Privacy Policy

Who we are

Our website address is: https://c-p-associates.co.uk

See here for terms and conditions about the use of our website and services.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Data submitted through our contact forms is held for the purposes of replies to the enquiry only. We do not use this information for any other purpose or sell/give this information to a third party, except where required to do so by law.

Subscriptions

Where you sign up to any of our free subscription services, you agree for us to store your details for recurring emails. We may also send out occasional review emails asking for feedback on the service.
These emails will solely be generated by us and your details will not be passed to a third party except with the sole purpose of transmitting our emails to you.
You may unsubscribe using links in any of the emails we send to you either from the specific emails you are receiving, or from this and any future emails from our system. In either case we will retain a record of your request and your email address will remain on file to enable the block, but other personal information will be removed when fully unsubscribing.
Once unsubscribed, you may still receive further emails if already queued for dispatch.

Memberships

When you sign up to any of our paid membership services you agree for us to store your details to enable account management and any subscription based services offered as part of the membership. Your payment details are not stored on our systems and are processed only by our chosen payment processor.
Your membership may entitle you to receive regular emails from us and these shall abide by the same rules as for free subscriptions. We may also send out member notifications relating to new or changed services that may affect your membership.

Cookies

If you leave a comment on our site we will store a cookie retaining your details for up to 2 months. These are for your convenience so that you do not have to fill in your details again when you leave another comment. 

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

We may store other cookies to provide functional operation on the site. We do not store cookies for marketing, but we may store tracking cookies to monitor site usage and check for site misuse. This data will be anonymised except where a breach of site security is detected.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

We may use analytics to view traffic flow on our site and to improve operations. All data is anonymised and is used for traffic counts and not user tracking.

Payment Data

We do not store or process cardholder data on our systems. We do share certain personal data with the payment processor for the purpose of providing services; all cardholder data is processed through the payment processor, whom we believe to be PCI DSS compliant. Any information we receive from the payment processor to manage recurring subscriptions is limited to a secure payment ID that is linked to your account at each end, and information about the nature of the transaction so we can enact account maintenance.

Who we share your data with

We do not share your data explicitly with any third party except:

  • to provide email services where you have explicitly consented by sign up, or

  • for where required to comply with law enforcement, or

  • to provide a connection to any paid service through our preferred payment processor, or

  • to provide security checking of comments and unauthorised actions on our site.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Where our email system detects no activity from a subscriber for a long period, the email address may be automatically suppressed to avoid mail reputation issues. For paid members we will terminate the membership if we are unable to reach the user within ninety (90) days of detecting an inactive account, having made at least ten (10) attempts within that time to all methods on file. Inactive accounts will be removed within ninety (90) days of suppression/termination.

If you are detected by our security systems as misusing the comments, or other areas being checked, we may record a permanent block on your IP address. This will not be purged. Temporary blocks and non-malicious data is retained for up to 30 days. Backups may contain copies of this data for up to 3 months.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Any removal request shall also instruct us to check any third party systems to remove any linked data that may remain. Where non-automated removals are required we shall have thirty (30) days to process the removal, or as defined in the current UK GDPR regulations.

Where we send your data

Visitor comments, searches and form submissions may be checked through an automated spam detection service. Data, including IP, geographical information, page URL, email address, message content are transmitted for the purposes of spam reputation checking. Where the content is deemed valid, user information and message content are removed from the stored records. Information is held for up to 31 days in either case.
Emails are submitted through the MailChimp service. Their privacy policy can be found here https://mailchimp.com/legal/privacy/

Additional information

How we protect your data

Access to the administrative area of this site is limited to the site owners for site operation and to the website administrator for technical issues and amendments. Where we grant other parties access they will be restricted to only necessary functions, and will only be granted access to user data if explicitly required for their role.

All admin level access is subject to strong username and password enforcement as well as multi-factor authentication, and the site itself is protected by SSL certificate.

The web server is housed in a secure data center in the UK and remote access is protected by multi-factor authentication and strong encryption certificates and IP address limitations were possible. All backups are held off-site and subject to the same level of security for access.

The site is monitored for unauthorised access attempts, and alerts are sent to the site owner and website administrator if attempts are detected. The site is regularly checked for security updates and routinely scanned for unauthorised content.

All personal data is stored on encrypted drives, and key information in the database is also separately encrypted to protect against data mining attacks.

What data breach procedures we have in place

Where we detect or receive reports of a potential data breach, we have the following process in place:

  • Apply a site-wide lock down of all accounts, with the exception of the key administration account needed

  • Reset all administrative level passwords

  • Ascertain the nature of the breach from logs, and determine what information may have been compromised

  • Determine whether the nature of the breach may contain data necessary to report the breach to the ICO – such determination will be made within 72 hours of the breach and reported to the ICO as soon as feasibly possible after this point

  • Determine whether the nature of the breach may require notification to any or all registered users and send such notification within 48 hours of the breach. This shall be done in all cases where email addresses or passwords may have been compromised

  • Determine whether the nature of the breach may require notification to law enforcement

  • Reset all backup passwords

  • Reset user level passwords / 2FA settings where necessary

  • Re-encrypt all data where applicable

  • Comply with ICO and Law enforcement actions where necessary

What third parties we receive data from

All data is taken from submissions to the site or via subscription forms only and we do not import data from third party lists

What automated decision making and/or profiling we do with user data

Data may be analysed to look for traffic patterns to aid site improvements, and may be analysed automatically by our security detection systems to protect the site. We may use segmentation of existing subscriber lists based on account status or account type. We may use segmentation to provide special offers to specific member types. We do not apply targeting based on race, gender, age or any other personal attributes that may have been identified. Where possible we avoid capturing any personal information not related to account operation.

Document History

January 2021 – Initial draft for release

February 2021 – Addition of payment processor data ahead of planned changes

March 2021 – Amendments to data retention, automated descision making, cookies in relation to new plugins. Wording changes to Third party data receipt and data sharing for clarification. Membership and Subscriptions updated to allow review and notification emails as not explicitly allowed.

June 2021 – Amendments to Who we share your data with, What rights you have over your data, Where we send your data and What automated decision making and/or profiling we do with user data sections due to changes in services used to process email. As some of the these are now generated and sent externally, wording has been updated to reflect the changes. Some minor wording changes to other areas for clarity, with no change in meaning.