Privacy Policy

At MAXX Design we take your privacy seriously and this privacy statement explains what personal data or information we collect from you and from people who visit our website and how we use it.  We would encourage you to read the information below.

Who are we?

MAXX Design is a registered company (03071832) and our registered office address is: 2 Toomers Wharf, Canal Walk, Newbury, Berkshire, RG14 1DY. MAXX Design is a registered data controller (ICO registration number Z8314696).

What personal data or information do we collect?

We may collect personal data about clients, prospective clients, job applicants, our current and former employees, and suppliers.  The personal information we collect may include your name, address, email address, IP address, and information regarding what pages you access on this website and when.

How do we collect data or information from you?

We collect personal information about you when you:

  • Make an enquiry via our website or via the telephone
  • Use our website
  • Enquire about a job opportunity
  • Work for or with the business
  • Become a client and work with us
  • Exchange business cards with a member of the business

How is your information used?

We collect your personal data or information to operate the business effectively and provide you with a high-quality service.  We may use your information:

  • To deliver marketing services to you.
  • To answer enquiries that you make prior to any agreement or contract.
  • To keep you informed about our services, our insight into industry trends and best practice, and invites to events, if you have opted-in to receive these communications.
  • To process a job application
  • To fulfil our obligations as an employer
  • To provide benefits to you as an employee
  • To work with you as a supplier to our business
  • To maintain security of our office and IT infrastructure
  • To invoice you, and to track payments you make or payments made to you

We believe that all these purposes are justified on the basis of our legitimate interests in running and promoting the business, our contractual requirements to deliver the agreed services, and our legal obligations, both as a business and responsible employer.   The exception is for sending email marketing, which we carry out on the basis of consent.  If you would like to know more, please read below:

Clients

As a client, we will hold the following information about you:

  • Name and business contact information.
  • Information relating to your business activities
  • Company financial details
  • Demographic information such as postcode, preferences and interests
  • Information, photographs, videos and documents relating to the service we are providing, including communications with you.
  • Information about your clients, where we undertake campaigns on your behalf
  • Business Data – google analytics, social media and associated login/passwords where we are managing websites, digital dashboards or social media on your behalf.
  • Billing and payment information.

We store your information in our online CRM, which hosts data on secure servers based in the UK, and on our own secure servers hosted in the UK.  We may also hold paper copies of your information stored in the Newbury Office.  Communications with you will be stored in our email system, which we use G:Suite to manage.

We currently use third-party online tools:

  • Synergist to manage your contact details and the management of the project we have agreed with you. Synergist uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Synergist’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy
  • Dropbox Business to store or share large files with you, which may contain some of your information.  Dropbox Business uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Dropbox’s Privacy Policy
  • Xero to manage billing and payment for our services.  Xero uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Xero’s Privacy Policy

We will retain your details for the duration of our relationship with you, then for 7 years after.  We will retain financial records for 6 years, following the end of the current financial year.

Prospective Clients

As a prospective client, we may hold the following information about you:

  • Name and business contact information.
  • Brief information relating to your enquiry or project
  • Demographic information such as postcode

We store your information in our online CRM, which hosts data on secure servers based in the UK, and on our own secure servers hosted in the UK.  We may also hold paper copies of your information stored in the Newbury Office.  Communications with you will be stored in our email system, which we use G:Suite to manage.

We currently use third-party online tools:

  • Synergist to manage your contact details and the management of the project we have agreed with you. Synergist uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Synergist’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy
  • Dropbox Business to store large files, which may contain some of your information.  Dropbox Business uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Dropbox’s Privacy Policy
  • Hubspot stores prospect information for lead generation and uses servers based in the US, therefore your personal data is transferred outside of the EEA.  Further information is available via their Privacy Policy

Where our relationship with you does not progress beyond the enquiry or proposal stage, we will retain your details for a maximum period of 2 years.

Job Applicants, Our Current and Former Employees

When you apply for a job with us, we may hold the following information about you:

  • Name, date of birth, and contact information.
  • Information relating to your qualifications and experience
  • Demographic information such as postcode
  • References where we take them up
  • Information and documents relating to the review, interview and selection process, including communications with you.

We store your information on our internal systems to help us manage recruitment and on our secure servers based in the UK.  We will also store communications with you relating to the interview process in our email system, which we use G:Suite to manage.

We currently use third-party online tools:

  • Breathe HR to manage contact details and the management of the recruitment process.  Breathe HR uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Breathe HR’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy

We will retain your personal data relating to the review, interview and selection process for a minimum period of 6 months and a maximum period of 1 year after the interview date.

