Privacy Notice
Please read this privacy notice (together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you) carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or the UK data protection authority (the ICO) in the event you have a complaint. This privacy notice supplements any other privacy notices that we have and is not intended to override them.
This privacy notice is in a layered format so you can click through to the specific areas set out below which you would like to know more about. The current version of our privacy notice will always be available on our website and we advise you to regularly check for updates.
- Personal data we collect and use
- If you do not provide personal data
- How your personal data is collected
- How and why we use your personal data
- Special category and criminal offence data
- Who we share your personal data with
- How long your personal data will be kept
- Transferring your personal data outside of the UK
- Keeping your personal data secure
- Changes to this privacy notice
Key Terms
The following are some key terms used in this privacy notice and an explanation of what those key terms mean:
| Criminal offence data | Data relating to criminal convictions and offences, allegations and proceedings |
| DPO | Our Data Protection Officer who is Huw Thomas (see 'Contact us' for contact details) |
| Mailock | Our Mailock service |
| Our website | www.beyondencryption.com and any other websites which we operate |
| Personal data | Any information relating to an identified or identifiable individual |
| Reseller | Where we refer to a reseller in this privacy notice we are referring to a third party who resells or otherwise distributes our products and/or services. In practice these third parties may not call themselves resellers and so reference to a reseller could include, for example, network or channel partners or partner resellers |
| Special category personal data | Data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data (when processed to uniquely identify an individual) and data concerning health, sex life or sexual orientation |
| We, us, our | Beyond Encryption Ltd, a company registered in England and Wales under company number 08814096 |
| User | An individual who uses our website, products and/or services which shall include a person who receives and accesses (or tries to access) an encrypted Mailock email |
Who we are
In certain circumstances we are a ‘controller’ for the purposes of your personal data. We are a controller of your personal data when we determine the purposes and means of the processing of your personal data and in these circumstances this privacy notice applies to our processing of your personal data. You will find our contact details at the end of this privacy notice (see 'Contact us'). In other circumstances we may act as a processor of your personal data on behalf of a controller.
Personal data we collect and use
We may collect, use, store and transfer different kinds of personal data about you (whether because we ask for it, are provided with it by a third party or because you choose to give it to us) which we have grouped together below.
We may also collect, use, store and transfer personal data about you as a result of you using our website, products or services. Different personal data may be collected, used, stored and transferred depending upon the type of Mailock user you are.
Our website, products and services are not intended for children and therefore we do not knowingly collect or process personal data relating to children.
| Identity personal data |
|
| Contact personal data |
|
| Contract personal data | Information relating to your contract(s) with us including transaction information |
| Financial personal data | Billing, bank account and payment information |
| Technical personal data | Information from when you visit our website or use our website, products or services, including your login data, URL, IP address, browser type and version, requesting domain and country of origin of requesting domain, time zone setting and location, browser plug-in types and versions, operating system and platform, device data, and other technology on the devices you use to access our website, products or services |
| Usage data |
|
| Other personal data | Information we ask for or that you or a third party volunteer to us when you or they correspond with us by any method (including via social media) |
We collect and use this personal data for the purposes described in 'How and why we use your personal data'.
We may also collect, use and share aggregated data, such as statistical or demographic data, for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate the data about how you use our website, products or services to calculate the percentage of users accessing a specific feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
If you do not provide personal data
For customers or suppliers who are individuals (this includes sole traders and traditional/unlimited partnerships), where we need to collect personal data to enter into a contract with you or to allow you (or if you are a customer, your users) to use our website, products and services, if you (or if you are a customer, any of your users) fail to provide that data when requested (for example name and contact details), we may not be able to enter the contract with you or allow you (or if you are a customer, any of your users) to use our website, products and services or the functionality of our website, products and services may be limited. For customers who have entered into a contract, if you (or your users) do not thereafter provide personal data we ask for, this may delay or prevent us from providing our website, products and/or services to you (and/or your users) or the functionality of our website, products and services may be limited.
For users, where we need to collect personal data to allow you to use or to continue to use our website, products and services, if you fail to provide that data when requested, we may not be able to allow you to use or continue to use our website, products and services or the functionality of our website, products and services may be limited.
