Privacy and Cookies notice

Privacy and Cookies notice

Introduction

We are Oxford Creativity Limited. You can find further details about us and how to contact us in the 'Our details' section. In this notice, "we", "us" and "our" refer to Oxford Creativity Limited. We own the trademark brand 'Oxford TRIZ™'.

This notice explains how we handle the personal data we obtain about our website visitors, clients and people who contact us. For the purposes of EU data protection law, we are the ‘controller’ of this personal data (meaning that we determine why and how it is processed).

How we use your personal data

Types of personal data we process

The types of personal data we process in the normal course of our business are:

  • Usage data: data about website visitors’ use of our website, such as IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, website navigation paths and interactions with our marketing content, website and resources. This data is collected automatically by our analytics tracking system and third party services and involves the use of cookies. (See ‘Our use of cookies’ section for more information about our use of cookies.)
  • Contract data: data relating to our individual clients and our business clients’ personnel and representatives that we obtain in connection with entering into and performing contracts for the provision of our training and consultancy services to individual and business clients, such as names, email addresses, postal addresses and telephone numbers, job titles and payment details.
  • Attendee data: data relating to the individuals who attend our training sessions and workshops, such as names, email addresses, job titles and the companies they work for. This data may be provided to us directly by the individuals who attend our training sessions and workshops, either in advance of or during the sessions, and/or we may receive details of attendees from our business clients in respect of training sessions and workshops we provide for them.
  • Webinar request data: data relating to individuals who request to download on-demand webinars or participate in live webinars available via our website, including name, email address, phone number, company name and country. We obtain this data when people complete and submit the webinar registration forms on our website.
  • Resource request data: data relating to individuals who request access to the resources made available via the ‘learning centre’ section of our website, including name, email address, phone number, company name and country. We obtain this data when people complete and submit download request forms on our website.
  • Blog subscription data: data relating to individuals who subscribe to our blog, including name and email address. We obtain this data when people complete and submit blog subscription forms on our website.
  • Correspondence data: information contained in or relating to any communications we receive, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication. We obtain this data when people contact us by email, phone, using our web contact form or webchat function or via social media platforms or any other method of communication. If you use our web contact form, our website will generate the metadata associated with communications made using it.
  • e-newsletter tracking data: information about recipients’ interactions with the newsletter such as email opening and clicks, obtained automatically by our email services provider using various technologies including clear gifs. (See ‘Our use of cookies’ section for more information about our use of these technologies.)

Core processing purposes

The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so are set out in the table below. An explanation of what the different legal bases mean can be viewed here.

Purposes of processing Types of personal data Legal basis
Analysing use of our website, e.g. finding out how many people visit various parts of the site.

Usage data

 

Our legitimate interests in monitoring, maintaining, improving and protecting our website.

Providing our training and consultancy services to clients and communicating with clients in connection with providing those services.

 

 

 

 

 

 

Contract data

Attendee data

 

 

 

 

 

 

 

 

In respect of individual clients, the legal basis we rely on is that our processing is necessary for the performance of a contract with the individual to provide training to them.
In respect of business clients, the legal basis we rely on is that our processing is necessary for the purposes of our legitimate interests in providing our training and consultancy services to our business clients.

Providing our free online learning resources to individuals that request them.

 

 

 

 

Webinar request data

Resource request data

 

 

 

 

Our legitimate interests in providing our free online resources to individuals that request them, enabling individuals to benefit from free learning opportunities and enabling us to demonstrate and promote our skills and expertise and raise our profile.

Providing our blog articles and insights to individuals that request them.

 

 

 

 

Blog subscription data

 

 

 

 

 

Our legitimate interests in providing our blog articles and insights to individuals that request them, enabling individuals to benefit from free news and updates that may be of interest to them and enabling us to demonstrate and promote our skills and expertise and raise our profile.
Communicating with individuals, e.g. in response to an enquiry.

Correspondence data

 

Our legitimate interests in communicating with individuals that contact us.

Sending marketing communications such as our monthly e-newsletter (see more on this in the ‘Using personal data for marketing purposes’ section below).

