Welcome to InChorus’ privacy policy. 

 

We are InChorus Group Ltd, a company registered with Companies House in England and Wales under number 11755917 (“InChorus”/“we”/“us”/”our”). We are committed to protecting your privacy.

This policy sets out the basis, under applicable data protection law (including the General Data Protection Regulation (EU 2016/679) and the UK GDPR), on which we will collect and process personal information through your use of the InChorus online software platform and the accompanying software App (together the “Platform”). It applies to our Clients, App Users, Client Users, Marketing Contacts, our website visitors and to other individuals whose data we may process, except for our employees (“you”/”your”).

 

IN THE NORMAL COURSE OF OUR BUSINESS WE COLLECT AND PROCESS DATA IN THE FOLLOWING WAYS:

• App users who are typically employees, contractors or consultants who have been granted access to our Platform by their employer (where their employer is an existing client) (“App Users”);

• administrative users of the Platform dashboard who are acting on behalf of their relevant employer (where their employer is an existing client) (“Client Users”); and 

• trial users or potential new users of the Platform, including those who we have identified as possible future clients and to whom we are marketing or promoting the Platform and our services (“Marketing Contacts”).
• points of contact of existing clients (“Clients”).

When we refer to “personal data” in this policy, we mean any information relating to you from or in relation to which you may be identified (directly or indirectly).   

Please read this policy carefully to understand how we will use and look after your personal data. If you visit www.inchorus.org (the “Website”) or use the Platform,  your data will be processed in line with this policy and the InChorus Terms of Use (“Terms of use”) [https://inChorus.org/terms] will apply. Where your consent is required, we will seek it in compliance with the applicable data protection law as further detailed below.

 

OUR STATUS AND RESPONSIBILITIES 

In the case of App Users, Client Users, and Marketing Contacts, we are the data controller in respect of your personal data.

We are also the data controller in respect of contact information for each client contact which we hold for account and contract management purposes, including for contract queries and billing purposes.

We may act as joint data controller with our clients for some App Users data under some circumstances. In these cases, we have set out a joint controller arrangement which reflects our respective roles and responsibilities. You can ask for further information about this by contacting us at dpo@aphaia.co.uk

 

INFORMATION WE COLLECT ABOUT YOU  

For App Users and Client Users will collect and process the following data about you:

1. INFORMATION YOU MAY VOLUNTARILY PROVIDE:

• When using the Platform to log a report via the InChorus App we may collect personal information that you choose to share including your:
  • Company email address
  • Company ID
  • Ethnicity and/or race
  • Gender
  • Religion
  • Sexual orientations
  • Age range
  • Socioeconomic background
  • And disability you chose to declare
• We may also gather the names of employees recognised for positive behaviour.
• If you are a Client of us, we may collect the following information from you:
  • Company name, number and address
  • Name
  • Email address
  • Phone number
  • Correspondence
• If you contact us (by phone, email, or through the Website) we may keep a record of that correspondence for two years in case we need to contact you in relation to the issue for which you contacted us, for operational performance improvement and/or nuisance caller management. We will not use it for marketing purposes.
• If you report a problem with the Website and/or the Services, we may keep that information for two years in case we need to contact you in relation to the issue you for which you contacted us, for operational performance improvement and/or nuisance caller management. We will not use it for marketing purposes. The information you give may include your name, address, telephone number and email address.

 

2. INFORMATION WE COLLECT ABOUT YOU.

• When you use the website and interact with our Services, we automatically collect the following information.

• We use technology such as Google Analytics to collect information about your visit to our Website. You can find more information about Google Analytics here: https://analytics.google.com/analytics/web . In essence, Google Analytics enables us to analyse how you and others interact with our Website and Web App. The information we collect may include:

• IP address;
• the type of browser used(e.g. Chrome or Safari browser);
• the number of sessions per browser on each device;
• the type of device (eg Samsung) and operating system (eg Android) used;
• referrer information;
• time zone;
• user preferences; and
• which pages were visited.

            Please see the cookies section below to learn more about how we process this data.

For Marketing Contacts, we will collect and process personal data which you provide when you complete an enquiry via a website or register for a trial or otherwise contact us to request information about our products and services.  We will typically obtain contact information such as your name, employer, work email address and work telephone number.  We may also receive further personal data about you which is publicly available, such as your seniority, years of experience and employment history and similar work-related background, from third party service providers.  We shall also store and process data relating to your communications with us and your responses to our marketing emails and attendance at our events.

WHAT DO WE DO WITH THE PERSONAL DATA WE COLLECT ABOUT YOU?  WHAT IS OUR LEGAL BASIS FOR DOING SO?

Where we have collected or generated personal data from or about you, we may use this for the purposes, and on the legal bases, as set out below.

We use the information you provide to us to:

• enable us to provide the Services;
• ensure that content from our Website is presented in the most effective manner for you and for your device to achieve the most user-friendly navigation experience;
• carry out our obligations arising out of the Terms of Use; and/or
• defend our servers against malicious attacks

Where we propose using your personal information for any other uses we will ensure that we notify you first and gather your consent where relevant. Where you provide us with your consent in these cases, you will also be given the opportunity to withhold or withdraw your consent for the use of your personal information for purposes other than those listed above. Please note that the withdrawal of consent will not affect the processing which took place before the withdrawal.

1. INFORMATION YOU GIVE TO US. WE WILL USE THIS INFORMATION TO:

For Client Users

• if you are a Client User: create your Admin Account, provide our product and services, maintain communication to carry out obligations arising from our Terms of Use and the Client Agreement.
• provide you with information, products and services you request from us.
• contact you for your feedback on our services and to help us evaluate and improve our services
• notify you about changes to the Platform and any other services of ours that you use.

For these purposes, we rely on contract and consent as applicable.

For App Users – our use of aggregated and pseudonymized information

• We will only use your email and company code to identify you in order to prove that you are an employee, agent or consultant at a client organisation. Once we have verified that is the case this information is stored in separate tables, when necessary, from any Personal Data you input.
• Our Services allow you to tag incidents of bias that you may have experienced in your organisation. Your email address will not be required for tagging incidents of bias beyond the aforementioned identification process, thus your email address will not be linked to the reported incident of bias for the purposes of sharing this with your organisation. We ask you not to share information which could identify yourself or others and we will delete non-pseudonymous reports from our system, unless you advise us otherwise. However, we may share with your organisation data on the type of incident including where it occurred, what occurred and when it occurred. Although our aim is doing this  in a pseudonymous way and we do not share your name or other personal identifiers, we cannot grant this will be always the case considering the risk of identification based on context, for example, if your organisation has a very small number of employees or if other members of the staff have been aware of the incident by external means Please note that, where you use Slack, your organisation’s Slack administrator could potentially be able to see the fact that your report was submitted, without seeing the content of the report.
• The purpose of sharing the data as described above is to allow your organisation to improve upon and kick off data-driven initiatives, ultimately resulting in a happier, healthier and more successful organisation.
• We will never share your work email address, nor any part of your name that is within your work email address, for they are encrypted and stored completely separately from the pseudonymised, aggregated, and broad data we share with your employers. And of equal importance, we never take the names of the perpetrator, and therefore this can never be shared, completely maintaining your safety and security in the workplace when utilising the InChorus Platform.
• Data collected from you and other employees or personnel may be used by us in an aggregated and anonymised form for statistical and benchmarking purposes including enabling comparisons to other organisations within the same industry.

If you are an App User, we will gather your consent in order to process your data in the ways described in this section . We note that the processing of special categories of data, such as ethnicity, sexual orientation, or disability, are subject to explicit consent, so you can always choose not to provide those. For this purpose, we will provide you with a full and clear consent statement in compliance with the applicable data protection law at the point of data gathering. You can withdraw your consent at any time by contacting us at dpo@aphaia.co.uk , provided we are able to reliably re-identify you._Please note that the withdrawal of consent will not affect the processing based on consent before the withdrawal.