How your personal data is collected
We collect personal data directly from you and we may also collect information:
| From publicly accessible sources | e.g. Companies House |
| Directly from a third party service provider | e.g. payment providers, marketing service providers, delivery providers, analytics providers, search information providers and data brokers / aggregators |
| From our customers, resellers, introducers, service providers, group companies, business partners or suppliers | e.g. if you are an employee of such an entity or a user of products / services we have supplied to them or if one of our customers / users sends an email to you using our products / services |
| From cookies and similar technologies used on our website, products and services | For more information about the cookies we use and how to change your cookie preferences, please see our Cookie Policy |
| Via our IT systems, website, products and services | e.g. through monitoring the use of our website, products and services and other technical systems, such as computer networks and connections, communication systems, email and instant messaging |
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason (i.e. a lawful basis) for doing so. We rely on various lawful bases, including:
- For the performance of our contract with you or to take steps at your request before entering into a contract.
- To comply with our legal obligations.
- For our legitimate interests or those of a third party.
- Where you have given consent.
The table below explains what we use your personal data for, how we use your personal data, our lawful basis for doing so and the categories of personal data we use.
| Our purpose for using your personal data | What we do with your personal data | Lawful basis relied on under the UK GDPR | What personal data we use |
|---|---|---|---|
| For individual customers (including prospective customers) – to correspond with you about the products and/or services we offer, provide a quotation, to respond to your queries and provide our products and/or services to you (including setting up an account for you) | We will collect personal data and use it to provide a quotation, to respond to your enquiries about a potential contract and fulfil the terms of the contract with you. | Necessary for the performance of our contract with you or to take steps at your request before entering into a contract with you: Article 6(1)(b) UK GDPR | Identity personal data; Contact personal data; Contract personal data; Financial personal data; Technical personal data; Usage data; Other personal data |
| For individuals who represent corporate customers with whom we (or our resellers) have contracts - to provide the organisation you represent with our products and/or services including setting up an account for you | We will collect your personal data and use it to correspond with you about the contract involving the organisation you represent. | Necessary for the legitimate interests of the organisation you represent and our legitimate interests e.g. to provide the organisation you represent with our products and/or services: Article 6(1)(f) UK GDPR | Identity personal data; Contact personal data; Other personal data |
| For individuals who represent prospective corporate customers e.g. for corresponding with you about the products and/or services we offer, to provide a quotation and to respond to your queries | We will collect your personal data and use it to correspond with you about e.g. the services we offer and quotations, and to respond to your queries about the contract involving the organisation you represent. | Necessary for the legitimate interests of the organisation you represent and our legitimate interests e.g. to deal with pre-contractual enquiries or issues: Article 6(1)(f) UK GDPR | Identity personal data; Contact personal data; Other personal data |
| To allow you to create an account and log-in to use our website, products and/or services using your Unipass ID and to allow Unipass ID to be used for recipient authentication | You may be given the option to link your Unipass Identity to your account whereafter it can be used to sign in to use our website, products and/or services. If the “Trust Unipass” option is enabled in the Company Admin portal linked to your user account (Mailock Pro accounts only), an automatic check occurs during the sending of all messages to determine if the recipient has a Mailock account with a linked Unipass ID. This information will be revealed to the sender of the message so that the appropriate level of challenge can be applied to the message. This ensures the correct and secure handling of the message. | Necessary for your legitimate interests e.g. for ease of use of our website, products and/or services: Article 6(1)(f) UK GDPR | Identity personal data |
| For other individuals with whom we have contracts e.g. suppliers, for corresponding with you and for taking steps under the contract with you | We will collect your personal data and use it for entering into and managing the contract with you. | Necessary for the performance of our contract with you or to take steps at your request before entering into a contract with you: Article 6(1)(b) UK GDPR | Identity personal data; Contact personal data; Contract personal data; Financial personal data; Other personal data |
| For other individuals who represent organisations with whom we have contracts or a business relationship e.g. service providers and suppliers, for corresponding with you and for taking steps under the contract with your organisation | We will collect your personal data and use it to correspond with you about the contract involving the organisation you represent. | Necessary for the legitimate interests of the organisation you represent and our legitimate interests e.g. to manage and take steps under the contract with your organisation: Article 6(1)(f) UK GDPR | Identity personal data; Contact personal data; Other personal data |
