Terms and Conditions These terms and conditions, together with any documents referred to herein (the "Terms") between DueDil Limited (registered number: 06999618) a company whose registered office is at 10 Queen Street Place, London EC4R 1AG ("DueDil") and the customer identified on a relevant order form (the "Customer") submitted by the Customer and accepted by DueDil (the "Order Form") are effective from the date indicated on the Order Form. Overview DueDil has developed services, including data and software services (the “Services”) which include, without limitation: (a) the DueDil Website at: https://www.duedil.com, user interface and documentation as well as any programming fixes, modifications, enhancements, improvements, updates, additions, derivative works and related material (the “DueDil Website”); (b) the DueDil Application Programming Interface, user interface and documentation as well as any programming fixes, modifications, enhancements, improvements, updates, additions, derivative works and related material (“API”); (c) data, that includes without limitation data provided by third parties (each, a “DueDil Data Supplier”), which is made available via the DueDil Website or API (as appropriate) (the “Data”); (d) where specified in the relevant Order Form, the ability for a Customer to download PDF or CSV images available from the DueDil Website (the “Documents”); and (e) DueDil Enrich, an application built within Microsoft Dynamics 365 as well as any programming fixes, modifications, enhancements, improvements, updates, additions, derivative works and related material. DueDil’s privacy and cookies policies, which are updated from time to time, and copies of which can be found at https://www.duedil.com/privacy and https://www.duedil.com/cookie-policy (the “Privacy and Cookies Policies”), set out the terms on which DueDil uses cookies and processes any personal data it collects from the Customer or that the Customer provides to DueDil.
These Terms together with the Privacy and Cookies Policies and the Order Form are the "Agreement", and any conflict between them shall be resolved in favour of the relevant Order Form provided the intention and meaning of the relevant provision of such Order Form is clear. By signing the Order Form you acknowledge and agree to be bound by the Agreement. Licence and Intellectual Property Rights DueDil hereby grants to the Customer, for the duration of any period as set out in the relevant Order Form (the “Contract Term”), a personal, non-exclusive, non-sublicensable and non-transferable right to access and use the Services for internal business use only, subject to the terms of this Agreement. All rights not expressly granted to the Customer under this Agreement are reserved by DueDil (and/or its licensors). The Customer agrees that all personnel who will use the Services will be its employees, temporary employees or individual contractors whose access must be for the sole benefit of the Customer and in compliance with this Agreement. The Customer is responsible for such representatives' compliance with this Agreement. The number of personnel whom the Customer may permit to use the Services is set out in the relevant Order Form. The Customer undertakes to DueDil that it will: (i) not attempt to circumvent any of the security features of the Services; (ii) ensure that there is no multiple use of logins i.e. each user code/user name must be assigned to a single individual and used by that individual only to access the Services; and (iii) not enable or allow others to access the Services using any user codes or user names provided to it. The Customer shall notify DueDil immediately of any unauthorized use of any passwords, user codes or user names or any other known or suspected breach of security. The Customer shall be responsible for installing any software and/or hardware required to use the Services. 
The Customer agrees that the Services (and all related trademarks and service marks (whether registered or unregistered)) are the sole property of DueDil and the Data is the sole property of DueDil or, where appropriate, its licensor and that it will not (without express written consent from DueDil): (i) create derivative works based on the Services except to the extent such derivative works are an essential technical function of the Customer's use of the Services; (ii) reproduce the Services, sell or assign, license or disclose or otherwise transfer or make available the Services in any form to any third party; (iii) remove or alter any proprietary notices or marks on the Services; or (iv) copy, modify, reuse, disassemble, decompile, reverse compile, reverse engineer, frame, mirror or otherwise translate the Services or any portion thereof except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. The Customer shall not under any circumstances: (i) use information from the Services to build a database for use as a substitute for the Services; (ii) use information from the Services to build a database for resale or for access by a third party in competition with DueDil and/or the Services; (iii) authorise or, by failure to exercise commercially reasonable efforts to protect information from the Services in its possession, permit such information to be made available in any way to a third party for resale in competition with DueDil; or (iv) provide access to or information from the Services to a third party for resale in competition with DueDil or to a third party that plans to resell to a further third party access to the Services or information obtained from the Services. DueDil (or its relevant licensors) shall own all right, title and interest, including but not limited to all intellectual property rights, in and to the Services. 