Current and Former Employees

When you work for us, we may hold the following information about you:

  • Name, date of birth, and contact information
  • National insurance number and Unique Tax Reference (UTR)
  • Information relating to your qualifications and experience
  • Demographic information such as postcode
  • Information and documents relating to your performance and supervision as an employee of the business, including communications with you
  • Your photograph, including Passport and Driving Licence
  • Financial information, such as bank details, pension scheme and salary details
  • Information about your next of kin
  • Health information

We store your information in our HR system on their secure servers based in the UK and in hard copy in a secure filing cabinet in the Newbury office.  We will also store communications with you in our email system, which we use G:Suite to manage.

We currently use third-party online tools:

  • Breathe HR to manage your contact details and the management of the recruitment process.  Breathe HR uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Breathe HR’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy
  • Dropbox Business to store files, which may contain some of your information.  Dropbox Business uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Dropbox’s Privacy Policy

We will retain your personal data for the duration of your employment and for a period of 7 years after you leave MAXX Design.  Beyond this point, we only retain minimal information about you to confirm the period of time you were employed by the business for reference purposes.  We share your information with HMRC, and our chosen pension / benefits providers.  Information about Directors of the business will be held indefinitely for historical purposes.

Event Attendees

When you sign up to or join us at an event run by MAXX Design, we may hold the following information about you:

  • Name and business contact information.
  • Information relating to your business activities
  • Demographic information such as postcode, preferences and interests
  • Information relating to you that helps ensure you enjoy the event, such as your dietary or access requirements and including our communications with you.
  • Billing and payment information

We store your information in our online CRM, which hosts data on secure servers based in the UK, and on our own secure servers hosted in the UK.  We may also hold paper copies of your information stored in the Newbury Office.  Communications with you will be stored in our email system, which we use G:Suite to manage.

We currently use third-party online tools:

  • Synergist to manage your contact details and the management of the project we have agreed with you. Synergist uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Synergist’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy
  • Campaign Monitor to send you an invite to the event. Campaign Monitor uses servers that are based in the US therefore personal information is transferred outside of the EEA.  For more information please view Campaign Monitor’s Privacy Policy

We will retain your information for the duration of preparing for and running the event, and for a maximum period of 2 years after the event has taken place.

Subscribers to our e-Newsletter or our Blog

When you sign up to or receive our e-newsletters or subscribe to our blog, we may hold the following information about you:

  • Name and business/personal contact information, including email address.
  • Information relating to your business activities
  • Demographic information such as postcode, preferences and interests

We store your information in our online CRM, which hosts data on secure servers based in the UK, and on our own secure servers hosted in the UK.  We also store your basic information in Campaign Monitor in order to run our campaigns, and any other communications we may have with you will be stored in our email system, which we use G:Suite to manage.

We currently use third-party online tools:

  • Synergist to manage your contact details and the management of the project we have agreed with you. Synergist uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Synergist’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy
  • Campaign Monitor to send you marketing communications. Campaign Monitor uses servers that are based in the US therefore personal information is transferred outside of the EEA.  For more information please view Campaign Monitor’s Privacy Policy

We respect your privacy and will always offer you the opportunity to amend your marketing preferences and give you the choice to opt-out in every email.  If you opt-out of all marketing communications from MAXX Design and we have no other reason to process your personal data, we will only retain minimal information (name and e-mail) on a suppression list to ensure that we do not send you further information.

We review our marketing databases regularly and if we have not heard from you over a 3-year period, we may seek to confirm that you still wish to receive marketing communications from us.

Suppliers

When you work with the business as a supplier, we may hold the following information about you:

  • Name and business contact information.
  • Information relating to your qualifications and experience
  • Demographic information such as postcode
  • Information relating to your business activities
  • Information and documents relating to the services or products you offer, including our communications with you.
  • Financial information

We store your information in our online CRM, which hosts data on secure servers based in the UK, and on our own secure servers hosted in the UK.  We may also hold paper copies of your information stored in the Newbury Office.  Communications with you will be stored in our email system, which we use G:Suite to manage.  We will store your financial information in Xero.

We currently use third-party online tools:

  • Synergist to manage your contact details and the management of the project we have agreed with you. Synergist uses servers that are based in the UK (within the EEA) therefore personal information is not transferred outside of the EEA.  For more information please view Synergist’s privacy policy
  • G:Suite to manage your contact details and our electronic communications with you.  G:Suite uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Google’s Privacy Policy
  • Xero to manage billing and payment for your goods and services.  Xero uses servers that are based in the US, therefore personal information is transferred outside of the EEA.  For more information please view Xero’s Privacy Policy

We will retain your information for the duration of our relationship with you and for 2 years after the last purchase we made with you.

Your Information and rights

Who has access to your information?

We do not sell or rent your personal data or information to any third party or share your information with third parties for their own marketing purposes.