| For other individuals who represent organisations with whom we do not have contracts e.g. prospective suppliers, for corresponding with you about the services your organisation offers and to obtain a price quote | We will collect your personal data and use it to correspond with you about e.g. the services your organisation offers and to obtain a price quote. | Necessary for the legitimate interests of the organisation you work for and our legitimate interests e.g. to raise pre-contractual enquiries or issues: Article 6(1)(f) UK GDPR | Identity personal data; Contact personal data; Other personal data |
| To undertake credit reference checks via external credit reference agencies where it is a condition of us entering into a contract with you | We will collect your personal data and pass it to external credit reference agencies for the purposes of a credit reference check | Necessary for our legitimate interests or those of a third party e.g. to ensure our customers are likely to be able to pay for our products and services: Article 6(1)(f) UK GDPR | Identity personal data; Contact personal data; Financial personal data; Other personal data |
| To manage our relationship with you or the organisation which you represent, which may include (where appropriate) notifying you about changes to our website, products or services, our terms of business or privacy notice | We will use your personal data to correspond with you where appropriate | Necessary for our legitimate interests e.g. to manage our relationship with you or the organisation you represent, and to analyse and improve the products and/or services we offer: Article 6(1)(f) UK GDPR | Potentially any data held |
| To prevent and detect fraud against you or us | We will check and monitor the security of our email and IT systems which hold your personal data and undertake other verification checks of your personal data (as necessary) | Necessary for your and our legitimate interests e.g. to minimise fraud that could be damaging for us and for you: Article 6(1)(f) UK GDPR | Potentially any data held |
| For audits, enquiries or investigations by regulatory bodies (e.g. the ICO) or law enforcement agencies | We will extract your personal data from our IT systems and disclose it as required by law or further to a court order | Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law or a court order): Article 6(1)(c) UK GDPR | Potentially any data held |
| To ensure our business policies are adhered to e.g. policies covering security | We will check our use of your personal data against our business policies | Necessary for our legitimate interests e.g. to make sure we are following our own internal procedures so we can deliver the best service we are able to: Article 6(1)(f) UK GDPR | Potentially any data held |
| For operational reasons, such as improving efficiency, financial performance, quality control and ensuring we comply with applicable laws | We will use relevant personal data in data analysis software and also for manual analysis | Necessary for our legitimate interests or those of a third party e.g. to be as efficient as we can so we can deliver the best service for you or the organisation you represent, at the best price: Article 6(1)(f) UK GDPR | Potentially any data held |
| To ensure the confidentiality of commercially sensitive information | We will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data | Necessary for our legitimate interests e.g. to protect trade secrets and other commercially valuable information: Article 6(1)(f) UK GDPR | Potentially any data held |
| To prevent unauthorised access and modifications to our IT systems, website, products and services | We will put in place reasonable and appropriate security measures to protect the integrity of our IT systems, products and services that hold your personal data | Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR; Necessary for our legitimate interests or those of a third party e.g. to prevent and detect criminal activity that could be damaging for us and for you: Article 6(1)(f) UK GDPR | Potentially any data held |
| To update and maintain our business records | We will enter and hold your personal data in the relevant parts of our IT systems and we may hold your personal data in manual records | Necessary to take steps at your request before entering into a contract with you: Article 6(1)(b) UK GDPR; Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR; Necessary for our legitimate interests or those of a third party e.g. to make sure we can keep in touch with you where necessary: Article 6(1)(f) UK GDPR | Potentially any data held |
| For staff management, training and administration | We will access and use your personal data held in our IT systems and may use it in emails between our staff and for training purposes | Necessary for our legitimate interests e.g. to make sure we are following our own internal procedures and working efficiently so we can deliver the best service that we are able to: Article 6(1)(f) UK GDPR | Potentially any data held |
| To deal with complaints or legal claims against us | We will review your personal data in our IT systems and may collect other information relevant to the complaint/legal claim. We will review any information collected and assess the merits of any complaint or legal claim. We may also communicate with third parties as necessary to seek advice / representation and/or in connection with legal or prospective legal proceedings. | Necessary for our legitimate interests e.g. to ensure that we are able to respond to any complaints or legal claims made against us: Article 6(1)(f) UK GDPR | Potentially any data held |
