Sovy Trust Solutions Limited Privacy Policy
Our Privacy Commitment
We are Sovy Trust Solutions Limited, trading as Sovy. Our mission is to simplify business compliance for all businesses, small to large, all over the world. We help our clients understand complex regulations and create, manage and operate practical compliance programmes. Sovy’s compliance as a service uses cloud-based innovative privacy-analysis tools, personal data processing records, tailored templates, plain-language guidance and good old-fashioned expert advice.
We live and do what we help our clients do: adhere to regulations, respect your privacy, uphold your privacy rights and do our level-best to protect your personal (and commercial) data from harm.
Our Privacy Policy
To make our Privacy Policy clear and simple, we provide a summary below, followed by sections with more detail. Click to expand those sections. We can answer your questions or address concerns if you contact us at [email protected], or contact us by phone or post (details provided below).
If you like our privacy policy, that’s great! We would love to help you tailor your own and provide a license to use our tools and templates, see TERMS. Sign up for our affordable compliance as a service here.
Sovy's privacy policy summary and detail describe the:
- types of information we collect and how we use personal data;
- steps we take to ensure your personal data are handled appropriately;
- safeguards and measures we use to protect your personal data; and
- rights you have to your personal data and how you can manage your personal data that we handle.
In summary:
- We use Cookies. This helps us run our website and apps, evaluate site technical performance and working conditions, manage communications with you and provide our services if you work with us. More about Cookies here to the summarized cookies section and Sovy's Cookie Consent Manager here.
- We handle personal data. If we do handle your personal data (such as name, email address, IP address, locational data, payment details, site or application usage data, data in your CV, Sovy Compliance Hub or Academy profile), we ensure such processing is in accordance with the General Data Protection Regulation (GDPR), Ireland's Data Protection Acts 1998-2018, UK Data Protection Act 2018, ePrivacy, and other applicable regulations. We use different methods of obtaining personal data from and about you, including:
- Direct interactions, where you provide the information to us, such as by filling in forms on our site or in the Sovy Compliance Hub, or through email contact;
- Usage and marketing interactions, when you use our site or apps, and we may use technical measures such as cookies stored on your computer (consistent with our policy and notices below or your consent); or
- Publicly available sources, where we collect and process personal data, taking into consideration lawful means to process.
Processing means doing anything with or to your personal data. This can refer to collecting, manipulating, storing, disclosing, or erasing data, among other actions. We may make use of general, anonymised, information about how you use our website or interact with our services and use it to help us improve our services. For example, IP addresses are anonymised when storing website or app usage data, so your usage data is not easily identifiable.
In another example, if you subscribe to our mailing list or contact us directly, your contact information will be stored and only used to communicate with you for those specific purposes.
Also, some of our services are automated processes, in that humans are not involved. The decisions made at the end are simply to provide recommendations for you and have no legal or similarly significant effect. We also make sure that no automated decision is based on sensitive categories of data.
More about personal data handling here.
- We collaborate with other companies. We may transfer personal data to other companies (third parties) such as data hosting providers, cloud service applications and payment processors. If we do share your personal data with third parties, we ensure that sharing is lawful (with your consent, by contract, or based on legitimate interests). Third parties are prohibited from using your personal data for their own purposes outside of our agreement with them. We review and maintain a record of our suppliers’ and partners’ compliance with the GDPR and other regulations. We use data processing agreements in our contracts. We maintain a supplier risk and compliance programme, including procedures to engage our suppliers and partners in critical times, such as when investigating data security issues. We may transfer personal data internationally to countries inside and outside of the European Economic Area (EEA). Countries outside the EEA may be recognised by the European Commission as providing adequate data protection. We use commercially recognised safeguards when we transfer. We take additional steps if we transfer to countries that are not recognised as adequate. More about collaboration with third parties and international transfers here.
