GDPR Privacy Notice

Last updated 11th February 2019

Protexia is a part of KDA Web Services Ltd.  This privacy policy will explain how our organization uses the personal data we collect from you when you use our website and services.

The main things you’ll probably want to know are:

  1. Do we sell your data?
  2. Do we share your data with 3rd parties for marketing?

The answer to both of those is no, we do not sell your data and we do not provide it to 3rd parties for marketing purposes either.  This applies to data you provide to us and data you may host with us.

In simple terms:

  • We only collect data that is necessary for the secure processing of orders received and for optionally keeping you informed about our products and services
  • We only share data with 3rd parties where it is necessary for the processing of an order
  • In a limited capacity we are a data processor for your data hosted with us

Topics:

  • What data do we collect?
  • How do we collect your data?
  • How will we use your data?
  • How do we store your data?
  • 3rd parties
  • Law enforcement
  • Employee access
  • Data processing agreement
  • Automated processing
  • Marketing
  • What are your data protection rights?
  • What are cookies?
  • How do we use cookies?
  • What types of cookies do we use?
  • How to manage your cookies
  • Privacy policies of other websites
  • Changes to our privacy policy
  • How to contact us
  • How to contact the appropriate authorities

What data do we collect?

When you place an order with us we collect certain information from you to allow us to fulfill your order, to contact with you with regards to the service(s) you have ordered and to comply with relevant law.  We collect:

  • Your name
  • Your business name
  • Your address
  • Your email address
  • Your telephone numbers

We keep this information on file for as long as you are a customer plus eight years, to allow us to comply with tax and accounting record keeping requirements (seven years) as well as retain a sensible level of backups of our system (12 months).  When you cease to be a customer some information we hold can be removed from our systems before eight years, although it may still appear in older records e.g. invoices as it is hard coded in to them when they are created.

If we ask for data where we require your consent to process it, you can freely grant and withdraw consent from within your control panel and also see what data we are holding in the system about you.

Depending on how you make payment to us we may collect certain information either from you directly or from the payment provider/method where you have given them the information whilst making payment:

  • Bank Transfer
    • Your bank account number and sort code
    • Your account name
  • Credit Card
    • Cardholder name
    • Cardholder address
    • Cardholder phone number
    • Unique generated identifier
  • Direct Debit
    • Your name
    • Your address
    • Bank name
    • Bank address
    • Account number and sort code
  • Cheque
    • Your name
    • Account number and sort code
    • Bank name
    • Bank address
  • PayPal
    • Your name
    • Your email address
    • Your address
    • Your phone number
    • Unique generated identifier

As part of our troubleshooting process, we may upon your request and action, connect to your computer so we can see your screen and/or control your system to configure your services.  At all times you will be able to disconnect us from your system should you wish. As part of our audit trail, we log which machines we have connected to and when, this will include your machine name and IP address, which is logged with the provider we use for the remote connection, Splashtop Inc.

How do we collect your data?

You directly provide us with most of the data we collect. We collect data and process data when you:

  • Register online or place an order for any of our products or services
  • Voluntarily complete a customer survey or contact us via email, social media or other methods
  • Use or view our website

We may also receive your data indirectly via our payment providers when you make a payment to us.

How will we use your data?

We collect your data so that we can:

  • Process your order and manage your account
  • Email you with information on other products and services we think will be of interest to you

When we process your order we may send your data to and use information from anti-fraud services.  During the processing of your order it may be necessary to send your data to a 3rd party that is the provider of the service ordered e.g. If you order a domain name, we will need to provide your information to the registry that runs that domain, such as Nominet for .uk domains.  A list of 3rd parties and the products/services they relate to can be found under the section “3rd parties”

How do we store your data?

Our primary method of storing your data is within our billing portal, which you may access and view the data which we hold on you.  Security updates are applied regularly.

Your data may also be in our email because you have contacted us via email or via our ticketing system, this could mean either Google G Suite or Microsoft Office 365 depending on the address emailed.

If we have produced quotes for you, provided written contracts or carried out other non-standard work for you then we may also have documents that contain your data stored in our online cloud storage via Google G Suite.

3rd parties

We do not provide your data to 3rd parties except where it is necessary to enable us to provide the service(s) you have ordered.

