Mitrefinch Ltd (Mitrefinch) is committed to processing any personal information about its clients, staff, guests and visitors in ways that comply with its legal and regulatory obligations, and to being clear about what it does with their personal information.
Mitrefinch is a global provider of Workforce Management solutions for organisations that need to monitor and manage their workforce whilst controlling costs and administering employees. We use Time and Attendance, Rostering, Payroll, HR and Access Control solutions.
Mitrefinch do not collect any special category data for its own purposes but may collect personal information which we receive when:
- You enquire or make use of our services or systems;
- as a potential new client who wishes to use or consider our services or systems;
- you submit a CV or an application when seeking employment with us;
- you engage with our social media accounts, including LinkedIn and Twitter;
- someone is recommended by a friend, a former employer, a former colleague or even a present employer;
- Or you make an enquiry on our website.
Information we collect
For our systems we may process the following types of personal information of, or from you:
- your name, address, email address, telephone number(s) and other contact details;
- your company’s name, your position in the company;
- your company’s address, company’s email address and telephone number;
- details of employee names, and ID numbers from our client’s businesses;
- your payment information such as credit or debit card details and bank account details;
- information obtained through electronic means such as IP address or cookies;
- information about your use of our information and communications systems.
Information We Share and Third Parties
- within Mitrefinch, where such disclosure is necessary to provide you with our services or to manage our business;
- with third parties who help manage our business and deliver services. These third parties have agreed to confidentiality restrictions and use any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. These include IT service providers;
In addition, we may disclose information about you
- if we are required to do so by law or legal process;
- to law enforcement authorities or other government entities; and
- when we believe disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of suspected or actual espionage, cybersecurity or security events or other fraudulent or illegal activity.
We also reserve the right to transfer personal information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, spin-off, dissolution or liquidation).
We are a cloud-based service provider and data processor. We have internal servers based in our York and Nottingham Offices in the UK but also use Microsoft Azure data centres for internal and hosted customers.
As stated above we store and process personal information mainly in the EEA, although information and personal data may be accessed by our subsidiary Companies and teams anywhere around the world. We have subsidiary companies who are based in USA, Australia and Canada. Each of these countries only access data where necessary and using our cloud-based servers and each individually comply with data privacy legislation in their respective countries.
Please note that your data may be exported to, stored and processed in, countries outside of the country in which you reside, including, without limitation, the United States and Australia. For data subjects residing in the EEA, this means that your personal information may be exported, stored, and processed outside of the EEA. We use adequate physical, administrative, and technical processes, procedures and measures to protect your personal information from unauthorized use, disclosure, and/or access.
To receive information on the recipients of your data, please contact us at email@example.com
How do we use the data we collect?
We are a data controller of personal data for our staff; visitors to our website; guests at our offices and personal contacts from our Business and Corporate clients. This information is used for legitimate interests or to fulfil our services as an employer or supplier of Workforce Management solutions.
We are a data processor of data for our clients who sign up to use our services or systems. Any data we use as part of these services and systems is under the data control of the client.
For the processing activities we undertake we collect your personal information for the following purposes:
- for internal record keeping and administration in our relationship with you;
- for the performance of a contract to provide you with services or products that you may request from us;
- send you promotional materials or other communications;
- communicate with you about, and administer your participation in, special events, programs, offers, surveys and market research;
- to fulfil our obligations to our clients, prospective clients and staff;
- evaluate potential suppliers and manage our relationships with them;
- provide and administer human resources services for Mitrefinch employees
- to meet our legal and regulatory obligations;
- for financial payments and administration;
- operate, evaluate and improve our business (including developing new products and services; enhancing and improving our products and services; managing our communications; analysing our products, services and communications; and performing accounting, auditing and other internal functions);
- to interact with users on social media platforms including LinkedIn, You Tube and Twitter.
We may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your data. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required, or permitted by law.
How do we collect this information?
We collect personal information:
- directly from clients: e.g. when you make an enquiry or purchase our services;
- from staff; through our recruitment process and contract of employment;
- from our clients and their employees;
- from publicly available sources: g. networking, social media, internet services such as Linked In, direct referrals, other Corporate bodies;
- from our website: https://www.mitrefinch.co.uk
We are committed to keeping your information up to date as far as is reasonably possible. However, if you believe that we have made an error, then please contact us at firstname.lastname@example.org and we will use reasonable endeavours to correct.
