Cookie Policy

Version 1.1 | November 2018

The GDPR has introduced increased requirements in relation to cookies, reflected in the FibreCRM Cookies Policy & Procedures.

FibreCRM uses Google Analytics, a simple, easy-to-use tool that helps website owners measure how users interact with website content. As a user navigates between web pages, Google Analytics provides website owners JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page. The Google Analytics JavaScript libraries use HTTP Cookies to “remember” what a user has done on previous pages / interactions with the website.

Important: Read the Google Analytics privacy document for more details about the data collected by Google Analytics.

Google Analytics supports three JavaScript libraries (tags) for measuring website usage: gtag.js, analytics.js, and ga.js. The following sections describe how each uses cookies.

The analytics.js JavaScript library is part of Universal Analytics and uses first-party cookies to:

  • Distinguish unique users
  • Throttle the request rate

The ga.js JavaScript library uses first-party cookies to:

  • Determine which domain to measure
  • Distinguish unique users
  • Throttle the request rate
  • Remember the number and time of previous visits
  • Remember traffic source information
  • Determine the start and end of a session
  • Remember the value of visitor-level custom variables

By default, this library sets cookies on the domain specified in the document.host browser property and sets the cookie path to the root level (/).

This library sets the following cookies:

Historically, Google Analytics provided a JavaScript measurement library named urchin.js. When the newer ga.js library launched, developers were encouraged to migrate to the new library. For sites that have not completed the migration, urchin.js sets cookies identically to what is set in ga.js. Read the ga.js cookie usage section above for more details.

For customers that are using Google Analytics’ Display Advertiser features, such as remarketing, a third-party DoubleClick cookie is used in addition to the other cookies described in this document for just these features. For more information about this cookie, visit the Google Advertising Privacy FAQ.

Currently FibreCRM does not utilise or benefit from the personal data collected via the use of cookies. However, should this change FibreCRM will adhere to the following policy.

Simon Leek (Director of FibreCRM Ltd) is the Data Controller. Simon’s contact details are as follows:

Address:
FibreCRM Ltd
Tremough Innovation Centre
Penryn
Cornwall
TR11 5GR

Telephone: 020 3598 0898
Email: simon@fibrecrm.com
Website: www.fibrecrm.com
Twitter: @fibrecrm
Office Hours: 09:30 to 17:30 Monday to Friday

FibreCRM does not employ a Data Protection Officer (DPO), as under the GDPR we are not required to do so. However, we have assigned the role of “Data Protection Lead” (DPL) to an existing member of the FibreCRM team (Richard Jackson).

Richard is a Certified GDPR Practitioner (IBITGQ) and the role closely mirrors that of a DPO. We apply the same standards to the DPL position as the DPO role, and FibreCRM is committed to supporting our DPL and providing all the resources required to comply with the GDPR.

Contact Details:

DPL: Richard Jackson

Address:
FibreCRM Ltd
Tremough Innovation Centre
Penryn
Cornwall
TR11 5GR

Telephone: 020 3598 0898
Email: richard.jackson@fibrecrm.com

FibreCRM processes personal data for Customer Relationship Management (CRM) software.

CRM is a strategy for managing an organisation’s relationships and interactions with customers and potential customers (prospects and/or leads).

CRM is designed to allow a Data Controller to manage their customer/business relationships, as a tool for growth and business development, efficiency and integration with existing/other business software tools.

In its simplest form, CRM provides a central location for storing customer and prospect information, and that data can be shared with internal colleagues. CRM tracks the historical interactions with customers, through telephone calls, emails, meetings and documentation.

Typical CRM systems will provide tools such as:

  • File and Content Sharing
  • Sales Forecasting
  • Email Campaign Generation
  • Instant Employee Messaging
  • Email Integration
  • Software Integration (FibreCRM specialises in the integration of its CRM products with accountancy practice software)
  • Dashboard Analytics
  • Prompts and Reminders, Calls to Action

FibreCRM will only process personal data where the data subject has either confirmed their consent for us to do so, or where there is a legitimate interest. In the instance of processing on the lawful basis of legitimate interest, FibreCRM will in every case carry out a full and robust Legitimate Interest Assessment (LIA) which will include/involve the ICO’s recommended 14-point check list, and the 3-stage balancing test – as follows:

Legitimate Interest as a Lawful Basis for Processing Personal Data:

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child.”