- You have rights. You can make requests regarding your personal data, such as asking us what personal data we have about you. You can allow or remove consent for use, request restriction on certain types of processing, request erasure or to fix errors. You can ask to receive your information in a digital format. Also, you can lodge a complaint with a supervisory authority, if you feel we have not handled your personal data properly or responded to your request properly. Our supervisory authority is Ireland’s Data Protection Commission, www.dataprotection.ie. Before submitting your complaint to a supervisory authority, we ask that you first try to settle the matter with us. Our Data Protection Officer is John Popolizio and can be contacted at [email protected], or at Sovy Trust Solutions Limited, St Gall’s House, St Gall Gardens South, Milltown, Dublin 14, D14 Y882, Ireland. Our customer service number is +353-1-669-4774. More about your rights here.
You can read the complete policy below.
- In this privacy policy, "Sovy”, "we”, "us” and "our” refer to Sovy Trust Solutions Limited, trading as Sovy, a company registered in Ireland, No. 610835, with a registered office at St Gall’s House, St Gall Gardens South, Milltown, Dublin 14, D14 Y882, Ireland. Sovy is registered in the United Kingdom, No. BR020695, with a registered office at Kemp House, 152-160 City Road, London, EC1V 2NX, United Kingdom.
- We are committed to safeguarding the privacy and personal data of our website visitors, clients, partners, associates and others. Our privacy programme is governed, in part, by the EU General Data Protection Regulation (GDPR), the Data Protection Act of 2018 and other regulations. We recognise other jurisdictions’ decisions and interpretations of the GDPR, and our programme reflects those requirements when we operate in those areas, including serving clients there. This privacy policy outlines how we collect, manage, use and protect your personal information.
- "Personal data” that we process means any information that relates to a living, identifiable person, including but limited to names, physical and email addresses, internet identifiers, phone numbers, and other information relating to that person, and either individually or combined that can be used to identify that person.
- "Process” or "Processing” as noted in this policy mean the activities we perform on personal data, such as collection, transmitting, computing, storage and disposal.
- This policy applies when we are a data controller, as a joint controller, or a processor as defined in the GDPR. As a data controller, we determine the means and purpose of personal data processing; as a joint controller we share the determination of the means and purpose of personal data processing with another data controller. As a processor, we process personal data on behalf of a controller (most often, our client). We will amend this policy to cover other multi-controller situations as they arise in our business.
- Our personal data processing is consistent with privacy regulation principles:
- We process personal data lawfully, in a way that you would reasonably expect, and we are open and clear about our personal data processing practices;
- We will only collect and process personal data that we need to and when it is necessary for processing that is required by our websites, apps and services;
- We will only collect and process personal data that is optional, such as marketing, after we receive your informed, freely given consent enabled by privacy controls on our websites, apps and services; you can opt out at any time after providing consent;
- When we do process personal data, we will be clear about why and how we are doing so, and for how long we will retain the personal data;
- We will take steps to ensure the personal data is accurate and provide means to correct inaccuracies; and
- We implement appropriate, common, technical and organisational controls to safeguard personal data for integrity and confidentiality.
- Here we describe:
- the general categories of personal data that we may process;
- the source and specific categories of that data, in case we did not obtain it directly from you;
- the purposes for which we may process personal data; and
- the legal reasons (known as lawful bases) for processing personal data.
- We collect, store, process and transfer different personal data types. We group personal data, collection source, purpose and lawful bases into the following categories:
- Direct Interactions: We process personal data you provide directly to us through our website, apps and services. This could happen when you:
- correspond with us or make an enquiry such as a request for information about our services, knowledge portal guidance, professional opportunities, sponsored programmes or contribution to a regulatory agency's call for comments;
- sign up for our free or paid services, under a contract;
- verify your identity when accessing our services;
- support our public outreach and education by contributing to our blogs or social media postings;
- apply for a job or to volunteer as an intern;
- visit any of our premises which may employ CCTV surveillance (images on film) for security and safety purposes;
- opt into communications and/or marketing services by providing consent (which can be withdrawn);
- participate in any of our events, webinars or other projects, including opting in, by providing consent (which can be withdrawn), to be filmed, photographed, or recorded during an event or project; or
- contact us or become involved with us in any other way not listed above.
