Privacy and Cookie Policy

Who we are

We are Fraction 7, Limited (company number 10638447), the parent company, developers, managers and owners of Community Box. Our registered offices are at 8 Glantraeth Estate, Valley, Holyhead, Wales, LL65 3AN. We enable clients to drop beautiful directories into their existing websites.

For the purposes of data protection legislation:

• We are a Tier 1 registered organisation with the Information Commissioner’s Office. Our registration number is ZB181504

• To the extent that EU and UK Privacy Laws apply to our handling of information about you, Community Box is a “data controller”.

• To the extent that the California Consumer Privacy Act applies to our handling of information about you, Community Box is a “business”

• To the extent that EU and UK Privacy Laws apply to our handling of your Profile or your Members’ Profile data, Community Box is a “data processor” or a “data sub-processor”

• To the extent that the California Consumer Privacy Act applies to our handling of information about your Profile or your Members’ Profile data, Community Box is a “service provider”

Definitions

In this document the following terms are used:

• Visitors: people who visit your website, and interact with the Community Box directory that you have embedded thereupon

• Members: people who have ownership of, or manage, one or more profiles in your directory

• Functionality: the totality of the features offered by Community Box, including but not limited to, the ability to embed one or more user-driven directories on your website

• EEA: the European Economic Area

• SOC: System and Organization Controls, as defined by the American Institute of Certified Public Accountants

• HIPAA: Health Insurance Portability and Accountability Act of 1996

• NIST: National Institute of Standards and Technology

• FedRAMP: Federal Risk and Authorization Management Program

Consent

In plain English: You don’t have to share your data with us, but without sharing it, we cannot provide you with the Functionality.

Providing us with personal data is purely consensual. You are not obligated under any laws to provide us with any personal data, but without providing such personal data, we cannot provide you with the Functionality.

This privacy notice applies to personal information we collect about you when you interact with us (for example when you use our website or platform). It sets out:

• what information we collect, and from whom;

• how we use that information;

• how long we keep your information;

• whom we share your information with;

• how your information is protected;

• your rights in relation to the information we hold about you.

We keep our privacy notice under regular review, and we encourage you to periodically review this page for the latest information on our privacy practices. Any material changes will be notified to you by updating them on our website, together with any such other methods as may be appropriate.

This Privacy Policy also extends to data which may be provided to us by our clients and other parties who may provide us with data, or access to data, from time to time, in the course of dealing with that party.

Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, or because you have consented to our use of your personal data, or because it is in our legitimate interests. Specifically, we may use, and you consent to us using, your data for the following purposes:

• providing and managing your access to our platform & website

• personalising and tailoring your experience on our platform & website

• providing you with cost guidance about our Functionality and/or goods

• providing you with other information about our Functionality and/or goods

• supplying our Functionality and/or goods to you, which may include:

o access to the Community Box Platform

o IT support for your use of Community Box's Platform.

• communicating online, through social media, by post, email or telephone or by any other means, with you;

• providing you with newsletters and other material, which may include marketing material, relevant to our Functionality and/or goods, by email or other means (provided that you may unsubscribe or opt-out at any time, and where practicable, we will include a link to facilitate that);

• analysing your use of our website & platform to enable us to improve our website & platform and your user experience.

What information does Community Box collect?

Information you provide to us voluntarily

You may give us your personal information when you:

• sign up for a Community Box account

• upgrade to a paid Community Box plan

• interact with our Customer Support team

• opt-in to receive emails from us

• use, or provide a comment on, our websites

• correspond with or contact us

• interact with us on social media platforms

• sign up to one of our newsletters or other communications

• otherwise interact with us or provide information to a third party to be referred to us

Where we request information from you, we will collect the information set out in the relevant forms or pages. You may choose to provide additional information to us when you contact us or otherwise interact with us or provide information to a third party to be referred to us.

Information we collect automatically

We, or the companies that work on our behalf, or any 3rd-party sub-processors, collect data related to visitors to our websites automatically, including what pages you have viewed, for how long and your website journey. We may also collect data relating to your usage of the dashboard, and relating to how your members make use of the embedded Community Box directory. We do so in order to:

• improve the quality of the service

• detect and quickly respond to any bugs, crashes or other service degradations

• collect usage data for you to access, to help you monitor how visitors to your directory are interacting with the directory

Information is also collected about how you arrived at our websites in the first place, including what links or adverts of ours you have viewed or clicked on to reach us, or any search terms you have used. Where you see an advert for us outside of our websites, for example on social media, we will place a cookie on your browser so that, when you access our websites, we recognise that you have seen an advert of ours elsewhere. Information collected automatically using cookies or other tracking technologies includes your IP address. We may also place cookies on your browser to make it easier for you to login, and to allow our Customer Support team to respond more quickly to your queries. We may also place cookies on your Members’ and Visitors’ devices as and when they access your embedded directory, to make logging in easier for them and to make it easier for us to assist you with any support requests that you get from your Members and Visitors.

Information which is available publicly

Your personal information may be available to us from external publicly available sources: for example, geo-demographic information and information from public registers such as listed directorships, information from the electoral roll and press reports, or social media.