Legitimate Interest 14-point Checklist:

  1. We have checked that legitimate interest is the most appropriate basis
  2. We understand our responsibility to protect the individual’s interests
  3. We have conducted a legitimate interest assessment (LIA) and kept a record of it, to ensure that we can justify our decision
  4. We have identified the relevant legitimate interests
  5. We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
  6. We have done a balancing test (see below), and are confident that the individual’s interests do not override those legitimate interests
  7. We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason
  8. We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason
  9. If we process children’s data, we take extra care to make sure we protect their interests
  10. We have considered safeguards to reduce the impact where possible
  11. We have considered whether we can offer an opt out
  12. If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA
  13. We keep our LIA under review, and repeat it if circumstances change
  14. We include information about our legitimate interests in our privacy notice

Three Stage Balancing Test:

  1. FibreCRM identifies the legitimate interest(s). This is achieved through balanced consideration:
     • Why does FibreCRM want to process the data – what are we trying to achieve?
     • Who benefits from the processing? In what way?
     • Are there any wider public benefits to the processing?
     • How important are those benefits?
     • What would the impact be if FibreCRM couldn’t go ahead?
     • Would FibreCRM’s use of the data be unethical or unlawful in any way?
  2. FibreCRM applies the necessity test. This considers:
     • Does this processing help to further that interest?
     • Is it a reasonable way to go about it?
     • Is there another less intrusive way to achieve the same result?
  3. FibreCRM carries out a balancing test. We consider the impact of our processing and whether this overrides the interest we have identified. We find it helpful to consider the following:
     • What is the nature of FibreCRM’s relationship with the individual?
     • Is any of the data particularly sensitive or private?
     • Would people expect FibreCRM to use their data in this way?
     • Is FibreCRM happy to explain it to them?
     • Are some people likely to object or find it intrusive?
     • What is the possible impact on the individual?
     • How big an impact might it have on them?
     • Is FibreCRM processing children’s data?
     • Are any of the individuals vulnerable in any other way?
     • Can FibreCRM adopt any safeguards to minimise the impact?
     • Can FibreCRM offer an opt-out?

FibreCRM’s core business activity is the provision and subsequent product support for Customer Relationship Management (CRM) software. Our primary clients are accountancy practices, a strong market sector for CRM. On that basis our generic legitimate interest is as follows (in the case of each Data Subject we conduct a specific Legitimate Interest Assessment (LIA); the following statement is a broad description of our lawful basis for processing personal data):

  • FibreCRM has an interest in processing personal data, for promoting and providing CRM software products for the accountancy practice sector
  • Processing the data by the method(s) we apply is the most appropriate means of engaging with the current/prospective customer, and this data processing is a means of furthering the interests of the data subject
  • FibreCRM has carefully considered the impact upon the data subject and is of the view that the data subject would expect FibreCRM to process their data in this manner. In addition, there will either be an existing relationship with the data subject (in many instances on a contractual basis, a further basis for the lawful processing of personal data) or the processing will not be found to be intrusive where the data subject is not yet known to FibreCRM. This is balanced by our consideration that CRM is a standard tool within the accountancy practice sector, and that all accountancy practices would expect a CRM provider to process their personal data based on legitimate interest

FibreCRM will, on occasion, need to transfer personally identifiable data outside the EEA, to third countries or international organisations. This is necessary due to the need to access appropriate CRM product expertise which is not always available in the EEA and is for the benefit of our clients and data subjects. FibreCRM closely monitors the findings and recommendations of the Article 29 Working Party, in relation to guidelines and recommendations on data transfers, binding corporate rules and contractual clauses.

FibreCRM respects and adheres to all six GDPR principles of personal data processing and, with regard to data retention, we refer to the principle of Data Minimisation.

