Security, Data and Privacy Policies

This policy applies to information we collect when you choose to use this website, and also to personal information which we process further to supplying the receptive service (“Receptive Service”) to our clients. We take your privacy very seriously and we ask that you read this privacy policy carefully as it contains important information on the personal information we collect about you and/or your end users (if you use the Receptive Service); what we do with such information and who such information might be shared with.

Who we are

This website is owned by Receptive Software Limited and our registered office is at Bedford House, Mowbray Street, Sheffield, S3 8EN, United Kingdom. Receptive Software Limited (‘we’ or ‘us’) are a ‘data controller’ for the purposes of the Data Protection Act 1998 and as of 25 May 2018, the General Data Protection Regulation (‘GDPR’) (as applicable the “Legislation”) where we control the purposes for which we process your personal information. We are the data processor where we are processing your or your end users’ personal information in order to provide the Receptive Service to our clients. We will take all appropriate steps to ensure compliance with the Legislation. Our registration number with the Information Commissioner’s Office is ZA136514. Any questions about our data protection policy or how we handle your personal data should be addressed to our Data Protection Officer (see ‘How to contact us’ below).

What information do we collect?

We collect personal information about you (such as your name, phone number, email address, credit card address details and contact details), when you make an enquiry, subscribe to our email lists, register with us or purchase the Receptive Service from us. We also collect personal information when you contact us via the online form. We may send information about you to other parties other companies within our agents, associates and service providers and law enforcement agencies in connection with any investigation to help prevent unlawful activity.

Personal information about end users

We also collect personal information about your end-users when providing the Receptive Service. If you give us personal information on behalf of someone else such as your end-users, you confirm that either:

  1. the other person has a contractual relationship with you and knows that you will be transferring their personal data to us for specific purposes and/or

  2. s/he has appointed you to act on his/her behalf and has provided consent to the processing of his/her personal data.

Sensitive/special category personal information

We may process sensitive personal information in certain situations, for example when carrying out recruitment checks if you apply for a job with us. If we request such information, we will explain why we are requesting it and how we intend to use it. Sensitive personal information includes information relating to:

  • ethnic origin

  • political opinions

  • religious beliefs

  • trade union membership

  • physical or mental health or condition

  • sexual life

We will only process your sensitive personal information with your explicit consent.

How will we use the information about you?

We process information about you so that we can:

  • identify you and manage any accounts you hold with us

  • provide the Receptive Service to you and your end-users

  • if you agree, let you know about other products or services that may be of interest to you (see ‘Marketing’ section below)

  • detect and prevent fraud

  • customise our website and its content to your particular preferences

  • notify you of any changes to our website or to our services that may affect you

  • improve our services

Use of cookies

A cookie is a small text file which is placed onto your computer (or other electronic device) when you use our website. We use cookies on our website.

Where applicable, this website uses a cookie control system allowing you on your first visit to the website to allow or disallow the use of cookies on your computer/device. This complies with recent legislation requirements for websites to obtain explicit consent from users.

For example, we may monitor how many times you visit the website, which pages you go to, traffic data, location data and the originating domain name of a user’s internet service provider, to improve the user’s experience whilst visiting the website, and better understand how you use it. This information helps us to build a profile of our users. Some of this data will be aggregated or statistical, which means that we will not be able to identify you individually. You can set your browser not to accept cookies and the websites below tell you how to remove cookies from your browser. However, some or all of our website features may not function as a result. For further information on our use of cookies, including a detailed list of your information which we and others may collect through cookies please see our Website cookie policy at https://www.receptive.io/cookies.html

For further information on cookies generally visit https://ico.org.uk/for-the-public/online/cookies/

Marketing

We may use the personal information you have submitted to us on this website (or otherwise) to provide you with further information by email about the products and services we offer which you have requested and/or which may be of interest to you, provided that you give us your explicit consent. You can choose to unsubscribe at any point by clicking on the link at the bottom of the email.

Email marketing campaigns published by us may contain tracking facilities within the actual email. Subscribed activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.

Keeping your data secure

Our staff and associates are also bound by obligations of confidentiality and trained in the protection of personal data. We will take all reasonable steps to comply with the Legislation and use the appropriate technical and organisational measures necessary to safeguard your personal data.

All Receptive production services and database servers are hosted in the AWS EU-West-1 region, which is located in Dublin, Ireland. We are committed to using industry standard network security procedures. These include but are not limited to the following:

  • Regular system updates and security patches are applied to the Receptive Services.

  • To maximize availability, production systems are hosted across a minimum of 2 availability zones within an AWS region.

  • Production systems are designed to tolerate the failure of any individual machine and restore the desired redundancy levels without human intervention.

  • In the event of normal spikes in usage, scale up / down of server instances is designed to happen without human intervention. Failover to another availability zone in the event of widespread issues in a single availability zone should happen without human intervention.