What types of data does Community Box process?

We collect, store and use the following types of data:

• your name, email address and postal address

• details about your Community Box account

• information you provide on other individuals

• correspondence you have had with us

• information about your computer/mobile device and your visits to and use of our websites

• details about you that are stored in documents in different formats, or copies of them

• any other information shared with us as described in Section 1 above.

How does Community Box use my data, and on what legal basis?

The following sections describe in more detail how Community Box may use your information, and in particular the legal grounds on which we rely in doing so.

What we use your personal information for

We use the information collected for a number of purposes, including:

• to verify and manage your account

• to provide you with technical and account-related support

• to make and manage payments

• to manage our relationship and communicate with you

• to respond to complaints and seek to resolve them

• to enhance your online experience

• to better understand our account holders and supporters in general

• to respond to individual experiences shared with us and for editorial content

• to understand your website journey, including what pages you have viewed and for how long

• to improve the effectiveness of our advertising campaigns

• to administer and keep safe and secure our websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes

• to train our staff and measure the quality of the service we give you

• to obey laws and regulations that apply to us

The legal grounds we rely on to process your information

The legal grounds on which we rely are:

• to fulfil our contractual obligations (for example in order to provide Functionality requested by account holders and to contact you if a problem arises with them);

• to pursue our legitimate interests (for example to facilitate your use of our websites, or for marketing);

• your consent; and / or

• to fulfil a legal duty

Legitimate interests

When we rely on our legitimate interests, these are as follows:

• keeping our records up to date

• charging for Community Box accounts

• developing our account offers

• marketing our products and Functionality

• administering our websites and keeping them safe and secure

• ensuring that content is presented in the most effective manner for you and your devices

• facilitating your use of our websites and platform

• measuring the use of our platform & websites and improving their content and accessibility

• tailoring content and our communications so that they are most relevant to you;

• complying with legal and/or regulatory requirements

• identifying trends in customer/client behaviour

• informing and generating content

Handling and Security of your data

Community Box processes data in data centres based in the EEA and the United States of America (for information about the legal framework applying to data transfers from the EEA to the United States please see section 6), as well as in the cloud.

Where SOC and HIPAA compliance is relevant, these data centres are SOC 2 Type II and HIPAA certified.

Where HIPAA compliance is not relevant (for cloud processing, for example), the cloud providers are FedRAMP and NIST 800-53 compliant; these regulations map onto HIPAA for the purposes of cloud processing.

The data centres and cloud processing functionality are operated by Amazon Web Services and UpCloud.

Who does Community Box share my information with?

Day-to-day

To help us provide the Service and to pursue our legitimate interests, we share your personal information with the third parties listed below, who provide functionality to Community Box or who act on our behalf for purposes such as payment processing or customer support. We do not authorise these companies to use or disclose your personal information except for the purpose of providing the service we request of them. Community Box is based in the United Kingdom, but some third-party data processors are based outside of the European Economic Area (EEA).

Help Scout

We use Help Scout to handle customer support and problem resolution. Most interactions you make with us will likely be handled by, and stored in, Help Scout. You can read Help Scout’s Privacy Policy here: https://www.helpscout.com/company/legal/privacy/

Zoom

We use Zoom for customer calls and webinars. You can read Zoom’s Privacy Policy here: https://explore.zoom.us/en/privacy/

Google Calendar

We use Google Calendar to schedule calls and meetings with our customers. You can read Google’s Privacy Policy here: https://policies.google.com/privacy?hl=en-US

Google Mail

We use Google Mail to handle some email correspondence with our customers, consultants and suppliers. You can read the Google Mail Privacy Policy here: https://policies.google.com/privacy?hl=en-US

Amazon Web Services

We use Amazon Web Services to perform cloud-based processing as part of providing the core functionality of Community Box. You can read the Amazon Web Services Privacy Policy here: https://aws.amazon.com/privacy/

PostMark

We use PostMark to handle service-based email interaction with you (for example, to notify you of new profiles being added) and with your members (for example, if one of your members requests a password-reset link, which will be sent to them by email). You can read the PostMark Privacy Policy here: https://wildbit.com/privacy-policy

Mapbox

We use Mapbox to provide mapping and geocoding functionality, as part of the normal operation of Community Box. You can read the Mapbox Privacy Policy here: https://www.mapbox.com/legal/privacy

Google Maps

Although we no longer use Google Maps, some legacy customers are still using Google Maps as their mapping solution. For those customers, you can read the Google Maps Privacy Policy here: https://policies.google.com/privacy?hl=en-US

Stripe

We use Stripe to handle payment processing. You can read the Stripe Privacy Policy here: https://stripe.com/en-gb/privacy-center/legal

Other circumstances in which we will disclose your information

We will disclose your information to local and foreign regulators, governments, law enforcement authorities, advisors, courts, tribunals and arbitrators when we have a legal obligation to do so or when we believe our compliance with the request to be fair, reasonable and lawful, e.g. to detect, prevent or investigate security breaches, fraud or other crimes.

