Our Contact Details
Company name: So-Mo Co Ltd
Address: 2 The Towers, Chester High Road, Neston, CH64 7TA
Company Registration: 09104338 Registered in England and Wales
Main contact: Rhona Armstrong, Operations Coordinator
Data Protection Officer: Dr Holly Hope Smith, Head of Behavioural Science
Key Definitions
- Data Controller: under UK data protection law, this is the organisation or person responsible for deciding how personal information is collected and stored and how it is used.
- Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks in relation to the personal information on behalf of, and on the written instructions of, the Data Controller.
- Special Categories of Information: certain very sensitive personal information requires extra protection under data protection law. Sensitive data includes information relating to health, racial and ethnic origin, political opinions, religious and similar beliefs, trade union membership, sex life and sexual orientation, and also includes genetic information and biometric information.
Details of Personal Information which we collect and hold
The types of personal data we may collect from you may differ from person to person, depending on who you are and your relationship to us or involvement in our projects. These include:
- Identity Information: This is information relating to your identity such as your name (including any titles which you use), gender, marital status and date of birth.
- Contact Information: This is information relating to your contact details such as e-mail address, addresses and telephone numbers.
- Payment Information: This is information relating to the methods by which you provide payment to us or we provide payment to you such as bank account details, credit or debit card details and details of any payments (including amounts and dates) which are made between us.
- Survey Information: This is information which we have collected from you or which you have provided to us in respect of surveys and feedback.
- Marketing Information: This is information relating to your marketing and communications preferences.
- Website, Device and Technical Information: This is information about your use of our website and technical data which we collect (including your IP address, the type and version of browser you are using, the operating system you are using, details about the time zone and location settings on the device and other information we receive about your device).
- Social Media Services: If you view our social media accounts, we will have access to some of your information from that platform, e.g. through Twitter Analytics.
- Information from other third-party sources: We may obtain information about you from publicly and commercially available sources and other third parties as permitted by law.
Details of Special Categories of Information we may collect and hold
Special categories of information are set out in ‘Key Definitions’. For the purpose of business and project activity, in relation to the specific legitimate interest identified, we may collect and hold the following special categories of information about you: race, ethnic origin, political views, religion, trade union membership, health, sexual orientation.
Use of Information
Operating our service
We may use information about you for various purposes related to operating our business services, including to:
- Provide, maintain and improve our service.
- Monitor and analyse trends, usage and activities in connection with our services.
- Inform a current project.
Communicating with you
We may use information about you for various purposes related to communicating with you, including to:
- Respond to your comments, questions, requests, and to provide customer service.
- Communicate with you about products, services and events offered by us and others, to provide news and information that we think will be of interest to you, to conduct online surveys, to contact you about events that are being held near your locations.
- Send you technical notices, updates, security alerts and support, and administrative messages.
We may use information about you for various other purposes, including to:
- Carry out any other purposes described to you at the time that we collected the information.
Legal basis for processing
We are only able to use your personal information for certain legal reasons set out in data protection law. There are legal reasons under data protection law other than those listed below, but in most cases, we will use your personal information for the following legal reasons:
- Contract: this is in order to perform our obligations to you under a contract we have entered into with you;
- Legitimate Interests: this is where the use of your personal information is necessary for our (or a third party’s) legitimate interests, so long as that legitimate interest does not override your fundamental rights, freedoms or interests. You will be notified of the legitimate interest in the shared Privacy Notice.
- Legal Obligation: this is where we have to use your personal information in order to perform a legal obligation by which we are bound; and
- Consent: this is where you have given us your consent to use your personal information for a specific reason or specific reasons. Where you provide us with special categories of information, this is done so with your explicit consent.
Please note: for some of the purposes, there may be more than one legal reason on which we can use your personal information, because the legal reason may be different in different circumstances. If you need confirmation of the specific legal reason that we are relying on to use your personal data for that purpose, please contact us using the contact details set out at the start of this privacy notice.
Special Categories of Information
As explained above, there are more sensitive types of personal data which require higher levels of protection. Where we process such sensitive types of personal data, we will usually do this in the following circumstances:
- We have your explicit consent;
- Where it is necessary in relation to legal claims;
- Where you have made the personal data public.
What if the purpose for processing data changes?
