Codehouse Privacy Notice
This Privacy Notice is to help you understand what data we collect, why we collect it, what we do with it, the choices that we offer, and the choices and rights that you have.
We ensure that the way we work and the services we provide to you, including this website, are designed to comply with the following national and international legislation: Privacy and Electronic Communications (EC Directive) Regulations 2003, UK General Data Protection Regulation (UK GDPR).
Who we are
Codehouse designs and builds digital experiences that make brands more successful. From digital strategy to website design and build, ongoing digital optimisation, training and support, we help brands create amazing customer experiences that deliver measurable marketing results.
Codehouse Limited (hereinafter “Codehouse”) is a limited company (6359395) in England & Wales, whose registered office is at Aissela, 46 High Street, Esher, Surrey, England, KT10 9QY.
What personal information we collect from you and when we collect it
Personal information is information that can be used to identify you as an individual. It can include, but is not limited to, your first name, surname, email address, postal address, telephone number, mobile telephone number, your social media name or handle, and your IP address.
For employees, this can also include bank account details, national insurance number, ID / passport details, job references, health and medical condition details, emergency contact / next of kin name and contact details, appraisals, annual leave, disciplinary documents, and pension details.
We may collect personal information about you when you:
browse our website;
send us an email using one of the email addresses on our website;
call us regarding your wish to buy, or consider buying, our services;
become one of our customers;
download a guide, leaflet, brochure, or whitepaper from our website;
sign up to receive our newsletter;
ask for us to send you something about our services;
ask for press statements or request a media spokesperson;
register for one of our events;
attend an event or exhibition, and you have agreed with the organisers that they can supply us with your personal information as part of our taking part in that event or exhibition as a sponsor, speaker, or exhibitor;
use one of our social media channels on Facebook, Twitter, LinkedIn, Instagram, or YouTube and ask us a question, request something from us, or send us a direct message;
supply your personal details to be in the public domain, or via a publicly accessible source, such as the website of the company you work for, or on LinkedIn;
apply for a job with us;
become an employee;
become a supplier or partner; or
otherwise give us personal information in another way.
Why we collect your personal information and how we use it
We may collect your personal information for a number of reasons, such as:
to provide you with the services you have requested;
to provide you with information about our work or our activities, that you have asked to receive;
to respond to your question or enquiry;
to research the best individual within a company who might be interested in our services, and to contact you about this;
to invite you to participate in surveys, research, and use the results for statistical analysis to help improve our services;
to be a case study for us, where we may also ask for and use your name and photo on our website or other channels, with your consent;
to be a case study for us, where we may work with you to create a video, and use this video and your story on our website or other channels, with your consent;
to comply with legislation and guidance from regulatory bodies;
to enter into a contract with you, or take steps to enter into a contract with you;
for internal record keeping, such as the management of feedback or complaints;
to maintain a list of people who have explicitly told us that they do not want us to contact them;
to ensure that we keep your personal information as up-to-date and as accurate as possible;
to analyse and improve the services we offer; or
to set you up on our systems as a supplier or a staff member.
Keeping your data accurate
We aim to ensure that all information we hold about you is accurate and kept up-to-date. If any of the information we hold about you is inaccurate and either you advise us, or we become otherwise aware, we will ensure it is changed and updated as soon as possible.
We may contact you for direct marketing purposes by post, email, work phone number, or mobile phone number, if you have given us your permission to do so. We will only contact you for the purpose you requested via the channel you request, e.g. if you only want to receive our newsletter, we will only send you emails about this and nothing else. It is your choice on the type of communications and the type of information you receive from us.
We will not use your information for direct marketing purposes if you have asked us not to. However, we will retain your details on a suppression list to help ensure we do not contact you. You may ask for any personal information we hold on you to be deleted and destroyed at any time.
Legal basis for processing your data
Our legal basis for collecting and storing your data differs depending on when and why you provide us with your personal information. For example:
For the performance of a contract or to take steps to enter into a contract - if you enquire about our services, or become a supplier or a customer, then we process your data to allow us to take steps to enter into a contract with you.
To comply with legislation or regulatory guidance - if you apply for a job with us, or start employment with us as a contractor or part-time or full-time employee, we will record and store your personal information in order to comply with various employment, tax, health and safety, and data protection legislation and regulatory guidance.
For legitimate interests - if you contact us by email or via a contact us form on our websites, sign up to attend one of our events, sign up to be a speaker at one of our events, enter a prize draw, or you are a journalist who has asked for information from us, we will record and store your personal information because we believe we have a legitimate interest in doing so.
You give us your consent - Where appropriate, whenever we ask for your personal information we will ask whether you consent to our processing and storing your data. In most cases, not giving us consent to process and store your data will not change the service we provide to you.
Consent for us to collect and store your data is separate from giving us consent for direct marketing purposes, which is when you request that we send you from time to time other information than that which you have requested or signed up for. We always ask for consent for direct marketing purposes to make it explicitly clear to you what you are consenting to, and how we will be using your personal information.