 

Contract data
Attendee data
Webinar request data
Resource request data
Blog subscription data
Correspondence data

 

Our legitimate interests in promoting our business, services, learning resources, skills and expertise, maintaining relationships with our clients, driving sales and sustaining and growing our business.

Client relationship management, including dealing with complaints, keeping records of our interactions with clients and other people and keeping in contact with clients and other people with whom we have interacted.

 

Contract data
Attendee data
Webinar request data
Resource request data
Blog subscription data
Correspondence data

 

 

 

Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints and maintaining relationships with clients, people who have attended our training sessions and workshops and others who have expressed an interest in our services and learning resources.
Tracking recipients’ interactions with our monthly e-newsletter.

e-newsletter tracking data

 

Our legitimate interests in monitoring and improving our e-newsletter.


Using personal data for marketing purposes


We may use names and email addresses comprised within contract data, attendee data, webinar request data, resource request data, blog subscription data and correspondence data to send email marketing communications relating to our business, services and learning resources:
  • to individuals who have attended any of our training sessions or workshops
  • to individual clients
  • to individuals who are personnel or representatives of our business clients
  • to individuals who have interacted with us, our website or learning resources, e.g. by contacting us using our web contact form, downloading resources available on our website, subscribing to our blog or registering for webinars

As part of our business development activities we may also use personal data obtained from publicly available sources to identify individuals who work for organisations that we consider might have an interest in our services and resources, in order to send marketing communications to such individuals in their capacity as business contacts for such organisations.

Individuals can opt out of receiving our marketing communications by clicking on any unsubscribe link in the emails or emailing contact@triz.co.uk at any time.

Review, retention and deletion of marketing contacts

We regularly assess the contacts in our customer relationship management (CRM) database and their interactions with our marketing content, website and resources to inform our decisions about who to send marketing communications to and ensure that the marketing communications we do send are relevant and suitable to the recipients. Where contacts in our CRM database have not interacted with our marketing content, website or resources for a significant period (e.g. 6 months), we may stop sending some or all marketing communications to such individuals and may remove the contact from our CRM database.

Other processing purposes

In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes:

Purpose Legal Basis

Establishing, exercising or defending legal claims

 

Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others
Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice Our legitimate interests in protecting our business against risks
Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator. Compliance with a legal obligation
Protecting a person’s vital interests Protection of vital interests


Explanation of legal bases

It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.

Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate

Necessary for the performance of a contract: processing of personal data is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract

Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law

Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual

Recipients of personal data

The personal data described in this notice may be shared with the following categories of recipients, where and to the extent necessary for the purposes described in this notice.

  • Insurers and professional advisers: such as lawyers, accountants and business and marketing consultants
  • Organisations or individuals engaged by us in the course of providing our services: such as individual consultants who deliver our training events and workshops (or their personal service companies)
  • Prospective buyer: if we propose to sell or do sell any of our business or assets
  • Social media platforms: if you communicate with us via twitter, LinkedIn or Facebook, the providers of those platforms will process correspondence data sent or received via those platforms
  • Service providers: we use a number of service providers in connection with our website, services, communications and IT infrastructure, which involves those service providers processing some of the personal data described in this notice to the extent necessary to provide the relevant services. We currently use the following providers:
Service provider name Nature of services Type of personal data processed
Google LLC Website analytics (Google Analytics) Usage data
Backblaze, Inc. Cloud data storage and back-up All categories of personal data described in this notice
HubSpot Ireland Limited

Customer relationship management (CRM) platform

 

Contract data, attendee data, webinar request data, resource request data, blog subscription data, correspondence data

HubSpot Ireland Limited Management of our social media interactions Correspondence data received via private or direct message using our social media accounts
HubSpot Ireland Limited Website hosting Webinar request data, resource request data, blog subscription data and correspondence data using our web contact form
HubSpot Ireland Limited Provision of the various web forms on our website and processing of data collected using them Webinar request data, resource request data, blog subscription data and correspondence data using our web contact form
SharpSpring, Inc. Delivery of our monthly e-newsletters; provides statistics around email opening and clicks to help us monitor and improve our e-newsletter Names and email addresses comprised in contract data, attendee data, webinar request data, resource request data, blog subscription data, correspondence data, plus e-newsletter tracking data
ClickMeeting Sp. z.o.o Platform for organization and delivery of our live webinars Webinar request data, usage data and any additional information provided by webinar participants during live webinars
Pay Pal (Europe) S.a.r.l. et Cie, S.C.A Payment processing of fees for our services Contract data

There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above.