We will disclose your data or information if required by law, for example by a court order or for the prevention of fraud or other crime.

We may pass your information on to third party service providers, agents or subcontractors for the purposes of completing a task or providing services to you on our behalf (e.g. managing email marketing campaigns).  However, we disclose only the personal information necessary to deliver that service and have a contract in place that requires them to keep your information secure and not to use it for other purposes.

Third party service providers who act as data processors on our behalf:

  • Punch provide account-based marketing support to MAXX Design.  They cannot use the personal data we share with them for their own purposes.
  • Ross Brooke provide accountancy and financial services to MAXX Design. They cannot use the personal data we hold for their own purposes.
  • The m group provide IT Support Services to MAXX Design and at times may be required to access our systems for maintenance, upgrade and support services.  They cannot use the personal data we hold for their own purposes.
  • DesignSheep provide video production and freelance web development services. They cannot use the personal data we hold for their own purposes.
  • Dejac Associates provide computer and technical support to the MAXX infrastructure. They cannot use the personal data we hold for their own purposes.
  • JSM Digital Ltd provide freelance web development services. They cannot use the personal data we hold for their own purposes.

Transfers outside of the European Economic Area

Your personal information in the European Economic Area (EEA) is protected by data protection laws; but other countries do not necessarily protect your personal information in the same way.  The EEA covers all countries in the EU plus Norway, Liechtenstein and Iceland.  MAXX Design uses online tools that host data outside of the EEA.  Prior to selecting such tools, we review their privacy policy and check that the company is signed up to the EU-US Privacy Shield agreement.  Companies who have signed up to this agreement commit to securing personal data in line with EU data protection legislation.

Your rights

You have certain rights over the processing of your personal information by MAXX Design.  These are:

  • The right to be informed, which is what this privacy policy is for
  • The right to access the data we hold about you
  • The right to object to direct marketing
  • The right to object to processing carried out on the basis of legitimate interests
  • The right to erasure (in some circumstances)
  • The right to data portability
  • The right to have your data rectified if it is inaccurate
  • The right to have your data restricted or blocked from processing

We ask for your consent to send you direct marketing information, and will always provide you with the opportunity to amend your preferences or to opt-out of receiving future marketing communications from us.

How you can update your information

The accuracy of your information is important to us.  If you change your contact details or if you want to update any of the information we hold on you, please email us at: [email protected] or write to us by post at: 2 Toomers Wharf, Canal Walk, Newbury, RG14 1DY.

How you can access your personal information

You have the right to ask for a copy of the personal information MAXX Design hold relating to you. To do this, please contact [email protected] or write to us by post at: Data Protection Manager, 2 Toomers Wharf, Canal Walk, Newbury, RG14 1DY.

You also have the right to lodge a complaint about our processing of your personal data with the UK’s Information Commissioner’s Office.

Keeping your data secure

When you give us personal information we take steps to ensure that it’s treated securely and strive to protect it on our internal systems.

MAXX data is primarily stored in the UK. Off-site backups are taken at regular intervals but are kept for no more than 90 days; these are kept within the EU. Remote staff who may not reside in the EU will have access to MAXX data; however, no permanent copies of the data are taken by staff outside of the EU. Any data removed from the EU is held for the minimum time required to resolve an operational issue and is then deleted.

People who can access MAXX services and data:

  • MAXX employees, appointed and vetted by MAXX
  • The m group employees, appointed and vetted by the m group (the m group has a contractual, GDPR compliant SLA with MAXX)
  • Rackspace service employees when specifically requested by the m group (Rackspace has a contractual, GDPR compliant SLA with the m group)
  • Additional partial access to the physical hardware and encrypted data in transit is granted to:
    • Rackspace, physical hardware and network access, Rackspace services execute the code written by MAXX
    • EU backup providers, physical hardware and network access
    • Additional GDPR compliant hosting related services under contractual agreement with the m group (for example, CloudFlare and mailgun)

Our hosting providers store MAXX project data, and produce and keep rotational off-site backups for no more than 90 days. We secure the hardware with various leading technological measures, such as keeping it patched at all times and running automated scans for vulnerabilities, intrusions or unauthorised modifications. All sites also have web application level firewalls to block external attacks via CloudFlare. If we receive a specific request to delete an individual’s personal data we will remove the information if appropriate. Our backup cycles are 90 days, so the individual’s details will be fully purged from our system after the 90 days have expired.

Contacting us via email

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government standards. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Visitors to our Website

Use of Cookies by this website

Our website uses a content management system to allow us to update content and images. Our site is hosted at Rackspace in London and uses Cloudflare to provide a secure barrier that provides complete DDoS protection. The hosting is run by an infrastructure management company called M Group, contracted by Maxx Design Ltd to manage the servers and their operation.