We will also disclose your information to establish, exercise or defend legal claims, for example: (i) to enforce our Terms and Conditions; (ii) to ensure the safety and security of our users, consumers and third parties; and (iii) to protect our rights and property and the rights and property of our platform and website visitors, consumers and third parties.

Data transfers outside the European Economic Area

As part of its normal operation, Community Box or its third parties (see section 4) may transfer data about citizens in the EEA to other data centres around the world. Such transfers are regulated by the Standard Contractual Clauses brought into effect by the Commission Implementing Decision C(2021) 3701 and the Commission Implementing Decision C(2021) 3972, of 4th June 2021.

In plain English, these Standard Contractual Clauses declare that, to the extent that it is practical, wherever data belonging to citizens in the EEA flow to non-EEA countries, protection similar to that which applies within the EEA will continue to apply.

For more details about the above, and links to the full text of these SCCs please see the following page: European Commission adopts new tools for safe exchanges (europa.eu).

How long is my information retained?

Whenever we collect or process your personal data, we will only keep information about you for as long as we need to fulfil the purposes for which we are processing your information or for an appropriate retention period thereafter. At the end of that retention period, your data will either be deleted or anonymised. Examples of our retention periods are:

• Where you are a client/customer, we would normally keep your information for the duration of your contract and then a period of up to seven years after you cease being a client/customer.

• Where we need to keep your information for financial reporting obligations, we would normally keep it for seven years from the date of payment.

• Where we need to keep your information relating to complaints you have made, we would normally keep it for seven years from the end of that matter.

• All data pertaining to personal abuse, stalking, and harassment are kept until the legal authorities no longer require it to be kept.

What are my data protection rights?

You have the following rights in relation to your personal data:

• Access: The right to request access to and a copy of your personal information (which can be done by emailing help@communitybox.co);

• Restriction: You can ask us to pause processing your information in certain circumstances (e.g. you are disputing its accuracy);

• Rectification: You can have any inaccuracies in your personal information corrected;

• Deletion/right to be forgotten: You can ask us to delete all your personal information in certain circumstances (e.g. if the information is no longer necessary for the purposes for which it was collected);

• Objection: You can object to us processing your personal information in certain circumstances;

• Objection to marketing: please contact us at help@communitybox.co to opt-out of direct marketing communications;

• Portability: You can ask us to transfer your information electronically to you or another organisation in certain circumstances;

• Withdrawal of consent: Where we rely on your consent to process your information, you can withdraw consent at any time, although this will not affect our uses of your personal information prior to the withdrawal of your consent; and

• To lodge a complaint with the Information Commissioner’s Office (“ICO”) or other relevant supervisory authority: You can complain to the ICO at http://www.ico.org.uk/global/contact-us/email or other relevant supervisory authority about any aspect of our handling of your information.

More information about the right to complain can be found at https://ico.org.uk/for-the-public/. If you have any questions about these rights, or you would like to exercise them, please contact us at help@communitybox.co.

Please be aware that you are under no obligation to provide us with your personal information. However, failure to do so may, in some circumstances, prevent us from being able to provide you with the Functionality of the product, or otherwise interact with you.

When exercising your data protection rights we may ask you to verify your identity in order to help us respond efficiently to your request.

If you would like to exercise any of the above rights, please email us at help@communitybox.co.

All of these rights are free to exercise and we will do our best to respond to you as quickly as possible and in any event, within 72 hours of receipt of your written request. We will inform you within 72 hours of receipt of such a request if we will need longer to respond, for example due to the complexity of the request.

We want to make sure that your personal information is accurate and up to date. Please always let us know at help@communitybox.co if you think that it is not and needs updating.

Third Party Websites and social media

Where we provide links to other websites, we do so for information purposes unless otherwise indicated. The other websites are outside our control and are not covered by this privacy notice. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.

On some pages of our websites, third parties that provide content, applications or plug-ins through our websites may track your use of content, applications and plug-ins or customise content, applications and plug-ins for you. For example, when you share an article using a social media sharing button on our websites (e.g., Facebook or Twitter), the social network that has created the button will record that you have done this.

Use of our website and Functionality by minors

In plain English: We don’t knowingly collect information about children. Furthermore, our Terms and Conditions prohibit Community Box from being used by minors, or used for the purpose of storing information of any kind about minors.

We will not knowingly contact or engage with children under the age of 18. If you have reason to believe that a child under the age of 18 has provided us with their personal data, please contact us, and we will act in accordance with the applicable law.

Updates to this Privacy Policy

Community Box may need to update this Privacy Notice from time to time. You can see when the Privacy Notice was last updated by checking the date at the top of the page. A summary of changes can be found in this section, along with the date they were made.

If we make any updates, such as materially changing how we use your personal data, we will alert you as required by applicable privacy laws.

The privacy policy is reviewed annually in line with our risk assessment and Data Protection Impact Assessments.

What can you do if you are unhappy with the way we have processed your personal data?

You also have a right to lodge a complaint with the supervisory authority for data protection. In the UK this is:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

0303 123 1113 (local rate)

https://ico.org.uk