| For the external audit of our accounts (if required) | We will provide access to such personal data held as is required by our auditors in connection with their audit of financial transactions | Necessary for compliance with a legal obligation to which we are subject: Article 6(1)(c) UK GDPR | As required by our auditors for the statutory audit of our accounts |
| To keep you updated about our business and the sector in which we operate and to send you marketing, promotion and competition communications | We will use your personal data to send you marketing communications | Necessary for our legitimate interests e.g. to promote our business: Article 6(1)(f) UK GDPR; If required by law, with your consent: Article 6(1)(a) UK GDPR | Identity personal data; Contact personal data; Other personal data |
| To enforce or apply terms and conditions or any other agreements relating to our website, products or services | We will review your personal data held and, if appropriate, use it to take enforcement action, including legal proceedings | Necessary for our legitimate interests e.g. to enforce our legal rights and protect our business: Article 6(1)(f) UK GDPR | Potentially any data held |
| To administer and protect our business and our website, products and services (including troubleshooting, data analysis, testing, system maintenance, support, reporting, security and hosting of data) | We will use your personal data held | Necessary for our legitimate interests e.g. for running our business, network security and to prevent fraud: Article 6(1)(f) UK GDPR; Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR | Potentially any data held |
| To analyse, customise and improve our website, products and services and your experience (including through the use of data analytics and other cookies) | We will use personal data collected via cookies and other similar technologies on our website. | Necessary for your and our legitimate interests e.g. to understand how our website, products and services are used, to keep them updated and relevant, improve your user experience and to develop our business: Article 6(1)(f) UK GDPR | Technical personal data; Usage personal data |
| For reviews and testimonials | We will collect personal data and use it for publishing testimonials | Necessary for our legitimate interests e.g. to promote our business: Article 6(1)(f) UK GDPR; If required by law, with your consent: Article 6(1)(a) UK GDPR | Identity personal data; Other personal data |
| To invite feedback and reviews of our website, products and/or services | We will collect personal data and use it to analyse our website, products and/or services | Necessary for our legitimate interests e.g. for running our business: Article 6(1)(f) UK GDPR | Identity personal data; Other personal data |
| For training and monitoring service levels | We will use personal data collected when you require support using our website, products and services for analysis, improvements and to train staff | Necessary for our legitimate interests e.g. to ensure a consistently high level of customer service: Article 6(1)(f) UK GDPR | Potentially any personal data held |
| For recording and/or reporting accidents at our premises or connected with our business | We will use any personal data collected to (where appropriate) deliver first aid, call the emergency services and record/report the accident | Necessary for compliance with a legal obligation to which we are subject (e.g. health and safety legislation): Article 6(1)(c) UK GDPR | Identity personal data; Other personal data |
| To provide personal data to other third parties that have or may acquire control or ownership of our business or part of our business (and our or their professional advisers) in connection with a corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency | We will extract your personal data and disclose it as necessary | Necessary for your and our legitimate interests (e.g. to ensure continuity of our business and services): Article 6(1)(f) UK GDPR | Potentially any data held. Where possible information will be anonymised during a transaction and until completion of the transaction but this may not always be possible |
| We may use personal data relating to each user and their use of our website, products and services to generate and maintain an identity confidence score in relation to them (which we call an Assure Score) which is associated with their email address and/or phone number. We may continue to maintain the Assure Score | We may create, store and update from time to time a user’s Assured Score and we may share Assure Scores with third party service providers at any time, including when you apply for services from them, in order to assist those service providers to verify your identity and make it easier for you to apply for such services seamlessly | Necessary for your, our and third parties’ legitimate interests (e.g. to provide assurances about the security of communications, assist service providers to verify your identity and make it easier for you to apply for such services seamlessly): Article 6(1)(f) UK GDPR | Potentially any data held |
Additional information for individuals who are users of, or who otherwise access or interact with, our website, products and/or services (whether or not as our customer and whether as a registered or guest user)
Our purpose for using your personal data:
- For providing access to and enabling use of our website, products and services (e.g. registering for and setting up an account or opening an email which has been sent to you).
