This page was last updated on April 1st 2020.
Brain in Hand Limited is committed to protecting and respecting your privacy. Please read the following notice carefully so that you understand your rights in relation to this information, including how your information will be collected and processed.
We are a limited company registered in England and Wales with a registered office at Hampton House, 23 Longbrook Street, Exeter, EX4 6AB, contactable at email@example.com. For the purpose of the General Data Protection Regulation (‘GDPR’), we are the data controller.
In this notice, where we say ‘you’ or ‘your’, this means either you or any authorised person acting on your behalf. Where we say ‘we’, ‘us’ or ‘our’, this means Brain in Hand Limited. We may also abbreviate Brain in Hand to ‘BiH’.
The types of personal data we use
The personal data we collect or hold about you will either be provided by you directly when enquiring about or signing up for our service or will be collected from your activity on our website and use of our services.
We may collect and use the following information about you: name, email address, mobile number, date of birth, personal description, contact preference, postal addresses, emergency contact details, contact details for your nominated support provider, details about your university and/or workplace, and sensitive information about your personal life and difficulties. We may also collect other information that is necessary to fulfil our contract with you for services that you have purchased or signed up for.
Information we collect from your use of our website and mobile application
With regard to each of your visits to our website and mobile application, we automatically collect the following information:
• Technical information: including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
• Information about your visit including the full Uniform Resource Locators (URL) clickstream to, through, and from the website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, mouse-overs, and methods used to browse away from the page), and any phone number used to call BiH.
How we use your personal data
In accordance with our contract with you, we will use your information to:
- provide you with services;
- personalise the content you receive to support you when using the service;
- notify you about changes to our service;
- provide you with user support;
- enforce our terms, conditions and policies;
- communicate with you.
As it is in our legitimate interests to be responsive to you and to ensure the proper functioning of our products and organisation, we use your information to:
- improve the website and mobile application and to ensure our content is presented in the most effective manner for you and your device;
- administer the website and mobile application for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- personalise the content you receive; or
- keep the website and mobile application safe and secure.
Security of your personal data
At Brain in Hand we strive to make our system as secure as possible; our aim is to protect your data and the data that we collect when you use our website, system, or other services.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through the website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We protect all data, in particular data relating to our users and their use of the Brain in Hand system, in a number of ways and follow industry standards where possible.
All communications between our clients (browser and mobile applications) and our servers use TLS to secure our http web traffic. This ensures that no one can listen in to the data being transmitted.
Personal Information Security
Personal information and contact information is only accessible to the administrators and responders that have been assigned to a user's responder group. Any emails or text messages sent to responders (as a result of a red traffic light press) will contain the user's initials. Personal information is only accessible once the responder has logged in.
Brain in Hand is hosted in Microsoft’s Azure data centres. Our primary servers are hosted in London; our backup servers are hosted in Cardiff. We store all our information in a MongoDb database; access to this database is limited by a firewall to only 2 IP addresses. One is the IP of our application servers, and the other is our offices in Exeter. Furthermore access is only granted to an administrator to maintain the integrity of the database.
Once created, our application servers are locked down to a level where we do not have direct access and all our applications are deployed as containers; this is to reduce our exposure to hacking. If we suspect our servers or containers have been compromised, then we can recreate from standard server images in a short period of time.
Live Chat Security
Our Live Chat software is provided by Click 4 Assistance. All data is stored in the UK with full ISO 27001 and GDPR compliance.
Any personal data that we collect from you (whether submitted directly or collected through your use of our system) will be reviewed on a regular basis to ensure that we only continue to store and process it under lawful grounds and for an appropriate time period.
Data collected through your use of our system will be stored for up to 2 years after you terminate your use of our services for the purpose of being able to reactivate the licence if needed, or in order to respond to any complaints / queries that may arise. After this time, data provided through your use of our system may be held indefinitely in an aggregated and anonymised format to assist us in compiling usage information which helps to inform system development.
You have certain rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances as set out in more detail below. We also set out how to exercise those rights. Please note that we will require you to verify your identity before responding to any requests to exercise your rights. We must respond to a request by you to exercise those rights without undue delay and within one month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please email firstname.lastname@example.org.
You have the right to know whether we process personal data about you and, if we do, to access personal data we hold about you and certain information about how we use it and who we share it with. Your right of access can be exercised by contacting us at email@example.com.
If you require more than one copy of the data we hold about you, we may charge an administration fee of £10.
We may not provide you with certain personal data if providing it would interfere with another’s rights (e.g. where providing the personal data we hold about you would reveal information about another person) or where another exemption applies.
You have the right to receive a subset of the personal data we collect from you in a structured, commonly used, and machine-readable format, and a right to request that we transfer such personal data to another party. The relevant subset of personal data is data that you provide us with your consent or for the purposes of performing our contract with you.
If you wish for us to transfer the personal data to another party, please ensure you detail that party and note that we can only do so where it is technically feasible. We are not responsible for the security of the personal data or its processing once received by the third party. We also may not provide you with certain data if providing it would interfere with another’s rights (e.g. where providing the personal data we hold about you would reveal information about another person or our trade secrets or intellectual property).
You have the right to correct any personal data held about you that is inaccurate. Where you request correction, please explain in detail why you believe the personal data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required. Please note that whilst we assess whether the personal data we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.
You may request that we erase the personal data we hold about you in the following circumstances:
- You believe that it is no longer necessary for us to hold the personal data we hold about you.
- We are processing the personal data we hold about you on the basis of your consent, and you wish to withdraw your consent and there is no other ground under which we can process the personal data.
- We are processing the personal data we hold about you, your emergency contacts, and your family and friends on the basis of our legitimate interest and you object to such processing.
- You no longer wish us to use the personal data we hold about you in order to send you marketing information such as news or invitations to events.
- You believe the personal data we hold about you is being unlawfully processed by us.
Also note that you may exercise your right to restrict our processing the data whilst we consider your request as described below.
Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure. Please note, however, that we may retain the personal data if there are valid grounds under law for us to do so (for example, for the defence of legal claims or freedom of expression) but we will let you know if that is the case.
You may also contact us at firstname.lastname@example.org in order to provide us with specific instructions regarding the conservation, deletion, and/or communication of your personal data in the event of your death.
Restriction of Processing to Storage Only
You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection law for us to do so (for example, for the defence of legal claims or for another’s protection).
You may request we stop processing and just store the personal data we hold about you where:
- You believe the personal data is not accurate for the period it takes for us to verify whether the data is accurate.
- We wish to erase the personal data as the processing we are doing is unlawful, but you want us to retain the personal data to store it but not to process it.
- We wish to erase the personal data as it is no longer necessary for our purposes, but you require it to be stored for the establishment, exercise, or defence of legal claims.
- You have objected to us processing personal data we hold about you on the basis of our legitimate interest, and you wish us to stop processing the personal data whilst we determine whether there is an overriding interest in us retaining such personal data.
At any time, you have the right to object to our processing of data about you in order to send you marketing, including where we build profiles for such purposes, and we will stop processing the data for that purpose.
You also have the right to object to our processing of data about you and we will consider your request in the circumstances as detailed below if you contact us at email@example.com.
You may object where:
- We are processing the data we hold about you (including where the processing is profiling) on the basis of our legitimate interest and you object to such processing. Please provide us with detail as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims.
- We are processing the data on the basis of historical/scientific research or statistics and you have a particular reason to object. Your right would not apply where we have been tasked with, and it is necessary for us to undertake, such processing in the public interest.
Recipients of your information
We may share your personal information with third parties where required by law, where it is necessary to deliver our services to you or administer the working relationship with you, or where we have another legitimate interest in doing so.
We require third parties to respect the security of your data and to treat it in accordance with the law. We will only share your personal data with:
- third party service providers and partners with whom we work to deliver our service to you (for example, specialist setup support partners, traffic light response service);
- funding bodies and Higher Education Institutes with whom we work to improve our service and its delivery to you;
- regulators, law enforcement bodies, government agencies, courts or other third parties where we think it is necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure;
- web hosting and cloud-based storage systems used to provide our service to you and administer our business activities.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We also require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will not transfer Personal Data outside the EEA or to a third country in the absence of an adequacy decision by the European Commission made in accordance with GDPR Article 45.
In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at firstname.lastname@example.org and we will endeavour to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with the Information Commissioner’s Office or the data protection supervisory authority in the EU country in which you live or work where you think we have infringed data protection laws.
If you have any questions or comments about how we use your information, please email us at email@example.com. You can also write to Brain in Hand Ltd, Hampton House, 23 Longbrook Street, Exeter, EX4 6AB.
What are cookies?
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third party to recognise you and make your next visit easier and the Service more useful to you.
Cookies can be 'persistent' or 'session' cookies.
We use both session and persistent cookies on the Service. We may use essential cookies, for example, to authenticate users and prevent fraudulent use of user accounts.
Your choices regarding cookies
Where can you find more information about cookies
You can learn more about cookies and the following third-party websites:
- AllAboutCookies: http://www.allaboutcookies.org/
Voluntary Consent to Participate policy
Brain in Hand has a comprehensive consent process for individuals, guardians and organisations who appear in internal or external reports or in any promotional material within the public domain to safeguard the individuals participating and to make sure that the context in which the data collected will be used is understood and that consent is given freely and with full understanding.
A brief explanation of the policy follows.
The full policy is available on request and Brain in Hand must make it available to any individual whose consent we are seeking to use their information.
It is Brain in Hand’s policy that, where we are collecting information from individuals and plan to use that information in the public domain, consent must be sought and obtained from the individual by the person who is collecting the data.
This information may include written and/or verbal statements, photography, or video film. The materials in which we may include this information could be for promotional activities or general business use.
The consent we seek to obtain includes that of the individual providing the information, their guardian if appropriate, and/or any organisation partnering with Brain in Hand and who is involved in the collection of this information.
Why does Brain in Hand need this information?
Brain in Hand works with partner organisations to provide a digital support system to individuals who require a little extra help but who wish to be actively involved in their own support delivery. In order to do this, Brain in Hand often needs to provide data to our partner organisations to promote the positive outcomes of the programmes that we are involved in.
We always need volunteers to appear in publicity material to help raise awareness of the work we do and the projects we are involved in. These individual’s data will help us to promote and publicise Brain in Hand so that we can continue to provide support services to those who need them.
For all of the information shown on our website which features individuals, guardians, and organisations, consent has been sought and received. The use of this data has been explained and all individuals have the right to withdraw consent at any time under our Voluntary Consent to Participate Policy.