Privacy Policy
Last updated November 29, 2023Risk Ledger collects and processes personal data relating to visitors to this website, in relation to the services we provide, and as part of our general business operations. The data we process, how we process it, and who receives it, varies depending on your interactions with us (details of which are set out below).
For circumstances in which Risk Ledger is a controller of personal data, the following items apply.
Details of controller
Risk Ledger Limited is the controller, is registered as a controller with the UK’s Information Commissioner’s Office (“ICO”) under number ZA485622 and has its registered office at Adam House, 7-10 Adam Street, London WC2N 6AA. For data protection matters we can be contacted by email at data@riskledger.com.
Transfers outside of the EEA
All application and corporate data are stored within the EEA by our cloud providers: AWS (Ireland, EU region) and Google (Europe region). We use a small number of other third party services to enable us to deliver our product and services, some of which are based outside of the EEA. We choose our third party providers very carefully and where international transfers are made, we have ensured the use of appropriate safeguards including adequacy decisions made, or standard contractual clauses approved, by the European Commission. To request further information about the safeguards used for such transfers, or to request a full list of the third parties used by Risk Ledger, please email data@riskledger.com.
What we collect and use
Our processing of personal data as a controller falls into the categories below:
- Visitors to riskledger.com;
- Users of Risk Ledger’s services;
- Candidates for jobs and other engagements with Risk Ledger;
- Business contacts.
Visitors to riskledger.com
When you browse this website, we collect and use data in the following ways.
Data we process:
Data on how you use the site. What pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), the length of your visit, how often you visit, and information on how you navigate the site.
Identifying information:
Your IP address and unique identifiers tied to cookies.
What we do with that data:
Site optimisation, analysing aggregated data to update the site’s content and layout to improve visitors’ experience.
Basis for processing:
Legitimate interests (better understanding user behaviour to improve the way users can access the site).
Processing period:
Data holding periods are determined by cookie expiry times.
Data recipients:
Website analytics vendors and marketing automation providers.
Risk Ledger users
Data we process:
Name, email address, phone number, your employer and job role, your platform activity and IP address.
What we do with that data:
Name and job details we use for account creation and management within your organisation’s account on Risk Ledger. Contact details we use for account authentication (including multi-factor authentication) and customer support purposes. If you opt-in to marketing communications, we’ll use your email address to send broader updates about Risk Ledger. Platform activity data is recorded as audit trails for security monitoring, logging activity to maintain software quality, and site analytics to help us to improve our services.
Basis for processing:
Other than marketing communications, which rely on consent, we process this data on the grounds of our legitimate interest in providing a secure service with user attribution and industry-standard software logs.
Processing period:
All personal data associated with the service is deleted upon request by the user. The data may be held in backups for a period of 1 month after the deletion request.
Data recipients:
Our back-end infrastructure and hosting providers, logging providers, service desk software providers, and email marketing tools.
Job candidates
This includes all recruitment related data that candidates provide to us.
What we do with that data:
Contact you about your candidacy, assess your suitability for the role applied for, and to assess your suitability for relevant future roles.
Basis for processing:
We conduct this processing on the basis of our legitimate interest in finding and selecting the most suitable candidates to join our team.
Processing period:
We store your information for 12 months after we disqualify your candidacy for the role applied for. Successful candidates’ information becomes subject to our employee privacy policy/notice.
Data recipients:
Our applicant tracking system provider, testing providers used in the assessment process, and our business communication/storage providers.
Business contacts
This includes all data that is provided to us during the normal course of business (business cards, email addresses of leads, mobile numbers of leads, data collected from marketing platforms etc.).
What we do with that data:
Corresponding with you in relation to our services before and after a sale.
Basis for processing:
If you request that we contact you to provide more information on our services to you, we’ll process your data and contact you based on your request prior to entering into a contract.
Otherwise, we rely on legitimate interests for contracting and billing as part of our business operations, retaining copies of our business correspondence, and tracking consents and other notices given for data protection purposes. If at some point you opt into marketing emails, we’ll rely on your consent for processing related to that process.
Processing period:
We hold this data for 6 years from the date of the last correspondence.
Data recipients:
Cloud storage providers, marketing automation tools, our accounting providers, e-signature providers, and customer support/servicing tools.
Your rights
You can request that we correct, erase, or grant you access to personal data we hold relating to you. Where processing is based on your consent, you can withdraw that consent to our processing of your personal data at any time. To ask questions about your rights, or to request to exercise them, email data@riskledger.com.
If you’re concerned that Risk Ledger is handling your personal data improperly, you have the right to make a complaint to the ICO, which is our data protection supervisory authority.
Sub-processors - Risk Ledger Platform
Risk Ledger processes a minimal amount of personal data on behalf of the organisations who have created an account on the Risk Ledger platform. This could include: names and email addresses of supplier contacts or client users. The sub-processors used for this data are as follows.
Sub-processor: Amazon Web Services
Data processed: All data within the Risk Ledger platform
Purpose: Cloud hosting provider for the Risk Ledger production site
Location: Dublin, Ireland (EU)
Sub-processor: Google
Data processed: Names and email addresses of Risk Ledger users
Purpose: Google Workspace; used for internal business operations, including email
Location: Europe
Sub-processor: Intercom Inc.
Data processed: Names and email addresses of Risk Ledger users
Purpose: Customer support chat function
Location: United States
Sub-processor: Segment.io Inc.
Data processed: Names and email addresses of Risk Ledger users
Purpose: Platform & Analytics (Frontend)
Location: United States
Sub-processor: Salesforce
Data processed: Names, email addresses and contact numbers of Risk Ledger users
Purpose: Customer support
Location: Dublin, Ireland (EU)
Sub-processors - Risk Ledger website analytics
Risk Ledger processes a minimal amount of cookie data to understand how visitors use our website. What pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), the length of your visit, how often you visit, and information on how you navigate the site are data used to improve our website to better support visitors to find the information they seek.
Sub-processor: Hubspot Inc.
Data processed: Website visitors’ device/browser data (cookie metadata)
Purpose: Website use analysis
Duration: Up to 180 days
Location: United States
Sub-processor: Zoominfo Technologies LLC
Data processed: Website visitors’ device/browser data (cookie metadata)
Purpose: Website use analysis and resilience (bot detection)
Duration: 1 day
Location: United Kingdom
Sub-processor: LinkedIn
Data processed: Website visitors’ device/browser data (cookie metadata)
Purpose: Website use analysis and resilience (bot detection)
Duration: up to 1 year
Location: United States
Sub-processor: Google Doubleclick
Data processed: Website visitors’ device/browser data (cookie metadata)
Purpose: Correlation of website visitors arriving from clicked advertisements.
Duration: up to 1 year
Location: United States