- Facilitating, supporting and monitoring use of and the operation of our website, products and services (including where necessary securing communications and verifying your identity).
- To provide information to our customers and other users about emails they have sent (e.g. whether they were opened).
- To maintain, develop, troubleshoot, test and improve our website, products and services.
- For securing the website, products and services and communications.
- To deploy and process personal data collected via cookies that are strictly necessary.
- To communicate with you about the website, products and services.
- To generally administer, monitor and improve our business, website, products and services.
- For enforcement of our rights and terms of use.
- To enable us to recover and verify your account.
- We may give you the option to link your Unipass Identity to your account whereafter it can be used to sign in to use our website, products and/or services.
What we do with your personal data:
We will collect your personal data and use it to provide, support, manage, analyse and develop our website, products and services.
Lawful basis relied on under the UK GDPR:
- Necessary for the legitimate interests of the organisation you work for, you as our customer or a user and for our legitimate interests e.g. to allow users to access and use the products and services: Article 6(1)(f) UK GDPR
- Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR
What personal data we use:
Potentially any data held.
Special category and criminal offence data
We do not intentionally collect any special category personal data or criminal offence data but if we do so (for example because you choose to give this to us) we will comply with law and ensure we have a proper reason for doing so and one of the number of potential ‘grounds’ for using special category personal data or criminal offence data set out in data protection law applies to our use. Where we rely on consent as a lawful basis to process your personal data, you have the right to withdraw your consent at any time. To do this, please contact us (see: 'Contact us').
We may process data relating to criminal offence data in monitoring the use of our website, products and services for security purposes, if we become aware you may have committed a crime, for example by trying to circumvent our cyber security measures. In such circumstances we may provide that information to law enforcement and/or use it to establish, exercise or defend a legal claim. In those circumstances, according to the type of activity and purpose, we would expect to rely on legitimate interests (protecting our business and users) and/or legal obligation as our lawful basis for processing and our condition for processing will likely be preventing or detecting unlawful acts and/or legal claims.
Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
Marketing communications
We may use your personal data to send you periodic communications about our business or our website, products and/or services that might be of interest to you.
When you register for our website, products and services we may ask you to specify your marketing preferences. You can amend these at any time in your account preferences. We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.
You have the right to opt-out of receiving marketing communications at any time. There are different ways to do this:
- You can 'Contact us'
- Follow the opt-out links within any marketing communication sent to you
- Update your marketing preferences via our website
If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.
Email marketing messages may contain tracking beacons or tracked clickable links or similar technologies in order to track subscriber activity.
We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.
Who we share your personal data with
Depending on the circumstances, we may share your personal data with third parties:
| Category of recipient | Use by recipient | Relevant categories of personal data that may be shared with the recipient (depending on service provided/reason for sharing) |
|---|---|---|
| Our insurers, brokers and other professional advisers in the event of a complaint or legal claim against us or where we require external advice or assistance | For assisting, advising and representing us as necessary | Potentially any personal data held |
| Credit check / identity check provider | To provide the results of a credit check / identity search | Identity personal data; Contact personal data; Financial personal data |
| External auditors (if required) | For undertaking the statutory audit | As required by our auditors in connection with our audit (see: 'How and why we use your personal data') |
| Our bank | For processing financial transactions | Identity personal data; Contact personal data; Financial personal data |
| Customer support provider | For providing customer support and maintenance | Identity personal data; Contact personal data |
| Our external IT service providers e.g. IT platform hosting provider, website hosting provider, IT support, email security, email service provider, document management providers, application software providers | For providing the relevant IT service to us | Potentially any personal data held |
| Our other external service providers e.g. payment providers, data analytics providers and marketing services providers | For providing the relevant service to us e.g. to pay you commission | Potentially any personal data held |
| Our introducers of new customers or business | To manage the introducer arrangement | Identity personal data; Contract personal data |
| Resellers of our products and services to end customers | To manage the reseller’s end customer’s use of and contract for our products and services and manage our contract with the reseller | Identity personal data; Contract personal data. If you are a customer of a reseller then you may also choose to provide the reseller with access to other personal data by providing them with the ability to manage your subscription to our products / services. If you do so then the resultant processing of personal data by the reseller is the responsibility of the reseller and not us. |
| HM Revenue and Customs, regulators, law enforcement, public authorities or other third parties acting as controllers based in the UK where necessary to exercise our rights or comply with a legal obligation | For any purpose relating to their powers and remit | Potentially any personal data held |
| Other companies in our group | To operate the businesses operated by our group of companies and provide our products and services | Potentially any personal data held |
| Third parties to whom we may propose or choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice | To carry out due diligence; to continue to operate the business | Potentially any personal data held. Where possible information will be anonymised during a transaction and until completion of the transaction but this may not always be possible |
| Third parties that have or may acquire control or ownership of our business or part of our business (and our or their professional advisers) in connection with a corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency | To carry out due diligence; to continue to operate the business | Potentially any personal data held. Where possible information will be anonymised during a transaction and until completion of the transaction but this may not always be possible |
| Where a user is using our website, products or services as an authorised user of one of our customers then information about that user and their use of our website, products and services may be shared with our customer | In order to fulfil our obligations to our customer and in order to provide our products and services | Potentially any personal data held |
| If a user sends an email or a user receives an email via our website, products or services they will receive and be able to see certain information about one another and if the user who is the sender of the email is an authorised user of our customer then our customer may receive information about the recipient user | In order to fulfil our obligations to our customer and in order to provide our products and services | Potentially any personal data held |
| Users of Assured Score data | We may use personal data relating to each user and their use of our website, products and services to generate and maintain an identity confidence score in relation to them (which we call an Assure Score) which is associated with their email address and/or phone number. We may continue to maintain the Assure Score and an Assured Score will be created in relation to a user even if they did not create an account with us and instead used our website, products or services as a ‘Guest’. We may create, store and update from time to time a user’s Assured Score and we may share Assure Scores with third party service providers at any time, including when you apply for services from them, in order to assist those service providers to verify your identity and make it easier for you to apply for such services seamlessly. | Potentially any personal data held |
We expect all third parties to respect the security of your personal data and to treat it in accordance with the law.
How long your personal data will be kept
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of fulfilling our contract with you or the organisation you represent, satisfying any legal, regulatory, tax, accounting or reporting requirements and to bring or defend legal claims. Different retention periods apply for different types of personal data.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. By law we have to keep basic information about our customers, for tax purposes, for six years after they cease being customers.
Please note the following:
If you set up an account with us but you do not use our related website, products or services for a prescribed amount of time (the length of time will be as determined by us in our absolute discretion from time to time) then we may treat your account as expired and deactivate it.
If you are a customer and register for a paid-account (a subscription) and you cancel your subscription your payment details will be deleted 10 days after the subscription is cancelled.
All email messages that have been secured with Mailock are set with an expiry date which, depending on the type of Mailock account, is normally 365 days after the message is sent. For messages sent using our Free Account or for replies sent as a “Guest”, the expiry date is set to 21 days. On expiry, the message data will be retained but it will be moved to our secure archive store where it will remain, encrypted, for up to 10 years, after which time it will be permanently deleted. We are not able to see the content of any message that has been sent, due to the nature of the encryption solution which you have purchased, but other Usage personal data will still be accessible.
Users are responsible for deleting messages held in their accounts when they are no longer required and should no longer be retained. If you do not do so, then messages will continue to be stored by us for your future access if required in accordance with our retention periods (being such periods as we shall decide from time to time in our absolute discretion).
Users are also responsible, where permitted by their account, for specifying the length of time after a message is sent to a recipient that it will be available to them.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research, product development, business or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting us (see: ‘Contact us').
In some circumstances you can ask us to delete your personal data: see ‘Your rights'. You can also use the cookie banner on our website to change your cookie preferences.
Transferring your personal data outside of the UK
We may transfer your personal data to third parties in order to operate our business including our group companies and service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.
Whenever we transfer your personal data out of the UK, we will ensure the transfer complies with relevant data protection law by ensuring that, for example:
The country to which the personal data is being transferred has been deemed by the UK to provide an adequate level of protection for personal data
There are appropriate safeguards in place between us and the organisation receiving it together with enforceable rights and effective legal remedies for you (e.g. by the use of approved data protection contractual clauses).
Please contact us (see below: ‘Contact us') if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK.
