Privacy Policy
corac is based at Centaur House, Ancells Business Park, Fleet, Hampshire, GU51 2UJ, United Kingdom.
We operate conscientiously within the requirements of the General Data Protection Regulations 2018 and other electronic marketing legislation. We work within the principles of fair data processing, namely:
- Using information in a way that people would reasonably expect.
- Thinking about the impact of our processing.
- Being transparent and ensuring that people know how we’ll use their information.
This statement (together with our Terms and Conditions), as may be amended from time to time by updates on this page, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us, as data controller and a data processor. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
1. What This Privacy Statement Covers
This statement covers how we treat any personal information that we collect and receive either from our website or as part of our broader operating processes.
We do not sell or pass on any personal information about our members or prospects (unless compelled to do so by law), and we only use any information shared with us for running and improving our services. In that capacity we operate as a data controller and, to the extent that we process the data, as a data processor.
This statement tells you what information we collect, the steps we take to protect and secure it, how we use and share information, and finally, how you can contact us with questions or concerns.
2. Information We Collect
(a) Personal Information.
We collect personal information (e.g., name, email address, phone number, etc.) when you:
- Send us an enquiry through our website
- Email us
- Work with us as a member, supplier or employee
- Undertake training with us
We also maintain a simple prospect database justified under a Legitimate Interest assessment where we collate names and contact details of B2B prospects (from activity on consent-based social media platforms) who are in professional roles that we believe would be interested in membership.
(b) Other User Information.
When you access and use our services, we may collect additional contextual information about your company as well as your service delivery preferences. We do not link this additional data to any other information we collect about you and do not undertake any profiling activity from this type of data.
(c) Billing Information.
If you contract with us we will require your billing information in order to process the transaction. Billing information includes your name, address, telephone number, bank details and other information necessary to process the transaction. However, we use PayPal to collect fees and do not use, collate or store credit card numbers.
(d) IP Addresses and Cookies.
corac uses the Weebly platform for its website which collects information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual. For the same reason, the platform obtains information about your general internet usage by using a cookie file which is stored on the hard drive of your computer.
Cookies contain information that is transferred to your computer’s hard drive. A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser. Weebly uses both “session” cookies and “persistent” cookies on the website. It will use the session cookies to keep track of you whilst you navigate the website and persistent cookies to enable the website to recognise you when you visit. Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.
The website uses cookie information in the following ways:
- To ensure that content from the site is presented in the most effective manner to you and to your computer
- To allow you to participate in interactive features of the website, when you choose to do so, e.g. liking a post.
Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector. You may refuse to accept cookies by activating this setting on your browser; however, if you select this setting you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site.
Disclosure of this information
This information may be disclosed to third parties:
- If corac or substantially all of our assets are acquired by a third party, in which case personal data held by it about our customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of our clients, customers or others.
- Our site may, from time to time, contain links to and from the websites of our partner networks, clients, affiliates or other external websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these privacy policies. Before you submit any personal data to our site, you may want to check the policies of our client, for whom we are collecting the data, and who for your purposes is the data controller. In the absence of any details being listed on our site, you may contact us at or on the details provided below.
3. Information Use, Legal Basis, Sharing, Disclosure, and Retention
(a) Use and Legal Basis.
Sales and Service Delivery. corac uses key contact prospect and client data for developing and issuing sales proposals and for providing its products and services – and justifies this under the legal basis of “Contract”.
Training Delivery and Assessment. corac also collates, stores and uses members’ names, job titles and email addresses to facilitate training delivery and to issue and notify candidates of their results and certificates. corac justifies this under the legal basis of “Contract”.
Marketing Emails. corac uses personal data to contact prospective B2B members with information about our services. We justify this through a “Legitimate Interests” assessment and offer opt-out functionality for those no longer wishing to hear from us in this way.
Social Media. corac uses social media to make contact with individuals who might be interested in aspects of our service or future services. In these instances we do not hold or process any data; we engage on an opt-in platform within the terms and conditions of said platform provider. We consider this activity as “Consent” based.
