From the TinCloud

Privacy Notice

Introduction

This notice explains how we will handle and process personal information we obtain about individuals who are our customers (Tin Cloud as 'data controller' under GDPR). It also explains how we process personal data on your behalf (you are 'data controller', Tin Cloud is 'data processor' under GDPR).

Information about the EU General Data Protection Regulation (GDPR) can be found here: eugdpr.org. In the UK, GDPR is upheld by the ICO: ico.org.uk

Aworka (aworka.com) is a cloud based web service developed by us. We use Aworka to process your personal data.

Lawful basis for processing

We process personal data solely for the purpose of managing your subscription to Aworka.

The lawful basis for us to process your personal information is by written contract. By signing up for an account with Aworka, you agree to our Terms of Service (aworka.com/terms) and this Privacy Notice (aworka.com/privacy), which include permission for us to collect and process your personal information for the purposes of billing and support.

Information processing and sharing

During sign up you must provide the following personal information:

  1. Business Name (which could be an individual’s name, e.g. if self-employed)
  2. Address (this could identify an individual’s home address if the business is operated from home)
  3. Email Address

You may add further personal information later to your Aworka profile:

  1. Individual’s Title, First Name(s) and Last Name
  2. Phone numbers (up to 3)
  3. VAT Reg No
  4. Invoice notes
  5. Event and To Do notes

We maintain a record of your subscription invoices and payments and may keep notes relating to the management of your account. We do not store your card or bank details as payments are handled by third party processors, see 'Sub-processors'.

We do not add or collect any other personal information.

We do not share this information with third parties, unless required to do so by law.

We use our Aworka system to store and process your information. Processes include generation of invoices; payment collection; debt tracking; subscription management.

Data Retention

We process your information for the duration of the contract plus a retention period.

The retention period for expired free trials and suspended subscriptions is one month and three months respectively. The retention periods are designed to give you a reasonable grace period to subscribe or restart your subscriptions without losing data.

After the retention period, your Aworka account is deleted, including all the information you have entered. We will contact you before deleting your data to ensure you have exported a copy of your data if required.

You may request earlier deletion of your data, see ‘Right to Erasure’ below.

Following account deletion, we may still retain personal information in two ways:

  1. Your contact information as shown on our invoices to you is retained for 6 years, to comply with HMRC record keeping requirements.
  2. Your contact information will not be erased from Aworka backup archives. See 'Data Retention' below.

Your Rights

You have rights in relation to how we process your personal information, as follows:

Right to be Informed

This Privacy Notice aims to inform you how we process, retain and share your personal information. This notice is presented to you for approval just before we collect any personal information from you and is also accessible at any time at aworka.com/privacy. We will notify you before we use your personal data for any new purposes. We review this notice regularly and welcome comments and suggestions to improve content or clarity to privacy@tincloud.com

Right of Access

You have the right to obtain a copy of your personal information held by us and details of how we process your data. In most cases, you can access your own data through your Aworka account settings page and this notice describes how personal information is processed by us.

Right to Rectification

You have the right to have inaccurate personal data rectified. In most cases, you can rectify your own data through your Aworka account settings.

Right to Erasure

You have the right to have your personal data erased. This is only possible if your Aworka subscription is ending and your account is to be closed, as your personal data is required for billing active subscriptions.

Right to Restrict Processing

You have the right to restrict the processing we undertake using your personal data. Since we only use personal data for billing, processing can only be restricted if your Aworka account is closed.

Right to Data Portability

You have the right to receive the personal data we hold in a commonly used machine readable format. We will provide information in CSV format and can forward this directly to another data controller if required.

Right to object and Rights related to automated decision making including profiling

Although you have these rights, we do not use personal data for direct marketing purposes or use any automated decision making or profiling processes.

Should you exercise any rights listed above and request information or require action by us, we will respond within 28 days. Tin Cloud may need to verify your identity before a response is provided using information held, e.g. a verification email or text message.

Data Processing

The personal data of your customers is processed using our cloud based Aworka software and its sub-processors, where:

  1. We will only act on your written instructions (unless required by law to act without such instructions)
  2. We will ensure that people processing your content are subject to a duty of confidence
  3. We will take appropriate measures to ensure the security of processing
  4. We will only engage sub-processors with your prior consent in writing
  5. We will assist you in providing customer access and allowing your customers to exercise their rights under the GDPR
  6. We will assist you in meeting your GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  7. We will delete or return your content, including all personal data, as requested at contract end
  8. We will submit to audits and inspections, provide you with whatever information you need to ensure that we are both meeting our Article 28 obligations, and inform you immediately if asked to infringe the GDPR or other data protection law of the EU or a member state.
  9. You are responsible as data controller for ensuring that we protect and process your data in accordance with GDPR principles, so that you also meet your obligations under GDPR. The information in the following sections should assist.