We process this information to provide the service or information you have requested. Our lawful basis for processing is legitimate interests (unless it is consent or contract as noted above).
- Usage Data: We may process data about your use of our website, apps and services. The usage data may include:
- IP address;
- geographical location;
- browser type and version;
- operating system;
- referral source;
- length of visit;
- page views;
- website navigation paths; or
- information about the timing, frequency and pattern of your service use.
The source of the anonymised usage data is our website, apps, Compliance Hub or Academy. We process this information for service performance monitoring and security purposes, and to improve our website and services. Our lawful basis for processing is legitimate interests.
- Account and Profile Data: Account and Profile Data: When you provide personal data, such as details to purchase a service, sign up for a free service such as a Privacy Scan or Free Privacy Essentials, set up a profile in the Compliance Hub or Academy, add compliance programme details or complete compliance courses, or register interest in our services, open jobs or investment in our company, we may process personal data:
- name;
- address;
- telephone number;
- email address;
- payment details;
- social media account ID;
- electronic communications ID;
- employment or candidate information; or
- prospective investor self-certification information.
We use account and profile data to:
- operate our website, apps and services;
- provide our services, products or information you have requested;
- ensure the security of our website, apps and services;
- tailor your compliance programme, policies, procedures and privacy management tools;
- attest to your compliance progress as a participant in your company's programme;
- issue tailored compliance training certificates, badges or other recognition;
- provide tailored recommendations to improve your compliance programme;
- maintain back-ups or restore instances of your data;
- process your job enquiry requests;
- respond to your enquiries and complaints; or
- generally, communicate with you about your account and profile.
Depending upon the nature of the processing, the lawful basis for this processing is either our legitimate interests or contract performance.
- Special Category Data: We may request or receive, with your explicit consent or by contract or legal requirement, then process personal data designated as special category data under the GDPR, relating to your:
- biometrics
- union affiliation; or
- health information.
Special category biometrics data may be processed for identification (such as use of fingerprint for systems access), if you supply it directly to us as an optional means to govern access to our apps and services.
Special category union information may be processed as part of your training record, if you supply it directly to us, or it is supplied to us as part of your organisation's compliance profile in our systems.
Special category health data may be processed, for example, the purpose of satisfying an insurance contract obligation, or processing a health-related leave request (as required by applicable law).
Before collecting and processing any special category data about you, we will make it clear what information we are collecting, why we need it, whether it requires explicit consent or is part of by contract or legal requirement. We take additional measures to safeguard special category data, such as encryption and technical access controls. The lawful basis for this processing is either consent or contract performance.
- Children's Data: We do not actively collect or process information from or about children (under 16s). If a special situation arises where we need to handle children's data, we will always ask for consent from a parent or guardian prior to collection about children under the age of majority or age described in regulations in a jurisdiction where data is being sought. Our services and products are not knowingly directed at, nor do we knowingly collect any information from persons under the age of thirteen (13). If you are under 13 years old, please do not use this website or its applications. If you learn that your child has provided us with personal data without your consent, please contact us at [email protected].
- Direct Interactions: We process personal data you provide directly to us through our website, apps and services. This could happen when you:
- Additionally, we may process your personal data identified in this policy where necessary for:
- the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The lawful basis for this processing is legitimate interests (protection and assertion of our legal rights, your legal rights or the legal rights of others); or
- the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The lawful basis for this processing is legitimate interests (proper protection of our business against risks);
- compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
- We will not sell your personal data to any third parties, but we may sometimes share details with, trusted, contracted service providers who are authorised to process on our behalf, or whom we work with in partnership to deliver our services.