Data Minimisation is a principle that states that data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy. In the General Data Protection Regulation (GDPR), this is defined as data that is adequate and/or relevant.

On that basis, FibreCRM retains data only for as long as is required, and at the point there is a) no requirement for retaining that data and/or b) it becomes irrelevant to the original purpose for processing – that data is erased.

The GDPR provides the following rights for individuals:

  • The Right to be Informed
  • The Right of Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Restrict Processing
  • The Right to Data Portability
  • The Right to Object
  • Rights in relation to Automated Decision Making and Profiling

In each instance and with respect to each of the 8 data subject rights, FibreCRM has created a clear and transparent set of policies and procedures. These are designed to demonstrate our compliance under the GDPR, provide the data subject with the rights they are entitled to, and maintain our data protection standards and culture. These policies and procedures are freely available on request; please contact Richard Jackson (DPL) for further information.

FibreCRM does not rely on Consent as our lawful basis for processing personal data. However, if at any stage we do rely on Consent as our lawful basis, we will ensure that the Data Subject is afforded the opportunity to withdraw their Consent as easily as it was given initially.

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority (ICO in the United Kingdom), in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Should the data subject desire to lodge a complaint with the ICO in relation to a perceived infringement of the GDPR in respect of data that relates to them, FibreCRM provides information to guide the data subject towards how to manage this complaint.

In more detail, the complaint will progress in this manner:

  • Every data subject should have the right to lodge a complaint with a single supervisory authority (ICO in the UK), in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject
  • The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case
  • The supervisory authority (ICO) should inform the data subject of the progress and the outcome of the complaint within a reasonable period
  • If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject
  • To facilitate the submission of complaints, the ICO should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication

FibreCRM processes personal data only where there is a lawful basis to do so, and in every instance provides the data subject with a clear and straightforward route to “opting out” of that data processing or to request to have their data erased.

There is no obligation on the data subject to provide the personal data, and there are no consequences of failure to provide it to FibreCRM.

ICO Helpline:

  • 0303 123 1113 (local rate, calls to this number cost the same as calls to 01 or 02 numbers)
  • If calling from outside the UK, please call +44 1625 545 700
  • The ICO welcomes telephone calls in Welsh on 029 2067 8400
  • Rydym yn croesawu galwadau yn Gymraeg ar 029 2067 8400
  • The ICO’s normal opening hours are Monday to Friday between 9am and 5pm
  • Link: https://ico.org.uk/concerns/

ICO Scotland:

The Information Commissioner’s Office – Scotland
45 Melville Street
Edinburgh
EH3 7HL

Telephone: 0303 123 1115

Email: Scotland@ico.org.uk

ICO Wales:

Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH

Telephone: 029 2067 8400
Email: wales@ico.org.uk

ICO Northern Ireland

The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place
Belfast
BT7 2JB

Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.

Sensitive and private data exchange between the Site and its Users happens over an SSL-secured communication channel and is encrypted and protected with digital signatures.

Currently FibreCRM does not utilise or benefit from the personal data collected via the use of cookies. However, should this change FibreCRM will adhere to the following policy.

Overview:

FibreCRM must inform our website visitors where and when we set cookies on our website, and clearly explain what those cookies do (and why they do it). FibreCRM must also gain the website visitor’s consent. That consent can be implied but must be knowingly given.

There is an exception for some cookies that are essential for providing an online service at someone’s request. For example, to remember what is in their online basket, or to ensure security in online banking.

The same rules apply if FibreCRM uses any other form of technology to store or gain access to information on someone’s device.

What is a Cookie?

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

What does FibreCRM need to do to comply?

The rules on cookies are in regulation 6 of the GDPR. FibreCRM must:

  • Tell people the cookies are there;
  • Explain what the cookies are doing and why; and
  • Get the person’s consent to store a cookie on their device

If FibreCRM does this the first time we set cookies, we do not have to repeat it every time the same person visits our website. However, we must always consider that devices may be used by different people. If there is likely to be more than one user, FibreCRM may repeat this process at suitable intervals.

