Privacy Notice
Who we are
We are Equin Limited, established 2007. Equin Limited is the provider of Insight, a Software as a Service product.
Company Number: 06347232
ICO data protection reference: Z1904040
Name of Data Protection Officer (DPO): Michael Cooper
Email address of DPO: [email protected]
Telephone Number: 020 3393 4005
Postal Address: Unit 6482, PO Box 6945, London, W1A 6US
Registered Office Address: Unit G Pattern Shop, Trevoarn, Hayle, Cornwall, TR27 4EZ
Insight’s Purpose
Insight is an online assessment tracking tool. Since 2007, Insight has enabled schools to record staff, pupil and assessment data for the purpose of attainment and progress monitoring.
Our Data Protection Philosophy
As a school, you are the Data Controller in respect of the personal data you store on Insight, and Equin Limited is the Data Processor. We collect personal information as a Data Controller as well, in order to operate our business.
Your data is yours. At all times we aim to respect any personal data you share with us, or that we receive from other organisations, and keep it safe.
We never sell personal information, and we’re committed to treating your data only in ways you’d expect. When we use third parties to help us deliver our services and products, we take care to ensure those third parties are equally committed to safeguarding your privacy.
We aim at all times to promote a positive culture around data protection and security. Our policies and processes are under constant review.
About this Privacy Notice
This Privacy Notice (“Notice”), together with our Terms of Service and any other documents referred to within, sets out our data collection and processing practices and your options regarding the ways in which your personal information is used. It applies to information we collect about:
- Visitors to our website at https://www.insighttracking.com/;
- People who enquire about Insight;
- People who use Insight;
- People who book training or consultation calls related to the use of Insight;
- People who attend webinars hosted by Insight.
From time to time, Equin Limited may develop new products or offer additional services and may update this Notice accordingly. If we need to make changes to how we process and use your personal information, we will update this Notice and keep you informed where appropriate.
Visitors to our Website
We use Google Analytics, a third party service, to monitor anonymised data about visitors to https://www.insighttracking.com. This helps us understand how visitors find and use our website, in order to make improvements to how we deliver Insight in line with our purpose defined above, and to assess the effectiveness of our marketing. This information is only processed in a way which does not identify anyone.
Use of Cookies
Please refer to our Cookies Policy for information on how we use cookies.
Information we collect as a Data Controller
We collect certain personal information in our capacity as a Data Controller, in order to run our business. We collect information:
1. When you give it to us directly
When you get in touch with us, for example to make an enquiry about Insight, start a free trial, open an Insight account or seek support, we store personal information which may include your name, phone number and email address. Your means of contacting us may be via email, telephone, post or through an online social media service such as Twitter or Facebook.
We may also collect non-personally identifiable information about you, your school, and any trusts or other groups that your school may belong to. This may include your position at your school, the school’s and/or trust’s name, contact and DfE details. Non-personally identifiable information by itself cannot be used to identify or contact you. However, this information may be combined with other identifiers in a way that enables you to be identified.
Purpose: We use this information to address and keep track of enquiries about Insight, administer Insight accounts and free trials, and to deliver ongoing support to customers in a timely and effective manner, in line with our general purpose outlined above.
Lawful basis for processing: “Contract”. This processing is necessary for us to deliver our contracts with the schools and trusts who use Insight, or to take the required steps to address enquiries prior to entering into a contract.
Purpose: We use basic information to book individuals onto webinars hosted by Insight. These may be sessions dedicated to exploring the use of Insight, or may include more broad exploration of the use of assessment data.
Lawful basis for processing: “Consent”. Your express consent to use your information is required to make a booking. This will be collected through the Third Parties 10to8 and/or Zoom.
Right to Withdraw Consent: You have a right to withdraw your consent for us to use information collected in this way for this purpose and can do so by emailing [email protected].
Purpose: We may occasionally use this information for direct marketing purposes, to let you know about new products, tools and services we offer, where these are similar in scope to those of our products, tools and services you currently use. Any such contact will be made in line with applicable law, including the Privacy and Electronic Communications Regulations (PECR), and in line with our general purpose outlined above.