The Legal Basis for Using Your Personal Data
We will only collect, use and share your personal data where we are satisfied that we have an appropriate legal basis to do this. This may be because:
- you have provided your consent to us using the personal data;
- our use of your personal data is in our legitimate interest as a commercial organization (for example our legitimate interests in communicating with you – in these cases we will look after your information at all times in a way that is proportionate and respects your privacy rights and you have a right to object to processing as explained in the “Your Rights and Choices” section below);
- our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (for example where you are one of our consultants, customers or vendors); and/or;
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have for example fulfilment of a court order.
If you would like to find out more about the legal basis for which we process personal data please contact us at email@example.com
Keeping your information safe and secure
Mitrefinch is committed to keeping personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost.
Data security is of utmost importance to us and we have achieved certification to ISO 27001 externally validating the robustness of our information security systems.
Additionally, Mitrefinch takes reasonable steps to protect your personal information from unauthorised access, use, disclosure or loss, as follows:
- We limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality;
- We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so;
- We dispose of your data in adherence with industry approved processes and timescales;
- The website has security measures (including on-line and off-line physical, electronic and managerial safeguards) in place to protect against the loss, misuse, and alteration of the information under our control. As with any transmission over the Internet, however, there is always some element of risk involved in sending personal information on-line.
If you have any questions on the security of our website, you can request information from firstname.lastname@example.org
How long do we keep personal information?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Details of retention periods for other aspects of your personal information are available in our Retention Policy which is available on request at email@example.com
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of Mitrefinch we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.
Readers and Biometrics
Mitrefinch does not collect or control Customer employee data. For Customers who use Mitrefinch terminals with a biometric or finger scanning device, the collection of Customer employee finger scan data is undertaken and controlled by the Customer. This data is used by the Customer for employee verification in connection with its employee timekeeping purposes. Such data consists solely of templates created from mathematical algorithms, not fingerprints.
Mitrefinch does not perform or control the collection of such data. Rather, Mitrefinch Customers collect such employee data through its use of the finger scanning devices and related software, and either store the data at the Customer controlled site or on secure space (in accordance with applicable law) made available by Mitrefinch in a cloud environment for that purpose.
If you would like more technical details of the systems and biometric data use in our systems please contact us at firstname.lastname@example.org
Links to other websites
Our website may contain links to other websites of interest. However, you should note that we do not have any control over these other websites. Once you have used any of these links to leave our site, therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites and such sites are not governed by this privacy statement.
- help identify your computer; this helps us Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf;
- Understand and save user’s preferences for future visits;
- For Google AdSense Advertising (see below).
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies.
If you turn off cookies, some features will be disabled. It won’t affect the experience that makes our site more efficient but some of our services will not function properly, however, you can still place orders.
Google AdSense Advertising
We also use Google AdSense Advertising on our website.
We have implemented the following:
- Remarketing with Google AdSense;
- Google Display Network Impression Reporting;
- Demographics and Interests Reporting.
We along with third-party vendors, such as Google use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions, and other ad service functions as they relate to our website.
Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising initiative opt out page or permanently using the Google Analytics Opt Out Browser add on
Your Rights and Choices
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal data.
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us at email@example.com. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to access personal data
You have a right to request that we provide you with a copy of your personal data that we hold, and you have the right to be informed of;
- the source of your personal data;
- the purposes, legal basis and methods of processing;
- the data controller’s identity; and
- the entities or categories of entities to whom your personal data may be transferred.
Right to rectify or erase personal data
You have a right to request that we rectify inaccurate personal data. We may seek to verify the accuracy of the personal data before rectifying it. You can also request that we erase your personal data in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent), and where there is no other legal ground for the processing; or
- following a successful right to object (see right to object); or
- it has been processed unlawfully; or
- to comply with a legal obligation to which Mitrefinch is subject.
We are not required to comply with your request to erase personal data if the processing of your personal data is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims; or
- for performance of a contract.
Right to object to the processing of your personal data
You can object to any processing of your personal data which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to restrict the processing of your personal data
You can ask us to restrict your personal data, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
Right to transfer your personal data
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:
- the processing is based on your consent or on the performance of a contract with you; and
- the processing is carried out by automated means.
Right to object to how we use your personal data for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes. You can request that we do not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to obtain a copy of personal data safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Union. We may redact data transfer agreements to protect commercial terms.
Right to lodge a complaint with your local supervisory authority
You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal data. We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
How to contact us: