When Simprints collects your information, we are required by law to be fair in notifying individuals on how their information will be managed and to inform them of their rights. More than that, we want to be transparent, open, and ethical in our practices.
We adhere to the world’s highest privacy and data protection standards, the EU’s General Data Protection Regulation (GDPR), and abide by the UK’s Privacy and Electronic Communications Regulations (PECR) when sending electronic communications.
This privacy notice provides information on how we use personal data relating to the individuals we do business with (also referred to in this notice as 'you'), including:
• project beneficiaries, especially those individuals whose biometrics we collect to identify them for services and programs delivered by our partners;
• Simprints’ employees, interns, volunteers, and contractors;
• subscribers to Simprints’ newsletter, emails, and publications;
• representatives of prospective or existing partner organisations and service providers;
• registrants for events, webinars, and promotions;
• donors and lenders as part of our fundraising; and
• website users, complainants, and enquirers.
We have additional, separate privacy notices for project beneficiaries, our employees, and those wishing to become our employees.
We try to give you all the information you need at the point of collection. However, it can be difficult to give you all the information in a small space, or to tell you everything in as much detail as you may want.
In that case, we redirect you to this longer notice, which outlines a more general approach to privacy that you may read at your leisure. This general privacy notice does not provide product- or service-specific information, which is contained in separate privacy notices.
We try to use plain language throughout this document. However, there are a lot of details that may be important for you to know. If you want a more principle-based approach to our general intention surrounding privacy, please read our Privacy Promise. You may also skip ahead to your question(s) of interest directly.
Sometimes Simprints is a data controller under GDPR and sometimes we are a data processor. Regardless of our role, we take our responsibilities very seriously. When appropriate we perform data protection impact assessments for relevant projects and will often publish these on our website when possible.
The entire reason we exist is to help people get the aid and services to which they are entitled. Holding biometric data to identify people is the way we accomplish that, and we take the collection, storage, and security of that data as our highest priority. We always ask for permission to hold biometric data.
Our partners use our services to ensure that the right people get the assistance they need. We take holding people's biometric data so seriously that we require our partners to meet rigorous privacy standards before sharing any data with them, as described in project-specific data sharing agreements. If one of our partners can’t convince us that they will uphold these standards, we will not share any data with them. We also require our partners to offer alternative forms of identification to ensure that access to essential services and programs is not denied to people who do not want to provide their biometric data.
Apart from research purposes (described below), we will never use biometric data for any other reason. We won’t sell it or give it to anyone other than our service providers or our partners. Our service providers are contracted as processors and are all held accountable to the GDPR. We only share data with our partners if we are able to establish a comprehensive data sharing agreement.
Sometimes we use data from our operations as a digital identity provider for research in order to improve our products and services. On these occasions, we will obtain informed consent to use the data for research. We will anonymise or pseudonymise the information whenever possible for this purpose.
We process the business contract details of our partners and suppliers in order to pay them and be paid by them. This includes details of bank accounts and company representatives. We rely on legitimate interests to hold this data in order to operate, and given this is public “business to business” (B2B) contact information, we reasonably expect that you may be approached as a representative of your company.
Apart from people who enquire about us directly, we don’t capture information about visitors of our website, with the exception of anonymous analytics from our website provider on how many people have visited and what they have looked at. In order to do this, our provider uses cookie technology.
Recruitment and Employee Administration
We hold personal data on our current, future, and past employees. We collect this because we require it to enter into employment contracts or have legal obligations to hold it for taxation reasons.
Sales and Marketing
We may use B2B contact information on partners and prospects for marketing purposes, such as sending you relevant communications about our products, services, events, or other relevant information. We don’t target the public, but rather people who have expressed an interest in us, approached us, contacted us, or were referred to us. We will make it clear on initial contact that you may request us to remove your information at any time by emailing firstname.lastname@example.org. We will make this process as easy as possible. We will not pass your information on to other providers unless you ask us to, and we will not sell your information to any other third party.
This will vary. In all cases, we will keep it to the minimum necessary for the purpose of processing. We won’t collect more data than we have to. The information may include:
• user ID numbers;
• location data;
• biometric data, such as fingerprints or photographs;
• contact details and marketing preferences; and
• financial and payment details.
For our staff, we also process other data, including more sensitive classes of information, such as:
• education and employment details,
• social circumstances, physical or mental health details,
• racial or ethnic origin,
• criminal records, proof of income, and
• details of supporting mitigating circumstances.
IP addresses and cookies
We will collect data directly from you through, for example, fingerprint scans, registration forms, change of details forms, fairs and events, or our website. We will create some data internally. When providing fingerprint information, for example, Simprints’ software may generate a unique ID number and collect time and location information of the scan.
When we collect information directly from a person, we will generally provide a service-specific privacy notice at the point of collection explaining the relevant information needed and justifying why data collection is necessary.
We may also collect some data from external sources. For example:
• At conferences and events, we may occasionally collect contact details of people we wish to do business with and approach them on that basis. We will always ask if they wish to remain in contact and give them the option to have their data deleted.