- We may also use companies to deliver services and process your data on our behalf, including the delivery of postal mail, sending emails and text messages, processing payment or bank details and analysing stakeholder trends anonymously to assist us in offering better services.
- We may disclose your personal data to contracted third-party data processors, acting on our instruction under contract and under the same purposes, and on the lawful bases, set out in this privacy policy.
- Financial transactions relating to our services are handled by our payment services providers. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, if any, and dealing with complaints and queries relating to such transactions and protecting us from fraudulent transactions.
- We do not participate in programmes offered by, nor disclose personal data to, third-party suppliers of goods and services for the purpose of enabling them to contact you so that they can offer, market and sell to you relevant goods and/or services. If we enter into such programmes, we will update this policy and not include you unless you provide consent to opt into marketing and communications from those third parties. Each such third party would act as a data controller in relation to the personal data that we supply to it (and we may be joint controllers in some situations); and upon contacting you, each such third party would supply to you a copy of its own privacy policy, which will govern that third party’s use of your personal data.
- We may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person (for example to government bodies for tax purposes or law enforcement agencies for the prevention and detection of crime, subject to such bodies providing us with a relevant and lawful request in writing). We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- Sovy is an Irish company, operating and processing data in Ireland and other countries, with third-party processors noted below. We receive personal data from website visitors, app and services users from clients around the world. Also, Sovy is registered as doing business in the United Kingdom but does not have a separate legal entity there.
- Sovy works with, trusted, contracted third-party suppliers, contractors and partners who are authorised to process personal data:
Company Processing Location Amazon Web Services Ireland (EU-West 1; clients may request custom Compliance Hub and Academy processing locations) Microsoft United States Elucidat United Kingdom HubSpot United States (AWS-East); Germany (Google Cloud Platform) Google Ireland YouTube United States Facebook United States Sage Ireland Stripe United States Slack Ireland, United States Zendesk Across EU, AP and United States centres - We perform international data transfers in compliance with the GDPR’s rules for those transfers, including technical and organisational safeguards for the protection of personal data.
- For the Canada, Japan, Switzerland and USA, we rely on the European Commission’s recognition that those countries outside the EU offer an adequate level of data protection (an adequacy decision). We are monitoring the data protection matters related to Brexit and will be updating our policies and procedures during the transition period.
- For the other countries not covered by the European Commission’s adequacy decision, we employ additional safeguards to protect international data transfers, including the use of standard contractual clauses, for data transfers to data controllers or processors, adopted or approved by the European Commission.
- You may request more information about the safeguards that we have in place for the transfer of personal data by contacting us at [email protected].
- We keep personal data that we process for any purpose or purposes for the least amount of time that is necessary. Client data are retained for the duration of the contract service; financial data associated with a client contract is retained for up to seven years to satisfy financial reporting obligations. Personal data for marketing purposes are retained for one year, unless consent is granted to maintain for additional periods, in one-year increments. Cookie data are retained for the duration noted below in the cookies section. Employee and contractor personal data are retained for as long as a person is employed or contracted with us, and then retained for a period thereafter consistent with local employment regulations. Professional candidate personal data are retained for no longer than one year after the close of the job opening or candidate search.
- In some cases, it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the maximum period of retention based on our legitimate needs to retain data.
- Additionally, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
- Where possible, we may keep your records up to date using publicly available, professionally accessible or by-invitation sources. For example, we use LinkedIn, Facebook and other social networks’ tools as well as personal-invite features. Also, we process changes to your details when you provide them to us. We do not mass-harvest information (also known as scraping) from those sources. You may object to us keeping records up to date using these methods.
- We delete your personal data at the end of the retention period, or earlier if we can. For example, if you request data be deleted and removal from marketing, we will do so before our stated retention period; but if you request service profile data to be removed before the end of our legal obligation to you, other parties or agencies, we may not be able to do so. We will notify you of these conditions.