Administrative and Legal. We also process small amounts of employee and subcontractor data under the legal basis of “Contract” and, if in the Vital Interests of the data subject, or with specific consent, or to comply with Employment or Health and Safety or another Legal requirement will hold special category data such as medical history or driving convictions.
(b) Sharing.
corac does not share, sell, rent or trade personal information with any third parties for marketing or promotional purposes. It will only share limited data with suppliers where required operationally - for example a training assessment platform partner.
It does share small quantities of employee data for administrative and legal purposes.
It also reserves the right to share data with relevant authorities if compelled to do so to comply with legal obligations.
(c) Disclosure.
corac may disclose personal information under the following circumstances:
- In certain situations, we may disclose personal data in response to lawful requests by public authorities, including but not limited to national security or law enforcement requests. We may also disclose your personal information as required by law, such as to respond to court orders or similar legal processes, to establish or exercise our legal rights or defend against legal claims, or if in our judgment in such circumstances disclosure is required or appropriate.
- If we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our various terms of use, or as otherwise required by law.
(d) Retention. We will retain existing member information for as long as a membership account is active with us or as needed to provide our services – and where required to comply with our legal obligations, resolve disputes, and enforce our agreements. We will retain all prospective member data on an ongoing basis until such time as we receive a request to opt-out.
4. Confidentiality and Security
We use physical, electronic, and procedural safeguards to protect personal information. Our IT arrangements aspire to “Data Protection by Design” and should be able to detect a significant data breach. Where such a breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage we will notify the ICO. Where a breach is likely to result in a high risk to the rights and freedoms of individual data subjects, we will also notify those concerned directly and at the earliest practical opportunity. We shall then fully investigate a data breach and implement corrective action to prevent recurrence.
By using our services or providing personal information to us, you are consenting to corac communicating with you electronically regarding security, privacy, and administrative issues related to your use of our services. We may post a notice on our website if a security breach occurs. In these circumstances, we may also send an email to you at the email address you have provided to us.
Data transmissions over the Internet are not 100% secure. Consequently we cannot guarantee or warrant the security of any information you transmit to us and you do so at your own risk. Once we receive your transmission, we use reasonable efforts to ensure security on our systems.
Specifically, corac follows the Information Commissioner’s Office guidance on Data Security for SMEs in that:
1. We assess, limit and manage the data we process
- Personal data that is held by corac is generally contract based information held on employees or members to facilitate doing business.
- A small amount of targeted, B2B prospect data is also processed by corac within the parameters of a Legitimate Interest Assessment
- All of the corac team promote our Privacy Statement via their e-mail signatures to provide transparency over our data processing.
- Information relating specifically to employees is held only on the director’s PC which is password protected or a paper copy locked in a cabinet in the main office.
- Member information is held on a sales database, e-mail client and our accounting package (Xero) which is a password protected cloud based solution.
2. We follow the Cyber Essentials guidelines
- corac has a firewall solution in place on its main, serviced office internet connection.
- All corac employees are asked to remove software that is not required on their PCs.
- Default passwords are changed on software packages.
- All corac employees have separate passwords for their PCs and different software platform usernames and passwords.
- Passwords and access to systems are changed immediately upon an employee leaving the organisation or being disciplined for gross misconduct.
- corac has respected malware and anti-virus software installed on all PCs. All alerts are noted and actioned.
- Malware and anti-virus software is updated annually or automated updates are accepted.
3. We secure our data
- All hard copy personal data on employees and members is held in a locked cabinet in the main corac office and only the Director has keys to this cabinet.
- The Director may hold personal data on employees on their PC but this is password protected.
- PAYE information is sent direct to employees via an electronic payslip service.
- Member personal data is held on a sales database and in spreadsheets that are password protected and only accessible by employees.
- Member financial information data is held online in either our accounting package (Xero) or on our banking portal, both of which are password protected.
- Old project folders are held online using Dropbox which may contain client personal data. Dropbox is password protected and only available to relevant employees.
- Backups of the Dropbox folders are done monthly and held in a safe at the corac Director’s home.
4. We secure our data in the cloud
- Data is secured via password protected Dropbox, Database and Xero platforms in the cloud.
