WHY AND HOW
WE PROCESSS INFORMATION
We keep all data processing as simple and limited as possible
We practice purpose specification and data minimisation
We only process data to deliver a service to you
TABLE OF CONTENT
We have no contact form and have chosen to use an email you can reach us on. This means you have more control over the information you choose to share.
Our email provider is ProtonMail, based in Switzerland. When you email us, data goes through ProtonMail's servers. The message content is encrypted but there is some metadata they process.
→ Sender and recipient email addresses
→ The IP address incoming messages originated from
→ Message subject line
→ Message sent and received times
To run our business and help you create more trustworthy product experiences we use a range of 3rd party tools.
This list below outlines these tools and the data we collect and process
We use G Suite by Google Cloud to manage internal and external communications.
We also use;
→ Google Docs
→ Google Slides
→ Google Sheets
→ Google Hangouts, and
→ Google Calendar
Gmail, Google Hangouts and Google Calendar are the only places the personal information you choose to share with us is stored and accessed.
→ Phone number
→ Work address
→ Email contents
Will be stored within Gmail.
We use this information to contact you directly - if you have asked us to. We do not use this information in any other way.
We currently review this information at the end of every financial year and delete all meeting records that are no longer active or relevant to our work.
We manage the commercial function of our business via Xero.
Almost all data that is accessible or stored within Xero relates to our business.
However, to produce and send an invoice, some personal data is required. This includes;
→ An email address, and
→ The name of a recipient or project contact
Commercial information, like:
→ An organisations tax number
→ The legal name of the entity, and
→ The registered office address
Are also available to us as a result of this workflow.
Like our other practices, this information is secured with strict role-based access rights.
Harvest helps us manage how we prioritise and invest our time across multiple client projects.
We’re pretty strict about how we use it. We only use it internally, meaning the information Harvest processes on our behalf relates to our team and our clients.
Data we collect and the process is limited to:
→ Name of organisation
→ Name of the organisation representative
→ Email of the representative
We don’t store documents. We don’t input any strategically sensitive information. We use the product to;
→ Manage tasks in progress (within their ‘projects’ module)
→ Schedule our time for multiple projects in advance (within their ‘scheduling’ module), and
→Track time against each task to ensure 'what we say we do' is accurately represented
We use Loom to record videos for our clients. This helps us deliver effective and easy to consume project updates. So far our clients really value this. We know this because they are saying lots of nice things. It’s helping us help them.
If we send you a Loom video update and you view it, we see the following information;
→ A notification with your profile/default name, and
→ The time/date you viewed the video
If we send you a Loom video update and you comment on it, we see the following information;
→ Content of the comment, and
→ Time/date of the comment
We collaborate with clients across multiple geographies. Often we do this in real time.
Figma helps us visually collaborate, regardless of where we or clients are located.
If you collaborate with us via Figma, we see the following information:
→ Your assigned avatar name, and
→ Any content, comments and material you contribute
We use Slack to communicate internally and run our business more effectively.
If you also use Slack we may create a shared channel to help with collaboration.
If we do set up a shared channel we see the following information:
→ Your display name
→ Your role/title if you add it
→ A profile image if you add it
→ The organisation you represent
→ Any content, comments and material you contribute
→ The date and time of your activities
When you choose to make contact with us via our website we use the information you share with us via our contact form to contact you back.
We deliberately limit the information you can provide us via this form to;
→ An email address, and
→ A free text message
When you submit a message by pressing “Send now” this information is sent to firstname.lastname@example.org.
As it stands these are the products and services we’re using that store, process or analyse data. When this changes, we’ll update this policy.
The information above specifies the data we collect and how we collect it. We do not stray from these practices.
Our legal grounds for processing your “non sensitive” personal data are contract.
This is because we only process personal data:
→ To fulfil a contractual obligation to you (e.g. process a payment and deliver you the product you've paid for via email); or
→ Because you have asked us to do something with the intent of entering into a contract (e.g. discuss a speaking engagement, request a workshop, ask us to meet you regarding a business challenge you have etc.)
🚫 No, we do not.
→ We do not use your personal data to automatically evaluate or make inferences about who you are, what you might think and how you might act
→ We do not use your personal data to make automated decisions about you
→ It might seem odd, but we would rather speak to you, engage in a conversation and figure out if there’s any mutual value in continuing our conversations and our relationship
Our workflows help us keep the data we process in good shape.
Having said that, you can contact us on email@example.com at any time to;
→ View the data we have on you
→ Correct it if it’s not accurate, and
→ Request we delete it if you no longer want us to use it in any way
🚫 We don’t and will never engage in the direct exchange of your data. That’s not our business.
The services we use act as data processors for our business. Because of this, they do have access to your personal data. As an example, when you choose to contact us via email, our email provider processes this data on our behalf. The message is sent to our email address managed by ProtonMail.
In the context of the European General Data Protection Regulation, this means we are a controller ("A controller determines the purposes and means of processing personal data") and ProtonMail is a processor ("A processor is responsible for processing personal data on behalf of a controller).
→ The exact services and data we/they have access to is detailed in the second clause of this policy above
We’re bound by specific jurisdictional regulations. But don’t think we’re limited to that. We want to do whatever we can to make our use of data as person-centric as possible. We focus first and foremost on doing the right thing by you. Regulations and requirements are simpler to get right when that’s the approach you rely on.
Yes. We plan to keep growing our business. As that happens how we use data will evolve, as long as it aligns to our core values.
This version is dated the 03/04/2022
If we make any changes to our notice that affect you as a client directly, we will let you know via email.
We are an -
We acknowledge the First Peoples of Australia, their Elders past, present and emerging. We pay our respects to the traditional storytellers, designers, artists and owners of the land on which we live and work.
WE DESIGN FOR / TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUE & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES & TRUST & VALUES / TRUST & VALUES IS OUR EDGE