Privacy notice
This privacy notice sets out who we are, and how and why we collect, store, and use your personal data through our website or when you get in touch to find out more about or purchase our products.
First, the official bit:
- “We” are Griffin Bank Ltd, a company registered in England and Wales with company number 10842931. Our registered office address is 9th Floor, 107 Cheapside, London, EC2V 6DN.
- “You” are an individual person using our website, https://griffin.com.
- We are based in the UK and subject to the UK General Data Protection Regulation (UK GDPR).
Beyond our legal and regulatory requirements, we want you to trust us with your personal data. We take your data privacy and security seriously, and we're fully committed to helping you exercise your rights over any personal data we hold. That's why, throughout this notice, we try to be entirely clear and transparent about:
- How, why, and when we collect your personal data
- What types of personal we collect
- Who we share it with
- How long we hold it for
- What we do to keep it safe
If anything in this policy is unclear or you have questions, please contact us at privacy@griffin.sh.
Types of personal data
We collect different types of personal data about you depending on how and why you interact with us. For example, you might browse our website to find out more about our products, log into our product sandbox to demo our product or send us feedback via email.
The list below covers all the kind of data we may collect about you during these interactions:
- Identity data - your full name, title, and date of birth.
- Contact data - your address, email address, and telephone number(s).
- Technical data - internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technical information about the devices you use.
- Transaction data - any records of communications we have had with you.
- Usage data - information about how you use our website including survey responses, download errors, and page interaction information.
- Marketing and communications data - your marketing communications preferences. information.
Our website may contain links to other websites. If you follow one of these links, please note that destination websites will have their own privacy policies and that we do not accept any responsibility or liability for these.
We use your information to keep you and us safe and secure and to give you information about our products and services, where you have expressed an interest in receiving this.
We process your information for the purposes set out above on the basis of our legitimate interest in:
- operating and improving Griffin and its website; and
- marketing our products and services to you with your consent.
We do not routinely collect and process “special category” personal data about you.
In the scenarios covered by this notice, we do not normally share your information with third-parties.
We also collect, use and share aggregated data. Aggregated data is statistical or demographic data that cannot be used to directly or indirectly identify you, and so is not considered personal data. For example, we may aggregate your usage data to help us calculate the percentage of users accessing a specific website page. If we ever combine or connect aggregated data with your personal data, we treat the combined data as personal data.
Our products, services and website are not intended for use by children, and we do not knowingly collect or use personal data about children under the age of 13.
How we collect your personal data
We collect personal data about you through three main channels.
Direct interactions. You may provide your personal data when you access our website, register for our sandbox to demo our products, contact us, send us feedback, subscribe to our marketing materials, or purchase products or services from us on behalf of your organisation.
Automated technologies or interactions. When you browse our website, we automatically collect technical data about your equipment and browsing patterns, using cookies and similar technologies. Please see our cookie policy for more information.
Third parties or publicly available sources. We may receive personal data about you from third parties and publicly available sources such as Companies House or the UK Electoral Register. We may also receive Technical data about you from the following parties:
- Google Analytics, our website analytics provider
- Beauhurst
- Leadfeeder
- Pipedrive
How and why we use your personal data
In line with data protection law, we only use your personal data if we have a “lawful basis” for doing so.
A lawful basis can include:
- Consent. This is when you have given us clear consent to process your personal data for a specific purpose. For example, you might consent to receive marketing communications from us.
- Legal obligation. This is when we need to use your personal data to comply with the law.
- Legitimate interests. In simple language, a legitimate interest is when we (or one of our third party service providers) process your personal data in a way you would reasonably expect us to, when there's a clear benefit for us or a third party in doing so, and there's a low risk of us infringing your privacy rights. You can learn more about the legitimate interest basis on the ICO website.
The table below gives a detailed breakdown of what we use different types of personal data for, and our lawful bases for doing so. See section “Types of personal data” for definitions of the terms listed below.
| Purpose | Types of personal data | Lawful basis |
|---|---|---|
| To register your organisation as a potential customer and respond to your enquiries | Identity Contact | Legitimate interest - to set up and manage customer relationships |
| To provide products and services to you, including: - to manage payments, fees, and charges - to collect money owed to us | Identity Contact Transaction | Legitimate interest - to receive payments and recover debts |
| To manage our relationship with you, including: - notifying you about changes to our products or services, terms and conditions, or this privacy notice - asking you to leave feedback or take a survey | Identity Contact Transaction | Legal obligation - we are legally require to inform you of certain changes Legitimate interest - to help us keep our records up-to-date and better understand how customers use our products and services |
| To conduct troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data | Identity Contact Technical | Legitimate interest - these activities are necessary for day-to-day running of our business and IT services, for network security, and to prevent fraud Legal obligation - we are legally required to have robust controls in place to prevent fraud |
| To deliver demos of our products and services to your organisation, including granting you access to our sandbox so that you can demo the products yourself. Note that you must only upload test data to the sandbox and should not demo our products using actual personal information. | (a) Identity (b) Contact | Legitimate interests - to promote our products and grow our business. |
| To track and analyse who is accessing our website and how they are using it | {" "} Identity Contact Technical Usage Marketing and communications | Legitimate interest - analysis of this data helps us measure the effectiveness of our website and marketing strategy, better define and understand our target customers, develop better customer relationships and user experiences, and improve our products and services |
| To make suggestions and recommendations about products or services that may be of interest to you | Identity Contact Technical Transaction Usage Marketing and communications | Consent or Legitimate interest - to grow our business |
Who we share your personal data with
We routinely share personal data with:
- Google, our email and website analytics provider
- Slack, our instant messenger provider
- PipeDrive, our Customer Relationship Management (CRM) software provider
We process and store your information using Amazon Web Services (AWS), our cloud service provider.