If you pay us by credit card or direct debit then you will be providing your details to a 3rd party payment processor:

  • Credit/debit card
    • Stripe Inc. USA
    • Worldpay & Global Payments
  • Direct Debit
    • GoCardless

Depending on what services you purchase from us, we may collect and share your information with other providers to be able to provide you with the service(s) ordered:

  • Domain Names
    • Nominet (.uk domains)
    • JISC (.gov.uk & .ac.uk domains)
    • eNom (other domains)
    • NetEarth One (other domains)
    • Domain Registrar Services Ltd. (other domains)
  • Backups
    • Acronis
  • Security Certificates
    • Rapid Web Services LLC
    • Let’s Encrypt
    • cPanel
  • Enterprise Email & Productivity
    • Microsoft (Office 365)
    • Google (G Suite)
  • Security Products
    • Sophos (AntiVirus, Device Management, Firewall)
  • Software
    • cPanel
    • CloudLinux
    • OnApp

If you contact us via email then your email will be processed by a 3rd party, depending on which address you contact us on this may by via Microsoft Office365 or Google G Suite.  We use these email services internally, so your details may be held by these services on our behalf. We also make use of cloud storage services with Google G Suite for managing documents and other information that is not security sensitive.

For accounting purposes we use Xero, which holds a copy of some of your data given to us, such as on invoices we send out, payments you make to us etc.  Our accountants, Martin Milner & Co. also have access to this information for the purpose of compiling our accounts and providing professional advice.

Ultimately our services are hosted in 3rd party facilities, for the most part we own all of our equipment but not the buildings they are housed in.  These facilities are operated by:

  • Ask4 Data Centres
    • Own equipment
    • No 3rd party physical access
    • No 3rd party login
  • IOMart
    • Own equipment
    • 3rd party physical access
    • No 3rd party login
  • Microsoft Azure
    • Microsoft equipment
    • 3rd party physical access
    • No 3rd party login
  • Google Cloud Platform
    • Google equipment
    • 3rd party physical access
    • No 3rd party login

The above providers act as data processors in so much as they house our equipment or run cloud instances for us, none of the providers have login details to our systems or make decisions on how your data is processed.  All facilities are ISO-27001 accredited.

A list of 3rd parties any what information we share with them/they process on our behalf can be found at the end of this document.

Law enforcement

We will if required by law, provide information to law enforcement and security services if properly requested.

Employee access

Our employees may access and process data about you from different systems, all of those systems have appropriate technical measures in place such as full device encryption, security software to prevent malware and viruses etc.  All employee access to data is carried out over secure encrypted connections.

Data processing agreement

Unless specifically discussed with us, we do not have knowledge of what you are using our services for, what data you are processing and how it is being processed, we act as a “mere-conduit”.

Whilst we provide the underlying platform that processing is carried out on, we take no active part in the collection or processing of any personal data or in making decisions about the lawfulness of the collection, this is your responsibility as data controller. Ultimately it is up to you to make sure that you have requested appropriate technical measures from us and that you have taken appropriate steps within your applications to secure your data.

If for troubleshooting purposes you provide us with the personal information of one of your customers it is your responsibility to make sure that you have the correct legal basis for doing so. We will treat the data the same as we treat your data, in confidence. We will proceed on the basis that you have the correct legal basis for sharing the information with us.

During any troubleshooting we may have to access other personal information you may be storing e.g. emails, email logs, databases etc. depending on the specific problem that we are looking at. We will always do our best to minimise the need to do so, but it may not always be possible.

We do not routinely access data that customers are storing, the only time this may happen is in response to reports we may receive e.g. a phishing/fraud site is being hosted and we need to look at the account and disable the site, or a site is spreading malware etc. If we do access your account in this way then we will inform you.  If we need to make a note of any data we have seen during a troubleshooting process it will be securely destroyed as soon as we have completed the troubleshooting process with you.

Automated processing

As part of your service we may deploy automated tools that check files for malware, viruses etc. and we may act on this information in the best interests of your service and that of other customers.

During our order process we may perform automated anti-fraud checks to defend against fraudulent orders.

Our systems run intrusion prevention tools that make automated decisions based on the IP address they see and the actions being performed, they use this information to decide if access to the services on our systems should be allowed.

Marketing

We would like to send you information about products and services of ours that we think might be of interest to you.  If you have agreed to this, you may opt out at a later date.

We do not provide your details to 3rd parties for marketing purposes.

What are your data protection rights?

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request Our Company for copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you.

What are cookies?

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology

For further information, visit allaboutcookies.org.

How do we use cookies?

