Privacy Policy

Welcome to Sifaa Ltd's privacy policy for our website www.Sifaa.com. We highly value your privacy and are dedicated to safeguarding your personal data. This policy is intended to explain how we handle your personal information when you visit our website, and to inform you about your privacy rights and the legal protections in place. The policy is presented in a layered format, allowing you to easily navigate to specific sections. Additionally, we encourage you to refer to the Glossary for explanations of certain terms used in this document.

Key Information and Our Identity

Purpose of this Privacy Policy

Our aim with this privacy policy is to provide you with details about how we collect and process your personal data as you use the Site. This includes any information you may provide when signing up for our newsletter, purchasing a product or service, or participating in a competition through our website. It's important to note that our website is not intended for children, and we do not knowingly collect data related to children.

We advise that you read this privacy policy alongside any other privacy or fair processing policy provided to you on specific occasions when we collect or process your personal data. This will ensure that you fully understand how and why we use your data. This privacy policy complements other notices and privacy policies and is not meant to supersede them.

Data Controller

We are the controller and are accountable for your personal data (referred to as Sifaa, we, us, or our in this privacy policy). We have designated a data protection officer (DPO) who is responsible for addressing any questions related to this privacy policy. If you have any inquiries or wish to exercise your legal rights, please contact our DPO using the details provided below.

Contact Details

For any questions regarding this privacy policy or our privacy practices, please reach out to our DPO using the following contact information:

Full name of legal entity: Sifaa Limited

Email address: info@sifaa.co.uk

Postal address: 82 Margery Park Road, London E7 9LB

Telephone number: +44(0)20 3488 7318

Data Protection Officer: Fraz Butt

DPO email address: info@sifaa.co.uk

You have the right to lodge a complaint at any time with the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, we would appreciate the opportunity to address your concerns before involving the ICO, so please contact us initially.

Changes to the Privacy Policy and Your Duty to Inform Us of Changes

We regularly review our privacy policy. The version provided here was last updated on the date indicated at the end of this document. It is crucial that the personal data we hold about you is accurate and up to date. Therefore, please keep us informed if your personal data changes during your relationship with us.

Third-Party Links

Our website may feature links to external websites, plug-ins, and applications. By clicking on these links or enabling connections, you may permit third parties to gather or distribute information about you. We do not have control over these external sites and cannot be held accountable for their privacy practices. When you navigate away from our site, we recommend reviewing the privacy policies of each website you visit.

Data Collection About You

Personal data, or personal information, refers to details about an individual that can be used to identify them. This does not include information that has been anonymised.

We may gather, utilise, store, and transfer various types of personal data about you, categorised as follows:

- Identity Data: This includes your first name, maiden name, last name, username, marital status, title, date of birth, and gender.

- Contact Data: Information such as billing address, delivery address, email, and phone numbers.

- Financial Data: Details regarding your bank account and payment card information.

- Transaction Data: Information about payments made to and from you, along with details of products and services you have purchased from us.

- Technical Data: This includes your internet protocol (IP) address, login data, browser type and version, time zone, location, browser plug-in types and versions, operating system, platform, and other technology used to access our website.

- Profile Data: Information like your username and password, your purchase history, interests, preferences, feedback, and survey responses.

- Usage Data: Data on how you interact with our website, products, and services.

- Marketing and Communications Data: Your preferences for receiving marketing from us or our partners and your communication preferences.

We also collect, use, and share Aggregated Data, which includes statistical or demographic information for various purposes. While Aggregated Data may be derived from personal data, it is not recognised as personal data legally, as it does not directly or indirectly identify you. For example, we may aggregate your Usage Data to determine the percentage of users accessing a particular website feature. However, if we link Aggregated Data with your personal data in a way that identifies you, we will treat this combined data as personal data and manage it according to this privacy policy.

We do not collect any Special Categories of Personal Data about you, which includes details related to your race or ethnicity, religious beliefs, sexual orientation, political views, trade union membership, health information, and genetic or biometric data. We also do not gather information regarding criminal convictions or offenses.

Consequences of Not Providing Personal Data

If we are required to collect personal data due to legal requirements or contractual obligations, and you do not provide that information when requested, it may hinder our ability to fulfill the contract we have with you or wish to establish with you (for instance, to deliver products or services). In such cases, we may need to cancel any services or products you have with us, and we will inform you if this occurs.

1. If any special category data is collected, we will include additional wording as necessary.

How We Collect Your Personal Data

We gather information about you using various methods, including:

- Direct Interactions: You might share your Identity, Contact, and Financial Data with us by filling out forms or contacting us via post, phone, email, or other means. This includes personal data you provide when you:

- Apply for our products or services

- Set up an account on our website

- Subscribe to our services or publications

- Request marketing materials

- Participate in competitions, promotions, or surveys

- Provide feedback or reach out to us

- Automated Technologies: As you engage with our website, we automatically collect Technical Data regarding your device, browsing actions, and patterns. We gather this information through cookies, server logs, and similar technologies. We may also obtain Technical Data if you visit other websites that use our cookies. Please refer to our Cookie Policy for more information.

- Third Parties and Publicly Accessible Sources: We obtain personal data from various third parties and public sources, which include:

- Technical Data from analytics providers like Google, both inside and outside the UK

- Advertising networks, also based inside and outside the UK

- Search information providers within the UK

- Contact, Financial, and Transaction Data from technical, payment, and delivery services

- Identity and Contact Data sourced from data brokers or aggregators

- Identity and Contact Data from publicly available sources, such as Companies House and the Electoral Register

Usage of Your Personal Data

We will only use your personal data where legally permissible. Generally, we will use your information in these situations:

- To fulfill the contract we are entering into or have already entered with you

- When necessary for our legitimate interests (or those of a third party) provided your interests and fundamental rights do not override those interests

- To adhere to legal obligations

For more information on the types of lawful bases we use to process your personal data, please refer to the Glossary. Generally, we do not utilise consent as a legal basis for processing your personal data, except when obtaining your permission to send marketing communications from third parties through email or text message. You have the right to revoke this consent for marketing at any time by reaching out to us.

Purposes for Using Your Personal Data

Below, we have provided a table that outlines the various ways we intend to use your personal data, along with the legal bases we rely on for each purpose. We have also highlighted our legitimate interests where applicable.

Please be aware that we might process your personal data under more than one lawful basis depending on the specific purpose. If you require details about the specific legal ground we are utilising for processing your personal data, particularly when multiple grounds are listed in the table below, please do not hesitate to contact us.

Marketing

We aim to offer you options regarding how your personal data is utilised, especially concerning marketing and advertising. Here are the mechanisms we have in place for managing your personal data:

- An unsubscribe link included in all our marketing communications

- A Contact Us form available for you to update your preferences

Promotional Offers from Us

We may analyse your Identity, Contact, Technical, Usage, and Profile Data to understand what you might want or need, or what could be of interest to you. This insight helps us determine the products, services, and offers that may be relevant to you (this is what we refer to as marketing).

You will receive marketing messages from us if you have asked for information or made a purchase and have not opted out from receiving such communications.

Third-Party Marketing

We will obtain your express opt-in consent before sharing your personal data with any third party for marketing purposes.

Opting Out

At any time, you can request that we or any third parties stop sending you marketing messages by using the opt-out links in any marketing communication or by reaching out to us directly.

Please note that opting out of marketing messages does not affect personal data given to us due to a product/service purchase, warranty registration, product/service experience, or other transactions.

You have the option to configure your browser to refuse all or certain cookies or to alert you when websites set or access cookies. Disabling or refusing cookies may result in some parts of this website being inaccessible or not functioning properly. For more details on the cookies we use, please refer to our Cookie Policy.

Change of Purpose

We will only use your personal data for the purposes for which it was collected, unless we reasonably determine that it is necessary to use it for a different reason that aligns with the original purpose. If you would like an explanation of how the new purpose is compatible with the original, please get in touch with us.

Should we need to use your personal data for a completely different purpose, we will inform you and clarify the legal basis that permits this.

Please be aware that, in compliance with the aforementioned rules, we may process your personal data without your knowledge or consent when required or permitted by law.

Sharing Your Personal Data

We may share your personal information with the following entities for the purposes outlined in the table above:

- Internal Third Parties as defined in the Glossary.

- External Third Parties as detailed in the Glossary.

- Specific third parties mentioned in the table under the “Purposes for which we will use your personal data.”

- Third parties involved in the sale, transfer, or merger of parts of our business or assets. If such changes occur, the new owners may handle your personal data per this privacy policy.

We require all third parties to uphold the security of your personal information and to comply with applicable laws. Our third-party service providers are not permitted to use your personal data for their own purposes, and they may only process your data according to our specific instructions.

Data Security

We have implemented measures to safeguard your personal data from accidental loss, unauthorised access, misuse, alteration, or disclosure. Access to your personal data is restricted to employees, agents, contractors, and third parties who need it for business reasons. They will only handle your data following our directives and are bound by confidentiality obligations.

We have established procedures to address any suspected breaches of personal data and will inform you and relevant regulators about any breaches as legally required. We utilise various protective methods for your personal data, including:

- A software management system, known as [SoftwareName], which is certified to ISO27001, equivalent to ISO/IEC 27001:2013.

- Your personal data is stored with Microsoft, which is certified to ISO27001, equivalent to ISO/IEC 27001:2013 and ISO 27018.

- We use Google Analytics for data processing, which adheres to ISO27001, ISO 27017, and ISO 27018.

- Our customer relations management (CRM) system complies with European data protection laws and the GDPR.

Data Retention

How long will we keep your personal data?

We will retain your personal data only as long as necessary to achieve the purposes for which it was collected, as well as to meet any legal, regulatory, tax, accounting, or reporting obligations.

Sharing Your Personal Data

We may share your personal information with the following entities for the purposes outlined in the table above:

- Internal Third Parties as defined in the Glossary.

- External Third Parties as detailed in the Glossary.

- Specific third parties mentioned in the table under the “Purposes for which we will use your personal data.”

- Third parties involved in the sale, transfer, or merger of parts of our business or assets. If such changes occur, the new owners may handle your personal data per this privacy policy.

Data Security

- A software management system, known as [SoftwareName], which is certified to ISO27001, equivalent to ISO/IEC 27001:2013.

- Your personal data is stored with Microsoft, which is certified to ISO27001, equivalent to ISO/IEC 27001:2013 and ISO 27018.

- We use Google Analytics for data processing, which adheres to ISO27001, ISO 27017, and ISO 27018.

- Our customer relations management (CRM) system complies with European data protection laws and the GDPR.

Data Retention

How long will we keep your personal data?

We will retain your personal data only as long as necessary to achieve the purposes for which it was collected, as well as to meet any legal, regulatory, tax, accounting, or reporting obligations.

We may keep your personal data for an extended period if a complaint arises or if we reasonably anticipate potential litigation regarding our relationship with you.

To establish how long we should retain personal data, we assess its volume, nature, and sensitivity, as well as the potential risks involved with unauthorised use or disclosure. We also consider why we process your data, whether we can fulfill those purposes in other ways, and any relevant legal or regulatory obligations.

Legally, we are required to maintain basic customer information (including contact, identity, financial, and transaction data) for six years after you stop being a customer for tax reasons.

In certain situations, you can request the deletion of your data; please refer to the section titled "Your Legal Rights" for more information.

There are instances where we might anonymise your personal data for research or statistical purposes, allowing us to use this information indefinitely without further notification to you.

Your Legal Rights

You have rights under data protection laws concerning your personal data under specific conditions. More detailed information can be found under the "Your Legal Rights" section below.

If you would like to exercise any of the rights mentioned, please [Contact Us].

No Fee Typically Required

Generally, you will not have to incur a fee to access your personal data or to exercise your other rights. However, a reasonable fee may be charged if your request is clearly unfounded, repetitive, or excessive. In such cases, we might also decline to comply with your request.

What We Might Need from You

To verify your identity and confirm your right to access your personal data or exercise your other rights, we may request specific information. This is a security measure to prevent unauthorised disclosure of personal data. We may also reach out for additional information related to your request to expedite our response.

Response Timeframe

We aim to respond to all legitimate requests within one month. However, if your request is particularly complex or if you've submitted multiple requests, it might take longer. In such cases, we will inform you and keep you updated on the progress.

Glossary

Legitimate Interests refers to our business interests in managing operations to provide you with top-notch service and a secure experience. We carefully consider any potential effects—both positive and negative—on you and your rights before using your personal data for our legitimate interests. We won’t use your data in ways that would outweigh the impact on you, unless we have your consent or are legally permitted to do so. For details on how we evaluate our legitimate interests in relation to potential impacts, please reach out to us.

Performance of Contract means handling your data when necessary to fulfill a contract you are part of or to take steps upon your request prior to forming such a contract.

Comply with a Legal Obligation involves processing your personal data when required to meet a legal obligation we are subject to.

THIRD PARTIES

External Third Parties

- Service providers outside the EU and EEA who process data, such as interpreters, transcribers, legal software suppliers, legal service providers, and confidential waste disposal experts. We have appropriate data transfer agreements in accordance with European Commission standards.

- Professional advisers (including lawyers, bankers, auditors, and insurers) who act as processors or joint controllers, both inside and outside the EEA, providing various consultancy, banking, legal, insurance, incorporation, and accounting services. We have appropriate data transfer agreements with each of these advisers, compliant with EU standards.

- Entities we collaborate with to provide visitor services at our offices or at any marketing or networking events you attend.

- HM Revenue & Customs, regulators, and other authorities in the UK who process data or act as joint controllers and may require reporting under certain conditions.

- Regulatory bodies (like the Solicitors’ Regulation Authority and The Law Society), law enforcement agencies, tribunals, court services, barristers and chambers, auditors, and government entities as required by law, regulation, or the specifics of your instruction.

YOUR LEGAL RIGHTS

You have the right to:

- Request access to your personal data, known as a “data subject access request.” This allows you to receive a copy of the personal data we hold about you and verify that we are processing it lawfully.

- Request the correction of any personal data we hold about you. This gives you the ability to have incomplete or inaccurate data corrected, although we may need to confirm the accuracy of the new information you provide.

Request the deletion of your personal data. This allows you to ask us to remove your personal information if there isn't a valid reason for us to keep processing it. You also have the right to request the deletion of your data if you’ve successfully objected to its processing (see below), if we have processed your information unlawfully, or if we need to delete your data to comply with local laws. However, please be aware that there may be specific legal reasons that prevent us from fully complying with your deletion request, and we will inform you of these reasons if applicable when you make your request.

Challenge the processing of your personal data when we are relying on legitimate interests (or those of a third party), especially if something about your situation makes you feel that this processing affects your fundamental rights and freedoms. You also have the right to object when your personal data is being used for direct marketing. In some situations, we may show that we have compelling legitimate grounds to continue processing your data, which may override your rights and freedoms.

Request a restriction on the processing of your personal data. This allows you to ask us to pause the processing in the following situations:

• If you want us to verify the accuracy of your data

• If our processing is unlawful, but you prefer we don’t erase it

• If you need us to keep your data for legal claims, even if we no longer need it for other purposes

• If you have objected to our processing of your data, and we need to confirm whether we have overriding legitimate grounds to keep using it.

Request the transfer of your personal data to yourself or to a third party. We will provide your personal data, or that of a third party you designate, in a structured, commonly used, and machine-readable format. Please note that this right applies only to the automated information that you originally consented to share with us or where we processed your data to fulfill a contract with you.

Withdraw your consent at any time if we are processing your personal data based on your consent. However, this does not affect the legality of any processing we conducted prior to your withdrawal. If you choose to withdraw your consent, we may not be able to offer certain products or services, and we will inform you if that’s the case at the time of your withdrawal.

Last updated: October 2024.