In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.

International transfers of personal data

This section describes the circumstances in which the personal data we process may be transferred to countries outside the European Economic Area (EEA) and the safeguards in place to protect that data once it has been transferred.

  • Our use of Google Analytics involves a transfer of usage data outside the EEA – to Google LLC in the U.S.A. and to its sub-processors in the U.S.A. and elsewhere. Google LLC processes usage data as a processor on our behalf. Google LLC participates in the EU-U.S. Privacy Shield and its registration can be viewed here.
  • Our use of BackBlaze cloud data storage and backup involves a transfer of contract data, attendee data, webinar request data, resource request data, blog subscription data and correspondence data outside the EEA – to BackBlaze, Inc. in the U.S.A. and to its sub-processors in the U.S.A and potentially elsewhere. BackBlaze, Inc. processes this data as a processor on our behalf. BackBlaze, Inc. participates in the EU-U.S. Privacy Shield and its registration can be viewed here.
  • Our use of HubSpot CRM, social media management software, website hosting and web forms involves a transfer of contract data, attendee data, webinar request data, resource request data, blog subscription data, and correspondence data outside the EEA – to Hubspot, Inc. in the U.S.A. and to its sub-processors based in the U.S.A. and elsewhere. Hubspot, Inc. processes this data as a processor on our behalf. HubSpot, Inc. participates in the EU-U.S. Privacy Shield and its registration can be viewed here. Hubspot, Inc. also enters into the controller-to-processor standard contractual clauses with EU customers.
  • Our use of SharpSpring email services involves a transfer of contract data, attendee data, webinar request data, resource request data, blog subscription data and correspondence data outside the EEA – to SharpSpring, Inc. in the U.S.A. and to its sub-processors based in the U.S.A. and elsewhere. SharpSpring, Inc. processes this data as a processor on our behalf. SharpSpring, Inc. participates in the EU-U.S. Privacy Shield and its registration can be viewed here.
  • Our use of ClickMeeting may involve transfers of webinar request data, usage data and any additional information provided by webinar participants during live webinars outside the EEA. ClickMeeting Sp. Z.o.o. processes this data as a processor on our behalf. Although ClickMeeting Sp. Z.o.o. is based in Poland, some of its sub-processors are based in the U.S.A. ClickMeeting Sp. Z.o.o. ensures that there is a safeguard in place, such as Privacy Shield, in respect of each sub-processor.
  • If you use PayPal to pay for our training courses online, contract data and information relating to the payment may be transferred outside the EEA. PayPal (Europe) S.a.r.l. et Cie, S.C.A. processes this information as a controller and uses various safeguards in respect of transfers outside the EEA that occur as a result of individuals using its services. See the ‘international transfers’ section of PayPal’s privacy policy for more information.

In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the European Economic Area in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.

Explanation of terms:

EU-U.S. Privacy Shield: this is an adequacy decision of the European Commission in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the Privacy Shield Framework Principles contained in Annex II to the European Commission Implementing Decision (EU) 2016/1250 of 12 July 2016. Further information can be found on the Privacy Shield website:  and in the ICO guidance

Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.

Standard contractual clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses. See the Europa website for more information on, and links to, the standard contractual clauses.

Retention and deletion of personal data

We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.

We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:

  • Usage data: the website analysis statistics provided to us by Google are retained by us for 1 year, however, these contain only aggregated data that do not enable us to identify individual users. Information provided to us by Hubspot about individuals’ interactions with our marketing content, website and resources is stored in our CRM system – see section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • Contract data: we retain copies of the contracts and records of related financial transactions for 6 years after the relevant client contract has terminated, however, we will add relevant client details to our CRM system and store these for our ongoing marketing and client relationship purposes. See section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • Attendee data: we retain copies of attendee lists for 1 year after the relevant event, however, we will add relevant attendee details to our CRM system and store these for our ongoing marketing and client relationship purposes. See section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • Webinar request data: the details collected by the request form are automatically added to our CRM system and stored for our ongoing marketing and client relationship purposes. The form itself is automatically deleted once the details have been added to our CRM system. See section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • Resource request data: the details collected by the request form are automatically added to our CRM system and stored for our ongoing marketing and client relationship purposes. The form itself is automatically deleted once the details have been added to our CRM system. See section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • Blog subscription data: the details collected by the request form are automatically added to our blog emailing list until we receive an unsubscribe request from the individual and will also automatically be added to our CRM system and stored for our ongoing marketing and client relationship purposes. The form itself is automatically deleted once the details have been added to our CRM system. See section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • Correspondence data: the details collected by the web contact form and webchat form are automatically added to our CRM system and stored for our ongoing marketing and client relationship purposes. The form itself is automatically deleted once the details have been added to our CRM system. Email correspondence is stored in accordance with standard email retention and archiving procedures, and relevant details obtained from email correspondence may be manually added to our CRM system. See section on ‘Review, retention and deletion of marketing contacts’ for detail on our retention procedures for CRM data.
  • E-newsletter tracking data: the data provided to us by SharpSpring are retained by us for 1 year.

These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, protecting a person’s vital interests or the establishment, exercise or defence of legal claims.

Upon expiry of the applicable retention period we will delete personal data in accordance with applicable laws and regulations.

Security of personal data

We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.

Unfortunately the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.

Your rights

You have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:

  • access your personal data
  • obtain rectification or erasure of your personal data
  • restrict and/or object to processing of your personal data
  • have your personal data ‘ported’ to you or another organisation
  • complain to a supervisory authority about our processing of your personal data
  • withdraw consent to our processing of your personal data (where you have given consent)

The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.

Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.

Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.

Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.

Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).

Data portability: where processing of your personal data is based on performance of a contract or your consent and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

Withdraw consent: where any processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. As we do not carry out any processing of the personal data described in this notice on the basis of consent, this right does not apply in respect of the processing described in this notice.

How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to dataprotection@triz.co.uk, in addition to any other contact methods specified in this notice.

How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Relevant contact details for the UK supervisory authority, the ICO, can be found here.

Our use of cookies

What is a cookie?

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.

Cookies are either 'persistent' cookies or 'session' cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.

Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.

We also use other similar storage technologies such as web beacons (also known as "tracking pixels" or "clear gifs"), from our email services provider SharpSpring, Inc., to collect or receive information about recipients’ interactions with our e-newsletter. These are tiny graphics files that contain a unique identifier that allow us to measure the effectiveness of our e-newsletter by understanding the actions that people take in response to receiving it.

Third party analytics service providers

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create statistics about the use of our website, which are provided to us in aggregated form. Further information about Google Analytics and Google's privacy policy is available here.
 
We use SharpSpring email services to analyse recipients’ interactions with our e-newsletter. SharpSpring gathers information about email openings and clicks using various industry standard technologies including clear gifs. The information gathered relating to our e-newsletter is used to create reports about recipients’ interactions with our e-newsletter.

Please click  here for a list of cookies and similar technologies that we use.

Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

Blocking all cookies will have a negative impact upon the usability of many websites, and if you block cookies, you will not be able to use all the features on our website.

Our details

This website is owned and operated by Oxford Creativity Limited. We are a private limited company incorporated in England and Wales (registered company number 03850535), having its registered office at 6-7 Bankside, Hanborough Business Park, Long Hanborough, Witney, Oxfordshire, OX29 8LJ.

We own the trademark brand 'Oxford TRIZ™'.

We are registered as a fee payer with the UK Information Commissioner's Office. Our data protection registration number is Z1571297.

You can contact us using the web contact form or any of the contact details published on the ‘Contact’ page of our website from time to time.

For enquiries relating to this notice or our processing of personal data, please contact dataprotection@triz.co.uk.

Changes to this notice

We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.