• Recruiters and employment agencies may give us potential candidate information. We will only retain this information if we have entered into a contractual relationship with the external agency.
Simprints is registered in the United Kingdom and is therefore subject to the Data Protection Act 2018 (DPA) and the GDPR (General Data Protection Regulation) as it applies in the UK. Simprints' main information systems are located within the USA (United States of America) and the European Economic Area (EEA) and accessed by Simprints' employees, who may be located in regional hub centres. We process information within the EEA and the USA, but may also transfer data outside of the EEA to our suppliers as part of our operations and service delivery.
In order to protect your data, we ensure that most of the data, and all sensitive data (e.g. biometric data on individuals), is encrypted throughout its data lifecycle, whether on our platform or through others.
Some of our partners, service providers, or technology vendors may pass information outside of the EEA into jurisdictions where privacy laws, obligations and rights may vary. For such transfers, we will always ensure that appropriate assurance checks and measures are put in place to protect your privacy, and we will also point this out to you in specific privacy notices for that product or service, if applicable.
We maintain records of where all personal data is and how it is protected, as per GDPR and DPA requirements.
Largely speaking, with biometric data, you don’t have to. Fingerprints rarely change much, and we collect as little data as possible. We permanently delete data within a pre-specified time period after its usage has passed. If we are using it for research, we may ask permission to keep it longer. However, if you believe we are holding data about you incorrectly, or would like to correct data we hold about you, just let us know by emailing us at email@example.com.
Where you receive information from us about our services, you can also let us know if your information has changed, and we will change it. If we receive notification that an email address we hold for you is no longer valid, we may proactively remove the data ourselves.
Our employees can update their individual records on our internal self-service systems.
Simprints uses a number of third-party service providers in order to carry out the activities described above. For example, we use third-party service providers to send you mailings, store data, ensure taxes are paid, manage our internal human resources, and to administer our identity verification services.
Simprints requires these data processors to use your personal data only for the purpose of the relevant service, on instruction, and to keep data secure. We work carefully with these providers to ensure that they apply the highest standards of data management, do not give your data to anyone else, and have the highest security practices in place. Unfortunately, no system is perfect, and if there is the risk of some sort of data breach, we’ll let you know what has happened as soon as we can. If there are any risks associated with it, we will let the appropriate regulating bodies know and cooperate to fix the problem.
Legal requests and obligations
We may be required to give out information by law, for example, for taxation purposes or if requested by law enforcement. We will comply with our legal obligations, but will first ensure that the requests are valid and give only the minimum required data.
Sometimes individuals themselves will ask us to give information to others, for example, to verify an identity, to provide a reference, or to verify employment. In these cases, we will do so when we have permission and will share only the minimum required data.
We will retain your data for only as long as they are needed for the purposes described in product- and service-specific privacy notices. In the case of beneficiaries’ biometric data, we obtain consent for the number of years we can hold the data (where we are a data controller). When we are a data processor, we agree in advance with the relevant data controller what retention period will be used. We also review records periodically to remove any data that is no longer necessary, so we only hold a minimal amount of data for the purpose at that time.
We may also retain certain records for other legitimate reasons (including after your relationship with Simprints has ended), for example, to resolve any potential disputes, give employment references, and to comply with other legal obligations.
Simprints is not listed as a 'public body' for the purposes of the Freedom Of Information Act 2000 (FOIA), and, therefore, is not required to comply with the provisions of the FOIA.
It’s your data, not ours. We only do what you tell us we can do with the data. We will respect your preferences and instructions. Unless the law tells us we have to do something different, we will abide by your rules, your way. Individual rights under law are qualified (meaning they may not have these rights at all times or in all circumstances), but, generally speaking, individual rights include:
• the right to be informed about the collection and use of data;
• the right of access, i.e. to obtain a copy of your information;
• the right to correct and update data;
• the right to complain (to both Simprints and the appropriate regulatory body);
• the right to object, block, or put a hold on processing;
• the right to be erased or deleted in circumstances where (for example) we rely on consent, hold data without justification, or have excessive data;
• the right to have your data transferred to another provider if our lawful basis is consent or for the performance of a contract; and
• the right to question or challenge automated decision making (e.g. machine-based judgements), including profiling.
More information is available at: https://ico.org.uk. If you would like to exercise one of these rights, please get in touch with us at firstname.lastname@example.org.
You are entitled to a copy of your information. Before providing you with your personal data, we may need confirmation of your identity or further information about the data requested to enable us to locate your data. Please also let us know if you believe any data we hold to be inaccurate or if you have other concerns about our use of your personal data. These rights may be subject to certain exemptions, but we will always try and give you a complete record of what we have.
You can update your contact details and options for receiving communications by clicking on unsubscribe links in emails or getting in touch with us at email@example.com.
For more information, for assistance with a detailed enquiry, or if you want to exercise your rights, please contact firstname.lastname@example.org.
From time to time, we will update this document if we make substantial changes to our processes, procedures, or systems, or if laws and regulations change. We will update the notice here and make reasonable efforts to inform those affected if the changes are substantial in nature.