Under data protection laws we can only use your personal information for the purposes we have told you about, unless we consider that the new purpose is compatible with the purpose(s) which we told you about. If we want to use your personal information for a different purpose which we do not think is compatible with the purpose(s) which we told you about then we will contact you to explain this and what legal reason is in place to allow us to do this.
Sharing of Information
With our service providers
We may use service providers in connection with operating and improving our service to assist with a certain function, such as payment processing, email transmission, conducting surveys or contests, data hosting, and some aspects of our technical and customer support. We take measures to ensure that these service providers access, process, and store information about you only for the purposes we authorise, subject to confidentiality obligations.
Depending on the circumstances, the organisations or people who we share your personal information with will be acting as either Data Processors or Data Controllers. Third parties we may share information with include our clients, for the purpose of delivering a commission under the terms of a contract, and suppliers or project partners engaged for the delivery of a project commission under the terms of a contract. If data is shared with another party, you will be notified either by way of a specific Privacy Notice or by direct communication seeking your explicit consent. This does not affect your rights under data protection law. Where we share your personal information with a Data Processor we will ensure that we have contracts in place which set out the responsibilities and obligations of us and them, including in respect of the security of personal information.
We do not sell or trade any of the personal information which you have provided to us.
Following the law
We may access, preserve, and disclose information about you to third parties, including the content of communications, if we believe disclosure is in accordance with, or is required by, applicable law, regulation, legal process, or audits. We may also disclose information about you if we believe your actions are inconsistent with our guidelines and policies, or if necessary to protect the rights, property, or safety of, or prevent fraud or abuse of, So-Mo or others.
Affiliate sharing and merger, sale, or other asset transfers
If So-Mo is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of our assets, information about you may be shared, sold or transferred as part of that transaction. We may also share information about you with current or future corporate partners, subsidiaries or affiliates.
We may de-identify or aggregate information about you and share it freely so that you can no longer be identified. We may also share information about you with your consent or at your direction or where we are legally entitled to do so.
Analytics and advertising services provided by others
- Google Analytics
- Twitter Analytics
- Meta Analytics
- Website Analytics
Transfer of information to other countries
We do not transfer your personal information outside of the EEA. So-Mo is based in the UK. Information about you will be processed in the UK. However, some third-party providers may be based in countries other than the one in which you are resident. These countries may have data protection laws that are different to the laws of your country and, in some cases, may not be as protective. So-Mo strives to ensure that the protection applied to your data complies with the requirements set out in the EU GDPR.
We employ technical and organisational measures designed to appropriately protect your information that is under our control. We store all information that you provide to us on secure servers. We train employees in GDPR and data security management in line with our policies and procedures. Authorised employees access information on a need-to-know basis, as required for their role. We use firewalls and anti-malware/anti-virus programmes designed to protect against intruders and test for network vulnerabilities. However, no method of transmission over the internet or electronic storage is completely secure.
We will only hold your personal data for as long as is necessary. How long is necessary will depend upon the purposes for which we collected the personal information and whether we are under any legal obligation to keep the personal information (such as in relation to accounting or auditing records or for tax reasons).
We retain certain information that we collect from you for the following reasons:
- To communicate with you
- To ensure that we do not communicate with you if you have asked us not to
- To inform an ongoing or previous project where your data has been identified as being useful to a future project
- To comply with legal, tax or accounting requirements.
When we have no ongoing legitimate business need to process your information, it will either be permanently destroyed or anonymised.
Storage & Ongoing Review
All data is stored in OneDrive for Business (Microsoft), within a UK geolocation. Microsoft have data centres in Durham, London and Cardiff.
How Microsoft ensures that we have granular control over data location, storage and usage
- Office 365 with OneDrive and SharePoint allows people to store, share and work together on content. That content as well as end user information remains in the direct control of administrators and end users. This data is owned solely by the customer. Microsoft is only its custodian in providing the service as outlined in the Online Service Terms (OST).
- Administrators and users are also in direct control of user account and contact information. For example, admins can force password updates or update a user's login information. This information is used to control access to OneDrive and can power experiences within SharePoint and all of Office 365.
- Multi-Geo enables OneDrive in your tenant to span across multiple datacentre geographies and gives you the ability to store data at rest, on a per-user basis, in your chosen geo. Microsoft will not move the data unless directed by us.