For Marketing Contacts

• When you complete an enquiry via a website or register for a trial or otherwise contact us to request information about our products and services we may send marketing communications about our products and services that we consider might be of your interest , therefore we will collect and use your personal data to contact you of about our news, updates, events, developments, products and services from time to time and for the purposes of entering into discussions with you in connection with your purchase of licences from us to use or have access to the Platform.  Please note that if you become a Client, there are additional specific sections in this Privacy Policy that might apply to you.
• We will process your personal information for these purposes based on our legitimate interest to market our product to companies or your consent, which you can withdraw at any time or object to processing by contacting us at dpo@aphaia.co.uk or by clicking in the link you can find at the bottom of each communication. Please note that the withdrawal of consent will not affect the processing based on consent before the withdrawal.

For Clients

• We process your personal information for account and contract management purposes, including for contract queries and billing purposes.

We rely on contract for these purposes.

2. INFORMATION WE COLLECT ABOUT YOU. WE WILL USE THIS INFORMATION:

• to share anonymised usage data which does not identify you specifically with third parties. We may combine your data with those of other users of our Website and share this information in aggregated and anonymised form with third parties to help us improve the design and delivery of our software tools, increasing the effectiveness for all users.
• to administer and improve the Platform and other services, including ensuring that content is presented in the most effective manner for you and for your computer;
• for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
• as part of our efforts to keep the Platform safe and secure.

Please see the cookies section below. Except for the strictly necessary cookies, we will only process this data based on your consent.

3. THE BASIS FOR THE PROCESSING OF YOUR DATA

We will process your personal data based on the lawful bases defined above for each category of data subject. Apart from these, we may process your personal data if the following applies:

- Processing is necessary to comply with a legal or regulatory obligation to which we are subject.

- Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. Where this basis applies, we have undertaken the relevant Legitimate Interest Assessment to demonstrate that our compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the affected data subjects. You can request further information about this by reaching us at dpo@aphaia.co.uk

 

WHO DO WE SHARE YOUR INFORMATION WITH?

We will only share your information with other organisations where we have your permission to do so in accordance with this Policy or where we believe it is necessary for a legitimate reason connected with the Website or our Services.  Accordingly, we may share your personal information with service providers, for example of IT services, business partners, suppliers and/or sub-contractors, cloud-based communications, analytics, storage, and other services, for the performance of any contract that we enter into with your employer (such as the Client Agreement) or in the course of undertaking marketing activities. We require all our third party service providers and all other companies within our group to take appropriate and stringent security measures to protect your personal data in line with our policies. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions and the agreement we have with them.

We may also disclose your personal data to other third parties in the following circumstances:

• we may disclose your personal data to our legal advisers if they need to have access to this information in order to advise us on our legal rights and obligations; and
• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use or other contracts between us and you or your employer; or to protect the rights, property or safety of us, our customers or others. 

Except as explained above, we will not disclose your personal data to any third parties for any other purpose unless we have a legal right or obligation to do so.

OUR USE OF COOKIES, PIXELS AND LOCAL STORAGE

Cookies are small pieces of data that are stored on your computer, mobile phone or other device. Pixels are small blocks of code on web pages that do things like allow another server to measure viewing of a Web page and are often used in connection with cookies. HTML5 Local Storage is a small database located inside your browser which web pages can use to store data to speed up their processing.

We may use all three technologies from time to time, to help improve your browsing experience. Cookies do lots of different jobs, like letting you navigate between pages efficiently, storing your preferences, and generally improving your experience of our Website. Cookies make the interaction between you and our Website faster and easier. We use cookies to distinguish you from other users of the Website and our Services. This helps us to provide you with a good experience when you use the Website and also allows us to improve the Website and Services. Cookies and other things like local storage also help us authenticate you to deliver personalised content to you.

We will ask you for your consent to use the cookies as you visit our website.

INTERNATIONAL DATA TRANSFERS

The information that we collect from you may be processed outside the European Economic Area (EEA). In these cases, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, by ensuring at least one of the following safeguards is implemented:

-transferring your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;

-entering into specific contractual terms which have been approved by the European Commission and which give personal data the same protection as within the EEA. In these cases we will undertake a Data Transfer Impact Assessment where required pursuant to the Schrems II decision in order to verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under this tool.

For further information on the safeguards used, please contact us at dpo@aphaia.co.uk

 

SECURITY OF INFORMATION

Where you are an App User, you will only require your company email address and company code to gain access to the InChorus App. Where we have given you a username, password and/or security information which enables you to access particular features of the Platform as a Client User you are responsible for keeping these access credentials confidential. You must not share these details with anyone, or store them in a way that may allow a third party to access them.