Lawful basis for processing: “Legitimate Interests”. This processing is necessary as part of our efforts to grow our business. We take the same care over personal information collected this way as over any personal information we store. If we do contact you, we’ll always give you an upfront opportunity to opt out from future contact.
Right to Object: You have the right to object to the processing of your personal information collected under this lawful basis. Please see the ICO’s guidance for more information.
Retention: We retain personal information collected this way for up to 12 months following any enquiries, or for as long as your school is a customer of or has a free trial of Insight, or indefinitely as required to keep track of requests not to be contacted. After an Insight account is closed we retain personal information where reasonably necessary to resolve disputes, enforce our Terms of Service, meet regulatory requirements, maintain security, prevent fraud and abuse, or comply with our legal obligations (including law enforcement requests). Where none of these obligations apply, your personal information will be deleted within 12 months of your account being closed. Non-personally identifiable information about you, your school, and any trusts or other groups that your school may belong to may be retained indefinitely.
2. When it is available publicly
We may collect publicly available information about you and your school which is available from external sources, including the government’s Get Information About Schools service and school or trust websites. Personal information collected this way may include your name, phone number and email address. This may be combined with non-personally identifiable information about you, your school, and any trusts or other groups that your school may belong to, including your position at your school, the school’s and/or trust’s name, contact and DfE details.
Purpose: We use this information for direct marketing purposes, in order to keep track of people and organisations who may be interested in Insight, and to contact people and organisations where appropriate in line with applicable law, including the Privacy and Electronic Communications Regulations (PECR), and in line with our general purpose outlined above.
Lawful basis for processing: “Legitimate Interests”. This processing is necessary as part of our efforts to grow our business. We take the same care over personal information collected this way as over any personal information we store. If we do contact you, we’ll always give you an upfront opportunity to opt out.
Right to Object: You have the right to object to the processing of your personal information collected under this lawful basis. Please see the ICO’s guidance for more information.
Retention: We retain personal information collected this way for up to 12 months following any contact, or for as long as your school is a customer of or has a free trial of Insight, or indefinitely as required to keep track of requests not to be contacted. Non-personally identifiable information about you, your school, and any trusts or other groups that your school may belong to may be retained indefinitely.
Information we collect as a Data Processor
When you use Insight, either as a customer or during a free trial period, you are the Data Controller in respect of any data you store in Insight (“Customer Data”). Our Terms of Service (“Agreement”) constitute a written contract between us which allows us to act as your Data Processor in compliance with the General Data Protection Regulation (GDPR). The Agreement contains the specific information you need to know about:
- What personal information can be processed in Insight;
- How and where we store that personal information;
- Which sub-processors we use to deliver Insight.
Sharing and Access to Personal Information
Sub-processors
We use carefully selected processors and sub-processors to deliver Insight and to operate our business. These third parties supply the infrastructure, storage and associated services necessary for us to provide Insight. We have entered into GDPR-compliant, written contracts with all of our processors and sub-processors. Where our use of these third parties entails the transfer of personal information outside the European Economic Area (“EEA”) to the United States, we have ensured that the contracts are safeguarded by ICO approved Standard Contractual Clauses.
You can see the specific sub-processors used for the purpose of processing your Customer Data in the Terms of Service. Where we see a need to add a new sub-processor to those specified, we will first notify you in writing (by email) to explain our purposes, and you will have the opportunity to object.
We may use additional processors to process data in our capacity as a Data Controller.
Your Authorised Users
Any employees, agents and independent contractors that you add to your Insight staff list will have access to your Customer Data (“Authorised Users”), as described in our Terms of Service. It is your responsibility to maintain your list of Authorised Users, for example by removing staff who have left the school. We accept no liability for unauthorised access where Authorised Users have not been removed from your staff list.
Since Insight is an online service accessible via the Internet, Authorised Users may access Insight from outside the UK or EEA. In such cases, a transfer of your Customer Data outside the EEA may be deemed to have occurred. You are responsible for ensuring that Authorised Users access your account in a secure and responsible way.
