Privacy Notice
Quill is part of Dye & Durham (UK) Holdings Limited (“Dye & Durham”), a company incorporated in England and Wales with registered number 11844231 at Companies House and whose registered office is at Imperium, Imperial Way, Reading, Berkshire, United Kingdom, RG2 0TD.
Our Data Protection Officer can be reached by emailing dpo@quill.co.uk.
Quill plays multiple roles when it comes to processing your data. In some situations, we act as a Controller, in others we are the Processor. In circumstances where we are just a Processor of personal data, we are doing so purely on the instruction the client you are engaged with, or are an employee of (the Controller).
Quill does on occasion, act as a Controller. That will usually be the data of potential and existing employees, clients, potential clients, investors, and website users and then technical data when you use our tools.
Being a Controller means that we are trusted to look after and deal with your personal information in accordance with this notice. We determine the ways and means of processing your data and must therefore be accountable for it.
This privacy notice refers to the data we process data as Controller only.
As a data subject, you have a number of rights over your personal data under the Data Protection Laws:
- Right of access: You can request access to a copy of the personal data which we hold about you as well as details about why and how we use.
- Right to rectification: You can ask us to change or complete any personal data we hold about you which is inaccurate or incomplete.
- Right to be forgotten/erasure: You have a right, under certain circumstances to ask us to delete any personal data we hold out you. Please note that there may be situations where we must retain your personal data after a request for erasure where we have a lawful basis for doing so.
- Right of restriction: You can ask us to restrict (ie prevent) the processing of your personal data where you have objected to our use of it and we have no lawful basis to continue processing your personal data.
- Right to data portability: In certain circumstances, you can ask us to transfer the data we hold about you to another. This would be sent in a structured, commonly used, electronic form.
- Right to object: You can object to us using your personal data for particular purposes.
- Automated decision making: You have a right not to be subjected to automated decision making and profiling in certain circumstances.
If you want to exercise any of these rights, please just contact us on dpo@quill.co.uk.
You also have the right to lodge a complaint about our processing with a supervisory authority – in the UK that is the ICO whose details are here.
Data that we hold and how we use it
As a potential client, we hold your name, job title and business contact details so we can build a relationship with you. This data will have been sourced directly from you at an event, or from your company website or a similar publicly available source. We only hold your data if we legitimately think you will have an interest in using our software or services and send you information on webinars or other marketing materials. You are welcome to opt out at any time. If we call you, we sometimes record the calls to help ensure that we are giving you the best experience and to help train our staff and analyse our performance. If we do this, we will always ask for your consent.
Lawful basis for processing
Our lawful basis for processing your data is a Legitimate Interest for marketing purposes. As you are a corporate entity, we also abide by the Privacy and Electronic Communications Regulations (PECR). We give you the change to opt-out of all marketing on anything that we send you. We only share details of our own software and services in our marketing. If your data was not sourced directly from you, then we contact you once we have the data to let you know that we have your data and give you the chance to opt-out. Our legitimate interest balancing test indicates that this is a legitimate purpose: you would not be surprised to hear from us based on the nature of your job role, and our processing does not cause any harm or risk to you as a data subject. If we record calls, we do so only with your consent.
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example, cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not sell your data to anybody, and we do not share it with anyone other than our contracted processors.
Retention periods
We hold data on potential clients for as long as we think you are likely to be interested in our software and services, or until the point at which you opt out of communications. At this point you are added to a suppression list, so we do not contact you again. When you become a client, then the privacy notice for clients will apply.
Data that we hold and how we use it
As a client, we hold the contact and payment details required to carry out our contract with you, manage our relationship and keep you up to date with changes and improvements to our software and services. This data would have been sourced from you directly. We also use your data to send you marketing material on our own upcoming software and services.
Lawful basis for processing
Our lawful basis for processing your data is a combination of Contract and Legitimate Interest. We use legitimate interest when we use your data to keep you up to date with changes and improvements to our software and services. Results of a legitimate interest balancing test indicate that this use is pursuing a legitimate interest, is necessary for the purpose of keeping you updated and growing our business, and unlikely to cause you risk or harm.
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example, cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not sell your data to anybody, and we do not share it with anyone other than our contracted processors.
Retention periods
We hold data on clients for the length of time that you are a client of ours, then another 7 years in case of any dispute.
Data that we hold and how we use it
As a potential employee we hold the following information on you: Name, CV/resume, industry qualifications/experience, salary expectations, contact details, interview notes, references, educational background/qualifications and pre-employment check results.