- Access to these can be achieved via PC or mobile device.
5. We back up our data
- corac uses Dropbox to store member data for business development and live engagement projects.
- corac uses Dropbox to store old member records and backs this up on a monthly basis onto external hard drives, one copy of which is kept in the safe at the Director’s home.
- corac requests that PC hard drives of team members have minimal member data and project information held on them to minimise theft or loss issues.
6. We train our staff
- corac regularly highlights data security at its team meetings and ensures that Anti-Virus software is up to date and working.
7. We keep an eye out for problems
- corac management regularly encourages team members to report any concerns they have about data security and asks them to run vulnerability scans on their PCs.
8. We know what we should be doing
- corac has an annual review of what personal data it currently holds on its system as part of a GDPR audit.
- corac has regular training sessions for data security for its team in proportion to the size of the organisation.
9. We minimise our data
- corac minimises the amount of personal data held on its systems.
- Employee personal data is kept to a minimum and held in hard copy in a locked cabinet. Old employee data is only held for as long as legally required.
10. We utilise credible IT partners
- corac uses recognised IT suppliers with verified security robustness.
5. Right to Be Informed
We strive to ensure that all those engaging with us are informed of our arrangements for processing personal data through this Privacy Statement which is linked to from our email signatures and website home page.
6. Right of Access
We will respond to data requests within 1 month and will only charge for requests that are manifestly unfounded or excessive. If we have grounds to refuse a request we will inform the data subject and make them aware of their right to complain to the ICO or to seek civil action – again within 1 month of receiving the request.
7. Right to Rectification
For personal data obtained directly from a data subject under the legal basis of consent – and obtained indirectly from a data subject under the legal basis of legitimate interest – we will correct any inaccuracies in a data subject’s personal data upon receipt of a request. For personal data held under the legal basis of “Contract” or “Vital Interests” or “Legal Obligations” we will endeavour to correct the data upon request but may not be able to do so if changing the data may conflict with our legal obligations or disadvantage us in a future legal action. In cases where we cannot rectify the data for these reasons we shall inform the data subject and make them aware of their right to complain to the ICO or to seek civil action.
8. Right to Erasure
For personal data obtained directly from a data subject under the legal basis of consent – and obtained indirectly from a data subject under the legal basis of legitimate interest – we will erase a data subject’s personal data upon receipt of a request / opt-out notification. For personal data held under the legal basis of “Contract” or “Vital Interests” or “Legal Obligations” we will endeavour to erase data upon request but will not be able to do so if holding the data is necessary to fulfil our legal obligations or may be necessary as evidence in a future legal action involving us. In cases where we cannot erase the data for these reasons we shall inform the data subject and make them aware of their right to complain to the ICO or to seek civil action.
9. Right to Restrict Processing
For personal data obtained directly from a data subject under the legal basis of consent – and obtained indirectly from a data subject under the legal basis of legitimate interest – we will restrict the processing of a data subject’s personal data upon receipt of a request / opt-out notification. For personal data held under the legal basis of “Contract” or “Vital Interests” or “Legal Obligations” we will endeavour to facilitate the requested restriction upon request but will not be able to do so if restricting the processing of the data prevents us from fulfilling our legal obligations or the current processing of the data may be necessary as evidence in a future legal action involving us. In cases where we cannot restrict the processing of the data for these reasons we shall inform the data subject and make them aware of their right to complain to the ICO or to seek civil action.
10. Right to Data Portability
For personal data obtained directly from a data subject under the legal basis of consent – we shall provide, upon receiving a request, the data that we hold in a standard, widely accessible format.
11. Right to Object
For personal data obtained directly from a data subject under the legal basis of consent – and obtained indirectly from a data subject under the legal basis of legitimate interest – we will cease to process a data subject’s personal data upon receipt of a request / opt-out notification.
12. Changes to this Privacy Statement
corac reserves the right to revise, modify, or update this statement at any time. We will notify you via email about material changes in the way we treat personal data or by placing a prominent notice on this website.
13. Contacting corac
If you have a privacy concern regarding FPL, or this statement, you may contact us via support@corac.org.uk