Client Privacy Policy and Terms of Service
Updated 22nd July 2022
As a client of Toasted Digital, you share certain datasets with us in order for us to be able to deliver the services you have asked us to provide you with. We are committed to safeguarding the privacy of this data. The following privacy policy sets out in as simple terms as possible:
- - The client data that we hold and process.
- - What we do with this data.
- - Security and our extended policies concerning your data.
- - Your rights concerning your data.
In preparation for GDPR, we have performed a full audit of our data sets and reviewed all of our data policies.
If you have any questions about your personal data, privacy or security, please contact [email protected] - You may also contact us at:
Toasted Digital Limited,
3rd Floor, 86-90 Paul Street
London EC2A 4NE
Clients
The data we collect
We may collect the following data.
- - Your name
- - Business name
- - Email address
- - Business address
- - Website Address
- - Social Media Links
- - Data specific to projects including project descriptions, briefs, meeting times and locations, feedback, estimates, invoices and receipts.
What we do with the data
We only use this data in the legitimate interest of the day to day running of our business. This includes:
- - Contacting you with regards queries to do with existing and past projects.
- - Generating bookkeeping documents such as estimates/quotes/invoices concerning your projects.
- - Operational processes that are required to complete your project. For example, sharing an email internally so that a developer can contact you with regards a technical question.
Data Processors
We use third-party processors to process some data on our behalf. We only use processors with clear GDPR commitments, and only in the legitimate interest of running our business and delivering your projects.
We may use:
- - G Suite to receive and respond to your queries, for organising events and for storing project related files: https://cloud.google.com/security/gdpr/
- - FreeAgent to generate estimates and quotes for you: https://www.freeagent.com/company/gdpr/
- - Dropbox to store project-related files and share internally: https://www.dropbox.com/en_GB/security/GDPR
- - GoCardless to process direct debits: https://gocardless.com/blog/gdpr/
- - Basecamp to project manage: https://basecamp.com/about/policies/privacy/gdpr
A note on GoCardless
We do not have access to bank account or sort code information that you share with GoCardless. We can access and edit your name, address and email address only. We can view but not edit your bank name. When you create a direct debit mandate with GoCardless, you must read and understand their Privacy Policy.
Internal Data Proccessing
We process some data internally in the legitimate interest of running our business and delivering your projects.
We may use
- - Our custom CRM to manage your website hosting. This is a basic system which monitors your website's version number and the version numbers for plugins/add-ons. This allows us to upgrade it for you when a new CMS or plugin/add-on version is available. We store your name and email address here so that we can contact you in relation to upgrades.
Third Parties
We will on occasion work with third party contractors and agencies in the legitimate interest of running our business and delivering your projects. All third parties are required to comply with our privacy policy.
Processing Data on behalf of you
We may occasionally need to process personal data collected by you, in order to fullfil our obligations to you. Under these circumstances:
- - Data will not be collected or processed for any other reason other than those necessary for us to fulfil our duties to you.
- - If any data must be transferred between you and us, it will be encrypted.
- - We will not retain any personal data collected by you for any longer than is required to fulfil our duties to you. Deletion is subject to our data deletion policy (see below)
- - Any data we process which is collected by you will be handled in line with your own GDPR and Privacy Policy
Real world example: As an agency, we may need to write custom code to export data from a database which you have collected personal data in, for you to process. Data we export may be be visible to the developer working on the project, but is limited to only those who need to see it to perform their task. We will transfer this data to you encrypted, and delete the export data in line with our deletion policy.
Security
Toasted Digital takes security seriously. We:
- - Have a secure by design password manager. Passwords are shared internally on a need to know basis only. Passwords are encrypted using AES256 bit encryption with PBKDF2 SHA256, 4096 iterations.
- - Have an internal password policy for limiting the spread of password data.
- - Require all of our devices have as much security as possible. This includes computer encryption where compatible, password protection and 2-factor auth where available.
- - Have 2 Factor Auth set up on any third party services where possible.
- - Have SSL on our website.
- - Have offices in a secure managed building.
- - Have reviewed the security of our third-party services. Please see the above GDPR commitment links under "Data Processors."
Toasted Digital is Cyber Essentials Certified.
Consent
At this time, we don't use your data for anything other than delivering your projects (including communicating with you about them) and administering our business in accordance with local (English) law. We may also get in touch with you via your business email address or phone number to enquire about future projects. If we require your consent in future (for example as part of a mass mailing list) we would seek this from you.
We do not share your data with any third parties other than specified in this privacy policy. We do not sell your data to anyone.
Request of data or deletion
You can request a copy of, or request deletion of the data we hold on you at any time. Please see:
Data breaches
Please see our data breach policy for what happens in the event of a data breach.
What does all of this actually mean for you?
In short:
- - We do everything we can to keep your data secure and safe.
- - We only use your data to deliver your projects and administer our business in accordance with local law.
- - You have to right to get in touch with us and request a copy of all the data we store for you.
- - You also have the right to request that data is deleted.
Legacy Data
Toasted Digital has reviewed its legacy data in relation to our data retention schedule. We have applied and continue to apply the same rules to legacy data.
Hosting Clients
If your website is hosted with Toasted Digital, you and we both have responsibilities with regards GDPR and any personal data that you choose to upload to our servers.
Hosting clients are responsible for the security of their code and processing of any personal data uploaded to their server space.
By default, we do not access client hosted data unless we are asked to undertake specific tasks by a client. Clients maintain the position of primary administrator for their websites and data. Toasted Digital only provides hosting space for clients, and ultimately clients control what data processing will occur in this space.
As a hosting client, you are required to obtain and handle all personal data in accordance with GDPR. If you do not, we will suspend your account until you can resolve this.
If Toasted Digital becomes aware of any issue that arises from code uploaded to your server space by you or on your behalf that could threaten the security of your server space or our extended servers as a whole, we will suspend your account until you can resolve it.
We will also suspend any accounts found to be:
- - Hosting content which breaks English law.
- - Hosting any pornographic content
- - Hosting any gambling content
- - Hosting mass mail out software
We'll always reach out to you to see if we can help and assist in any way in making sure you adhere to our terms of service.
What we do
We may store login credentials for your hosting space and content management systems so that we can perform ad hoc and agreed regular maintenance tasks for you. These are encrypted in our password manager using AES256 bit encryption with PBKDF2 SHA256, 4096 iterations. They are shared internally on a need to know basis only and subject to our password policy.
We take security on our servers very seriously, so our third-party suppliers and we take regular actions to maintain the security of our servers. Please find their GDPR commitments:
- - For MODx clients please see our server supplier SkyToaster: https://my.skytoaster.com/index.php?rp=/knowledgebase/99999223/General-Data-Protection-Regulation-GDPR.html
- - For WordPress clients please see our server supplier FlyWheel: https://getflywheel.com/wordpress-support/how-flywheel-is-preparing-for-gdpr/
If you are a maintenance client, we may also perform other security tasks. Such as:
- - Updating your content management system
- - Updating your site plugins
- - Malware removal
Addtional key information
- - Toasted Digital does not store or process any additional personal data for our hosting clients than already outlined in this privacy policy.
- - Hosting clients can request at any time a backup of their server from Toasted Digital. We will endeavour to deliver this within 7 working days or as soon as is possible.
- - Toasted Digital does not offer email hosting.
- - All of our server data centres are located in the UK.
By continuing to use Toasted Digital services from the 22nd of July 2022, you understand and agree to this client privacy policy and terms of service.
Related Documents
- Data Retention Schedule
- Data Deletion Policy
- Data Subject Access Requests
- Data Destruction Policy
- Data Breach Policy