The Agreement is not a sale agreement and does not convey to the Customer any rights of ownership in or related to the Services. DueDil reserves the right to, at any time without prior notice, make modifications to the design, operational methods, specifications, systems, and other functions of the Services. The Customer shall have sole responsibility for and hereby warrants to DueDil the accuracy, quality, integrity, legality, non-infringement of any third party intellectual property rights, reliability and appropriateness of all data which is uploaded to or entered into the Services by the Customer or on its behalf (the "User Content") and DueDil shall have no liability whatsoever for such User Content. For the avoidance of doubt, the Customer shall be responsible for obtaining and maintaining all licences required for the use of the User Content within the Services, including payment of all associated licence fees and other costs and the Customer shall ensure that such User Content complies with generally accepted content standards. Save as specified in the Agreement, all intellectual property rights in the User Content will remain vested in the Customer (or its relevant licensors). The Customer hereby grants to DueDil a perpetual, royalty free, non-exclusive, non-transferable licence to use, store, modify and copy the User Content in order to perform the Agreement. The Customer hereby warrants to DueDil that it has the full requisite power and authority to grant DueDil such usage rights in the User Content and that there are no additional consents or approvals required for granting such usage rights. Document Downloads The Order Form specifies the Customer’s allocated quota of downloads or calls to the API (the “Customer Quota”). Each download or call within the Customer Quota shall be deemed non-exchangeable and non-refundable. Upon the expiration of the Contract Term, any unused Customer Quota will lapse. 
Warranties Each of DueDil and the Customer warrants to the other that: (i) it possesses the legal right and ability to enter into the Agreement; and (ii) neither the performance of its obligations under this Agreement nor the use of the Services will violate any applicable laws, rules or regulations in the United Kingdom and, in the case of the Customer only, any jurisdiction other than the United Kingdom where it accesses the Services, or cause a breach of any agreements it has with any third parties. The Customer warrants and undertakes to DueDil that: (i) it is entering into this Agreement for business purposes only, i.e. it is not contracting as a ‘consumer’; (ii) it will at all times supply truthful and accurate information to DueDil and will not misrepresent itself to the public through its use of the Services; (iii) it will not unreasonably interfere with other DueDil customers' use of DueDil services (for example, but without limitation, through the Customer’s unreasonable and excessive use of the Services); and (iv) it shall use the Services only for lawful purposes and in accordance with the Agreement. In the event of any breach of any of the foregoing warranties and undertakings of the Customer, in addition to any other remedies available at law or in equity, DueDil has the right, immediately on prior written notice, to suspend or terminate this Agreement and/or the Customer’s use of the Services.
The Customer shall not: (i) attempt to circumvent any security measures or technical limitations of the Services; (ii) mis-use the Services in a way which harms the interests of DueDil, the DueDil Website, any of DueDil's affiliates, the Services or other customers of DueDil (including, without limitation, by introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful or by attacking the DueDil Website via a denial-of-service attack or a distributed denial-of-service attack); (iii) forge headers or otherwise manipulate identifiers (including without limitation URLs) in order to disguise the origin of any Data transmitted through the DueDil Website; (iv) create an application that may be used to violate the Agreement or other site policy; and/or (v) adversely affect DueDil or DueDil's name, reputation, image or goodwill in connection with the Customer's use of the Services. Maintenance and Support DueDil shall use reasonable efforts to ensure that maintenance of the Services, which may require interruption of the Customer’s access to the Services or any material part of it ("Maintenance Events"), shall not be performed during “Normal Business Hours” (9.00 am to 6.00 pm local UK time, Monday to Friday, excluding public holidays) provided that DueDil may interrupt access to the Services at any time to perform essential emergency maintenance. DueDil will endeavour to give at least two weeks’ notice of scheduled maintenance, to be carried out outside of Normal Business Hours. Maintenance includes all regularly scheduled error corrections, software updates and those upgrades limited to improvements to features described in the Order Form. DueDil shall maintain and update the Services. Should the Customer determine that the Services include a defect, the Customer may at any time file error reports by contacting the helpdesk at: success@duedil.com.