We only allow our service providers to handle your personal data if we are sure that they will protect it to the same standard we do. As part of their contracts with us, our service providers may only use your personal data to provide services to us and to you, for the purposes listed in the table above.
We may disclose your personal data to law enforcement agencies and regulatory bodies if we are required to do so.
We may also need to share some personal data with other parties during a corporate re-structuring or third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. Usually, data will be anonymised but this may not always be possible. The recipient of the data will be bound by confidentiality obligations.
Transferring your personal data out of the UK
Sometimes it is necessary for us, or our service providers, to share your personal data outside the UK. When we do this, we are subject to special rules under UK data protection law.
If we transfer your personal data outside of the UK, we must:
- confirm that the recipient is located in a country with data protection laws that are substantially equivalent to the UK's; or
- put safeguards in place (such as approved standard contractual clauses) so that your data rights are enforceable and you have access to legal remedies if something goes wrong; or
- confirm that a specific exception applies under data protection law.
Please contact privacy@griffin.sh if you would like any further information about where your personal data is transferred and what measures we have put in place.
Cookies and other tracking technologies
We use cookies on our website. For further information on what cookies are and how we use them, please see our cookie policy.
Marketing
We may use your personal data to send you marketing communications by email, text message, or post. This includes information about exclusive offers, promotions or information on new products. We will only send you marketing communications if we have your consent to do so or if it is in our legitimate interests to send them (such as business-to-business marketing). We will never sell your personal data or share it with other organisations for marketing purposes.
You can ask us to stop sending you marketing communications at any time by:
- contacting us at privacy@griffin.sh; or
- using the unsubscribe link in our emails
We may ask you to confirm or update your marketing preferences from time to time, if there are changes in laws or regulations, or if we change the structure of our business.
Even if you have opted out of all marketing communications, we might still send you necessary updates or communications about products and services you have purchased from us, or respond to direct queries from you. These are not considered marketing communications because they contain information you need to use and find value from the product.
Your rights
You have the following rights over your personal data, which you can exercise at any time without paying any fee or charge to us.
| Your rights | Our responsibilities |
|---|---|
| To access | We must provide you with access to any personal data we have collected about you if you request it. |
| To rectification | We must correct any mistakes regarding your personal data if you ask us to. |
| To be forgotten | In certain situations, we must delete your personal data if you ask us to. Although this is not an absolute right. |
| To limit or restrict how we use your data | In certain circumstances, at your request, we must restrict processing of your personal data, or parts of your personal data (for example, if you contest the accuracy of the data). |
| To data portability | If you request access to the personal data we hold about you, we must provide it to you in a structured, commonly used and machine-readable format. |
| To object | You can object to us processing your personal data for certain purposes, for example direct marketing purposes or if we are relying on our legitimate interests for the processing. |
| To not be subject to automated processing | Automated processing refers to decisions made without human involvement and includes profiling. We must not use automated processing to make a decision about you if that decision affects your legal rights or has other significant impacts for you. |
If you would like to exercise any of these rights, please write to us at privacy@griffin.sh. We try to respond to all requests within one month.
If your request is clearly unfounded, repetitive, or excessive - for example, if you've made several repeat requests in a short period of time - we may charge you a reasonable fee to cover our admin costs, or refuse your request altogether.
You can learn more about your data rights on the ICO website.
How long your personal data will be kept
We hold on to different types of personal data for different lengths of time depending on why we are using it, but we do not keep your personal data for longer than we need it. When we no longer need to hold onto your personal data, we delete it or anonymise it.
If you purchase products or services from us on behalf of your organisation, we will keep your personal data while we are providing those products or services. After that, we may keep your personal data so that we can:
- respond to any questions, complaints, or claims made by you or on your behalf
- show that we treated you fairly
- keep any records required by law
Generally, we won't store your personal information for more than seven years (which takes the statutory claims limitation period into account). If you'd like to know more about specific retention periods for different types of personal data, please contact us.
Keeping your personal data secure
We have a number of procedures and controls in place to stop your personal data from being lost, stolen, or otherwise used or accessed unlawfully.
- Access. Within Griffin, access to personal data operates on the basis of “least privilege”, which means that our employees only have access to your personal data if they absolutely need it to do their job (such as customer support managers).
- Authentication. We use modern, best practice authentication controls, including two-factor authentication. We require the same level of authentication in all third party systems, software, or applications that we use.
- Physical security. We make sure robust physical and environmental controls are in place around any data centre where we store personal data.
- Network security. We use strong firewalls, and all software is placed in the most restrictive zone possible on the basis of “least privilege”. All network zones block traffic not essential to perform their required tasks (both inbound and outbound).
- Threats and vulnerabilities. We constantly review and test the security of our platforms and IT systems to identify and fix any vulnerabilities that hackers could exploit.
We have incident management procedures in place to deal with any suspected data security breaches. You will be contacted as soon as possible if we believe your personal data has been involved in a suspected breach.
How to contact us
If you have any questions about this privacy notice or the data we hold about you, or if you want to exercise your rights under data protection law, please contact our Data Protection Officer (DPO) at privacy@griffin.sh.
How to complain
If you feel that we have misused your personal data or failed to keep it secure, you should contact our DPO at privacy@griffin.sh and clearly state that you wish to make a complaint. We are committed to investigating all complaints promptly, thoroughly, and transparently and providing you with a fair resolution as soon as we can.
You also have the right to make a complaint to the Information Commissioner's Office at any time. You can lodge your complaint in writing here: https://ico.org.uk/make-a-complaint. Alternatively, you can contact the Information Commissioner by phone at 0303 123 1113.
Changes to this privacy notice
This privacy notice was last updated in August 2022. When we update this notice, we'll post details of what has changed here. We may also contact you directly if we make changes that affect how we process your personal data.