MicroSalt Limited (‘MicroSalt’, ‘we’, ‘us’) and our group companies (‘Group’) takes the protection of privacy very seriously. This notice describes how we collect, use, and handle your personal data. It also describes your data protection rights, including a right to object to some of the processing which MicroSalt carries out. More information about your rights, and how to exercise them, is set out in the ‘Your rights?’ section below.
This notice applies to the information MicroSalt collect from customers, prospects, and business contacts when they use the MicroSalt platform, purchase MicroSalt products or are a MicroSalt shareholder. It also covers personal information collected on https://microsaltinc.com.
We are the controller for the personal data which is hosted on the MicroSalt platform or with our processors.
2. Who we are
We are MicroSalt reducing salt intake and providing healthy snacks.
The website https://microsaltinc.com in the UK is run by MicroSalt.
3. What information do we collect?
We collect and process the following information:
- When you communicate with us through our services, purchase our products or are a MicroSalt shareholder: we collect personal data when you provide it to us through our website or when you engage with us via another communication channel;
- Entering into agreement with us: when you enter into a contractual agreement with us we may collect certain details in respect of you or other representatives of your business;
- Account information: when you log into an account on our website, you will be asked to provide your name, email address, job role and password;
- Contact page: when you send us an enquiry via our contact page, we will collect your full name, email address and the details of your enquiry; and
- Automated technologies: the servers hosting our website automatically record certain information about you when you use the website, including details of your domain name, IP address, operating system and browser. MicroSalt may use this information to understand the manner in which pages of the website have been visited in order to monitor and improve our website.
Sometimes, we receive information about you from third parties.
4. How do we use this information?
We process this data for the following lawful purposes:
To fulfil a contract, or take steps linked to a contract with you including:
- To provide the MicroSalt platform and our website, and ancillary services such as customer support;
- To authenticate users of the MicroSalt platform, products or are a MicroSalt shareholder;
- To send you service, technical and other administrative emails relating to the MicroSalt platform, products or are a MicroSalt shareholder; and
- To create your user profile.
As required by MicroSalt to conduct our business and pursue our legitimate interests, in particular:
- To ensure the MicroSalt platform and our website is working as intended, such as tracking outages or troubleshooting issues that you report to us;
- To make improvements to the MicroSalt platform and our website and to help us develop new products and services;
- To respond to enquiry forms that you complete on our website;
- We use data for analytics and measurement to understand how the MicroSalt platform and our website is used. For example, we analyse data about your use of the MicroSalt platform to do things like optimise product design. This information can consist of information such as geographical location, browser type, referral source, length of visit, pages viewed and phone make and model;
- We use information you provide to investigate any complaints received from you or from others, about the MicroSalt platform, our website or other services;
- For direct marketing purposes including creating a profile about you to better understand you and tailor the marketing we serve you (including on social media). This may include information about the MicroSalt platform or information about our other products and services;
- We will use information in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
- To conduct surveys and other market research to ensure our services are relevant to your needs.
Where you give us consent:
- Where required by law to send you direct marketing in relation to our services;
- on other occasions where we ask you for consent, we will use the information for the purpose which we explain at that time.
For purposes which are required by law:
- In response to requests by government or law enforcement authorities conducting an investigation.
- Processors & International Transfers: Like many companies, we use suppliers to support our data processing. Some of our key service providers are listed below. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the UK, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place.
|Vendor||Purpose||International Transfer Safeguard|
|Hubspot / based in the United States||Marketing automation / company updates / product information / contact database / marketing database||Standard Contractual Clauses including UK Addendum|
|Google Cloud Platform / based in the United Kingdom||Where we host our software||EU-UK Adequacy Decision|
|Google Analytics / based in the United States||Our analytics provider||EU-UK Adequacy Decision|
|Google Workspace / based in the United States||Email / file storage||EU-UK Adequacy Decision|
|Slack / based in the United States||Internal communication / communication with customers||Standard Contractual Clauses including UK Addendum|
|Zoominfo / based in the United States||Call recording software for training and quality purposes / business information database||Standard Contractual Clauses including UK Addendum|
- Legal reasons. We will share personal information outside of MicroSalt if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to (i) enforce applicable terms of service or other agreements, including investigation of potential violations and audits, (ii) detect, prevent, or otherwise address fraud, abuse, security risks, or technical issues, and (iii) protect against harm to the rights, property or safety of MicroSalt , our users, or the public as required or permitted by law.
- Group companies. We may share your information with our group of companies for the purposes of business administration, maintaining security and regulatory compliance, providing support services to end users (including IT support, where relevant), marketing and analytics.
- Business transfers. In the event that MicroSalt undergoes any reorganisation, restructuring, merger, sale, or other transfer of assets, your information will be disclosed to our advisers and any prospective purchaser’s adviser(s) and will be passed to any new owners of the business.
For data which is hosted in the MicroSalt platform: MicroSalt is a Controller for personal data hosted in the MicroSalt platform or held by Processors at our instruction. For MicroSalt users (such as customers, prospects, and business contacts) we will continue to process your personal data whilst we have a legitimate business need.
If you have exercised your data protection rights in relation to the right to be forgotten or to restrict processing, we will fulfil valid requests as soon as practicable and usually within 28 days of your request being received. Sometimes business and legal requirements oblige us to retain certain information, for specific purposes, for an extended period of time. Reasons we might retain some information for longer periods of time include security, fraud prevention, financial record-keeping, complying with legal or regulatory requirements. A retention schedule is maintained and can be made available on request. The longest period we are likely to keep your personal data is approximately 15 years.
7. Your rights
Where required by applicable law or regulation, you have the right to ask us for a copy of your personal information; to correct, delete or restrict (stop any active) processing of your personal information; and to obtain the personal information you provide to us for a contract or with your consent in a structured, machine readable format, and to ask us to share (port) this information to another controller.
In addition, you can object to the processing of your personal information in some circumstances (in particular, where we do not have to process the information to meet a contractual or other legal requirement, or where we are using the information for direct marketing). These rights may be limited, for example if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights – or get a copy of our legitimate interest balancing tests – you can get in touch with us using the details set out below. If you have unresolved concerns, you have the right to complain to an information protection authority where you live, work or where you believe a breach may have occurred.
For the provision of information marked as mandatory when you register to use the MicroSalt platform, if such information is not provided, then you will not be able to use the service. All other provision of your information is optional. If you do not provide such information, our provision of certain services to you may be detracted from.
8. Contact Details
Please contacted email@example.com for additional information.
MicroSalt is committed to a policy of protecting the rights and privacy of individuals, in accordance with GDPR. GDPR contains provisions that the Group needs to be aware of as data controllers, including provisions intended to enhance the protection of personal data.
GDPR requires that the Group needs to process certain information about its staff, customers, suppliers and other individuals with whom it has a relationship for various purposes such as, but not limited to:
- the recruitment and payment of staff;
- the day-to-day purchasing and sales of goods;
- the making or receiving of payments as part of day-to-day trading;
- to contact stakeholders about a submission or request for information received;
- in relation to any correspondence the Group receives from stakeholders or any comment or complaint stakeholders make about the Group’s products or services; and
- complying with legal obligations and government including local government.
To comply with various legal obligations, including the obligations imposed on it by GDPR, the Group ensures that all information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
All members of staff are responsible for ensuring that any personal information which they hold is kept securely and not disclosed to any unauthorised third parties. The Group ensures that all personal information is accessible only to those who have a valid reason for using it. The Group has in place appropriate security measures to protect information physically and electronically.
As a matter of best practice, other agencies and individuals working with the Group and who have access to personal information, are expected to read and comply with this policy. It is expected that departments who are responsible for dealing with external bodies will take the responsibility for ensuring that such bodies sign a contract which among other things will include an agreement to abide by this policy.
Consent as a basis for processing information although not always necessary is the best way to ensure that information is collected and processed in an open and transparent manner. Consent is especially important when the Group is processing any sensitive information, as defined by the legislation. The Board understands consent to mean that the individual has been fully informed of the intended processing and has signified their agreement.
The Board also confirms consent cannot be inferred from the non-response to a communication.
This policy will be updated as necessary to reflect best practice in information management, security, and control and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation.
This policy applies to all staff of the Group. Any breach of this policy or of the legislation itself will be considered an offence and the companies’ disciplinary procedures may be invoked.
Responsibilities under GDPR mean that the Group is the “data controller” under the terms of the legislation. This means it is ultimately responsible for controlling the use and processing of personal data. The Board appoints a Data Protection Officer for each site who is available to address any concerns regarding the data held by the Group and how it is processed, held, and used.
The Board is responsible for all day-to-day data protection matters and will be responsible for ensuring that all members of staff and relevant individuals abide by this policy, and for developing and encouraging good information handling within the Group.
The Board is also responsible for ensuring that the Group’s policy is kept up to date.
Compliance with the legislation is the personal responsibility of all staff at the Group who process personal information.
Individuals who provide personal data to the Group are responsible for ensuring that the information is accurate and up-to-date.
Data protection principles
To comply with its obligations, the Group undertakes to adhere to the eight principles:
Process personal data fairly and lawfully (the right to be informed)
The Group will make all reasonable efforts to ensure that individuals who are the focus of personal identifying information are informed of the identity of the data controller, the purposes of the processing, any disclosures to third parties that are envisaged; given an indication of the period for which the data will be kept, and any other information which may be relevant.
The Group will ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed. The Group will not seek to collect any personal data which is not strictly necessary for the purpose for which it was obtained.
The Group will process the data for the specific and lawful purpose for which it was collected and not further process the data in a manner incompatible with this purpose. The Group will ensure that the reason for which it collected the data originally is the only reason for which it processes that data, unless the individual consents to any additional processing before it takes place.
The Group undertakes not to disclose personal data to unauthorised third parties. Legitimate disclosures may occur in the following instances:
- where the individual has given their consent to the disclosure; and
- the disclosure is required for the performance of a contract.
There are other instances when the legislation permits disclosure without the consent of the individual, such as CCTV. There are some CCTV systems operating within the Group’s premises for the purpose of protecting staff and property. The Group will only process personal data obtained by the CCTV system in a manner which ensures compliance with the legislation.
Subject Access Rights (the right of access)
Individuals have a right to access any personal data relating to them which is held by the Group.
The Group uses reasonable efforts consistent with its legal duty to supply, correct or delete personal information about stakeholders on its files.
Any individual wishing to exercise this right should apply in writing to the Data Protection Officer.
Any member of staff receiving a “Subject Access Right” request from a stakeholder forwards the request to the Data Protection Officer.
To ensure security, the Group requires a stakeholder to prove their identity with 2 pieces of approved identification before any “Subject Access Right” request can be released.
Keep personal data accurate (the right to rectification)
It is the responsibility of the individuals giving their personal data to ensure that this is accurate, and each individual should notify the Group if a change in circumstances mean that the data needs to be updated.
It is the responsibility of the Group to ensure that any notification regarding the change is noted and acted on.
Only keep personal data for as long as is necessary (the right to erasure)
The Group undertakes not to retain personal data for longer than is necessary to ensure compliance with GDPR legislation, and other statutory requirements.
This means that the Group undertakes a periodic review of the information held and implements a purge process as required.
The Group disposes of any personal data in a way that protects the rights and privacy of the individual concerned.
Restrict the process of personal information
Stakeholders have the right to prevent processing of information while that information is subject to corrective action.
At any time, a stakeholder can request to know what information is stored and request action to rectify, block, erase or destroy inaccurate information while that process is underway
Transfer of data outside the EEA
The Group ensures that no personal data is transferred to a country or a territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The Group does not transfer data to such territories without the explicit consent of the individual. This also applies to publishing information on the internet, as such a transfer of data can include placing data on a website that can be accessed from outside the EEA. The Group always seeks the consent of individuals before placing any personal data (including photographs) on its website.
If the Group collects personal data in any form via its website, it provides a clear and detailed privacy statement prominently on the website, and wherever else personal data is collected.
The right to object
The right to object allows an individual to prevent processing for purposes of:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain things about an individual).
GDPR introduces a duty to report certain types of personal data breach to the relevant supervisory authority. Where feasible, the Group does this within 72 hours of becoming aware of the breach.
If the breach is likely to result in a high risk of adversely affecting stakeholders’ rights and freedoms, the Group also informs those stakeholders without undue delay.