Data Protection Policies and Procedures
We collect the following data:
- Contact details (including email address)
- Demographic details (postcode, country)
- Business-related information (company name, nature, trading name)
- IP address
- Proof of identity and address for Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance.
Purpose: This data allows us to create your account, issue invoices, send updates, or contact you about your account. Note: We don't sell or distribute your information to third parties.
- Hoxton Mix CRM (Admin): Holds customer contact details, postal logs, KYC and AML checks, and audit reports related to suspicions of money laundering or terrorist financing. It also stores reports filed to Action Fraud and Audrey at Trading Standards.
- Plan Details
- Groove: Support desk ticketing system.
- Chargebee: Billing system.
Data Protection Measures
- Hoxton Mix CRM:
  - 256-bit SSL encryption for data in transit.
  - Secure access using Google login with 2-Step Verification.
  - External monitoring services.
  - Storage on Google Cloud Platform (GCP) and Amazon Web Services (AWS) with regular backups and stringent access controls.
- GitHub & GitLab:
  - Source code repository secured through 2-Step Verification.
- Groove: SMTP over SSL.
- Chargebee: PCI compliant with encrypted storage, ISO 27001:2013 certification, and EU-U.S. & Swiss-U.S. Privacy Shields.
- Twilio, Mailgun & MailerLite: Secured via 2-Step Verification.
- Developer Equipment: Laptops and mobile phones encrypted and secured with biometric authentication.
Data is retained according to the Money Laundering Regulations 2007 (MLR 2007) and the General Data Protection Regulation (GDPR). Identity check records and SARs are stored for up to five years after the end of the business relationship or SAR filing, respectively.
Legal Basis for Data Processing
Data collection and processing are compliant with:
- The Money Laundering Regulations 2007 (MLR 2007)
- London Local Authorities Act 2007
Communication of Privacy Information
Subject Access Requests
We respect your right to access, correct, or delete your personal information. Requests can be made under the Data Protection Act 1998. Fees apply for unfounded or excessive requests. Reach out to email@example.com for corrections.
Physical Data Measures
Physical data is safeguarded by locking filing cabinets and maintaining postal logs.
Compliance with GDPR and MLR 2007 determines our approach to deletion requests. Some data, such as KYC and AML documentation, must be retained for five years after the end of the business relationship. However, we make every effort to respect deletion requests where regulations permit.
Updated on: 17/08/2023