What else is covered, apart from Cookies?

Although this policy focuses on cookies, regulation 6 of the GDPR applies to anyone who stores information on a user’s device or gains access to information on a user’s device, in either case by any method.

This means the same rules apply to any similar technologies – such as Local Shared Objects (sometimes called Flash cookies) – and can also cover other types of technology, including apps on smartphones, tablets, smart TVs or other devices.

These rules also outlaw spyware or any similar covert surveillance software that downloads to a user’s device and tracks their activities without their knowledge.

What information must FibreCRM give our users?

PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes. You must explain the way the cookies (or other similar technologies) work and what you use them for, and the explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing the cookies. You may need to make sure the language and level of detail are appropriate for your intended audience.

This is like the transparency requirements of the first data protection principle (privacy notices).

What counts as consent?

To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving FibreCRM consent. FibreCRM cannot show consent if we only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If FibreCRM is relying on implied consent, we need to be confident that our users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.

Does FibreCRM need consent from the subscriber or from the user?

Regulation 6 states that consent should be obtained from the Subscriber or User.

‘Subscribers’ and ‘Users’:

PECR defines subscribers and users as follows:

Subscriber: “a person who is party to a contract with a provider of public electronic communications services for the supply of such services”

User: “any individual using a public electronic communications service”

The subscriber is the customer who has a contract with the service provider – in other words, the person named on the bill for the telephone line or internet connection, or the person who owns the SIM card on a pay-as-you-go mobile contract. This may be an individual or an organisation.

The user is any individual using the phone or internet connection. This will not always be the same person as the subscriber – for example they might be the subscriber’s employee, a customer, a family member or a friend.

‘Corporate Subscribers’ and ‘Individual Subscribers’:

Corporate Subscriber: Subscribers that are a corporate body with separate legal status. This includes companies, limited liability partnerships, Scottish partnerships, and some government bodies.

Individual Subscriber: Individual customers (including sole traders) and other organisations (e.g. other types of partnership).

In practice FibreCRM may not be able to tell who the subscriber is and who is a user – which means we may not be able to distinguish between consent provided by the subscriber and by the user. The key will be that valid consent has been provided by one of them.

PECR does not say whose wishes should take precedence if they are different. If there appears to be a conflict – for example, if a subscriber or user previously consented but now the current user of the same device objects – FibreCRM will rely on the most recent indication. This would mean we always respect the current user’s preferences, even if we cannot be sure of the subscriber’s preferences.

Exemptions:

There is an exemption if:

  • The cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • The cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

This means FibreCRM is unlikely to need consent for:

  • Cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
  • Session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – e.g. online banking services; or
  • Load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

FibreCRM will (where necessary) refer to the opinion adopted by European data protection authorities in June 2012 (Article 29 Working Party opinion 04/2012), which clarifies that some usage of session-ID cookies, multimedia cookies, and user interface customisation cookies (eg language-preference cookies) is likely to fall within the information society services exemption.

Do the rules still apply if the data is anonymous?

Yes. Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies.

If FibreCRM cookie data is not anonymous, we will also need to comply with the Data Protection Act. FibreCRM may need to consider whether you could use anonymised data instead, to comply with the third data protection principle (which concerns personal data being adequate, relevant and not excessive). This is likely to be particularly relevant where you are not using the data to provide a service to the user – for example, if you are simply counting visitors to a website.

How do these rules affect apps?

Apps store information on smart devices, and some apps may also access information on the device (e.g. contacts or photos). App developers should therefore provide clear information to users about what the app does, and exactly how it uses their information, before users click to install the app.

FibreCRM Limited has the discretion to update this privacy policy at any time. When we do, we will post a notification on the main page of our Site and revise the updated date at the bottom of this page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect.

Contacting us

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:

FibreCRM Limited
http://www.fibrecrm.com

Address:

Tremough Innovation Centre
Tremough Campus
Penryn
Cornwall
TR10 9TA
United Kingdom

Telephone: +44(0)203 598 0898
Email: legal@fibrecrm.com