Privacy Policy for our Suppliers and Service Providers

This notice is provided for the prospective, existing and former suppliers and service providers (referred to in this notice as “You” and “Your”) of Phoebus Software Limited (“PSL”, “We”, “Us” and “Our”).  This notice does not form part of any contract for supplies or services.

This notice tells You:

• what information PSL may collect about You;
• what PSL uses Your personal information for; and
• who (if anyone), PSL passes it onto and the purposes for which those third parties use it.

In this notice the terms “controller” and “processor” each have a special meaning that is set by Data Protection Legislation.  In this notice “personal information” is a reference to “personal data” as defined under the Data Protection Legislation, and the term “special category data” has a special meaning as defined by the Data Protection Legislation. The meaning of each of these terms is briefly outlined later in this notice.  Any reference to “use” of personal information is synonymous with “processing” as defined under the Data Protection Legislation, and it embraces all use of the information from its creation or collection to its destruction.

The Data Protection Legislation is: (i) the Data Protection Act 2018 or any successor legislation, (ii) the General Data Protection Regulation ((EU) 2016/679) as applied under English law (“GDPR”), and (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 or any successor legislation.

This notice is intended to meet certain obligations that PSL has as a controller.  It does not establish or evidence any obligations that will bind PSL.  It does not constitute or contain any representation or warranty by PSL.

For the purposes of the Data Protection Legislation, PSL is a “controller” in relation to Your personal information. This means that PSL is responsible for deciding what Your personal information is used for by PSL (and its processors), and how it is used. PSL is required under Data Protection Legislation to provide You with the information contained in this notice.

It is important that You read this notice, together with any other Privacy Notice that PSL may provide (the “Notices”), so that You are aware of how and why such information is collected and used.

Our main address is Phoebus Software Limited, whose registered office is at Lansdowne Gate, 65 New Road, Solihull B91 3DL.  We are a private company limited by shares, and registered in England and Wales under company registration number 02441885.  We can be contacted by email at info@phoebussoftware.com.

We have appointed a Data Protection Representative who is responsible for overseeing questions in relation to this Privacy Notice. If You have any questions about this Privacy Notice, please contact our Data Protection Representative, who can be contacted at dp@phoebussoftware.com.

Personal information is broadly, any information relating to an identifiable living individual. It does not include information where the identity has been removed (“anonymous data”).  Note that some items of personal information that are listed in this section (e.g written agreements) may not constitute or contain Your personal information if Your organisation operates through a company or similar rather than as a sole trader or unincorporated partnership.

We may collect, generate, store, share and otherwise use the following categories of personal information about You.  This personal information may be held in electronic or paper form.

• Your name.
• Your birth sex or gender.
• Your marital status.
• Your business address and business contact details, including telephone numbers and email addresses. In some cases We may also receive alternative contact details for You so that We can contact You in urgent situations.
• Details of any referees and the contents of any references they provide.
• Any bids or other responses that You provide to tenders or invitations that We issue or manage.
• Our due diligence on You, which may include (for example) credit checks or Disclosure and Barring Service checks.
• Your written agreement(s) with Us, or other agreements that We manage or are involved with (for example, for the agreements with other companies in our group).
• Your business bank account details, so that We can make payments to You or reconcile payments received from You.
• Records relating to Your performance in providing goods and services.
• Details of all invoices received from You (and associated purchase orders), and payments to You, including records of associated VAT and other taxes.
• Details of expenses claimed by You (if any) and payments to You in relation to these.
• Recorded instructions given to You under Our agreement(s) with You (or under any other agreements that We manage or are involved with).
• Our correspondence with You about You or the goods or services that You provide.
• Our correspondence with third parties about You or the goods or services that You provide.
• Records of meetings and conversations (whether with You or others) relating to You or the goods or services that You provide.
• If applicable for the goods or services that You provide for Us, We may hold health and safety records about You. This could include “special category data” (see below).

Special category data is personal information that reveals Your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; Your genetic data or biometric data (such as fingerprints); data about Your health, or data about Your sex life or sexual orientation. We will not normally use such personal information about You. Information about Your birth sex or gender, or Your marital status, is not special category data. We do not intend to collect special category data about You, and will only acquire such data if it is voluntarily provided to Us by You or one of our sources of personal information (e.g. if You are ill and You choose to tell Us about it) or if We  are required to keep records (e.g. for health and safety compliance).

