1. Introduction
Towards respects the privacy of its customers, suppliers and partners. We have therefore formulated and implemented a policy of complete transparency regarding the processing of personal data, its purpose(s) and how you can exercise your legal rights. For employees, we have formulated a separate privacy policy, available upon employment and upon request.
This privacy policy pertains to processing by Towards by means other than cookies. Towards has formulated a separate cookie policy, which can be found on Towards's website: https://www.wearetowards.com/
2. Definitions
Party responsible for processing personal data: Towards; with registered address at 5 New Street Square in the United Kingdom; company registration number 15773852 and Data Protection Officer Fran Ukposidolo, who can be reached at fran.ukposidolo@wearetowards.com (the “Controller”).
Data Protection Authority: the data protection authority of the United Kingdom.
Data Protection laws:
For European citizens or residents, the EU GDPR (Regulation (EU) 2016/679, applicable since 2018) and the EU e-privacy directive (Directive 2002/58/EC, which the EU has proposed to replace with an e-privacy regulation);
For UK citizens or residents, the UK GDPR (in force since 1 January 2021) and the UK Data Protection Act 2018;
and the national laws of the countries where we operate.
3. Collection of data
Your personal data will be collected by Towards and its data processors.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. The types of personal data we may process through third party applications:
5. The types of personal data we may process through suppliers:
6. Purposes
Towards processes personal data for one or more of the following purposes:
Customer, employee, contractor, partner or supplier management
Business and financial administration
Direct marketing
Delivery of goods or services
Work planning
7. How we collect, store or otherwise process your data:
The following business processes describe how we may collect, store or otherwise process the types of personal information:
Collection of cookies, subscription to newsletter or filling out the contact form on the website(s);
Analyse trends and profiles, in our legitimate interest, to enhance, modify, personalise and improve our services and communications for the benefit of our customers;
Process and respond to support requests, enquiries and complaints received from you through use of business email;
Provide services and products requested and/or purchased by you and to communicate with you about such services and/or products. We do this as necessary in order to carry out a contract with you and in accordance with our legitimate interest to operate a business;
Carry out administrative activities such as invoicing and collecting payments either locally on devices or using cloud-services;
Store and exchange personal information contained in documents through email and cloud-services;
Marketing and customer acquisition through email or using cloud-services.
8. Sharing data with third parties
We may have to share your data with third parties, including third-party service providers. We may share your anonymised data with the University of Exeter for research and service improvement purposes. We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your Personal Data outside the United Kingdom. If we do, you can expect a similar degree of protection in respect of your Personal Data.
We will only share your Personal Data with third parties in accordance with the GDPR and as outlined in the legal justification table above.
We share your personal data with the following enterprise third parties. We also share your data with SME third parties, details of which are available upon request. You will be notified when we have engaged with a new third party recipient of your personal data.
Naq Cyber
Function: Compliance
Data categories: Email Address, First Name, Job Title, Last Name
Data subjects: Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Slack
Function: Communication
Data categories: Job Title, User Name, Photographs, Email Address, Last Name, Online Activity, First Name
Data subjects: Contractors, Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Google Workspace
Function: Communication, Document Storage, Email, HR, Legal, Office Management
Data categories: IP Address, Telephone Number, First Name, Educational and Employment History, Gender, Salary Information, Copy of ID, National Insurance Number, Sickness and Absences, Job Title, Citizen Service Number, Non-PII data, Protected characteristics, Intellectual Property, Mobile Device Information, Browser Information, User Name, Date of Birth, Contracts, Photographs, Live Location, Email Address, Last Name, Online Activity, Video, Age or Age Group, Home Address
Data subjects: Contractors, Employees, Other Data Subjects
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Loom
Function: Communication
Data categories: Non-PII data, Intellectual Property, Browser Information, User Name, Email Address, Last Name, First Name
Data subjects: Company, Contractors
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Heidi Health
Function: AI-Powered Tool, Clinical, Document Storage, Medical, Training
Data categories: Subscription Data, Job Title, Non-PII data, Mobile Device Information, Browser Information, Medicines, User Name, Date of Birth, General Health Data, Photographs, Email Address, Last Name, Online Activity, Age or Age Group, Medical History, IP Address, Medical Condition, First Name, Gender
Data subjects: Employees, Patients
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Revolut
Function: Bookkeeping, Document Storage, Payment Processing
Data categories: Subscription Data, Copy of ID, Job Title, Non-PII data, User Name, Contracts, Email Address, Last Name, Telephone Number
Data subjects: Company, Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
DocuSign
Function: Compliance, Document Storage, E-Signature, HR, Legal
Data categories: Salary Information, National Insurance Number, Job Title, Contracts, Email Address, Last Name, Online Activity, Home Address, IP Address, Telephone Number, First Name, Educational and Employment History
Data subjects: Contractors, Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
1Password
Function: Password Manager, Security
Data categories: Bank account or credit card number, Browser Information, Contracts, Email Address, First Name, Intellectual Property, IP Address, Job Title, Last Name, Mobile Device Information, Non-PII data, Online Activity, Subscription Data, User Name
Data subjects: Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Flagstone
Function: Accounting, Bookkeeping, Compliance
Data categories: Subscription Data, Job Title, Bank account or credit card number, Mobile Device Information, Browser Information, User Name, Contracts, Email Address, Last Name, Online Activity, Home Address, IP Address, First Name
Data subjects: Company, Users
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Xero
Function: Accounting, Document Storage, Payment, Payment Processing, Payroll
Data categories: Contracts, Last Name, First Name, Job Title, Bank account or credit card number, Non-PII data, Email Address, Home Address
Data subjects: Company, Contractors, Customers, Employees, Suppliers
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Stripe
Function: Accounting, Bookkeeping, Payment Processing
Data categories: Subscription Data, Non-PII data, Bank account or credit card number, Mobile Device Information, Browser Information, User Name, Email Address, Last Name, Online Activity, IP Address, First Name
Data subjects: Customers, Users
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Wellifiy
Function:
Data categories: Subscription Data, Job Title, Bank account or credit card number, Mobile Device Information, Non-medical tracking (e.g. sleep; food intake), Browser Information, Medicines, General Health Data, User Name, Photographs, Email Address, Last Name, Online Activity, Medical History, IP Address, Medical Condition, First Name, Educational and Employment History, Gender
Data subjects: Customers, Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
BrightPay
Function: Document Storage, HR, Payroll
Data categories: Bank account or credit card number, Date of Birth, Educational and Employment History, Email Address, First Name, Gender, Health Service/NHS Number, Home Address, IP Address, Job Title, Last Name, National Insurance Number, Salary Information, Sickness and Absences, Telephone Number, User Name
Data subjects: Contractors, Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Apron
Function: Accounting
Data categories: Bank account or credit card number, Email Address, First Name, Last Name, Telephone Number
Data subjects: Customers
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Deputy
Function: HR
Data categories: Advice Secondary Education, Age or Age Group, Bank account or credit card number, Contracts, Copy of ID, Date of Birth, Educational and Employment History, Educational Type, Educational Year, Email Address, First Name, Gender, Home Address, Information Guardian or Parent(s), Job Title, Last Name, National Insurance Number, Photographs, Place of Birth, Salary Information, Sickness and Absences, Telephone Number
Data subjects: Employees
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
Canva
Function: Document Storage
Data categories: Email Address
Data subjects: Company
Security measures: Physical security such as access controls, clean desk policy and CCTV; access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; all data is encrypted at rest and access is only permitted via encrypted channels (e.g. TLS); data is minimised and regularly deleted according to national retention periods.
International data transfers
The third parties we have engaged for the above-mentioned business processes may transfer your personal information outside of your jurisdiction. Towards’s third-party processors take all necessary measures to ensure the confidentiality, availability and integrity of personal data and to comply with the GDPR with regard to international data transfers. Their internationally recognised compliance certifications, together with far-reaching technical security measures (including but not limited to encryption of the personal data, rendering it illegible to an unauthorised recipient), are sufficient to ensure that data subjects continue to benefit from the fundamental rights they are entitled to under the GDPR.
