Introduction

This statement provides a summary of the personal information we collect, and the ways in which we use that information. This statement distinguishes between personal information which we collect, and personal information which we may receive and process as part of our contractual arrangements with our customers.

If you are not a current customer or user of our services, it is likely that the section ‘Information

where we are the Controller’ is most relevant to you, since it pertains to data we collect and use for our own purposes.

If you are a customer or are interested in our policies towards data which we receive, hold, and process as part of the services we offer to our customers, please review the section entitled ‘Information where we are the Processor’.

Definition of Personal Data

Personal data is defined by the ICO as information that relates to an identified or identifiable individual.

If it is possible to identify an individual from data, and the data in question relates to that individual, then that data is considered personal information. Even if information does not directly identify an individual it is possible that it might indirectly identify an individual. In either case, it is personal data.

Where this policy applies

This policy applies to all information which you provide to us via our website, an Atamis system, or otherwise to Atamis employees. It also applies to personal data we receive from our customers and partners.

This policy does not apply to the data processing activities of other organisations, even where we refer you to other organisations on our website or elsewhere.

Information Where we are the Controller

Where Atamis gathers information for its own business purposes, it is defined as the Controller of that data. Data controllers are responsible for ensuring that they gather, hold, and process data in a responsible manner, in line with legal requirements. This section describes how we treat such data, and what rights you have if we control your data.

Types of Information We Collect

Atamis collects a number of types of personal information under certain circumstances. These include:

• Information about your use of the Atamis website, provided by Google Analytics
• Information which you provide to us directly via any medium
• Information gathered when you communicate with us or we communicate with you
• Information we receive from third parties (including customers and partners)

How We Use this Information

Atamis may use your information for the following purposes:

• Storing your information securely on the Salesforce.com platform, on which Atamis hosts its business functions.
• Generating website usage data (for example, number of page views)
• Granting you access to website pages, documentation, and content
• Sending you relevant content (where you give us permission to do so)
• Contacting you to discuss our services (where you give us permission to do so)
• Expediting the organisation of events, and producing attendee lists for use at said events (where you sign up for such events).
• Controlling access to Atamis systems and protecting data held on Atamis systems
• Generating internal marketing data (e.g. the number of people who have requested calls in the last month)

Disclosure of Your Data to Third Parties

Atamis will only disclose your information to third parties under specific circumstances. These are:

• Where we are required to do so for legal reasons
• With our partners, on the condition that partners act in accordance with both this privacy policy and relevant legislation

We will not disclose information to other third parties for the purposes of direct marketing.

Retention Schedule

The length of time for which data is retained depends upon the type of information:

Type of Personal Data	Retained Until
Contact Information of prospective customers	2 Years after last successful contact OR Immediately if confirmed out of date
Contact Information of active and former customers	5 Years after lass successful contact OR Immediately if confirmed out of date
Contact Information of the primary contact associated with Atamis trial systems.	2 Years after last successful contact OR Immediately if confirmed out of date
‘Do not Contact’ requests	All information except the email address is deleted when the ‘Do Not Track’ request is actioned. The email address and/or phone number is retained indefinitely in order to ensure we comply with the request made but may not be linked to any other personal information.
Job Applications, CVs	2 years after receipt. The personal information of successful candidates is stored as per the Atamis Information Security Policy.

Your Rights

If you believe that we have erroneous, incomplete, or outdated information relating to you, you may request that it be corrected or deleted.

You may also request a copy of all information we hold on you.

You may request that we delete or do not process your information and, provided that there is a legal basis to do so, we will comply.

Finally, you are in control of the circumstances under which we contact you, and the manner in which we use your information to do so. Please note that if you request that we do not contact you again, we will retain a record of those contact details specifically in order to avoid contacting you. We will not use this data for any other purpose.

If you’d like to request any of these changes, please visit our Contact page, submit a form and a member of our team will be in touch.

Information Where We Are the Processor

In the context of delivery of services to customers, Atamis acts as Data Processor. We may receive, hold, and process your personal data if it is provided to us by a customer, or if it is necessary to fulfil agreed contractual activities on behalf of a customer.

More details of the contractual terms governing the processing of personal information are available within our Terms and Conditions, or within the specific contract we have with the customer. These terms require our customers to comply with the law when providing us with personal data.

The customer remains the designated Data Controller, and defines the circumstances and scope of the processing which Atamis undertakes on its behalf.

Types of Information We Receive

Atamis may receive personal information during service delivery. These include:

• Personal information which is provided to us by customers
• Personal information which is contained within data sent to us by customers
• Information gathered when you communicate with us or we communicate with you
• Information about your use of Atamis Services and Systems
• Information which you provide to us via online forms or registrations

How We Use and/or Process this Information

Atamis may use your information for the following purposes:

• Generating system usage data
• Controlling access to Atamis Systems and protecting data held on Atamis systems
• Delivery of services, data products, and analysis to the customer as contractually agreed
• Contacting you on behalf of the customer, as contractually agreed with the customer

Disclosure of personal information to third parties

Atamis will only disclose personal information to third parties under specific circumstances. These are:

• Under the instruction of the customer, acting in their capacity as data controller (Atamis will advise customers if it believes that an instruction risks breaching legislation or contractual agreement)
• Where we are required to do so for legal reasons
• With Salesforce.com, in the context of storing data on the Force.com cloud services platform subject to the Atamis Standard Terms and Conditions.
• Where it is strictly necessary to do so for Atamis to fulfil agreed contractual activities as a data processor (for example during supplier research activities which directly support Atamis services to the customer)

Retention Schedule

Where we are a data processor, we store data only as agreed with the customer (the data controller). We delete customer data within 1 month of the end of a contract, unless otherwise agreed with the customer. We retain contact information associated with former customers for audit and accountability purposes, but this information is not used for marketing purposes.

Your Rights

Customers may request that we transfer information which they have provided to another organisation and we will comply, provided there is a legal basis to do so.

If you believe that we have erroneous, incomplete, or outdated information relating to you, you may request that it be corrected or deleted. You may also request a copy of all information we hold on you.

You may request that we delete or do not process your information and, provided that there is a legal basis to do so, we will comply. If we are processing information for a legitimate purpose on

behalf of a customer, we may under certain circumstances be entitled to refuse to delete or restrict our processing of your information.

Finally, you are in control of the circumstances under which we contact you, and the manner in which we use your information to do so. Please note that if you request that we do not contact you, we will indefinitely retain a record of your contact details specifically in order to avoid contacting you. We will not use this data for any other purpose.

If you’d like to request any of these changes, please visit our Contact page, submit a form and a member of our team will be in touch.

Please note that we are likely to consult with the customer prior to responding to you. Accordingly, a response to requests may instead be received from our customer since they, as data controller, define the parameters of our processing of your information.