Information held

You can view the customer personal information fields held and processed by Aworka through the Aworka web application itself. This includes: Names, Addresses, Phone numbers, Email addresses, Geographic locations of addresses (lat/long) and any other personal information you may enter into customer, job, invoice notes, job descriptions and job and customer references fields, or any other fields containing freely editable text.

Security

We employ industry standard practices to ensure the security of the data processed by Aworka. These include:

  1. Use of HTTPS secure connections to all pages of the Aworka web application.
  2. Remote login to Aworka servers via username/password is disabled, replaced with secure shell access via private key.
  3. Database backups are encrypted on the database server before upload to remote cloud storage.
  4. Encryption of user passwords.
  5. Frequent update of server operating systems, to ensure deployment of latest security patches and improvements.
  6. Frequent review of security practices and maintained action plan.

Sub-processors

Aworka is integrated with sub-processors for the following:

| Purpose | Sub-processor | Notes |
| --- | --- | --- |
| Hosting | Digital Ocean | Server droplets host Aworka application and database, which are all physically located in the UK (London region). |
| Payment Processing | PayPal | Data controller of card/bank details |
| Payment Processing | GoCardless | Data controller of card/bank details |
| Email Delivery | SparkPost | Sends emails to your customers, unless you specify your own SMTP server. Be aware it is your responsibility to ensure the GDPR compliance of your own SMTP server host |
| Cloud Storage | Amazon Web Services | Storage of backup archives. Archives are encrypted before upload. Lifecycle rule automatically deletes backup archives after one year. |
| Address Mapping | Google Maps | Geocoding of customer addresses |

Sub-processors are assessed for GDPR compliance prior to Aworka integration.

We will ask for your written consent before changing or adding to the sub-processors above.

Your Customers' Rights

Your customers have several rights relating to your processing of their personal information. In most cases, you will be able to handle these requests directly, using the features built into Aworka, e.g. the ability to view, edit, export as CSV, and print information. We will also support you as required to satisfy your customers' requests when needed, by email within 28 days.

Data Retention

You can delete customers within the Aworka app. However, this does not currently remove them from the database as the job and payment history is required to maintain the accuracy of your financial reports generated by Aworka. Instead, you have the option to 'anonymize' deleted customers. This replaces all fields that may contain a customer's personal information with garbled text. In addition, Aworka can automatically anonymize customers deleted after a time period you specify according to your own policies for customer data retention. There are separate Aworka settings for customer and invoice retention periods so that invoices may be kept longer as typically required by taxation authorities.

Even after anonymisation in the live Aworka system, you should be aware that personal data will not be erased from Aworka backup archives:

  1. Personal data residing on the production Aworka server infrastructure and therefore potentially accessible via the internet can be erased.
  2. It is currently impractical to isolate individual personal data within the archive to erase it, so personal data will remain in backup archives.
  3. Personal data will not be restored back to production systems, except in rare instances, e.g. after a natural disaster or serious security breach.
  4. Backup archives are protected with strong encryption, to minimise the risk of data breach.
  5. Backup archives are deleted after a year, balancing the benefit of backups to support disaster recovery and technical support, against the principle to minimise retention times to reduce data risk.

Breach Notification

You will be informed within 72 hours of a personal data breach of your personal data and/or your customers' personal data, meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Operational Base

Tin Cloud and the servers hosting Aworka and its database are UK based. Backup archives are also currently stored in the EU (although could be safely stored anywhere as the archive files are encrypted).

Contact and Complain

Tin Cloud, a trading name of Mr Christopher Powell, is the data controller for the personal information supplied by Aworka subscribers. Tin Cloud develops and maintains the Aworka web service, and is a data processor of your customers' personal information, if you use Aworka.

Please contact us to exercise any of your rights or express concerns regarding compliance with the terms of this notice by:

  1. Email: privacy@tincloud.com
  2. Using the Contact Us buttons in the Aworka web application
  3. In Writing to: Mr C Powell, Tin Cloud, Watergate Farm, Advent, Camelford, Cornwall, PL32 9QL, United Kingdom
  4. Or if you think we are using or processing your personal information in a way that is not consistent with this privacy notice or with the law, you can lodge a complaint with the Information Commissioner’s Office. Contact details are available at ico.org.uk/concerns