AUTHENTIX, LIMITED
PRIVACY POLICY
1. SCOPE OF THIS PRIVACY POLICY
This privacy policy (this “Policy”) describes the privacy practices of Authentix Limited (“Authentix“) and how it will collect, use, store and share (“process“) your personal data when you use our brand protection cloud services and products, including the associated platform and mobile application (“Brand Protection Cloud”).
This policy applies to individuals who use Brand Protection Cloud in the United Kingdom and the European Economic Area.
We are committed to protecting your privacy. It is important that you understand how we look after your personal data and how we make sure that we meet our legal obligations to you under the applicable data protection legislation (“Data Protection Law”), including, but not limited to, the General Data Protection Regulation 2016/679 (“GDPR”).
2. WHO THIS POLICY IS ADDRESSED TO
This policy describes how we use personal data of representatives of our clients or prospective clients (collectively “Clients”) and individuals who are authorised to use our services by our Clients. Our Clients are large corporations or international companies seeking the ability to utilize the Brand Protection Cloud to (a) track and trace the provenance of product origins; (b) trace the movement of a product within the supply chain; and/or (c) directly engage the end user or consumer of a product to verify authenticity or otherwise engage those consumers for communication and potential marketing purposes. The data subjects to whom this policy is addressed can be grouped as follows:
- Representatives of our Clients who engage with us to procure the Brand Protection Cloud and administer the business relationship with us e.g. sign contracts, make payme nts (“Client Representative(s)“);
- Individuals who are no minated by our Clients to act as administrators or in another user role of the Brand Protection Cloud procured by the Client (“Dashboard User(s)“);
- Individuals who are engaged by our Clients to investigate counterfeit activity and who use the Brand Protection Cloud in the course of their investigations (“Investigator(s)“); and
- Where a Client permits consumers to use either a credentialed mobile application or a natively capable smartphone query to receive authentication information or other messaging or marketing information via the Brand Protection Cloud (“Consumer(s)“).
This policy applies to information relating to individuals (i.e. natural persons) but not to information relating to corporations. It applies to representatives of corporations if those representatives are individual persons. This is because Data Protection Law only applies to information relating to natural persons. Information relating to corporate bodies may still be protected by other laws such as confidentiality and we take those obligations seriously as well.
If you have any questions in relation to this policy or generally how your personal data is processed by us please contact our Chief Sales & Marketing Officer by letter addressed to: 4355 Excel Parkway, Suite 100, Addison, Texas U.S.A. 75001 or by email at: kent.mansfield@authentix.com.
3. WHO WE ARE
In this policy, the terms “we”, “our”, and “us” are used to refer to Authentix Limited, its subsidiaries and affiliates. Authentix is a limited liability company incorporated in England and Wales with registration number 00637839 and its registered office at 7 Chessingham Park, Common Road, Dunnington, York, North Yorkshire, YO19 5SE.
Mostly, we operate as a processor of the data that you share with us when using the Brand Protection Cloud and our Client (i.e. the business which authorised your use of the Brand Protection Cloud) is the controller. This is because we process the data on their behalf and as instructed by them. Our Client’s privacy policy governs such processing therefore please review their privacy policy to understand how your information is processed and refer any questions that you may have directly to them.
However, we act as a controller when we:
- Process the personal data of Client Representatives to promote and sell our Brand Protection Cloud service and to administer our relationship with our Clients; and/or
- Process personal data of Dashboard Users, Investigators and/or Consumers for our own purposes, for example, to improve the Brand Protection Cloud and to generate Client reports on product and event activity data related to counterfeiting.
This Policy applies when we act as a controller. We will use your personal data fairly, lawfully and in a transparent manner, and in accordance with the applicable Data Protection Law.
More information on where we act as a controller and processor and, where we act as a controller, our purposes and legal basis of processing can be found in section 4.
4. THE INFORMATION WE COLLECT AND HOW WE USE IT
Under Data Protection Law, when we act as a controller, we are required to explain why we use your personal data. We are also required to have a “lawful basis” on which to process your personal data. This is summarised in the table below.
