information to let you know about our products and services that we believe will be of interest to you. We may contact you by email, post, or telephone or through other communication channels that we think you may find helpful. In all cases, we will respect your preferences for how you would like us to manage marketing activity with respect to you.
6.2 Responsible Marketing Practices
We aim to provide you with marketing communications that we believe are relevant, timely, and of interest to you. To achieve this, we use a sensible frequency for our marketing communications and carefully select the information we share with you.
6.3 Opting Out
You have the right to opt out of marketing communications at any time. You can exercise this right by clicking on the "unsubscribe" link in the emails we send you. Alternatively, you can send an email to privacy@hainfort.com with your request.
Please note that even if you opt out of receiving marketing communications, we may still send you non-marketing communications, such as those about your account or our ongoing business relations.
6.4 Cookie Preferences
You can manage your preferences regarding cookies by visiting our Cookie Policy page at https://www.hainfort.com/policies/cookie-policy. This page provides comprehensive information about how we use cookies and how you can control their use.
6.5 Reviewing Our Privacy Policy
We recommend that you check this privacy policy regularly. We will update this policy from time to time to reflect any changes in the way we handle your personal data or any changes in applicable laws. If we make significant changes, we will make that clear on the Hainfort website or by some other means of contact such as email, so that you are able to review the changes before you continue to use our services.
7. International Data Transfers
Given the international nature of our operations, your personal data may be transferred and processed outside of your home country. Our primary servers are located in the UK, where your data is stored. However, due to the global reach of our clients and participants, data may be accessed from different countries within the EU, EEA, and Switzerland.
7.1 Data Transfers within the EU, EEA, and Switzerland
When personal data is transferred within the countries of the EU, EEA, and to Switzerland, it remains protected under the General Data Protection Regulation (GDPR). These jurisdictions are deemed to provide an adequate level of protection for personal data by the European Commission.
7.2 Data Transfers outside the EU, EEA, and Switzerland
In circumstances where data needs to be transferred to countries outside the EU, EEA, or Switzerland, we ensure that such transfers are carried out in compliance with relevant data protection laws. This may involve the use of specific contractual clauses approved by the European Commission which give personal data the same protection it has in the EU.
We take all necessary measures to ensure that your personal data is treated securely and in accordance with this privacy policy when it is transferred internationally. If you would like further information on the specific mechanisms we use to protect your personal data during international transfers, please contact us using the details provided in section 8.
8. Contacting Us
We are committed to respecting your rights in relation to your personal information and to responding to your requests promptly and transparently.
8.1 Exercising Your Rights
Our appointed Data Protection Officer (“DPO”) monitors our data protection compliance in accordance with Data Protection Laws. If you wish to exercise any of your rights where we are acting as the data controller, please contact our DPO using the details provided below. Whether you have a question, would like to exercise your rights, or report a concern, we are here to assist you.
Email: privacy@hainfort.com
Phone: +44 789 703 0618
8.2 Reporting a Data Breach
If you suspect a data breach and we are acting as a data processor or sub-processor, we encourage you to contact us even if we are not the data controller. Please note, however, that while we will do our best to assist you, we are not ultimately responsible for helping you exercise your rights if we are not the data controller.
8.3 Contacting the ICO
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe that we have not complied with the requirements of the UK GDPR, the GDPR or the Data Protection Laws with regard to your personal data. You can contact the ICO at https://ico.org.uk/.
Please do contact us before you approach the ICO so we have an opportunity to address your concerns directly and swiftly. We value your privacy and strive to handle your personal data in compliance with all applicable laws and regulations.