How many privacy policies have you read?
Privacy Policy
You are not alone if you find privacy policies tedious to read. At emBold we really value clear and concise communication. We’re going to keep this part very easy for you.
We simply would not have a business if clients and research participants did not trust us to handle their data effectively, and stay up to date on data security, privacy issues and regulations.
We champion effective and ethical communication. Spamming, stalking covertly, misleading people or sharing their data without consent is wholly unacceptable.
Summary
We collect and use the following types of data:
- From research: our own or commissioned by clients. Data at the personal-level is kept to a minimum and, importantly, reported in aggregate, anonymously by default, unless consent has been provided freely.
- Relating to contracts and day-to-day legal obligations and legitimate business operations e.g. transactions, invoicing/payment, tax, diary management, business development, client relationships and communications.
- Passive data e.g. cookies/analytics via visits to the emBold website.
emBold is registered with the ICO. Registration reference: ZA321637. Our market research is conducted using the industry-standard guidelines of MRS and ESOMAR, which in turn protect the privacy rights of consumers.
If you’d like to read more detail about how we handle privacy and data protection at emBold, read our narrative description below. Kate McGhee is the Managing Director of emBold and its Data Protection lead, and she has 20+ years’ professional experience of data-handling and data protection issues. You can reach her by email at kate@embold.london
Narrative Privacy Policy
We’d like to tell you a true story…
The new philosophy for privacy policies is that they need to be narrative (= longer) and not try to dupe people into signing away their rights. We kept our summary succinct, but here, we need to say more…
This is our post-GDPR narrative policy. We have not used a strange automated template that we don’t quite understand and that would confuse our clients or potential clients.
We’ve not copied someone else’s policy. We don’t have those dreadful pre-ticked permission pop-ups. Instead, we have had a good think about the technology, platforms and processes we use and then written about it.
We asked some questions and reflected back the information we think that people might care more about when they choose to work with us, or contribute to our research.
Incidentally, if you are uncertain whether you, as a client, can work in a GDPR compliant way with your data, seek professional help. We can advise you directly on some issues or help you find an answer. It is still a new, complex and evolving area and there are some confusing and unhelpful interpretations out there. We have links with professional organisations and experts who can assist on questions we cannot answer ourselves and we’re happy to ask on your behalf, to clarify matters.
Back to our narrative privacy policy…
Mailing list
Our clients are busy and they come from different sectors. One size does not fit all for communication and we treat our clients as individuals. Clients contact us and we contact them directly. We have a monthly mailing list that our contacts can opt in to receive. We share news we feel would interest them and keep it constantly reviewed. We hate spam. We love referrals and this is how we win most of our business. We use the MailChimp platform for our newsletter. This is also the platform we implement with clients.
Website
Our website is rather light touch too. You may have noticed. This too will be something that may change in the future. The emBold website uses HTTPS/SSL security. Our host is Bluehost based in the US. We don’t proactively collect any data via our website at the moment. We do not publish comments or use online contact forms. While we work at this scale, clients and those interested in doing business with us are invited to contact emBold staff directly via email, phone or using publicly available platforms where we maintain an active business presence e.g. LinkedIn, Twitter and Instagram.
Our Partners
Strong integrated marketing projects rely on successful partnerships. We work alongside skilled specialists: graphic designers, digital marketers, videographers, other marketing and research agencies / partners, data processors and statisticians. In order to deliver a project, we often need to share data with partners, and partners need to share data with us. We are transparent with our clients, suppliers and research participants in situations where data is shared or transferred, or if we need to work with a partner to deliver a specialist service. Details of these partnerships are included in contracts. We want to work with partners who share our values, ethics and commitment to data protection and privacy. We always ensure the appropriate legal grounds for processing personal data are in place. If we need additional consent from any party involved, we’ll ask for it.
Third party platforms
Entrepreneurial businesses are all standing on the shoulders of giants. The third-party platforms we use enable us to do far more in less time, giving us more opportunity to focus on things we really care about. We have listed the main platforms we use for our own business operations and we are satisfied that their level of compliance on data protection issues matches our own high standards. Where data is transferred outside EU/EEA, we select providers bound by the EU/US privacy shield or equivalent safeguards. GDPR is an evolving process, so we will continue to review changes in privacy policies and advice from our peers. We like to experiment with different platforms, so this will never be an exhaustive list. Also, we need to be flexible and work with the platforms that our client and supplier teams choose too. Where consent or sharing of contact information is required, we will always act with full transparency and seek consent where required.
Xero
We use this for book-keeping and accounting. All the data stored in this platform is there because we are legally obliged to retain it. It’s transactional data and holds transactional logs of suppliers, clients past and present and invoice details for the requisite time period.
Mailchimp
An industry-standard CRM and mailing platform. We retain contact emails and very brief information about the company to ensure that our communications are relevant. We review traffic: opens and click-throughs and are satisfied that Mailchimp’s policies are based on user-consent and are fully GDPR compliant. Contacts may unsubscribe at any time.
Research Tools
We have found it better to work with our clients and select a GDPR-compliant research platform that fits with their ethos.
GSuite
Like many businesses, a premium Google back office powers our company email and day-to-day document storage and sharing. This provides a short summary of Google Cloud’s approach on GDPR. Sensitive documents and special category information are not kept on Google Drive; they are stored in encrypted format on memory-sticks or other secure digital storage and back-ups.
Calendly
We use Calendly to schedule client meetings. We find it very convenient for both parties. The contact information shared using the platform is minimal: an email address and calendar reminder. If any client is uncomfortable using this service, they are very welcome to set an appointment directly by contacting the relevant member of the team. Privacy policy available here.
There are a small number of third-party platforms and services we use occasionally for more minor aspects of our normal business operations that either have not yet published GDPR positions or we have not had time to research in full. If we are not satisfied that they can deliver a compliant service, we will cease our activity, withdraw data, close accounts and seek alternative platforms.
When we conducted our GDPR review in 2018, we took a strategic decision to continue not to integrate any of emBold’s business services with Facebook as a platform. We do not have an emBold business Facebook page or presence. We don’t advertise on Facebook. We don’t use the Pixel.
While we have no doubt that Facebook products offer extremely powerful analytical and targeting tools, for our own business, ethically, we are not comfortable with the level of tracking and intrusion on people’s personal lives, nor do we believe that one platform should become so dominant and thereby leave businesses who depend on it vulnerable if terms and services change. We do not conduct business conversations with clients using Facebook Messenger.
WhatsApp is a Facebook-owned end-to-end encrypted messaging service. It’s acceptable, but we tend to steer clients towards direct SMS or email for important professional communications, rather than message functions within social media platforms. We have a separate presence on Instagram, which is also owned by Facebook. At the moment, this is an experimental channel for emBold and is not integrated with the emBold website.
Data Security
We have reviewed our data security and implemented robust plans and regular back-ups to ensure business continuity and data security. Our business devices are fully encrypted. Where clients demand, we will use client company-issued hardware for their projects and work directly on their networks/systems and in compliance with their privacy policies, under contract. At emBold, we generally do not collect or store sensitive or special category data in a way that can be attributed back to an individual. In situations where we do collect this type of data, with unambiguous consent, we ensure that this information is stored securely: encrypted and using GDPR compliant services.
Thank you for reading.
Please refer any further questions concerning this policy to emBold’s Managing Director: Kate McGhee who can be reached via kate@embold.london
We hope you found emBold’s Privacy Policy clear, informative and rather more digestible than your average policy. If so, you’re welcome. If you see this wording anywhere else, imitation is the sincerest form of flattery. We wrote it first though.
Last updated, April 2021.