User type | Purpose | What data is collected? | Legal basis |
Client Representatives | To enter into and administer our contracts with Clients, including setting up Client accounts, administering our services, and collecting payments due to us. |
– Name – Address (incl. postcode) – Phone number – Email address – Account number – Identity document (e.g. driver’s licence or passport) – Your authorisation by the Client – Your role within the Client’s business |
We process this information as it is necessary for our legitimate interest to provide our services to our Clients. |
To promote our products and services, including by sending you newsletters and marketing emails. |
– Name – Address (incl. postcode) – Phone number – Email address – Your role within the Client’s business |
The processing is necessary for our legitimate interest to promote our business and our products and services. We will only send you marketing by email to a personally owned email address if you have given us your prior consent, which you are free to refuse. You have a right to stop us from sending you direct marketing at any time. You may do so by clicking the “unsubscribe” link in our marketing emails, or by contacting us using the details set out in this policy. |
|
To reply to and deal with complaints and queries relating to Brand Protection Cloud. |
– Name – Title – Address (incl. postcode) – Phone number – Email address – Account number |
The processing is necessary for our legitimate interest to provide users of Brand Protection Cloud with a good service. | |
To enforce and protect our rights and interests, including by obtaining legal advice and progressing claims. |
– Name – Address – Contact details – Account number – Information relating to your use of Brand Protection Cloud – Information about infringements of our legal rights including as set out in our terms and conditions – Information contained in correspondence relating to complaints and claims |
The processing is necessary for our legitimate interest to protect our business. | |
To prevent and detect unlawful activities such as fraud and money laundering. |
– Name – Account number – Company involvements – e.g. director, beneficial owner – Information relating to your use of our services – Reports provided by fraud prevention agencies |
The processing is necessary for our legitimate interests to protect our business and co-operate with law enforcement authorities. | |
Dashboard Users | As a processor, to provide Brand Protection Cloud to our Client. |
– User Name (first,last) – E-mail address |
We process data for this purpose on behalf of and in accordance with our Client’s instructions. We are therefore processors in relation to this processing and our Client is the controller. Please refer to our Client’s privacy policy. |
Investigators | As a processor, to provide Brand Protection Cloud to our Client. | – UID of the item (The item’s serial number encoded in the digital code) – App instance ID – Device ID and operating system version – Device location – IP Address – Software version and operating system of querying device – User Name (first,last) – User e-mail address |
We process data for this purpose on behalf of and in accordance with our Client’s instructions. We are therefore processors in relation to this processing and our Client is the controller. Please refer to our Client’s privacy policy. |
Consumers | As a processor, to provide Brand Protection Cloud to our Client. | – UID of the item (The item’s serial number encoded in the QR code) – PIN number – Device ID and operating system version – Device location – IP address – User agent |
We process data for this purpose on behalf of and in accordance with our Client’s instructions. We are therefore processors in relation to this processing and our Client is the controller. Please refer to our Client’s privacy policy. |
Dashboard Users, Investigators | To maintain the security of Brand Protection Cloud.
To carry out resource planning. To monitor the service levels of Brand Protection Cloud. |
Login history, which is comprised of:
– User ID |
The processing is necessary for our legitimate interest to keep Brand Protection Cloud secure.
The processing is necessary for our legitimate interest to conduct our business in an efficient manner. The processing is necessary for our legitimate interest to assure the quality of Brand Protection Cloud. |
Investigators, Consumers | To analyse counterfeit activity and trends in order to generate insights for Clients. | – UID of the item (The item’s serial number encoded in the QR code) – PIN number – Device ID, model and operating system version – Software version – Device location – IP address – User agent |
The processing is necessary for our legitimate interest to provide insights relating to counterfeiting to our Clients. |
Client Representatives, Dashboard Users, Investigators and Consumers | To analyse use of Brand Protection Cloud in order to improve our products and services. | – An identifier that corresponds to your device – Information about the device you use e.g. operating system, model, language settings – Duration, frequency and time of use – Click through information – the way you browse through and use Brand Protection Cloud – Region |
The processing is necessary for our legitimate interest to improve our products and services. |
To comply with our legal and regulatory obligations. |
All the data we hold may need to be processed to comply with legal and regulatory obligations.
These include complying with fiscal obligations and obligations to comply with court orders. |
The processing is necessary for us to comply with our legal obligations. | |
Potentially selling or obtaining financing for our business. |
The data described in this policy may need to be disclosed to potential buyers and/or funders of our business or assets, to enable them to assess and evaluate our business and assets.
All the data we hold would need to be transferred to an acquirer of our business or assets. |
The processing is necessary for our legitimate interest to conduct our business in a profitable manner. |
Where we process personal data on the legal basis of ‘legitimate interests’ (as indicated in the above table), we have determined, acting reasonably and considering the circumstances, that we are able to do so after carrying out a balancing exercise to make sure that our legitimate interests are not overridden by your interests, rights and freedoms. Where we rely on this legal basis, (a) we process the data only to the extent that is necessary for the relevant purpose; and (b) the relevant processing activities can be reasonably expected. The legitimate interests we pursue are specified in the above table with respect to each relevant purpose.
Where we process personal data on the legal basis of ‘consent’ (as indicated in the above table), you may refuse to consent to our processing and you may also withdraw your consent at any time, through the [Brand Protection Cloud settings]. This would not affect your ability to use any features of Brand Protection Cloud. Withdrawing consent does not affect any processing carried out with your consent.
