We are Oxford Creativity Limited. You can find further details about us and how to contact us in the 'Our details' section. In this notice, "we", "us" and "our" refer to Oxford Creativity Limited. We own the trademark brand 'Oxford TRIZ™'.
This notice explains how we handle the personal data we obtain about our website visitors, clients and people who contact us. For the purposes of EU data protection law, we are the ‘controller’ of this personal data (meaning that we determine why and how it is processed).
The types of personal data we process in the normal course of our business are:
The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so are set out in the table below. An explanation of what the different legal bases mean can be viewed here.
|Purposes of processing||Types of personal data||Legal basis|
|Analysing use of our website, e.g. finding out how many people visit various parts of the site.||
|Our legitimate interests in monitoring, maintaining, improving and protecting our website.|
Providing our training and consultancy services to clients and communicating with clients in connection with providing those services.
|In respect of individual clients, the legal basis we rely on is that our processing is necessary for the performance of a contract with the individual to provide training to them.
In respect of business clients, the legal basis we rely on is that our processing is necessary for the purposes of our legitimate interests in providing our training and consultancy services to our business clients.
Providing our free online learning resources to individuals that request them.
|Our legitimate interests in providing our free online resources to individuals that request them, enabling individuals to benefit from free learning opportunities and enabling us to demonstrate and promote our skills and expertise and raise our profile.|
Providing our blog articles and insights to individuals that request them.
|Our legitimate interests in providing our blog articles and insights to individuals that request them, enabling individuals to benefit from free news and updates that may be of interest to them and enabling us to demonstrate and promote our skills and expertise and raise our profile.|
|Communicating with individuals, e.g. in response to an enquiry.||
|Our legitimate interests in communicating with individuals that contact us.|
Sending marketing communications such as our monthly e-newsletter (see more on this in the ‘Using personal data for marketing purposes’ section below).
|Our legitimate interests in promoting our business, services, learning resources, skills and expertise, maintaining relationships with our clients, driving sales and sustaining and growing our business.|
Client relationship management, including dealing with complaints, keeping records of our interactions with clients and other people and keeping in contact with clients and other people with whom we have interacted.
|Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints and maintaining relationships with clients, people who have attended our training sessions and workshops and others who have expressed an interest in our services and learning resources.|
|Tracking recipients’ interactions with our monthly e-newsletter.||
|Our legitimate interests in monitoring and improving our e-newsletter.|
As part of our business development activities we may also use personal data obtained from publicly available sources to identify individuals who work for organisations that we consider might have an interest in our services and resources, in order to send marketing communications to such individuals in their capacity as business contacts for such organisations.
Individuals can opt out of receiving our marketing communications by clicking on any unsubscribe link in the emails or emailing firstname.lastname@example.org at any time.
We regularly assess the contacts in our customer relationship management (CRM) database and their interactions with our marketing content, website and resources to inform our decisions about who to send marketing communications to and ensure that the marketing communications we do send are relevant and suitable to the recipients. Where contacts in our CRM database have not interacted with our marketing content, website or resources for a significant period (e.g. 6 months), we may stop sending some or all marketing communications to such individuals and may remove the contact from our CRM database.
In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes:
Establishing, exercising or defending legal claims
|Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others|
|Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice||Our legitimate interests in protecting our business against risks|
|Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator.||Compliance with a legal obligation|
|Protecting a person’s vital interests||Protection of vital interests|
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Necessary for the performance of a contract: processing of personal data is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract
The personal data described in this notice may be shared with the following categories of recipients, where and to the extent necessary for the purposes described in this notice.
|Service provider name||Nature of services||Type of personal data processed|
|Google LLC||Website analytics (Google Analytics)||Usage data|
|Backblaze, Inc.||Cloud data storage and back-up||All categories of personal data described in this notice|
|HubSpot Ireland Limited||
Customer relationship management (CRM) platform
|HubSpot Ireland Limited||Management of our social media interactions||Correspondence data received via private or direct message using our social media accounts|
|HubSpot Ireland Limited||Website hosting||Webinar request data, resource request data, blog subscription data and correspondence data using our web contact form|
|HubSpot Ireland Limited||Provision of the various web forms on our website and processing of data collected using them||Webinar request data, resource request data, blog subscription data and correspondence data using our web contact form|
|SharpSpring, Inc.||Delivery of our monthly e-newsletters; provides statistics around email opening and clicks to help us monitor and improve our e-newsletter||Names and email addresses comprised in contract data, attendee data, webinar request data, resource request data, blog subscription data, correspondence data, plus e-newsletter tracking data|
|ClickMeeting Sp. z.o.o||Platform for organization and delivery of our live webinars||Webinar request data, usage data and any additional information provided by webinar participants during live webinars|
|Pay Pal (Europe) S.a.r.l. et Cie, S.C.A||Payment processing of fees for our services||Contract data|
There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above.
In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.
This section describes the circumstances in which the personal data we process may be transferred to countries outside the European Economic Area (EEA) and the safeguards in place to protect that data once it has been transferred.
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the European Economic Area in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
EU-U.S. Privacy Shield: this is an adequacy decision of the European Commission in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the Privacy Shield Framework Principles contained in Annex II to the European Commission Implementing Decision (EU) 2016/1250 of 12 July 2016. Further information can be found on the Privacy Shield website: and in the ICO guidance
Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.
Standard contractual clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses. See the Europa website for more information on, and links to, the standard contractual clauses.
We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.
We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:
These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, protecting a person’s vital interests or the establishment, exercise or defence of legal claims.
Upon expiry of the applicable retention period we will delete personal data in accordance with applicable laws and regulations.
Unfortunately the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.
You have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:
The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.
Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.
Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.
Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.
Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).
Data portability: where processing of your personal data is based on performance of a contract or your consent and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
Withdraw consent: where any processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. As we do not carry out any processing of the personal data described in this notice on the basis of consent, this right does not apply in respect of the processing described in this notice.
How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to email@example.com, in addition to any other contact methods specified in this notice.
How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Relevant contact details for the UK supervisory authority, the ICO, can be found here.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.
Cookies are either 'persistent' cookies or 'session' cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.
Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.
We also use other similar storage technologies such as web beacons (also known as "tracking pixels" or "clear gifs"), from our email services provider SharpSpring, Inc., to collect or receive information about recipients’ interactions with our e-newsletter. These are tiny graphics files that contain a unique identifier that allow us to measure the effectiveness of our e-newsletter by understanding the actions that people take in response to receiving it.
We use SharpSpring email services to analyse recipients’ interactions with our e-newsletter. SharpSpring gathers information about email openings and clicks using various industry standard technologies including clear gifs. The information gathered relating to our e-newsletter is used to create reports about recipients’ interactions with our e-newsletter.
Please click here for a list of cookies and similar technologies that we use.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
Blocking all cookies will have a negative impact upon the usability of many websites, and if you block cookies, you will not be able to use all the features on our website.
This website is owned and operated by Oxford Creativity Limited. We are a private limited company incorporated in England and Wales (registered company number 03850535), having its registered office at 6-7 Bankside, Hanborough Business Park, Long Hanborough, Witney, Oxfordshire, OX29 8LJ.
We own the trademark brand 'Oxford TRIZ™'.
We are registered as a fee payer with the UK Information Commissioner's Office. Our data protection registration number is Z1571297.
You can contact us using the web contact form or any of the contact details published on the ‘Contact’ page of our website from time to time.
For enquiries relating to this notice or our processing of personal data, please contact firstname.lastname@example.org.
We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.