Lawful basis for processing
Our lawful basis for processing your data is a combination of contract, legitimate interest, legal obligation and consent, depending on the process. On the whole, we are processing the data to create and maintain a relationship with you and test your suitability for the role. As the journey towards onboarding progresses, we are obliged by law to do certain checks, such as your eligibility to work in the UK. We use consent only to maintain your data in the event that the job you applied for is not ideal at the time and we want to stay in touch with you. You can withdraw consent at any time.
The data we hold on you would have come directly from you or from an agency, where you have applied for the role. If we did not source the data directly from you then we will contact you within one month to let you know the details of processing.
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example, cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not sell your data to anybody, and we do not share it with anyone other than our contracted processors.
Retention periods
We hold data on potential employees for various periods, depending on the situation. If you were unsuccessful and we want to stay in touch then we will ask your consent to hold that data for a further 12 months, in case of another role being suitable in that time.
If you were not a good fit for the role and not short listed then your data is deleted as soon as it is no longer needed.
If you were shortlisted, but did not get the role then we keep your data until the successful candidate passes their probation period (8 months). After that we will ask your consent to hold the data for a further 12 months. If consent is not given then the data will be deleted.
If you did get the role you applied for then you become an employee and the employee privacy notice will apply.
If you are an employee of Quill, please refer to the Fair Processing Notice that is stored in the Staff Portal.
Data we process
When you browse our website, we drop only essential cookies that make our site work without consent. When we drop analytics or tracking cookies, we do so only with your consent, gained via the cookie banner. You can withdraw your consent at any time. You can read more about cookies in our Cookie Policy.
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example, cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not share your data to anybody without your consent unless it with our contracted processors.
Data that we hold and how we use it
As a user of Quill, we process data about the way you use our application, including your IP address and browsing time. This helps us to optimise the performance of Quill, monitor it for security purposes and drive improvements for our users.
We also process your data so we can drive improvements to Quill and to allow bug reporting and analysis. We ask your consent for this. We use your contact details to send you service updates.
Lawful basis for processing
We use legitimate interest when we use your data to improve the performance of Quill, process your data for service messages, and protect it from illegal use. Results of a legitimate interest balancing test indicate that this use is pursuing a legitimate interest, and unlikely to cause you risk or harm.
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example, cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not sell your data to anybody and we do not share it with anyone other than our contracted processors.
Retention periods
We delete your data 12 months after you cease using the application.
Data that we hold and how we use it
As a potential supplier, we hold your name, job title and business contact details so that we can build a relationship with you in case we need something that we believe you many be a good fit to provide. This data will have been sourced directly from you at an event, or from your company website, referral or similar publicly available source.
Lawful basis for processing
Our lawful basis for processing your data is legitimate interest and contract. When we connected it was with a view to entering into a service contract together. If either party decides not to go forward, then we use legitimate interest to retain the data should we require additional services. Our legitimate interest balancing test indicates that this is a legitimate purpose: we are sure you will want to hear from us when we might require additional services, and it is unlikely to cause you risk or harm.
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not sell your data to anybody, and we do not share it with anyone other than our contracted processors.
Retention periods
We hold data on potential suppliers for 2 years after our last contact.
Data that we hold and how we use it
As a supplier, we hold the contact and payment details required to manage our relationship and pay you for the services you provide. This data would have been sourced from you directly.
Lawful basis for processing
Our lawful basis for processing your data is a combination of Contract and Legitimate Interest. We use legitimate interest when we use your date to let you know about other services we might require. Our legitimate interest balancing test indicates that this is a legitimate purpose; we are sure you will want to hear from us when we might require additional services, and it is unlikely to cause you risk or harm. We use contract when we process data to manage our relationship with you (e.g. to pay you).
Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. We also transfer your data to our accountants to ensure you are paid appropriately. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. We do not sell your data to anybody, and we do not share it with anyone other than our contracted processors.
Retention periods
We hold data on our suppliers for the length of time that we are engaged together, then another 7 years in case of any dispute.
We do not use your personal data in any automated processes to make decisions about you.
All data is password protected, access controlled, backed up securely and encrypted when appropriate.
All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects.
Data Privacy by Design and Default is an integral part of our development processes.
All devices are protected by a leading enterprise mobility management technology. For detailed security information, please see our security documentation.
We may change this Privacy Policy from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date. If we make any material changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.
We may, from time to time, expand or reduce our business and this may involve the sale and/or transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.
In the event any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.