Where and why we use legitimate interest, and why we need your personal data
When you email us or use a contact us form on our website
What is our Legitimate Interest? To understand who has requested information from us, and what information has been requested.
Why do we process and store your personal data? To reply to your enquiry, but also keep a record of what was said, when, and by whom, in order to take steps to enter into a contract.
Why do we conclude your rights don't override our interest? We believe our need to provide you with the information you have requested from us outweighs your rights.
When you register for one of our events
What is our Legitimate Interest? To understand who will be attending the event.
Why do we process and store your personal data? To see who the person attending the event is, and to manage the event to inform people of the agenda, and where they need to go.
Why do we conclude your rights don't override our interest? The events we hold are for brand marketers only – sometimes competitor agencies try to attend – so we need to be aware of who has registered for the event. We will only store your personal data for a short time period before deleting, unless you have opted in to direct marketing.
When you sign up to become a speaker at one of our events
What is our Legitimate Interest? To understand who will be speaking at our event.
Why do we process and store your personal data? To keep a record of who has spoken at one of our events, what was presented, and to get in touch with them in the event of a query or enquiry into the content of the presentation.
Why do we conclude your rights don't override our interest? We believe our need to liaise with you on the agenda and content of our event, in your role as a speaker, outweighs your rights.
When you enter a prize draw
What is our Legitimate Interest? To allow us to contact the data subject in the event of winning the prize draw, and to anonymously keep records for reporting purposes.
Why do we process and store your personal data? Without personal data, we cannot get in touch with you to let you know that you have won the prize draw.
Why do we conclude your rights don't override our interest? We believe our need to contact you in the event that you win the prize draw outweighs your rights. We will only store your personal data for a short time period before deleting, unless you have opted in to direct marketing.
What is our Legitimate Interest? To understand who has requested information from us, and what information has been requested.
Why do we process and store your personal data? To reply to your enquiry, but also keep a record of what was said, when, and by whom, and what was published in the media.
Why do we conclude your rights don't override our interest? We believe our need to provide evidence in the event of a complaint from the public or an inquiry outweighs your rights.
Information sharing, disclosure, and security
We will not share your information with any third party apart from trusted partners we work with to deliver our services to you.
All our trusted partners are required to comply with data protection regulations and our high standards, and are only allowed to process your information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place and we ensure their compliance with our instructions.
We may disclose your personal information to third parties if we are required to do so through a legal obligation, for example to the police or a government body; to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.
Our staff responsibilities
We take steps to ensure your personal information is safe and secure, and that all staff are aware of and comply with their responsibilities in relation to data protection legislation, namely:
We have a data protection policy and procedures in place.
All staff undergo training in data protection requirements.
Access to your personal data is based on job role and a ‘need to know’ basis, enforced by strict access control measures. We do this to reduce the risk of inappropriate access to personal data by staff, which is seen as good practice by the Information Commissioner’s Office (ICO).
Access to our office is through use of secure key-card entry.
We have confidential waste processes in place. This improves the security of personal data which is no longer required.
We have formal retention schedules in place to ensure that we only keep your personal information for an appropriate length of time.
We enforce regular password changes through our IT systems.
We have a clear desk policy with regard to personal information – nothing containing personal information is to be left out on a desk.
All paper files or discs containing personal information are held in securely locked cabinets, with only the appropriate staff having access to them.
Storing your information and how long we store it
We only hold your personal information for appropriate lengths of time. We take into consideration our legal obligations, the guidance of relevant UK authorities such as HM Revenue & Customs (HMRC), the Chartered Institute of Personnel and Development (CIPD), and also tax, accounting, health and safety, and employment rules when determining how long we should retain your information.
The length of time we store your personal information is as follows:
Customer Type / Record - Length of time we hold data
Customer Contracts - 6 years from end of contract
Supplier Contracts - 6 years from end of contract
Staff member - 6 years from when you stop employment
Direct marketing subscriber - 2 years from the time you sign up
Press - 2 years from last contact
Event speaker - 2 years from when you sign up
Contact us user - 2 years from when you contact us
Job applicant - 6 months from when you apply for a job
Event delegate - 3 months (unless opted in to direct marketing)
Prize draw contestant - 3 months (unless opted in to direct marketing)
Staff member (next of kin / bank details) - 3 months from when you stop employment
When we no longer need to retain your personal information, we will ensure it is securely deleted and destroyed at the appropriate time.
If we have collected and stored your data and you have provided us with your consent to contact you by opting in to receive direct marketing from us, then from time to time, we may ask you to verify the personal information we hold on you and provide us with your consent to continue to receive direct marketing from us. We do this to ensure the personal information we hold on you, and your preferences for any contact from us, is as accurate and up-to-date as possible.
Our websites, cookies, and web beacons
Google Analytics and Sitecore Analytics
Our website uses Google Analytics and Sitecore Analytics to track what a visitor sees on our websites and where they go. We use this data to determine the number of people using our websites, to better understand how they find and use our web pages, and to see their journey through the websites. Read more about Google Analytics and Privacy. Contact Sitecore for more information about Sitecore Analytics and Privacy.
