For the purpose of the Data Protection Act 2018 (which enshrines the General Data Protection Regulation in British law), the data controller is Commerce Decisions Limited of 101 Park Drive, Milton Park, Oxfordshire OX14 4RY.
We value your privacy and are committed to protecting and processing your personal information responsibly.
This privacy statement describes how Commerce Decisions Limited (including our subsidiaries, Commerce Decisions Pty Ltd and Commerce Decisions Canada Inc) collects, uses and shares your information.
We may provide additional data privacy information by using a supplementary privacy notice.
PERSONAL INFORMATION WE COLLECT AND USE
This section describes the various types of information that we collect and how we use it.
Your AWARD® Account
Your name and email address is required in order to access your AWARD® account.
Website and Data Processing
Our website offers ways to communicate with you about us, our products, and services. The information that we collect on websites is used to provide you with access to the website, to operate the website, to improve your experience and to personalize the way that information is provided to you.
You may also sign up via our website to receive regular updates from us by email.
Information we may collect provided by you may include your first name, last name, email address, company, location and phone number.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our services.
- To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time.
- To deliver targeted advertising to you. We may process your information to develop and display personalised content and advertising tailored to your interests, location, and more.
- To identify usage trends. We may process information about how you use our services to better understand how they are being used so we can improve them.
- To determine the effectiveness of our marketing and promotional campaigns. We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.
We use third-party tracking pixels on our website to serve targeted advertising to previous visitors of our website. Any tracking information is fully encrypted by the third-party, these include LinkedIn and Google.
We automatically collect certain information when you visit, use or navigate this website via services such as Google Analytics, Leadfeeder and Microsoft Clarity. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and other technical information. This information is primarily needed to maintain the operation of our services, and for our internal analytics and reporting purposes.
We will only keep your personal information for as long as it is necessary, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete this information, or, if this is not possible (for example, because your personal information has been stored in back up archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal or modify your information. You should only access our services within a secure environment.
Cookies and Similar Technologies
When you visit our website and online software and support services, we collect information regarding your connection by using various online tracking technologies, such as cookies, to track information such as traffic activity and remembering information. Information that is collected with these technologies may be necessary to operate the website or service, to improve performance, to help us understand how our online services are used, or to determine the interests of our users. We treat any personal information that may be contained in cookies with the same level of confidentiality as other information you provide to us.
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our website.
We use the information that we collect to communicate with you about relevant products, services, and offerings. We also use this information to personalize your experience with our content and advertisements, and to develop internal marketing and business intelligence. To set or update your marketing communications preferences, please visit the Commerce Decisions Preference Centre. You may also select the Unsubscribe option that appears at the bottom of each marketing email.
In order to enhance our ability to provide relevant marketing, offers and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, and from other third parties. This information includes mailing addresses, job titles, email addresses, phone numbers, intent data (or user behaviour data), social media profiles, social media URLs and custom profiles, for purposes of targeted advertising and event promotion.
A contractual relationship is created when you order a trial, or a product or service from us. While we mainly provide our products and services to businesses, individuals may also enter into an agreement with us directly as a client. We may collect any information that is reasonably necessary to prepare for, enter, and fulfil, the contractual agreement.
When you contact us to request support, we collect your contact information, problem description, and possible resolutions. We record the information that is provided to handle the support query, for administrative purposes, to foster our relationship with you, for staff training, and for quality assurance purposes. We use 3rd Party applications, Freshdesk and Absorb LMS, to provide extended support to our clients – contracts include
AWARD® Knowledgebase and Learning Management System
Our cloud and online services include Knowledgebase and LMS. We collect information about the use of these services, such as pages you view or your interactions on that page, to improve and develop our services and to generate technical and market insights.
We may collect and use information to protect you and Commerce Decisions from IT security threats and to secure the information that we hold from unauthorized access, disclosure, alteration, or destruction. This includes information from our IT access authorization systems, such as log-in information.
When you visit a Commerce Decisions location, or we visit you, we collect your name or business contact information. This information is collected for access management and to protect the security and safety of our locations and employees.
Recruitment and Former Employees
We are constantly searching for new talent for our organization, and we collect information about job applicants or prospective candidates from several sources. CVs from applicants who are not hired are removed from our systems immediately.
When an employee leaves Commerce Decisions, we continue to process information that is related to them for any remaining business, contractual, employment, legal, and fiscal purposes, including the management of pensions to the extent handled by Commerce Decisions.