During maintenance periods, DueDil may, at its discretion, upgrade versions, install error corrections and apply patches to the Services or any part of it. DueDil shall use all reasonable endeavours to avoid unscheduled downtime for maintenance. The Customer shall have sole responsibility for providing support in connection with equipment, data integration tools and processes operated, developed or maintained by the Customer, including without limitation those used to: access the Services via the internet; and connect the Services to the Customer’s other software and databases. The Customer acknowledges that the Services may include software, data and information provided to DueDil by third parties, and therefore the correction of errors and resolution of defects and other problems may require third party action and not be entirely within DueDil’s control. Nature of Services and Warranty Disclaimer The content accessed through use of the Services is provided for general information only and is not intended to be used as the sole basis for any business decision. It is not intended to amount to advice (of any nature) on which the Customer should rely. The Customer must obtain professional or speciality advice before taking or refraining from any action made based on the result of content accessed through use of the Services. To the maximum extent permitted by law, DueDil expressly disclaims all warranties and representations with respect to the Services not expressly set forth in the Agreement, whether express, implied, statutory or otherwise, including without limitation, any implied warranty of fitness for a particular purpose, accuracy or completeness of responses or results from use of the Services, that the Services will meet specific requirements, will be available or uninterrupted, secure or free of software errors. 
The Customer acknowledges and agrees that the Services are provided on an "as is" basis and, to the maximum extent permitted by law, without any warranty of any kind and that the entire risk as to the quality and performance of the Services shall be borne by the Customer. DueDil does not and cannot control the flow of information to or from DueDil's network and other portions of the internet. Such flow depends in large part on the performance of internet services provided or controlled by third parties. At times actions or omissions of such third parties can impair or disrupt the Customer’s connection to the internet (or portions thereof). DueDil cannot guarantee such events will not occur. Accordingly, to the maximum extent permitted by law, DueDil disclaims any and all liability resulting from or related to such events. DueDil will not be liable for any loss or damage caused by a virus, distributed denial-of-service attack, or other technologically harmful material that may infect the Customer’s computer equipment, computer programs, data or other proprietary material due to the Customer’s use of the Services or to the Customer’s downloading of any content on the DueDil Website or Services, or on any website linked to the DueDil Website or Services, except where (and to the extent that) the matter causing the loss or damage is due to DueDil’s gross negligence or wilful default. 
For the purposes of this Clause 6.4 “gross negligence” means any act or failure to act committed by DueDil which, in addition to constituting negligence, is such a wanton and/or reckless conduct or omission that it constitutes utter disregard for harmful, foreseeable and avoidable consequences but shall not include an error of judgement or mistake made in good faith, and “wilful misconduct” means a deliberate act or omission of DueDil that deviates from a reasonable course of action or from any provision of the agreement that is done or omitted to be done with knowledge of or conscious indifference or intent to the harmful, avoidable and reasonably foreseeable consequences. DueDil makes reasonable commercial efforts to ensure content accessible through the Services is up to date and accurate. However, because DueDil obtains content from a number of different sources (including information provided by the Customer) DueDil does not endorse, support, represent, warrant or guarantee the completeness, truthfulness, accuracy, or reliability of any content accessed or accessible using the Services. If the Customer does become aware of any inaccurate or incorrect content accessed or accessible using the Services (in particular pertaining to the Customer) the Customer should inform DueDil by email to success@duedil.com and DueDil will use its reasonable endeavours to investigate such concern and, where appropriate and possible, correct inaccurate data. Content relating to credit scores, in particular, is provided and generated by a third party source. Should the Customer have any concerns about inaccurate or incorrect content in this regard the Customer should contact DueDil at success@duedil.com and DueDil will use its reasonable endeavours to pass such concern onto the appropriate third party provider. The Customer understands that by using the Services, it may be exposed to content that might be inaccurate or deceptive. 