We maintain appropriate technical and organisational measures to ensure that an appropriate level of security in respect of all personal data we process. Once we have received your information, we will use strict procedures and security features which are appropriate to the type of personal data you have provided to try to prevent unauthorised access or inadvertent disclosure. 

RETAINING YOUR INFORMATION

We will not store your personal data for longer than is reasonably necessary to use it in accordance with this policy or with our legal rights and obligations. For the avoidance of doubt, aggregated and anonymised data and any information other than personal data can be stored indefinitely.

In particular:

• For App Users, we will retain your personal data for a period 30 days after our relationship with your employer has ended. After this period, your personal data will be anonymised or deleted. 
• For Client Users, we will retain personal data for a period of 1 year after our relationship with the employer has ended.
• For Marketing Contacts: we will retain your personal data for a period for so long as necessary to continue to provide you with updates or other marketing emails or other communications in circumstances in which you have consented (where necessary) or else not unsubscribed to receiving such communications and in which we have a continued legitimate interest in undertaking that marketing.

YOUR RIGHTS  

We think it is important that you are able to control your personal information.

You have the following rights in regards to your personal information:

• You have the right to ask us not to process your personal information for marketing purposes. You can exercise your right to prevent such processing at any time by contacting us at dpo@aphaia.co.uk
• Access. You have the right to access information about the personal data we hold about you. The law gives you the right to request a copy of the personal information we hold about you. We first require you to prove your identity with 2 pieces of approved identification to ensure your right to access your personal data (or to exercise any of your other rights).  This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We reserve the right to charge a reasonable fee in response to unreasonable or repetitive requests, or requests for further copies of the same information.
• Right to object to processing.  You have the right to object at any time where we are relying on consent or on our legitimate interest (or those of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
• Rectification. You have the right to request that we rectify any inaccurate personal data that we hold about you.

• Erasure.  You have the right to request that we erase any personal data that we hold about you, based on one of a number of grounds, including the withdrawal of your consent. . We also reserve the right to retain your personal data in an anonymised form for statistical and benchmarking purposes.

• Request to restriction of processing. This enables you to ask us to restrict the processing of your personal data in certain circumstances, for example if you want us to establish its accuracy or the reason for processing it.

• Portability. You have the right to obtain copies of your personal data to enable you to reuse your personal data across different services and with different companies. You may also request that your personal data is transmitted directly to another organisation where this is technically feasible using our data processing systems.

• Change of preferences. You can change your data processing preferences at any time. For example, if you have given your consent to direct marketing, but have changed your mind, you have the ability to opt out of receiving marketing communications by emailing us at support@inchorus.org.
   
• If you wish to complain about the processing of your personal information then please contact us first, but if we do not satisfactorily deal with your complaint, then you may contact the Information Commissioner. If you want to stop using the Website and the Services, you may do so. If you do, you may also want to remove any cookies that we have placed on any device used to access the Website and the Services.

You can exercise any of these rights by contacting us at dpo@aphaia.co.uk

THIRD PARTY PROPERTIES ACCESSED FROM THE WEBSITE EG OTHER WEBSITES

Our Website and Services may contain links to and from the online properties of third parties. If you follow a link to any of these online properties, please note that these online properties have their own privacy policies which will govern use of any personal information that they process. Please check these policies carefully before you click on any links and/or submit any personal information to these online properties.

CHANGE OF CONTROL

If the ownership of our business changes, we may transfer your information to the new owner so they can continue to operate the Website and provide the Services. The new owner will be obliged to comply with this Policy.

CHANGES TO OUR PRIVACY POLICY  

Any changes we may make to this Policy will be posted on this page. Where it makes sense because the changes are material, we will notify you by e-mail or in another appropriate manner such as when you next interact with the Website.

CONTACTING US IS EASY AND WE WANT TO HEAR FROM YOU

We really do welcome any questions, comments and requests you may have regarding this Policy. You can contact us by emailing us at dpo@aphaia.co.uk

We have also appointed a Data Protection Officer who you can contact using the contact details below: