Privacy Policy
Version 2.3
Introduction and our relationship with you
This Privacy Policy details how Triangle Technology Ltd. uses and protects personal data in the course of our core activities. The policy also outlines the rights data subjects have regarding their data and describes how data subjects can contact the organisation to exercise these rights.
“Personal data” is any information about a living individual which allows them to be identified from that information.
A “data subject” is taken to be any individual whose data is collected, processed or stored by the organisation.
The policy covers data processed by the following apps, websites and services:
- The Migrant Advice Portal (migrantadvice.org) and iOS & Android apps
- Triangle Technology (triangletechnology.co.uk)
- The Step Platform (stepsearch.org) and iOS & Android apps
These entities all have publicly accessible functionality that can be accessed without needing to have a user account or an invitation link. Where a person is accessing these entities within a public-access context, Triangle Technology Ltd. is considered the “data controller” for personal data provided to any of these entities. This means we are responsible for determining what personal data is processed and for what purpose and for securely collecting, storing and processing personal data. Triangle Technology Ltd. will be referred to as “the organisation”, “us” or “we” throughout this policy.
We also licence this software to 3rd party organisations who use the software with their staff, clients, customers or service users. When used within these contexts, we act as the “data processor”, and the “data controller” is the 3rd party organisation who facilitates use of the software.
This policy also covers the processing of personal data within other activities and administrative functions we undertake as part of our company operations.
Triangle Technology Ltd. is committed to processing personal data responsibly, lawfully and securely in accordance with the UK Data Protection Act 2018 (“DPA 2018”) and EU Regulation 2016/679 (the General Data Protection Regulation “GDPR”).
1. Information we process
1.1 Accessing our support tools
Where using our systems to access information, support options or access support services, we may capture any of the following types of information about the person seeking support:
- geolocation, such as co-ordinates, postcode or place boundary
- classifications of support needs, demographic information and circumstances relating to service suitability
- preferences for which types of solution the person would prefer
- name and contact details such as address or postcode, email address and telephone number
All this information will be requested from the person seeking support, or provided by a 3rd party organisation who is supporting them after obtaining consent to do so from that person.
In some situations we may also capture information relating to the immediate family of the person seeking help. Examples of this may include a parent who has challenges raising an autistic child and is seeking support options, or a child who needs help living with a parent’s alcohol problem. It may also be necessary to state family demographic information such as the number of children and their age brackets. In order to protect the data rights of family members, whilst still providing the necessary support to the person seeking help, we ensure the following:
- Data relating to another family member is only captured where it is important to establishing appropriate support options or information for the person seeking help
- Any data relating to that family member is minimized such that we don’t capture any more than is required to assist the person seeking help
During usage of the platform, we may automatically capture information including:
- User interactions, such as the number of clicks and time between those clicks, and use of ‘back’ buttons
- Device information, limited to screen size, browser type and operating system
1.2 Creating and managing a user account
We capture the following information:
- Names
- Email addresses
- Passwords (hashed)
- Communication preferences
1.3 Mapping service provision data
As part of our managed data service, there are situations where we process personal information belonging to the staff of support organisations. This is most likely to occur in the context of micro-charity services and community-led groups where the point of contact is a named person. In such situations we may capture:
- Names
- Contact details
1.4 Interactions with other parties including potential customers, staff, volunteers, job candidates, contractors and suppliers
We may capture any of the following:
- names, titles and aliases
- contact details such as address or postcode, email address and telephone number
- communication preferences
- identification data including date of birth, photograph and identity document number.
- financial information, such as bank account details
- additional personal information for current or future employees, contractors or volunteers within the organisation, relevant to their employment or engagement with the organisation, which may also include details for next of kin and personality assessment classifications
1.4 Interactions with our websites and cookie policy
Cookies are only used where strictly required for the correct functioning of our websites. They are not used to capture or store personal information.
2. How personal data is used
2.1 Accessing our support tools
Any information captured as part of triage, advice tools and referral journeys is used to:
- Identify appropriate information and options for the person seeking help
- To connect individuals requiring help with appropriate support options, such as by sharing of a ‘Help Plan’ or facilitating a booking or referral to the 3rd party service provider
Data captured through this process may (depending on the policy of the organisation using Step) be anonymised and used to:
- Provide data insights and better inform the decision making of service providers, funders, commissioners and researchers
- Help inform improvements to the platform, and assist in identifying bugs and problems
2.2 Creating and managing a user account
The personal data of account holders is used to:
- Enable access to our systems, as part of log-on and password resets
- Identify an individual to assist administrative staff in managing accounts
- Identify an individual to assist in securing our systems against cyber attacks, fraud and unauthorized activity
- Personalise communication within the system
- Inform the account holder of any important service information and updates
2.3 Mapping service provision data
Personal data belonging to 3rd party support service providers may be used to:
- Contact them to verify the information we have mapped about them and their service
- Inform them of how we are using their information and the services we are providing
- Share contact details with people seeking support
2.4 Interactions with other parties including potential customers, staff, volunteers, job candidates, contractors and suppliers
Personal data belonging to other parties may be used for (but not limited to) the following purposes:
- To inform, or engage with, relevant individuals or organisations interested in our services
- To manage customer and partner relationships and projects
- To process payment for services we contract from other individuals or organisations
- To process payments we receive for our services
- To seek views or comments from individuals engaged with our organisation
- To manage and fulfil our obligations to any volunteers, contractors or employees of the organisation
- To meet any relevant statutory and legal obligations
3. How we share personal data
3.1 Facilitating referrals
Where a referral or booking to a third party organisation is made, personal data will be shared with that third party organisation. In this situation, both organisations will have instructed us to undertake this activity, and explicit consent will have been captured from the person seeking support. The organisation receiving the referral or booking will be bound by the terms of this agreement.
3.2 Service Provision Data
In situations where Service Provision Data includes the personal information of a member of staff of that service provider, that information may be shared with other customers using The Platform.
We have mechanisms in place to restrict the scope of sharing of this type of data, in situations where the person whom the data describes makes a request for us to do so, or it can be inferred that the information we have was not intended to be shared without restriction.
At any point where data is shared with a third party, we require them to provide the same or equal protection of personal data as is described in this policy.
4. How we protect personal information
We have put in place technical and organizational measures to protect your information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. However, no method of transmission over the internet, and no means of electronic or physical storage, is absolutely secure, and so we cannot guarantee the security of that information.
Our safeguards include (but are not limited to):
- Adhering to our security policy, which covers both organisational security processes and controls, physical and environmental policies and vendor management
- Implementing encryption in transit and at rest
- Implementing security incident and risk monitoring tools and processes
- Undertaking regular patching and vulnerability scanning
- Implementing a secure software development lifecycle approach to Platform development
- Commissioning annual penetration testing by a qualified third party
5. How we ensure the rights of individuals
Triangle Technology Ltd. will always respect the rights of data subjects regarding personal data collected, processed or stored. We ensure that personal data is processed in accordance with the eight Data Protection Principles set out by the Information Commissioner’s Office.
Data subjects have different rights depending on the lawful basis under which we process the data.
Right to access
Data subjects have the right to ask for a copy of the information held about them (including why we hold the information, who has access to it, and where we obtained it), which is called a “subject access request”.
Right to erasure
Unless we hold data due to legal obligation or on the basis of public interests, data subjects have the right to request that we delete or stop processing their data.
Right to rectification
Data subjects have the right to ask us to change incorrect or incomplete information we hold about them.
Right to restriction of processing
Data subjects have the right to ask us to restrict the way we process their personal data.
Right to object
Data subjects have the right to object to our use of their personal data, which effectively asks us to stop processing their information. Data subjects can’t object to data that is held or processed on the basis of contract, legal obligation or vital interests. While data subjects can’t formally object to data held or processed on the basis of consent, they can withdraw consent at any time.
Right to portability
Data subjects have the right to ask us for a copy of all personal data we hold on them, and to ask us to send it in a structured, easily accessible, machine-readable format, or to ask for this data to be sent directly to another data controller.
Right to lodge a complaint
If you have a complaint that you do not believe we have dealt with appropriately, you have a right to lodge a complaint with the ICO, who are the supervisory body for data protection issues in the UK. You can contact them here: https://ico.org.uk/global/contact-us
Data subjects can make a subject access request or exercise any other rights regarding their personal data by getting in touch via our contact form on our public websites.
As recommended by the ICO, we will process any such request within 30 days, unless we consider the request manifestly unfounded or excessive, in which case we will write to you explaining the situation and the next course of action within the 30-day limit.
Requests can be made via the contact form on our public websites.
6. Our lawful bases for processing personal data
We only collect or process personal data when we have a lawful basis for doing so. The six lawful bases for processing personal data are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public interest
- Legitimate interests
Most of the personal data we collect is processed on the basis of explicit consent – meaning that a person seeking support, potential volunteer, job applicant or other individual explicitly tells us they agree that the organisation will process some of their personal data for a specific, named purpose.
We also process personal data in the context of mapping Service Provision Data on the basis of legitimate interests.
We may also process personal data in order to create contracts or fulfil contractual obligations, or because we have a legal or statutory responsibility to do so. This most often applies to data processed to provide our services to organisations or individuals; to contract the services of others; to fulfil our financial obligations to HMRC and other entities; and to fulfil any employment, health and safety or safeguarding responsibilities we may have.
More rarely, we may need to process personal data based on vital interests or legitimate interests. If we process data on the lawful basis of legitimate interests, we ensure that processing this data is necessary to fulfil our core functions as an organisation, and that this processing does not overly affect the interests, rights and privacy of the person whose data we are processing.
7. Third party services we use
Triangle Technology Ltd. may use third-party services to collect, process and store personal data; or share personal data with trusted third-party services where necessary.
We ensure that any third-party service we work with is GDPR-compliant and committed to data protection. Each third-party service provider’s use of personal data is dictated by their respective privacy policy.
We currently use the following sub-processors:
Amazon Web Services, 410 Terry Avenue North, Seattle, WA 98109-5210
https://aws.amazon.com/privacy/
Digital Ocean, 101 6th Ave New York, NY 10013
https://www.digitalocean.com/legal/privacy-policy
PHD Mail, Unit 1-2 Falcon Close, Burton-on-Trent, Staffordshire, DE14 1SG
https://www.phd-uk.com/privacy-policy/
8. Our use of cookies
Triangle Technology is committed to safe and lawful use of cookies. Cookies are small data files which are placed on your device while you browse the internet which remember your device. Data collected via cookies may include pages viewed and details about your browser or device, but it does not include personal data such as your name or contact details.
Our websites use a very limited number of cookies. These include only strictly necessary cookies (those required for you to experience the full functionality of the sites), and include no personal data nor history of browser activities. As these cookies are required for the site to function, they do not operate on a consent basis.
9. How long we keep data for
Once we no longer have a reason to keep data according to the purposes for which it was stored, we will delete or otherwise irrevocably anonymize the data.
We currently operate a 6-month period for data captured through use of our support tools.
10. Breaches of data security
A personal data breach means that the security of personal data is compromised. This includes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
In the unlikely event that a data breach occurs, Triangle Technology Ltd. will follow GDPR-compliant protocol by implementing a recovery plan, notifying the appropriate authorities and informing any relevant people or organisations.
Contacting us
If you have any questions about this policy, or wish to make a request concerning your personal data, please contact us here.