Purpose and legal basis for processing
Our purpose is to calculate and present to you the potential return on investment (ROI) benefits of using the AWARD® system. To do this we collect information from use such as the number of procurements your run. We use this data to generate a report which we then present to you.
What we need
We need information from you to investigate your enquiry properly, so we ask for:
- your name
- the organisation for whom you work
- email address
- input data for the ROI calculation, 8 numeric values
Why we need it
We may use your personal information to contact you to follow up on your enquiry and offer further assistance in understanding the benefits of AWARD®.
How long we keep it
We will retain a record of each enquiry received for at least 2 years from the date the enquiry is made.
Do we use any data processors?
The data is stored on Oracle Secure Cloud and is located in a UK data centre.
GENERAL DATA PROTECTION REGULATION (GDPR) COMMITMENT STATEMENT
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It has replaced the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
Commerce Decisions complies with applicable GDPR regulations as a data processor and is fully committed to high standards of information security, privacy and transparency. Our success is dependent on our customers’ and partners’ ability to trust in the high priority we place on protecting and managing data in accordance with rigorous standards. We are an ISO/IEC 27001-certified organisation, and have successfully maintained this standard since 2014. We also hold the Cyber Essentials Plus certification. These standards demand a high level of information and technical security, recognising the important role we play in sensitive, strategic procurement programmes in both the public and private sectors.
PROCESSING OF DATA BY COMMERCE DECISIONS
Commerce Decisions is a Data Processor
Commerce Decisions is registered with the Information Commissioner’s Office (ICO) to comply with the Data Protection Act. (Note: the new Data Protection Act 2018 incorporates all the provisions of GDPR.) We treat our customers as the Data Controllers and ourselves as Data Processors under the definition of the Act.
Our customers own the data they load into AWARD® and are the Data Controllers for this data, ie. our customers control what happens to their data in AWARD®. Commerce Decisions processes the data on behalf of our customers, but does not own or control the data. The only data that is controlled by Commerce Decisions are AWARD® user login details (see below: ‘Personal data held in AWARD®’).
Sub-contractor to a prime
Where Commerce Decisions is a sub-contractor to a prime contractor under the GCloud or any other contract or framework, Commerce Decisions is a sub-processor to the prime and as such takes on the GDPR obligations as stated in the contract.
PROCESSING OF DATA IN AWARD®
Personal data held in AWARD®
Commerce Decisions does not hold or process any sensitive personal data other than names and email addresses, which are required to login to the system. AWARD® also contains audit trails which define the actions of its users.
The data that our clients input and store in AWARD® may contain personal information. In this case, the client is the data controller and owns the data in AWARD®. The client is responsible for its retention/deletion as appropriate.
Duration of the processing
For the duration of the licence period. Please also note that project data is retained in read-only format for a period of 7 years following contract end unless otherwise agreed.
Nature and purposes of the Processing
Email addresses are required for secure access to the AWARD® service.
Names and email addresses of primary users/contract owners (as notified to Commerce Decisions) are also logged in our CRM system in order to provide AWARD® service updates where appropriate.
Personally Identifiable Information (PII) data is collected exclusively for the execution of all the activities related to the AWARD® platform. In the Commerce Decisions business context, PII may be included in bidder/supplier bids/data uploaded into AWARD®
Type of Personal Data
Name and email address.
Categories of Data Subject
Users of the AWARD® service
Plan for return or destruction of the data once the Processing is complete UNLESS there is a requirement under union or member state law to preserve that type of data:
Personal data as outlined above will be retained in an archive of the organisation/project data for a period of 7 years following contract end, or as otherwise outlined in the contract or subsequently requested by the client. The client can request the extraction of the exportable data stored within its AWARD® instance, or an extension to the audit/read-only access licence. Following the data extraction, if requested, all customer data will be destroyed; noting that data that is stored as a result of DR back-ups will be subject to destruction in due course, but is not accessible in the ordinary course of business. Both options are chargeable – please contact your Account Manager for further details.
We only retain personal information as long as necessary to fulfill the purposes for which it is processed, or to comply with legal and regulatory retention requirements. Legal and regulatory retention requirements may include retaining information for:
- Client contractual purposes,
- audit and accounting purposes,
- statutory retention terms,
- the handling of disputes,
- and the establishment, exercise, or defence of legal claims in the countries where we do business.
When personal information is no longer needed, we have processes in place to securely delete it, for example by erasing electronic files and shredding physical records.