Under no circumstances (save as required by law) will DueDil be liable in any way for any content accessed, or any loss or damage of any kind incurred as a result of the accessing by the Customer of the Services. DueDil assumes no responsibility for the content of websites linked on the Services. Such links should not be interpreted as endorsement by DueDil of those linked websites, and DueDil will not be liable for any loss or damage that may arise from the Customer’s use of them. DueDil Data Suppliers include without limitation, Creditsafe Business Solutions Ltd, C6 Intelligence Information Systems Limited, OpenCorporates, British Telecommunications plc and the Financial Conduct Authority. Payments and Invoicing The Customer shall pay for use of the Services in accordance with the fees, charges and billing terms set out in the Order Form (the “Fees”). Fees quoted are exclusive of, and the Customer shall pay, VAT applied to the Fees, at the appropriate rate. Payment shall be made in full within thirty (30) days of the date of an invoice and to the account designated by DueDil. If payment is not made within that time, DueDil may charge interest at the rate of one point five (1.5) per cent per month, and will consider suspending and may suspend access to the Services until payment is received. Confidentiality Neither DueDil nor the Customer shall, even after the expiration of the Agreement use or disclose to any third parties any Confidential Information which such party has received from the other.
“Confidential Information” shall mean any information, technical, commercial or of any other kind, whether written, oral or in electronic form, except such information which is publicly known or which has come to the public knowledge in any other way than through breach of this secrecy undertaking, or has been: (i) independently developed without access to such party's Confidential Information; (ii) rightfully received from a third party; or (iii) required to be disclosed by law or by a governmental authority. DueDil shall be entitled to refer to the Customer’s use of the Services in press releases, other public announcements, advertising and other communications aimed at third parties (including email and webpages). If you choose, or you are provided with, a user identification code, password or any other piece of information as part of our security procedures, you must treat such information as confidential. You must not disclose it to any third party. Third Party Claims In the event that the Customer is notified by a third party that such party claims rights in the Services or that use of the Services infringes the rights of such third party, the Customer agrees to: (i) notify DueDil as soon as reasonably possible; and (ii) at DueDil’s request, immediately cease to use any element of the Services that allegedly infringes third party rights. 
Liability In no event shall: either party’s aggregate liability under this Agreement exceed an amount equal to twelve months’ Fees, save that the foregoing limitation shall not apply to any liability of the Customer arising under this Agreement in connection with: (i) any obligations to pay money; and (ii) the access and/or use of the Services, Data or Documents otherwise than as expressly permitted by this Agreement; or DueDil be liable under the Agreement for any indirect, special, incidental or consequential damage, or any damages for loss of profits or revenue by the Customer, any business interruption, any loss of anticipated savings, any loss of goodwill, opportunity or reputation, whether based in contract, tort (including negligence), breach of statutory duty or otherwise, even if foreseeable. Without limitation of any other provision of the Agreement, no DueDil Data Supplier shall be liable to the Customer for any losses, damages, liabilities, claims, costs, actions and/or expenses suffered or incurred by the Customer as a result of the use of Data by or provision of Data to the Customer. Nothing in the Agreement shall be construed as excluding or limiting any person’s liability for: (i) death or personal injury caused by negligence; (ii) fraud; or (iii) any other liability which cannot be excluded or limited under applicable law.
Termination Either party shall be entitled to terminate the Agreement with immediate effect by serving written notice on the other party in the following circumstances: (i) if the other party commits a material breach of any of its obligations under the Agreement which is not capable of remedy; (ii) if the other party commits a material breach of any of its obligations under the Agreement which is not remedied within twenty-eight (28) days after receipt of a notice from the party not in breach specifying the breach, requiring its remedy and making clear that failure to remedy may result in termination; (iii) if the other party has passed a resolution for its winding up (save for a voluntary winding-up for the purpose of a voluntary reconstruction or amalgamation), is subject to a petition presented to any court for its winding-up (save for a voluntary winding-up for the purpose of a voluntary reconstruction or amalgamation), is the subject of an application for administration filed at any court or a notice of appointment of an administrator filed at any court or a notice of intention to appoint an administrator given by any person, or is the subject of a notice to strike off the register at Companies House, or is dissolved or declared bankrupt, or has a receiver, administrator or administrative receiver appointed over all or part of its assets, or enters into an arrangement with its creditors, or is unable to pay its debts within the meaning of section 123 Insolvency Act 1986, or ceases to trade or takes or suffers any similar action; and/or (iv) (in the case of termination by DueDil only) if DueDil lose the right to distribute any Data or third party software as contemplated by the Agreement. 
Termination of the Agreement (or of any element of it) shall not affect any rights, obligations or liabilities of either party which have accrued before termination (including, without limitation, payment obligations) or which are expressly stated to continue to have effect beyond termination. Upon termination of the Agreement, the Customer’s access to the Services and/or the Portal will cease. General The Agreement represents the entire agreement between DueDil and the Customer relating to the subject matter hereof and supersedes all prior agreements, covenants, arrangements, communications, representations or warranties, whether oral or written, by any officer, agent, employee or representative of either of the parties as well as applicable non-mandatory local laws and international regulations. DueDil reserves the right to modify the terms and conditions of the Agreement at any time to the extent that such changes are required as a result of change to applicable laws or regulations. DueDil shall use all reasonable efforts to provide the Customer with reasonable prior written notice of any such modifications. In the event of any such modification of this Agreement by DueDil, the Customer shall have the right, within 10 days after the date of receipt of written notice of the changes or the effective date of the modifications (whichever is later), to terminate this Agreement upon written notice to DueDil. Continued use of the Services after any such notice period shall constitute acceptance by the Customer of these changes. Except for any payments due hereunder, neither party shall be responsible or liable for any failure to perform its obligations due to causes beyond its reasonable control, including but not limited to acts of God, war, riots, terrorist acts, embargoes, acts of civil or military authorities, fires, floods, earthquakes, accidents, labour conflicts, failure of any communications services for the duration of any such circumstances or cause. 
Neither party may assign, charge, transfer or deal in any other manner with the Agreement in whole or in part without the prior written consent of the other party save that DueDil shall be entitled to sub-contract any or all of its obligations under the Agreement to a sub-contractor but by doing so it shall be responsible for the acts and omissions of the sub-contractor to the same extent as if it had carried out the obligations itself pursuant to the Agreement. If any provision of the Agreement is held by any competent authority to be invalid or unenforceable in whole or in part then such provision shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision and the validity of the other provisions of the Agreement shall not be affected thereby. Nothing in the Agreement shall create or confer any rights or other benefits whether pursuant to the Contracts (Rights of Third Parties) Act 1999 or otherwise in favour of any person other than the parties to the Agreement save that a DueDil Data Supplier may enforce a term of this Agreement where it is an intended beneficiary. Nothing in the Agreement shall be construed as creating a partnership or joint venture of any kind between the parties or as constituting either party as the agent of the other party for any purpose whatsoever and neither party shall have the authority or power to bind the other party or to contract in the name of or create a liability against the other party in any way or for any purpose. If either party fails to exercise a right or remedy that it has or which arises in relation to the Agreement, such failure shall not prevent that party from exercising that right or remedy subsequently in respect of that or any other incident. A waiver of any breach or provision of the Agreement shall only be effective if it is made in writing and signed on behalf of the party who is waiving the breach or provision.
Any waiver of a breach of any term of the Agreement shall not be deemed a waiver of any subsequent breach and shall not affect the enforceability of any other term of the Agreement. It is a condition of the Agreement that neither of the parties shall be bound by, or liable to the other party for, any representation, promise or inducement (other than fraudulent misrepresentations) made by it or by any agent or person on its behalf which is not expressly contained in the Agreement. The Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with the Agreement or its subject matter or formation (including non-contractual disputes or claims). In the Agreement: (i) any reference to a statutory provision includes a reference to any modification or re-enactment of it from time to time; (ii) the singular includes the plural and vice versa; (iii) the headings are for ease of reference only and shall not affect the construction or interpretation of the Agreement; and (iv) wherever the words "including", "include", "includes" or "included" are used they shall be deemed to be followed by the words "without limitation" unless the context otherwise requires. Introduction to the Privacy Policy DueDil respects your privacy and is committed to protecting your personal data. This Privacy Policy will inform you as to how we look after your personal data in our product, when you visit our website (regardless of where you visit it from) or use our services and tell you about your privacy rights and how the law protects you. 
DueDil is committed to the protection of personal data and the fundamental rights of data subjects, in compliance with relevant laws such as the General Data Protection Regulation (GDPR) and any data protection, electronic communications or e-privacy laws, rules or guidance that are in force in the UK from time to time, including the Data Protection Act 1998 or 2018 or any successor legislation. In order to support a robust approach to personal data protection and information security in general, DueDil has adopted recommendations by supervisory authorities and industry best practices, including the following international standards where applicable: ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls ISO/IEC 29134:2017 Information technology -- Security techniques -- Guidelines for privacy impact assessment ISO/IEC 29151:2017 Information technology -- Security techniques -- Code of practice for personally identifiable information protection Purpose of this Privacy Policy This Privacy Policy aims to give you information on how DueDil collects and processes your personal data through our product and your use of this website or our services, including any data you may provide through this website when you sign up to our services, visit our web pages or contact us. This website and our services are not intended for children and we do not knowingly collect data relating to children. It is important that you read this Privacy Policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements any other notices or policies and is not intended to override them. 
Definitions In this document, we adopt the same definitions as the GDPR, in particular: Personal data ‘means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Processing ‘means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. Controller ‘means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’. Data Subject ‘means a natural person whose personal data is processed by a controller or processor’. Processor ‘means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing’.
Personal data breach ‘means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. Definitions from ISO/IEC 29134:2017 also apply, in particular: Data protection impact assessment (DPIA), also known as privacy impact assessment, means an ‘overall process of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information, framed within an organization’s broader risk management framework’. Roles and responsibilities When DueDil is responsible for your personal data and makes all the decisions about how your data is processed, we are acting as the controller. DueDil is also responsible for this website. However, when we are processing your personal data on behalf of a third party in accordance with their strict instructions, we are acting as a data processor. In this Privacy Policy, references to DueDil, "we", "us" or "our" mean DueDil Limited. References to “you”, “your”, “yours” mean you, the data subject. We have appointed a Data Protection Officer (“DPO”) and a Data Protection Manager who are responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO or data protection manager using the details set out below. Contact details Full name of legal entity: DueDil Limited Email address: privacy@duedil.com Registered office: 10 Queen Street Place, London, United Kingdom, EC4R 1AG Your duty to inform us of changes It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. 
The data we collect about you Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you. The type of data we collect about you depends on your relationship with us. For example, if you are a company officer or shareholder with details in our product, if you are a visitor to our website or a subscriber to our services. In all cases, we have grouped together the different kinds of data we may or are likely to collect from you: Transaction Data which may include details about payments to and from you and other details of products and services you have purchased from us. Technical Data which may include internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website and our product. Profile Data which may include your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. Usage Data which may include information about how you use our website, products and services. Marketing and Communications Data which may include your preferences in receiving marketing from us and our third parties and your communication preferences. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. 