5. DISCLOSURE OF YOUR PERSONAL DATA
We may disclose the personal data that we process to:
- other companies within our group, but only for the purposes specified in this policy;
- the Client who you represent or who authorised your use of Brand Protection Cloud;
- potential and actual buyers and/or funders of our business or assets;
- our service hosting, administration and development service providers;
- our provider of consumer engagement and content delivery services, BlueBite;
- our business IT service providers including providers of enterprise software;
- our advisors and consultants including lawyers, accountants and financial advisors in order for them to advise us in relation to our business;
- marketing services providers who send marketing on our behalf;
- fraud prevention agencies for the purposes of enforcing our rights and for detecting and preventing unlawful activities;
- law enforcement and regulatory agencies, including HMRC, in connection with any investigation to help prevent unlawful activity or as otherwise required by applicable law;
- courts and tribunals where required for progressing claims;
- administrators or liquidators in the event that our business goes into administration, liquidation or a similar procedure.
Where we process personal data as a processor, we may also disclose the relevant personal data as instructed by and on behalf of the relevant Client (as the controller).
6. TRANSFERS OUTSIDE OF THE EUROPEAN ECONOMIC AREA
The personal data we hold may be transferred to and processed in the United States.
Data transfers to the U.S. are undertaken on the basis of standard contractual clauses issued by the EU Commission (where the data is transferred from the European Union) and/or the UK Secretary of State (where the data is transferred from the UK), which provide appropriate safeguards for the data which is transferred.
7. RETENTION OF YOUR PERSONAL DATA
We will only process your personal data for as long as necessary to achieve the purposes for which we process it. Once it is no longer needed for these purposes, we will delete or anonymise it so that it can no longer be linked to you.
Since each item of data may be used for a number of different purposes, the determination of the relevant retention period depends on the nature of the data, why we process it and the legal and operational needs for keeping it.
We generally retain personal data for as long as the Client has an account open with us. Where data may be relevant to a claim, we will hold it until the relevant limitation period expires (under the applicable statute of limitations) or, if there is ongoing litigation, until that litigation is resolved.
Where we process personal data as a processor, the retention periods specified in our Client’s privacy policy will apply.
For more detailed information, please contact us using the contact details set out in Section 2.
YOUR RIGHTS
You have a number of rights under the Data Protection Laws in relation to the way we process your personal data, which are set out below. You may contact us using the details at the beginning of this Policy to exercise any of these rights.
In some instances, we may be unable to carry out your request, in which case we will write to you to explain why.
1. You have the right to request access to your personal data | You have the right to request confirmation that your personal data is being processed, access to your personal data (through us providing a copy) and other information about how we process your personal data. |
2. You have the right to ask us to rectify your personal data | You have the right to request that we rectify your personal data if it is not accurate or not complete. |
3. You have the right to ask us to erase your personal data | You have the right to ask us to erase or delete your personal data where there is no reason for us to continue to process your personal data. This right would apply if we no longer need to use your personal data to provide the debt manage ment services to you, where you withdraw your consent for us to process your personal data, or where you object to the way we process your personal data (see right 6 below). |
4. You have the right to ask us to restrict or block the processing of your personal data | You have the right to ask us to restrict or block the processing of your personal data that we hold about you. This right applies where you believe the personal data is not accurate, you would rather we block the processing of your personal data rather than erase your personal data, where we don need to use your personal data for the purpose we collected it for but you may require it to establish, exercise or defend legal claims. |
5. You have the right to port your personal data | You have the right to obtain and reuse your personal data from us to reuse for your own purposes across different services. This allows you to move personal data easily to another organisation, or to request us to do this for you. |
6. You have the right to object to our processing of your personal data | You have the right to object to our processing of your personal data on the basis of our legitimate business interests, unless we are able to demonstrate that, on balance, our legitimate interests override your rights or we need to continue processing your personal data for the establishment, exercise or defence of legal claims. |
7. You have the right not to be subject to automated decisions | You have the right to object to any automated decision making, including profiling, where the decision has a legal or significant impact on you. |
8. You have the right to withdraw your consent | You have the right to withdraw your consent where we are relying on it to use your personal data. |
If you have any concerns regarding our processing of your personal data, or are not satisfied with our handing of any request may by you, or would otherwise like to make a complaint, please contact our Chief Sales & Marketing Officer in the first instance using the details at the start of this policy (see section 2), so that they can do their very best to sort out the problem.
You can also contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF www.ico.org.uk.
9. COOKIES AND SIMILAR TECHNOLOGIES
Brand Protection Cloud uses cookies and similar tracking technologies to achieve the purposes set out in 4.
Such technologies can be, and are, used without your consent where they are strictly necessary to provide Brand Protection Cloud.
In other cases, we only use such technologies where their use has been consented to by our Client and/or by the user of Brand Protection Cloud, as required by Data Protection Law.
The tracking technologies we use | What they do | Purpose |
Cookie | This is a cookie which logs user ID, time of access, type of access (app of web portal), and user agent. This enables us to monitor access to the Brand Protection Cloud. | To maintain the security of Brand Protection Cloud. |
10. CHANGES TO THIS PRIVACY POLICY
11. We will take reasonable measures to communicate any changes to this privacy policy to you, and will post any updated privacy policies on this page.
12. This policy was last reviewed and updated in May 2021.