Updated 22nd October 2019
- The client data that we hold and process.
- What we do with this data.
- Security and our extended policies concerning your data.
- Your rights concerning your data.
If you have any questions about your personal data, privacy or security, please contact [email protected] - You may also contact us at:
Toasted Digital Limited,
3rd Floor, 86-90 Paul Street
London EC2A 4NE
The data we collect
We may collect the following data.
- Your name
- Business name
- Email address
- Business address
- Website address
- Social media links
- Data specific to projects, including project descriptions, briefs, meeting times and locations, feedback, estimates, invoices and receipts.
What we do with the data
We only use this data in the legitimate interest of the day to day running of our business. This includes:
- Contacting you regarding queries about existing and past projects.
- Generating bookkeeping documents such as estimates, quotes and invoices concerning your projects.
- Operational processes that are required to complete your project. For example, sharing an email internally so that a developer can contact you regarding a technical question.
We use third-party processors to process some data on our behalf. We only use processors with clear GDPR commitments, and only in the legitimate interest of running our business and delivering your projects.
We may use:
- G Suite to receive and respond to your queries, for organising events and for storing project-related files: https://cloud.google.com/security/gdpr/
- FreeAgent to generate estimates and quotes for you: https://www.freeagent.com/company/gdpr/
- Dropbox to store project-related files and share them internally: https://www.dropbox.com/en_GB/security/GDPR
- GoCardless to process direct debits: https://gocardless.com/blog/gdpr/
- Basecamp for project management: https://basecamp.com/about/policies/privacy/gdpr
- Highrise CRM to track current and potential project leads: https://highrisehq.com/privacy/
- Pipedrive CRM to track current and potential project leads: https://support.pipedrive.com/hc/en-us/articles/360000335129-Pipedrive-and-GDPR
A note on GoCardless
Internal Data Processing
We process some data internally in the legitimate interest of running our business and delivering your projects.
We may use
- Our custom CRM to manage your website hosting. This is a basic system which monitors your website's version number and allows us to upgrade it for you when a new CMS version is available. We store your name and email address here so that we can contact you in relation to upgrades.
Processing Data on Your Behalf
We may occasionally need to process personal data collected by you in order to fulfil our obligations to you. Under these circumstances:
- Data will not be collected or processed for any reason other than those necessary for us to fulfil our duties to you.
- If any data must be transferred between you and us, it will be encrypted.
- We will not retain any personal data collected by you for any longer than is required to fulfil our duties to you. Deletion is subject to our data deletion policy (see below).
Real world example: As an agency, we may need to write custom code to export data from a database in which you have collected personal data, for you to process. Data we export may be visible to the developer working on the project, but is limited to only those who need to see it to perform their task. We will transfer this data to you encrypted, and delete the export data in line with our deletion policy.
Toasted Digital takes security seriously. We:
- Have a secure-by-design password manager. Passwords are shared internally on a need-to-know basis only. Passwords are encrypted using AES256 bit encryption with PBKDF2 SHA256, 4096 iterations.
- Have an internal password policy for limiting the spread of password data.
- Require that all of our devices have as much security as possible. This includes disk encryption where compatible, password protection and 2-factor auth where available.
- Have 2-factor auth set up on any third-party services where possible.
- Have SSL on our website.
- Have offices in a secure managed building.
- Have reviewed the security of our third-party services. Please see the above GDPR commitment links under "Data Processors."
Toasted Digital is Cyber Essentials Certified.
At this time, we don't use your data for anything other than delivering your projects (including communicating with you about them) and administering our business in accordance with local (English) law. We may also get in touch with you via your business email address or phone number to enquire about future projects. If we require your consent in future (for example as part of a mass mailing list) we would seek this from you.
Request of data or deletion
You can request a copy of, or request deletion of the data we hold on you at any time. Please see:
Please see our data breach policy for what happens in the event of a data breach.
Toasted Digital is still in the process of reviewing its legacy data in relation to our data retention schedule. We hope to have this process completed by the end of 2019.
If your website is hosted with Toasted Digital, you and we both have responsibilities regarding GDPR and any personal data that you choose to upload to our servers.
Hosting clients are responsible for the security of their code and processing of any personal data uploaded to their server space.
By default, we do not access client hosted data unless we are asked to undertake specific tasks by a client. Clients maintain the position of primary administrator for their websites and data. Toasted Digital only provides hosting space for clients, and ultimately clients control what data processing will occur in this space.
As a hosting client, you are required to obtain and handle all personal data in accordance with GDPR. If you do not, we will suspend your account until you can resolve this.
If Toasted Digital becomes aware of any issue that arises from code uploaded to your server space by you or on your behalf that could threaten the security of your server space or our extended servers as a whole, we will suspend your account until you can resolve it.
We will also suspend any accounts found to be:
- Hosting content which breaks English law.
- Hosting any pornographic content.
- Hosting any gambling content.
- Hosting mass mail-out software.
We'll always reach out to you to see if we can help and assist in any way in making sure you adhere to our terms of service.
What we do
We may store login credentials for your hosting space and content management systems so that we can perform ad hoc and agreed regular maintenance tasks for you. These are encrypted in our password manager using AES256 bit encryption with PBKDF2 SHA256, 4096 iterations. They are shared internally on a need to know basis only and subject to our password policy.
We take security on our servers very seriously, so we and our third-party suppliers take regular action to maintain the security of our servers. Please find their GDPR commitments below:
- For MODx clients, please see our server supplier SkyToaster: https://my.skytoaster.com/index.php?rp=/knowledgebase/99999223/General-Data-Protection-Regulation-GDPR.html
- For WordPress clients, please see our server supplier Flywheel: https://getflywheel.com/wordpress-support/how-flywheel-is-preparing-for-gdpr/
If you are a maintenance client, we may also perform other security tasks, such as:
- Updating your content management system
- Updating your site plugins
- Malware removal
Additional key information
- Hosting clients can request a backup of their server from Toasted Digital at any time. We will endeavour to deliver this within 7 working days or as soon as is possible.
- Toasted Digital does not offer email hosting.
- All of our server data centres are located in the UK.
- Data Retention Schedule
- Data Deletion Policy
- Data Subject Access Requests
- Data Destruction Policy
- Data Breach Policy