To complete an order with You to buy goods or services from You, as a minimum We need the following:

• Your name, postal address, email address and phone numbers, as well as a contact within Your business and details of Your preferred method of contact (“Contact Details”).
• The description and quantities of the goods or services You will provide to Us.
• Your payment details.

If You prefer for Us to hold and/or use less personal information about You, You can choose to make less available, but please note that withdrawing or withholding personal information from Us will mean that You may not receive updates and requests for further goods and services from Us (whether by telephone, email or other means), and it may also mean that We cannot place a contract with You for the purchase of goods or services.

If You ask Us to erase any of Your personal information We may be unable to comply with Your previous instructions to Us about Your personal information.  For example, if We erase records of Your instruction not to email You, You may receive an email from Us if We subsequently lawfully acquire Your email address from a third party.

We obtain Your personal information (including that of Your staff) from the following sources:

• From Your colleagues: Your colleagues will know what personal information We obtain from them, because the member of staff (or someone they have authorised Us to deal with, such as another member of Your staff) has provided it to Us.
• From third parties who introduce Us to You: We may obtain personal information about You from third party sources, by way of introduction.  For example, We may be passed Your details by other parties within the industry/our clients as a potential supplier.
• From Your customers, clients, peers and contacts: We may obtain personal information about You from Your customers, clients, peers and contacts who have been introduced to Us or who We work with.
• From Our own observations and records: We keep records relating to the orders We place with You, the goods and services that You provide, and Our correspondence and relationship with You.

We may combine the information that We obtain from these various sources.  We may also create anonymised versions of the combined datasets, for statistical purposes such as internal analysis and reporting, and external reporting.  We may share anonymised datasets with third parties, as it is not regulated personal information.

For as long as We have access to Your personal information, We will use it for any or all of the following purposes (and compatible purposes), unless otherwise required as a result of Your exercising Your rights under Data Protection Legislation.

Sometimes, You might provide Us with another person’s personal information – e.g. when You are referring someone to Us, recommending another supplier or service provider to Us, or booking a meeting with Us on behalf of someone else.  In such cases, We require You to inform the individual what personal information of theirs You are giving to us. You must also give them Our contact details and let them know that they should contact Us if they have any queries about how We will use their personal information.

We will only retain Your personal information for as long as is necessary to fulfil the purposes We  collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.  Details of our retention policy are available from our Data Protection Representative via dp@phoebussoftware.com.  Here are key points for You to be aware of:

• We will keep Your contact details indefinitely.
• We will keep other personal information for the duration of Our trading relationship with You and Your organisation.
• In the course of Our trading relationship with You and Your organisation We will retain certain personal information, such as financial and tax information, orders and contracts, for at least 7 years following the completion, termination or expiry of the relevant order or contract with Us. We may then destroy the information.

For as long as We have access to Your personal information, We may share any of it with any of the following to the extent that they need to have access to Your personal information in order to perform their role.

Third parties listed under the heading “Our service providers” are our processors, who use Your personal information for our purposes and on our instruction (although there are circumstances where each of them can lawfully become a controller of Your personal information).

Other third parties who are listed in this section are controllers, who decide the purposes for which they use Your personal information.  This Notice explains why We share Your personal information with those third parties.  You must refer to the similar notices that they provide to understand all their intended uses of Your personal information.

Our service providers

• Other suppliers and service providers appointed by Us (or by other companies in our group) and who We manage or give instructions to.
• Our staff who are appointed as consultants, agency staff, contractors, volunteers or on any other basis other than as employees.
• Our banks who process Our payments to You and from You.
• Our professional service providers, such as accountants, auditors, legal advisers and insurance brokers.
• External IT providers who provide support to Us to manage the computers, Multi-Function Devices, phones, systems or software that We use.
• External internet-based services that We use for storing or transferring Your personal information, such as Our broadband and email providers.
• Selected third parties who help Us to perform Our contract with You. This includes third parties who help Us directly (such as other of Our suppliers) and third parties who help Us indirectly (such as service providers who host and/or transmit data about You for Us, such as Our managed IT service provider and Our broadband and telecommunications providers).