Our Authorised Company Employees
Authorised employees of Equin Limited may have access to your personal information and Customer Data. This enables us to offer timely, helpful support when you contact us. Company employees are trained to follow our data protection policies at all times and sign strict confidentiality agreements when they join the company. All access to schools’ data by our employees is logged.
Third Parties as Legally Required
We may disclose personal information to third parties in order to:
- comply with any legal obligation
- enforce our Terms of Service
- prevent fraud
- resolve disputes
- protect the rights or safety of ourselves or our customers
Third Parties in the Event of a Sale of Business
If Equin Limited or substantially all of its assets are sold, whether through merger, acquisition, bankruptcy, dissolution, reorganisation, or other transaction or proceeding, your personal information may be shared with any acquiring organisation and their representatives, and your personal information and Customer Data may be one of the transferred assets. In this event you will be notified.
Security
Insight is a web-based application, accessible only over a secure (HTTPS) connection. This ensures all data is encrypted while in transit.
As part of our ongoing commitment to data security, Equin Limited have achieved Cyber Essentials Plus certification.
Insight’s primary infrastructure and your Customer Data is hosted on Amazon Web Services, Inc. (“AWS”), a global leader in Infrastructure as a Service (“IaaS”). We use AWS’s data centre in London, ensuring that sensitive data remains stored within the UK.
Insight’s primary server is replicated to a secondary database and is backed up daily to prevent data loss. Backups are securely stored in a separate location and are also password-protected.
Amazon take physical and network security seriously. Their data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff, video surveillance, intrusion detection systems, and other electronic means. Access to their data centre floors requires two-factor authentication a minimum of two times. Our system access to the database is via a secure, password-protected connection.
Amazon maintain multiple certifications for their data centres, including ISO 27001 compliance, PCI Certification, and SOC reports. Their reports can be found on the AWS Compliance website and you can read more about the specifics of their approach at https://aws.amazon.com/security/.
As part of the Insight setup process, or by prior agreement to assist you in your ongoing use of Insight, you may choose to send us any Customer Data you’d like us to transfer into Insight on your behalf. You can send us data directly through Insight to ensure the highest levels of security. Please do not send sensitive data as email attachments. When you send us data through Insight, the documents you upload are stored on our main servers within AWS. Authorised company employees may access this data for processing. Files we’re actively working on are stored temporarily on secure devices, for the duration of being processed.
As described in our Terms of Service, schools must provide each of their Authorised Users with their own access to Insight via an email address and password. Commonly used passwords which are known to have been previously leaked will be refused, to help ensure that secure passwords are chosen. Passwords are stored in a hashed form. We cannot view your password. If you need to reset it, you will need to follow the password reset procedure. We do not force you to change your password on a regular basis, following guidance from the National Cyber Security Centre.
We will maintain strict procedures and take all reasonable steps to protect your personal information. That said, the transmission of information via the Internet is not completely secure and so we cannot absolutely guarantee the security of Customer Data inputted to Insight. Any inputting of Customer Data is at your own risk.
Changes to this Privacy Notice
We reserve the right to change this Notice from time to time as we add new services or features or in response to changes in the law or our commercial arrangements.
29 October 2020: This Notice was updated to reflect a change in our registered office address; refine the scope of the Notice; include information about data collected for the new purpose of delivering webinars; and include updated information about the EU-US Privacy Shield now that it has been deemed invalid.
3 March 2022: This Notice was updated to reflect a change in location of data centre from Ireland to London. References to the EU-US Privacy Shield have been replaced by ICO approved Standard Contractual Clauses. Added Cyber Essentials Plus certification statement.
Removed the purpose and legal basis for processing sections under “Information we collect as a Data Processor”. This was not needed, since as your Data Processor we do not determine the purpose or legal basis for the data you collect. We’ve also removed the retention information there, since that is covered in the Terms.
Questions
If you have any questions about this Notice, or require any further information, please contact our Data Protection Officer via email at [email protected].