Data retention policy
We retain personal data for as long as necessary for the relevant activity for which it was provided or collected. This will be for as long as we provide access to the website or services to you, your account with us remains open or any period set out in any relevant contract you have with us. However, we may keep some data after your account is closed or you cease using the services for the purposes set out below.
After your account has been closed, we usually delete personal data. However, we may retain personal data where reasonably necessary to comply with our legal obligations (including law enforcement requests), to meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our Terms and Conditions, or fulfil your request to “unsubscribe” from further messages from us.
We may retain de-personalised information after your account has been closed.
Please note: After you have closed your account or deleted information from your account, any information you have shared with others will remain visible. We do not control data that other users may have copied from the website or services.
Data archiving and removal policy
You can make a request for deletion or rectification of data by writing to us at the contact address given at the end of this Privacy Policy. We will respond to such queries within 30 days and deal with requests we receive from you, in accordance with the provisions of Data Protection Law.
Additionally, at the termination of a contract, the following clauses apply.
13. Termination
The Company may terminate this Agreement or the provision of any Services provided pursuant to this Agreement with immediate effect by giving written notice to the Customer if: (i) the Customer has used or permitted the use of the Services otherwise than in accordance with this Agreement; or (ii) the Company is prohibited under the laws of England or otherwise from providing the Services.
Either party may terminate this Agreement with immediate effect on giving written notice to the other party if: (i) the other party commits a material breach of any term of the Agreement and (if such a breach is remediable) the breaching party fails to remedy that breach within 30 (thirty) days of being notified in writing of the breach; (ii) the other party suspends or ceases, or threatens to suspend or cease, to carry on all or a substantial part of its business; and/or (iii) the other party is unable to pay its debts or enters into compulsory or voluntary liquidation (other than for the purpose of effecting a reconstruction or amalgamation in such manner that the Company resulting from such reconstruction or amalgamation shall be bound by and assume the Company's obligations hereunder); (iv) the other party compounds with or convenes a meeting of its creditors or has a receiver, manager or similar official appointed in respect of its assets; or (v) the other party has an administrator appointed or documents are filed with the court for the appointment of an administrator or notice is given of an intention to appoint an administrator by such party or its directors or by a qualifying floating charge holder (as defined in the Insolvency Act 1986, paragraph 14 schedule B1); or (vi) any similar event occurs under the law of any other jurisdiction in respect of that party.
Data will be retained in backups for 35 days after initial deletion.
Data storage policy
Data storage policy is covered by the data processing agreement (https://help.appraisd.com/hc/en-us/articles/360007779458-Data-Processing-Agreement) and is audited to be ISO27001 compliant.
Of particular relevance is:
8. Separation Control
Technical and organisational measures regarding purposes of collection and separated processing:
Personal Data used for internal purposes only e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.
Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.
Customer Data is stored in a way that logically separates it from other customer data.
Customer data is encrypted at rest using AES 256-bit encryption and data in transit is protected by Transport Layer Security (“TLS”).
Data center location(s)
United Kingdom
Data hosting details
Data is hosted with Microsoft Azure in the UK unless otherwise agreed with your account manager.
Data hosting company
Azure
App/service has sub-processors
yes
Guidelines for sub-processors