Although Google Analytics and Sitecore Analytics record data such as your geographical location, the device you are using to access our website, Internet browser, and operating system, none of this information personally identifies you to us. Google Analytics also records your computer’s IP address, which could be used to personally identify you, but Google do not grant us access to this for privacy reasons.
Our website is built on the Sitecore Experience Platform, which allows us to personalise and tailor content to you, based on your location and your behaviour on our website – what pages you visit, and what things you download. By using our website, you agree that we may automatically track where you go and what you do on our website, so that we may personalise the content to provide you with a better experience.
You may, if you wish, set your browser to block all cookies, including cookies associated with our services or to indicate when a cookie is being set by us. However, it’s important to remember that many of the services on our websites may not function properly if your cookies are disabled.
Our websites contain links to other websites belonging to third parties and we sometimes choose to participate in social networking websites including but not limited to Twitter, YouTube, LinkedIn, Instagram, and Facebook. We do not have any control over the privacy practices of these other websites or applications. You should make sure when you leave our website that you have read and understood that website’s privacy notice in addition to our own.
We use web beacons in the emails we send to you when we use MailChimp. Web beacons allow us to track who opened the emails and who clicked the links. This allows us to measure the performance of the emails that we send.
Third party data controllers and data processors
We use a number of third parties who process personal data on our behalf.
Data controllers – these third parties process personal data either (a) under their own terms – because you will have created an account with them to use their service, (b) as part of an off-the-shelf solution we use to deliver our services, but where we cannot control how the solution works, or (c) because they are an organisation we jointly work with to deliver our services.
Data processors – these third parties process personal data on our behalf based on what we ask them to do with it, or it may be an off-the-shelf solution we use to deliver our services, but where the third party may be able to see your personal data, for example, if we ask them to fix a problem with their service or solution when it may not be working properly.
We have robust contracts, agreements, and terms of service in place with all the third party data controllers and data processors that we use to process personal data – this is to ensure that your data is secure and protected.
All third parties have been carefully chosen and all of them comply with the legislation set out in section 1 of this Privacy Notice. Many of the third party data processors we use are global companies with headquarters based in the USA and are EU-U.S. Privacy Shield compliant.
Some of these third parties have servers located outside the EU, which means that when you use these services whether of your own volition, or when you choose to use our services, your data is passed between the UK and a country outside the EU. These countries may not have similar data protection regulations to the UK, however we will take steps with the aim of ensuring your privacy continues to be protected as outlined in this Privacy Notice.
Pardot Cookies and Activity Tracking
Pardot sets first-party cookies for tracking purposes, and sets third-party cookies for redundancy. Pardot cookies don’t store personally identifying information, only a unique identifier.
Pardot sets the following cookies:
visitor_id<accountid> - The visitor cookie includes a unique visitor ID and the unique identifier for our Pardot account. This cookie is set for visitors to our website by our Pardot tracking code.
pi_opt_in<accountid> - If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a true or false value when you opt in or out of tracking. If you opt in, the value is set to true, and you are cookied and tracked. If you opt out or ignore the opt-in banner, the opt-in cookie value is set to false. The visitor cookie is disabled, and you are not tracked.
visitor_id<accountid>-hash - The visitor hash cookie contains the account ID and stores a unique hash. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information.
lpv<accountid> - This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if you reload a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view.
pardot - A session cookie named pardot is set in your browser while our staff are logged in to Pardot as a user or when you access a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking.
The Site is not directed to children under 13. We do not knowingly collect Personal Information from anyone under 13 years of age. If we determine upon collection that a user is under this age, we will not use or maintain his/her Personal Information without the parent/guardian’s consent.
Changes to the Privacy Notice
This Privacy Notice replaces all previous versions and is correct as of 17 April 2018.
Our Privacy Notice may change from time to time. We will post any Privacy Notice changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes). We will also keep prior versions of this Privacy Notice in an archive, and you can request to see the version of the Privacy Notice you signed up to at any time by contacting us.
Your rights as an individual
Under data protection legislation, you have the right to:
obtain confirmation from us about whether we are processing your personal information, how, and why;
request that we update or amend the information we hold about you, if it is wrong;
object to the processing of your information, including for direct marketing purposes or profiling;
object to your personal information being subject to automated processing;
request a copy of the information we hold about you;
change your communication preferences at any time;
ask us to remove your personal information from our records without delay; or
raise a concern or complaint about the way in which your information is being used with a data protection authority – in the UK, the data protection authority is the Information Commissioner's Office (ICO) who can be contacted at https://ico.org.uk/.
If at any time you contact us regarding any of your rights above, we will get back in touch with you as soon as possible.
Scope of Policy; Third Party websites
This policy does not apply to entities that are not owned or controlled by Codehouse.
If you would like us to contact you to discuss our services, or if you have any questions about this Privacy Notice, then please contact us in writing via email on firstname.lastname@example.org, or by post to: Data Protection, Codehouse, 10 Eastcheap, London EC3M 1AJ.