Where Towards transfers data to third countries, it relies on the following legal grounds for international data transfers:
An Adequacy Decision in accordance with article 45 of the GDPR;
In the absence of an Adequacy Decision, appropriate safeguards in accordance with article 46 of the GDPR, in the form of Standard Contractual Clauses or Binding Corporate Rules.
In the event that Towards is reliant on Standard Contractual Clauses for the legality of its international data transfer, it ensures that the Processor or Subprocessor takes supplementary security measures to safeguard the international data transfer with one or more of the following measures:
Encryption;
Anonymisation;
Pseudonymisation.
9. Storage and protection of data
Your data is protected by Towards and its processors in accordance with all legal requirements set by the relevant data protection laws. Towards has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements. Towards has signed processing agreements with its processors to ensure an adequate level of data protection.
The following security measures are taken by Towards to protect your personal data in the course of the listed business processes:
10. Organisational security measures
Staff
Towards staff members are required to conduct themselves in a manner consistent with Towards’s guidelines regarding confidentiality, business ethics, appropriate usage and professional standards. All staff members undergo appropriate background checks prior to hiring and sign a confidentiality agreement outlining their responsibility to protect customer data.
We continuously train staff members in security best practices, including how to recognise social engineering, phishing and other attacks.
Access controls
Towards maintains your data privacy by allowing only authorised individuals access to information, and only when it is needed to complete tasks for you. Towards staff members will not process customer data without authorisation.
Data hosting
As a rule, data is hosted within countries and areas that provide a substantially similar level of protection as data subjects have under the GDPR. To ensure this, we rely on Adequacy Decisions as a legal basis for our international data transfers. In exceptional circumstances, where data is transferred to a country or area not subject to an Adequacy Decision, we rely on Standard Contractual Clauses with the recipient and take supplementary security measures to secure this data transfer, such as anonymisation.
Physical security
The data centres on which personal data is hosted are secured and monitored 24/7 and physical access to facilities is strictly limited to select staff.
11. Technical security measures
All devices used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption and access management. We regularly update operating systems and software so that known vulnerabilities are patched before they can be exploited.
We carry out regular vulnerability scanning of our website and have engaged credentialed external auditors to verify the adequacy of our security and privacy measures.
12. Your rights regarding information
Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of, their personal data, as well as the right to object to the processing and the right to data portability. You also have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision would have a significant effect on you.
You can exercise these rights by contacting us at the following email address: enquiries@wearetowards.com. If we have any doubts as to your identity, we may request you to provide us with proof of identification, such as through sending us a copy of your valid ID. Ensure that you write “Data Request” in the subject line of your email.
You will receive an answer from us within one month of the submitted request. Depending on the complexity and the number of requests, this period may be extended by a further two months. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature.
13. Marketing
You may receive commercial offers from Towards. If you no longer wish to receive them, please send an email to the following address: enquiries@wearetowards.com and ensure that you write “Data Opt-Out” in the subject line of your email.
Your personal data will not be used by our partners for commercial purposes.
If you encounter personal data of other data subjects while visiting our website, you must refrain from collecting it, from any unauthorised use of it and from any other act that constitutes an infringement of the privacy of the data subject(s) in question. Towards is not responsible for such acts.
14. Data retention
The collected data are used and retained for the duration determined by law. You may, at any time, request your data to be deleted from any Towards account, system or other data processing medium in accordance with the process described above.
15. Applicable law
These conditions are governed by the laws and regulations of the country where we are headquartered. The court in the district where we are headquartered has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
16. Children's Data
Our app and services are available to individuals aged 12 and over. For users who are under the age of 16, we require parental or legal guardian consent before the child can use our app or services. If you have concerns about or knowledge of a child using our services, products, websites or apps without parental consent, please contact our DPO via fran.ukposidolo@wearetowards.com to ensure we can take appropriate action as soon as possible.
17. Contact
For questions about this privacy policy, product information or information about the website itself, please contact: enquiries@wearetowards.com.