We use Google Analytics to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. The User and Event Data Retention within Google Analytics is set to ‘Do Not Automatically Expire’. Google Analytics data will be stored indefinitely, subject to acceptance and interaction of Google Analytics cookies.

Google Analytics

Cookie Names:

_ga, _gid, AMP_TOKEN, _Gac_<property-id>, _utma, _utmt, _utmb, _utmc, _utmz, _utmv

Purpose:

These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information including IP address, the number of visitors to the site, where visitors have come to the site from and the pages they visited.

More Information:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Cloudflare

Cookie Names:

_cfduid

Purpose:

The _cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis

More Information:

https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-Cloudflare-cfduid-cookie-do-

YouTube

Cookie Names:

APISID, HSID, LOGIN_INFO, PREF, SAPISID, SID, SSID, VISITOR_INFO1_LIVE, YSC

Purpose:

Google set a number of cookies on any page that includes a YouTube video. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of YouTube users, including information that links your visits to our website with your Google account if you are signed in to one.

More Information:

https://www.youtube.com/static?template=privacy_guidelines&gl=GB

Hotjar

Cookie Names:

_hjIncludedInSample

Purpose:

Hotjar cookie. This session cookie is set to let Hotjar know whether that visitor is included in the sample that is used to generate funnels.

More Information:

https://www.hotjar.com/legal/policies/privacy

LinkedIn

Cookie Names:

BizoID, UserMatchHistory, Bcookie, Lang, lidc

Purpose:

Deliver personalised ads to your LinkedIn account

More Information:

https://www.linkedin.com/legal/privacy-policy

CommuniGator

Cookie Names:

Wow.anonymousID, Wow.schedule, Wow.session, Wow.utmvalues

Purpose:

The cookie tracks company IPs, website history and additional contact info which is provided from a variety of data sources.

More Information:

https://www.communigator.co.uk/privacy-policy/

Facebook

Cookie Names:

Numerous Cookies

Purpose:

Used for authentication, security, advertising, analytics and measurement

More Information:

https://www.facebook.com/about/privacy/update

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help us analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for our website operators and providing other services relating to website activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this you may not be able to use the full functionality of this website.

To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout

Our website works better with cookies enabled. Our cookies don’t give us, or anyone else, access to your personal data. We advise you to keep cookies enabled. However, you can choose to reject cookies. There are instructions on how to delete cookies (http://www.aboutcookies.org.uk/managing-cookies) on the ‘About Cookies’ website.

For more information about how Maxx Design Ltd processes data, please view their Privacy Policy (https://www.maxx-design.co.uk/privacy-policy). For more information about how Cloudflare processes data please view their Privacy Policy (https://www.cloudflare.com/security-policy/).

Hotjar

We use Hotjar to understand how you use our website and make improvements. Hotjar may collect and process information which is automatically and passively collected whilst you navigate through and interact with the content on our website, together with information on your device or computer (such as cookies). The sole purpose of passively collecting your information is to improve your experience when using our website.

Through the Hotjar code embedded on our website, the information collected and processed includes:

Device-specific data

The following information may be collected related to Your device and browser:

  • device’s IP address (captured and stored in an anonymized format);
  • device screen resolution;
  • device type (unique device identifiers), operating system, and browser type;
  • geographic location (country only);
  • preferred language used to display the Hotjar Enabled Site.

User interactions

  • Mouse events (movements, location and clicks)
  • Keypresses

Log data

For a sampling of visitors, Hotjar’s servers automatically record information which is collected from our website and Hotjar’s website. This data includes:

  • referring URL and domain;
  • pages visited;
  • geographic location (country only);
  • preferred language used to display the webpage;
  • date and time when website pages were accessed.

Cookies

Our website uses the Hotjar cookies identified above to collect non-personal information including standard internet log information and details of your behavioural patterns upon visiting our site.  This is done to enable us to provide visitors to our website with a better experience, identify preferences, diagnose technical problems, analyse trends and generally to help improve our website.

GatorLeads Cookies (CommuniGator)

We use GatorLeads, which is a tool that identifies the business or organisation that website visitors belong to, based on a reverse IP Lookup.  GatorLeads also use cookies to process this identification, and personal information about individual users is stored. Cookies used by GatorLeads store information about your current web browsing session (pages viewed, time on site etc) and the dates and times of previous website visits.

We use this information to profile website visitors, in order to better understand the way in which our website content is viewed by different segments.

Facebook

We use Facebook on our website to enable us to track activity on the website and send relevant marketing communications. Facebook uses the data to record demographic information, for example, location, age, job, data you have made available on your profile.

Links to other websites

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.

More questions?

To contact MAXX Design with a data protection query regarding the processing of your personal data, please email [email protected]

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 03/05/2018.