Third parties who use personal information for their own purposes

• Any employee or other member of staff within organisations who are Our customers or clients, and any member of our group.
• Our regulated service providers, such as banks, auditors, professional advisers and financial services providers, who are required to carry out compliance monitoring and reporting.
• Your and Our insurers for the purposes of Us taking out or renewing insurance, notifying the insurers, and dealing with actual or potential claims.
• Public or publicly accessible registers, such as the Disclosure and Barring Service and registers (e.g. credit reference registers) which can be accessed via an agent or operator (e.g. Experian).
• Courts, central Government departments, law enforcement authorities including HM Revenue and Customs, the Police, public bodies and authorities.
• Third party individuals, companies or groups that wish to evaluate or complete and effect the purchase or sale of, or merger with, the Company or its business or assets.

We reserve the right to disclose Your personal information to other third parties if We have lawful grounds to do so, or are under a legal obligation or permission to disclose or share it with them, or in order to establish, exercise or defend Our legal rights or to protect the rights or safety of PSL or Our personnel or supply chain participants (or their personnel).  For example, We will disclose Your personal information, if necessary, to Your suppliers or service providers, contractors or sub-contractors, as well as to those appointed by Us or members of our group of companies.

We do not give anyone else access to Your personal information in return for payment, for marketing or any commercial purposes.

Our paper records and IT systems on which PSL store Your personal information are all within the UK.

Some third parties that We work with, or that provide goods or services to us, are based outside the UK, so their use of Your personal information will involve a transfer of information outside the UK. Here are our current overseas third parties and the measures We use to safeguard Your personal information that is transferred to them:

• Google Analytics, which provides website analytics services, is based in the US. They use Standard Contractual Clauses as a means of ensuring adequate protection when transferring data outside of the European Economic Area (EEA). More information can be found at https://policies.google.com/privacy/frameworks?hl=en-US.
• com, Inc, which provides our sales and CRM software, is based in the US. They use Binding Corporate Rules approved by European data protection authorities to facilitate international transfers of EU data. More information can be found at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/EU-Data-Transfer-Mechanisms-FAQ.pdf
• SAP Concur, which provides our expenses management service, is based overseas. They use Standard Contractual Clauses in order to ensure adequate protection when transferring data outside of the EEA. More information can be found at https://www.concur.co.uk/privacy-policy and at https://www.sap.com/documents/2020/08/2a0c01f7-a87d-0010-87a3-c30de2ffd8ff.html.

Please contact Us if You want further information on the specific mechanism used by Us when transferring Your personal information out of the UK.

It is important that the information We hold about You is current and accurate.  Please tell Us if Your personal information changes during Your relationship with Us.

Under the Data Protection Legislation and in certain circumstances, You have the right to:

• Request access: to Your personal information that We hold about You. This is commonly referred to as a “subject access request”.  This enables You to receive a copy of the personal information We hold about You and to check We are lawfully processing it.
• Request Correction: of Your personal information that We hold about You. This enables You to have any incomplete or inaccurate information We hold about You corrected.
• Request Erasure: of Your personal information. This enables You to ask Us to delete or remove personal information where: (i) there is no good reason for Us continuing to process it; (ii) You have withdrawn Your consent, if any, to Our processing; (iii) You have exercised Your right to object to processing (see below) and no exception permits Us to keep using it; (iv) it is established that We  did not have the lawful right to process Your personal information; or (v) the law requires Us to erase Your personal information.
• Object to Our use: of Your personal information where We are relying on a legitimate interest (or those of a third party) and where there is something about Your particular situation which makes You want to object to the processing on this ground and there is no exception which applies to permit Us to keep using it or We use it for scientific or historic research purposes or statistical purposes.
• Request the restriction of Our use of Your personal information: This enables You to ask Us to suspend the processing of personal information about You, for example if You want Us to establish its accuracy or the reason for Our processing it or You consider We no longer need to use Your personal information for the purposes for which it was collected or used (but You need it to be preserved for the purposes of legal claims).  You may also ask Us to restrict processing if You have exercised Your right to object to Our use of Your personal information and no exception applies to permit Us to keep using it.
• You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters. See www.ico.org.uk for details.

We do not expect to rely on Your consent for using Your personal information.  If We do ask for Your consent to use Your personal information, You have the right to withhold Your consent, and if You do give consent You can withdraw it at any time.

If You want to exercise any of Your rights please contact Us using the contact details set out at the beginning of this Notice.

You will not pay a fee to access Your personal information (or to exercise any of the other rights).  However, We may charge a reasonable fee if Your request for access is clearly unfounded or excessive.  Alternatively, We may refuse to comply with Your request in such cases.