We use cookies in a range of ways to improve your experience on our website and services, including:

  • Keeping you signed in
  • Understanding how you use our website and services

What types of cookies do we use?

There are a number of different types of cookies, however, our website uses:

  • Functionality – We use these cookies so that we recognize you on our website and remember your previously selected preferences. A mix of first-party and third-party cookies are used.

How to manage your cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Privacy policy of other websites

The Backoops website contains links to other websites. Our privacy policy applies only to our website and services, so if you click on a link to another website, you should read their privacy policy.

Changes to our privacy policy

We keep our privacy policy under regular review and place any updates in this document and on our website.

How to contact us

If you have any questions about our privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us: [email protected]

Call us: 0800 862 00 56

Or write to us:

Protexia c/o KDA Web Services Ltd.

Unit 3, Twelve O’clock Court

Attercliffe Road

Sheffield

S4 7WW

United Kingdom

How to contact the appropriate authorities

Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.

Email: [email protected]

Address: Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Data Sharing/Processing

Who What & Why Privacy Policy
Splashtop Inc. Computer ID e.g. Karl’s iPad – Audit

IP Address e.g. 10.0.2.4 – Audit

 https://www.splashtop.com/privacy
Nominet Name, Address, Business name, Telephone, Email, Domain name

Order processing

 https://www.nominet.uk/resources/privacy-notice/
eNom Name, Address, Business name, Telephone, Email, Domain name

Order processing

 https://www.enom.com/support/the-gdpr
NetEarth One Name, Address, Business name, Telephone, Email, Domain name

Order processing

 https://www.netearthone.com/support/privacy.php
Domain Registrar Services Ltd. Name, Address, Business name, Telephone, Email, Domain name

Order processing

 https://allthe.domains/terms/privacy-policy
Rapid Web Services LLC Name, Address, Business name, Telephone, Email

Order processing

 https://www.thesslstore.co.uk/privacypolicy.aspx
Acronis Name, Address, Telephone, Email

Order processing

Computer name, file lists

Service functionality

Computer detail, logs, installed apps

Service functionality troubleshooting

Backup data

Service functionality

 https://www.acronis.com/en-gb/company/privacy.html
Sophos Name, Address, Business name, Telephone, Email

Order processing

Computer name, file lists, installed apps., websites accessed in policy violation

Service functionality

 https://www.sophos.com/en-us/legal/sophos-gdpr.aspx
cPanel May have access to your/our servers for troubleshooting purposes.

Domain name

Order processing

 https://cpanel.net/privacy-policy/
Cloudlinux May have access to your/our servers for troubleshooting purposes. https://www.cloudlinux.com/privacy-policy
OnApp May have access to your/our servers for troubleshooting purposes. https://onapp.com/legal/onapp-data-processing-terms/
Stripe Name, Address, Business name, Telephone, Email

Order processing

Credit/debit card details

Order processing, but given by you not us

 https://stripe.com/gb/privacy
Worldpay Name, Address, Telephone, Email

Order processing

Credit/debit card details

Order processing, but given by you not us

 https://www.worldpay.com/uk/worldpay-privacy-notice
Global Payments Name, Address, Telephone, Email

Order processing

Credit/debit card details

Order processing, but given by you not us

 https://www.globalpaymentsinc.com/en-gb/privacy-statement
PayPal Name, Address, Telephone, Email

Order processing

Credit/debit card details

Order processing, but given by you not us

 https://www.paypal.com/en/webapps/mpp/ua/privacy-full
GoCardless Name, Address, Telephone, Email

Order processing

Bank details

Order processing, but given by you not us

 https://gocardless.com/legal/privacy/
Xero Payment references, name, address, business name, purchase history.

Accounting

 https://www.xero.com/uk/about/legal/privacy/
Martin Milner & Co. Name, address, business name, payment references

Accounting
Google G Suite Any data that you have given to us, or emailed to us in the process of creating support tickets, quote preparation, orders etc. https://privacy.google.com/businesses/compliance/
Microsoft Office 365 Any data that you have given to us, or emailed to us in the process of creating support tickets, quote preparation, orders etc. https://privacy.microsoft.com/en-gb/privacystatement
Let’s Encrypt Domain name

Order processing

 https://letsencrypt.org/privacy/
Microsoft Azure Domain name

Order processing

Backup data
Service functionality

 https://privacy.microsoft.com/en-gb/privacystatement
Google Cloud Platform Backup data

Service functionality

 https://privacy.google.com/businesses/compliance/