18. International data transfers
Third Party Applications
Naq Cyber
Headquarters: Vlamingstraat 4, 2712BZ, Zoetermeer, The Netherlands
Primary location of processing: the Netherlands. Personal data collected by Naq Cyber may be stored and processed in any country where Naq Cyber or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): adequacy decision exists between the United Kingdom and the Netherlands.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Naq Cyber’s Privacy Policy: https://www.naqcyber.com/policies/privacy-policy
Slack
Headquarters: Salesforce Tower, 60 R801, North Dock, Dublin, Ireland
Primary location of processing: Ireland. Personal data collected by Slack may be stored and processed in any country where Slack or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): adequacy decision exists between the United Kingdom and Ireland.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Slack’s Privacy Policy: https://slack.com/intl/en-nl/trust/privacy/privacy-policy
Google Workspace
Headquarters: 1602 Amphitheatre Parkway, Mountain View, CA, 94043, United States of America
Primary location of processing: the United States of America. Personal data collected by Google Workspace may be stored and processed in any country where Google Workspace or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): UK adequacy regulations (the UK-US Data Bridge) cover transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Google Workspace’s Privacy Policy: https://policies.google.com/privacy?hl=en-US
Loom
Headquarters: 140 2nd St Fl 3 Fl 6, San Francisco, California, 94105, United States of America
Primary location of processing: the United States of America. Personal data collected by Loom may be stored and processed in any country where Loom or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): UK adequacy regulations (the UK-US Data Bridge) cover transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Loom’s Privacy Policy: https://www.loom.com/privacy-policy
Heidi Health
Headquarters: Level 5, 24-26 Cubitt St, Cremorne VIC 3121, Australia
Primary location of processing: Australia. Personal data collected by Heidi Health may be stored and processed in any country where Heidi Health or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards: Standard Contractual Clauses (appropriate safeguards under art. 46 GDPR).
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Heidi Health’s Privacy Policy: https://www.heidihealth.com/legal/privacy-policy
DocuSign
Headquarters: 221 Main Street, Suite 1550, San Francisco, CA 94105, United States of America
Primary location of processing: the Netherlands. Personal data collected by DocuSign may be stored and processed in any country where DocuSign or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): UK adequacy regulations (the UK-US Data Bridge) cover transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see DocuSign’s Privacy Policy: https://www.docusign.com/company/privacy-policy
1Password
Headquarters: 4711 Yonge St, 10th Floor, Toronto, Ontario, M2N 6K8, Canada
Primary location of processing: Canada. Personal data collected by 1Password may be stored and processed in any country where 1Password or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): adequacy decision exists between the United Kingdom and Canada.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see 1Password’s Privacy Policy: https://1password.com/legal/privacy/
Stripe
Headquarters: 510 Townsend Street, San Francisco, CA 94103, United States of America
Primary location of processing: the United States of America. Personal data collected by Stripe may be stored and processed in any country where Stripe or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): UK adequacy regulations (the UK-US Data Bridge) cover transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Stripe’s Privacy Policy: https://stripe.com/en-gb-nl/privacy
Wellifiy
Headquarters: 16B Rotorua St, Caulfield South, VIC 3162, Australia
Primary location of processing: Australia. Personal data collected by Wellifiy may be stored and processed in any country where Wellifiy or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards: Standard Contractual Clauses (appropriate safeguards under art. 46 GDPR).
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Wellifiy’s Privacy Policy: https://www.wellifiy.com/privacy
Deputy
Headquarters: 548 Market St PMB 77267, San Francisco, CA, United States of America
Primary location of processing: the United States of America. Personal data collected by Deputy may be stored and processed in any country where Deputy or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards (art. 45 GDPR): UK adequacy regulations (the UK-US Data Bridge) cover transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework.
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Deputy’s Privacy Policy: https://www.deputy.com/terms
Canva
Headquarters: 110 Kippax St, Surry Hills, NSW 2010, Australia
Primary location of processing: Australia. Personal data collected by Canva may be stored and processed in any country where Canva or its affiliates, subsidiaries, or service providers operate facilities.
Safeguards: Standard Contractual Clauses (appropriate safeguards under art. 46 GDPR).
Additional safeguards: encryption; anonymisation where possible; pseudonymisation where possible.
For more information, see Canva’s Privacy Policy: https://www.canva.com/policies/privacy-policy/