Your rights
You have a number of rights under data protection laws in relation to your personal data and we have set out details of these rights below. If you would like to exercise any of these rights, please contact us (see below: ‘Contact us’) and provide us with enough information to identify you as well as what right you want to exercise and the personal data to which your request relates.
| Right | Description |
|---|---|
| Access | The right to be provided with a copy of the personal data we hold about you (commonly known as a "subject access request") |
| Rectification | The right to require us to correct the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us |
| Erasure (also known as the right to be forgotten) | In certain situations, the right to require us to delete your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request |
| Restriction of processing | In certain situations, the right to require us to restrict processing of your personal data e.g. if you contest the accuracy of the data or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. You can ask us to stop processing the personal data whilst we look into the accuracy issues |
| Data portability | In certain situations, the right to ask us to transfer any personal data you provided to us to another organisation |
| To object | The right to object in certain situations to our continued processing of your personal data e.g. where processing is carried out for the purpose of our (or a third party’s) legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims |
| Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
| To withdraw consent | If we are relying on consent to process your personal data (see 'How and why we use your personal data') you have the right to withdraw that consent at any time. To do this, contact us (see: 'Contact us'). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent |
| Direct marketing | You have the absolute right to object at any time to the processing of your personal data for direct marketing purposes (see: ‘Marketing communications'). |
What we may need from you:
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond:
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Charges:
You will not have to pay a fee to access your personal data (or to exercise any of the other rights mentioned above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Contact us:
For further information on each of the above rights, including the circumstances in which they apply, please contact us or visit the ICO’s website. Further information about how to make a complaint to the ICO can be found on the ICO website www.ico.org.uk.
Automated decision making
We do not make decisions based solely on automated processing or profiling that produce legal effects concerning you (or have similarly significant effects).
Keeping your personal data secure
We have put in place reasonable and appropriate security measures to endeavour to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in an unlawful way.
We also have procedures in place to deal with any suspected data security breach. A network-based IDS (intrusion detection system) provides 24x7 network monitoring and alerts security personnel to any external attacks on the network. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is never completely secure. We cannot therefore guarantee (and do not warrant) the security of your data transmitted via our website, products or services; any transmission is at your own risk. Our website, products and services may, from time to time, contain links to other websites, software, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites, software, plug-ins or applications and are not responsible for their data protection, privacy or security practices or privacy notices. When you leave our website, product or service, we encourage you to read the privacy notice (and/or other relevant terms of use) of every third party website, software, plug-in and application you visit before you submit any data to them.
Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website, products or services, you are responsible for keeping this password confidential. We ask you not to share passwords with anyone. If you are concerned about the security of your password at any time you should immediately change it by logging into your account. You are responsible for utilising multi-factor authentication where available and for using this in a secure and appropriate manner.
We are Cyber Essentials, Cyber Essentials Plus and ISO 27001:2022 certified.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your personal data. If you want to complain about how we have used your personal data, please contact us (see: ‘Contact us'). However, if we are not able to resolve your complaint to your satisfaction, you have the right to complain to the ICO. Further information about how to make a complaint to the ICO can be found on the ICO website www.ico.org.uk.
Changes to this privacy notice
We keep our privacy notice under regular review and therefore we may change it from time to time. If we do change this privacy notice we will inform you via our website. If any changes are likely to have an adverse impact on your rights under data protection law, we will use reasonable endeavours to notify you of the changes in advance in writing or by alternative means.
Changes to your personal data
It is important that the personal data we hold about you is accurate and current.
Please let us know if your personal data changes during your relationship with us, for example a new address or email address (see: 'Contact us').
Contact us
If you have any queries about this privacy notice, how we use your personal data or you want to exercise your data protection rights, you can contact us by email, post or telephone as follows:
Email: dpo@beyondencryption.com
Telephone: 020 8123 4546
Post: Beyond Encryption DPO, 1 Gloster Court, 5, Whittle Avenue, Fareham PO15 5SH
If you have an account with us and you wish to change your personal data in it (for example your email address) or deactivate it, please contact us via this email address: salessupport@beyondencryption.com.
Do you need extra help?
If you would like this privacy notice in another format (for example large print) please contact us (see: 'Contact us').
Last updated 1.3.26
Privacy Notice Version 12