- Your principal rights under the GDPR are the:
- right to access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to object to processing;
- right to data portability; and
- right to complain to a supervisory authority.
- You have the right to confirmation as to whether we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
- You have the right to have any inaccurate personal data about you rectified and, considering the purposes of the processing, to have any incomplete personal data about you completed.
- In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
- In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
- You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the lawful basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
- You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
- You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest. Currently, we do not process personal data for scientific or historical research purposes.
- To the extent that the lawful basis for our processing of your personal data is:
- consent; or
- that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; and
- such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
- If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
- To the extent that the lawful basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
- We may withhold personal information that you request to the extent permitted by law.
- We may withhold personal information that you request if the requests are deemed vexatious, manifestly unfounded, excessive or repetitive.
- You may instruct us at any time not to process your personal information for marketing purposes.
- You may exercise any of your rights in relation to your personal data by written notice to us by contacting us at [email protected].
- What is a cookie: Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device, preferences and generally help to improve your online experience. Cookies may either be “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. Please be aware that some areas of our website may not function if you do not accept the use of some cookies or if your web browser does not accept certain cookies. You can find more information about cookies at: www.allaboutcookies.org and www.youronlinechoices.eu.
- We use cookies for the following purposes and periods of time:
Strictly Necessary: These are always presentCookie Name Lifespan Owner and Purpose consent_obj 30 Days www.sovy.comUsed to remember user consent to cookie types.PHPSESSID 1 Day www.sovy.comMaintains user session on websitePerformance: These are not set until you provide consent
Cookie Name Lifespan Owner and Purpose _ga 1 Year www.sovy.comTracks user behaviour on website_gat_gtag_[ID] 3 Months www.sovy.comTracks user visits on website_gid 1 Year www.sovy.comIdentifies website users by assigning a random number_ga 1 Year newrelic.comTracks user behaviour on website_gid 1 Year newrelic.comTracks user behaviour on website_mkto_trk 1 Year newrelic.comTracks user behaviour on websiteei_client_id 1 Year newrelic.comTracks user behaviour on websiteFunctional: These are not set until you provide consent
Cookie Name Lifespan Owner and Purpose currencycode 2 Months www.sovy.comRemembers currency settings for an online purchaseMarketing: These are not set until you provide consent
Cookie Name Lifespan Owner and Purpose hubspotutk 8 Months www.sovy.comUsed to keep track of a visitors identity__hssrc 3 Months www.sovy.comTracks user behaviour on website__hstc 3 Months www.sovy.comTracks user behaviour on website__hssc 3 Months www.sovy.comTracks user behaviour on websiteJSESSIONID 3 Months .nr-data.netTracks user behaviour on websitetest_cookie 2 Months .doubleclick.netIdentifies website visitors browser cookiesNID 2 Months .google.comCreated by Google to help customize ads on Google properties by remembering your most recent searches your previous interactions etc.__cfduid 2 Months .hscollectedforms.netCreated by the CloudFlare to speed up page load times__cfduid 2 Months .usemessages.comCreated by the CloudFlare to speed up page load times - Managing your cookies: By using our website, you agree that we can place the strictly necessary cookies on your device. If you want to restrict or block any of the third-party cookies that we do not control, you should do this through the web browser settings for each browser you use, and on each device you use to access the internet. You can manage your cookie consent settings here. For cookies we can’t control, here are links to managing cookie settings for common browsers:
- Chrome: https://support.google.com/chrome/answer/95647?hl=en
- Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
- Opera: http://www.opera.com/help/tutorials/security/cookies/
- Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
- Safari: https://support.apple.com/kb/PH21411
- Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
- If you block all or some cookies, you will not be able to use all the features on our website, some functions may not operate as intended, and you may not be able to access subscription services.
- We may update this policy from time to time by publishing a new version on our website.
- We may notify you of changes to this policy by email or through a private messaging system on our website, apps or services.
Last revised: 2 April 2020