However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy. From time to time, we may collect some Special Categories of Personal Data about you (for example, if you are an executive contained in our product, or if you are one of our employees) (which may include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), as well as information about criminal convictions and offences. Should a case arise for lawful processing of Special Categories of Personal Data as set out above, we ensure that all of the appropriate safeguards are in place, including the completion of a Data Protection Impact Assessment (DPIA), the introduction of any additional organisational or technical measures to reduce the associated privacy risk to an acceptable level as well as an appropriate lawful basis for processing. In respect of DPIAs, DueDil has adopted detailed procedures for conducting a DPIA and its reporting structure, in line with ISO/IEC 29134:2017. If you are unable to provide personal data Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time. How is your personal data collected? How your personal data is collected will depend on your relationship with us, for example, if you are a company executive with details in our product, if you are a visitor to our website or a subscriber to our services. 
We use different methods to collect data from and about you including through: Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: apply for our products or services; create an account on our website; subscribe to our service or publications; request marketing to be sent to you; enter a competition, promotion or survey; or give us some feedback. Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details. Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, especially concerning company executives or other individuals contained in our product, but also from subscribers and visitors to our site, as set out below: Technical Data from the following parties: (a) analytics providers such as Google; (b) advertising networks; and (c) search information and other data providers. We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. 
This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. Contact, Financial and Transaction Data from providers of technical, payment and delivery services. Identity, Contact, Special Category Data or Criminal Data from data brokers or aggregators. Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside and the EU. Where we obtain personal data from third party suppliers, we always ensure that these suppliers are bound to respect data protection laws and your privacy rights pursuant to their contract with us. How we use your personal data We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: Where we need to perform the contract we are about to enter into or have entered into with you or with other third parties. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Where we need to comply with a legal or regulatory obligation. Generally, we do not rely on consent as a legal basis for processing your personal data including in relation to sending direct marketing communications to you via email. You have the right to opt out of marketing or ask any questions about how we process your personal data by contacting us at any time. Purposes for which we will use your personal data We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. 
We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or Privacy Policy (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a prize draw, competition or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To ensure that we are able to provide a product to our customers which allows them to comply with their legal and professional obligations and to make informed investment or credit decisions. | (a) Identity (b) Contact (c) Financial (d) Special Category Data and/or Criminal Data | Necessary for our legitimate interests and those of our customers and in the public interest (to provide a service to our users to enable them to comply with legal obligations and make informed decisions about their investment or credit decisions). Individual privacy rights are never outweighed by our legitimate interests, since the processing of such data allows for a stable lending, investment and credit system in the UK and assists for the purposes of the prevention or detection of an unlawful act which is in the public interest (for example, protecting the public against dishonesty). |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business) |

Marketing We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. 
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or purchased services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing. Opting out You can ask us to stop sending you marketing messages at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, product/service experience or other transactions. Cookies You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy. Change of purpose We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. Disclosures of your personal data We may have to share your personal data with the parties set out below for the purposes set out in the table above. External Third Parties including: (a) Service providers acting as processors who provide IT and system administration services (b) Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services (c) HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers and who may require reporting of processing activities in certain circumstances (d) Our customers or clients (for product personal data) and for all personal data, other third parties from time to time which may include market researchers or fraud prevention agencies. Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. A list of our third-party processors is available on request. Personal data breaches DueDil has established a personal data breach response procedure, adopting recommendations from ISO/IEC 29134:2017 and addressing privacy law requirements related to notification of personal data breaches. 
International transfers of personal data From time to time, we may share your personal data which involves transferring it to third parties who may be established outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries. Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. Data retention We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for 6 years after they cease being customers for tax and legal purposes. In some circumstances you can ask us to delete your data: see Request erasure below for further information. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. Data security We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Your rights DueDil shall keep records of personal data processing activities and develop appropriate procedures to ensure it can satisfy your rights as a data subject where applicable, namely: Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Request erasure of your personal data. The right to erasure enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. 
You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. If you wish to exercise any of the rights set out above, please contact us. What we might need from you We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. Time limit to respond We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. If you are not satisfied You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). Our number is Z2796684. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.