- Finally, Microsoft provides functionality to identify and manage data for the purposes of compliance with the GDPR. Microsoft provides detailed guidance on how to leverage Office 365, OneDrive and SharePoint functionality to manage and honour GDPR data subject requests (DSRs) by the GDPR deadline.
How Microsoft ensures compliance with So-Mo’s security, retention and deletion policies
- So-Mo maintains control of the lifecycle of customer data and user-generated content. Admins and end users can add, modify, and delete data explicitly via well-known user interfaces or admin tools. Admins can set retention policies on OneDrive/SharePoint content (on a per-user basis). Data can be removed aggressively or preserved for longer periods.
- Account data synchronised from Office 365 is used to determine, based on licenses, what experience the end user is entitled to. This data follows the lifecycle of the user. Admins can add, modify and delete user accounts, and those changes will be promptly reflected in OneDrive for Business.
- Product and service usage data follows a controlled lifecycle designed to comply with GDPR data subject requests.
- Finally, with Advanced Encryption with Customer Key, administrators can be confident that when data is offboarded, Microsoft no longer has any access to it.
Information Security tests are conducted once a year, or when a need for a test is identified. The types of annual tests that are conducted internally are:
- review of data held in folders, ensuring information that is no longer required for legal, compliance, statistical or research purposes has been permanently destroyed
- review of financial records, information held on past employees, and any other personal information which has been held for more than six years and is no longer required for legal, contractual, compliance or accounting purposes
In addition to the above, So-Mo routinely ensures the following measures are conducted by all staff. A record of dates and actions is kept for internal review.
- two-factor authentication is used for all logins to systems where personally identifiable data is stored
- work devices are kept up to date with the latest software versions
- weekly firewall checks, reflecting the fact that employees work remotely
- work laptops are registered with the Nord VPN service, ensuring encrypted internet connections for employees working remotely and/or from home networks
- regular antivirus and antimalware scans with Norton360 Premium to identify and remove threats (e.g. ransomware, phishing, viruses and other digital dangers)
- regular review of activity in OneDrive and SharePoint to identify areas of risk and manage access control
- biannual senior management team meeting to discuss and review policies and procedures and identify any areas for improvement. This meeting provides an opportunity to provide additional training in data protection and cyber security.
- FileVault (macOS) is enabled on all company laptops to ensure hard-disk encryption.
- No client identifiable data is stored outside of the secure cloud storage.
- No personal data, or any other data of any kind (project, employee or other) is stored anywhere other than within secure cloud storage.
Website, Device and Technical Information
You may view, update or correct your current information by sending a subject access request to firstname.lastname@example.org. You may also request to have data removed.
You can control messages you receive from So-Mo by selecting the unsubscribe link in the message that you receive, or by adjusting the communication preferences in your account settings. We will also send you a link to these settings when you first sign up and in subsequent messages. If you opt-out, we may still send you non-promotional communications, such as those about your account or ongoing business relations.
Your Rights Under Data Protection Law
We respond to all requests that we receive from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. You can initiate your rights by sending an email to email@example.com.
Right to access
You have the right to ask us for copies of your personal information.
Right to rectification
You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Right to restriction of processing
You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Right to data portability
You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
In addition to the rights above, where we rely on consent as the legal reason for using your personal information, you have the right to withdraw your consent. You can do so by directly contacting us using the contact details set out at the beginning of this Policy. If you do make a request then please note:
- We may need certain information from you so that we can verify your identity.
- We do not charge a fee for exercising your rights unless your request is “unfounded or excessive”.
- If your request is “unfounded or excessive” then we may refuse to deal with your request.
Making a Complaint
If you are unhappy about the way that we have handled or used your personal information, you have the right to complain to the UK supervisory authority for data protection, which is the Information Commissioner’s Office (ICO). Please do contact us in the first instance if you wish to raise any queries or make a complaint in respect of our handling or use of your personal information, so that we have the opportunity to discuss this with you and to take steps to resolve the position. You can contact us using the details set out at the beginning of this privacy notice.
Information Commissioner's Office
You may complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data.
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline number: 0303 123 1113
- Website: https://www.ico.org.uk