  • Encrypted connections are used in all cases that sensitive data is transferred between Receptive systems, and between the client systems and the Receptive Service.

  • All API connections between the client and the Receptive Service, and internal data transfers are encrypted with industry standard techniques.

  • No unencrypted connections are allowed to our web server, except those needed to redirect insecure requests to a secure resource.

  • Security groups and firewall rules are configured to permit access only from the specific machines / networks and using only the network ports that are required to operate the Service.

  • Penetration testing against the Receptive APIs and platform is carried out by a suitably qualified third party on a regular basis. The last penetration test was performed on 15th August 2018.

  • Two-factor authentication is used wherever practical by Receptive employees to help prevent unauthorized access to email and other internal systems.

Backups

Our database services are configured to create continuous rolling backups. Additional off-site backups are automatically taken at least hourly. For disaster recovery, backups are stored in a different AWS region from production systems, but remain within the EEA.

Payment Security

Receptive’s credit card payment processor is Stripe, who are certified to PCI Service Provider Level 1 standards. All payment card related data is sent direct from the client’s browser to Stripe’s API over encrypted connections. Receptive’s servers may store non-PCI payment data such as the last 4 digits of the card number to help the client manage their payment card.

Code security

Receptive’s development team use industry-standard policies to maintain a high quality codebase. These policies include:

  • Access to Receptive’s code is only granted to employees who have signed the IP assignment, confidentiality contracts and supplied references.

  • Application code libraries are regularly reviewed by developers for updates, and security-related updates are applied as soon as practical.

  • Passwords and API keys are not committed to the code repository.

  • Access to the code repository is protected by two-factor authentication.

  • Static code analysis and automatic unit tests are run automatically on every check-in.

  • Developers peer-review any security-sensitive code.

  • A short release cycle allows bugs and issues to be fixed quickly.

  • We only share your personal data with third parties for the purpose of promoting the Receptive Service.

Account Access Policy

On occasion it may be necessary for Receptive employees to have access to personal data. This is generally restricted to 1) the client success team assisting clients with support and 2) the development team investigating issues specific to a client.

The only Receptive employees with the ability to access customer accounts are senior developers and client success managers who have signed the confidentiality agreement and supplied references.

Data Breach Response Policy

As soon as a theft, data breach or exposure containing personal data is identified:

  • The process of removing all access to that resource will begin.

  • The CEO will be notified of the theft, breach or exposure.

  • The CEO will chair and form an incident response team to handle the breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

  • The CEO will work with Receptive’s communications, legal and human resource departments to decide how to communicate the breach to: internal employees, customers, those directly affected.

Other

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us (see ‘How can you contact us?’ below).

Retention Periods

Unless the law requires us to store the data for a longer period, we retain your personal data on secure servers for a period of:

  • 90 days from the date on which you cease to be a customer of ours.

  • or until you ask us to destroy it.

Your Rights

The GDPR provides the following rights for individuals whose personal data is processed:

  1. The right to be informed

  2. The right of access

  3. The right to rectification

  4. The right to erasure

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object to processing

Right to access – i.e., to request a copy of your information

You can request a copy of your information which we hold (this is known as a subject access request). If you would like a copy of some or all of it, please:

  • email or write to us (see ‘How can you contact us?’ below);

  • let us have proof of your identity (a copy of your driving licence or passport); and

  • let us know what information you want.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your information which we hold free of charge. If you would like to do this, please:

  • email or write to us (see ‘How can you contact us?’ below)

  • let us have enough information to identify you

  • let us know the information that is incorrect and what it should be replaced with.

Right to remove your details from our records or restrict how we use your information

You can ask us to stop contacting you for particular purposes or remove your information completely from our records. There may be a legal reason why we need to keep your personal data and in that circumstance we will destroy your personal information as soon as we are legally entitled to do so. If you would like us to stop contacting you with information about our services, please email or write to us (see ‘How can you contact us?’ below). You can also click on the ‘unsubscribe’ button at the bottom of the email and/or newsletter.

Right to lodge a complaint with the Supervising Authority

If you have any concerns or complaints about how we use your personal data we hope you will alert us to these directly (see the Contact information below). If you are still unhappy you are entitled to complain to the Information Commissioner’s Office (ICO) which is the supervising authority in the UK. Their contact details and the procedure can be found at https://ico.org.uk/

How to contact us

If you have any questions about this privacy policy or the information we hold about you, please contact our Data Protection Officer by emailing data.protection@receptive.io. If you wish to contact us about any other matter, please send an email to support@receptive.io or write to us at Receptive Software Limited, Bedford House, Mowbray Street, Sheffield, S3 8EN, United Kingdom.

Changes to the privacy policy

We may change this privacy policy from time to time. You should check this policy occasionally to ensure you are aware of the most recent version that will apply each time you access this website or use our services.