Our business consists of the operation of a will-writing scheme for the benefit of charities and selected law firms to which we provide services. We set out below important information about our processing of personal data by reference to the purposes for which we do so in the context of that business.
We have published this policy with the view of engendering your trust in our processes, so that you understand what we do and why, and in order that, if you wish to challenge them, you have information about your rights and how you can contact us.
The purposes are as follows:
We have included sections dedicated to describing your rights, our contact information generally, and how you can make a complaint.
This policy does not relate to our storage of personal data you upload to Bequeathed in the course of using our drafting tool, keeping a copy of the will you draft, and keeping a record of your questions and answers, so that you can access that information for your own purposes. We perform those tasks on your behalf as a processor under the Processor Terms.
We have adopted our Processor Terms and made them binding upon us for the benefit of certain of our users in the form of a deed. A reproduction of the terms of the deed can be found here. If you would like to see a copy of the deed itself, please contact us at [email protected]. We make a charge of £50 to provide a copy. Although you are not a party to the deed, if you are a registered consumer or professional end user who uses the will-drafting tool via the Website to draft a will we are liable to you if we breach the terms set out in the deed.
We believe that helping people to draft a good will is a worthwhile thing to do. The systems required to do so are complex and in order to make them available to you free of charge we rely on fees from other sources. Therefore, we have a legitimate interest in processing personal data in accordance with our scheme.
We also have a legitimate interest to keep all records relating to our business for our internal purposes and to deal with queries or complaints which may arise.
The legal basis on which we deal with people other than you depends on the circumstances. In all cases we make sure that we have a legitimate reason to do so in connection with our business.
We communicate and deal with all manner of people in the ordinary course of our business, whether suppliers, competent authorities, and others incidentally in connection with our business. In the course of doing so, having regard to the nature and purpose of those dealings, we will obtain and process personal data.
Unless you have told us otherwise, we will use your information:
We will retain your information for as long as we operate our will-writing scheme, and afterwards for the purposes of our Keeping Records and Accounts (see below).
We do not use or disclose data we obtain from anyone else for any purpose in the course of our business other than for which it was given to us.
If we sell or buy any business or assets we may disclose your information to the buyer or seller of the business or the assets. If we or substantially all of our business or assets are acquired by a third party, your information is likely to be included in the transfer.
The information about you that we use and disclose is collected through your use of this website and information we learn from your use of the website, or through your use of our other services.
The information we collect (excluding the information you upload to Bequeathed in the course of using our drafting tool which is addressed in the Processor Terms) is:
We will never collect information about you concerning your religion, beliefs, criminal record, health or sexuality without your explicit consent.
Our website sets cookies on your device, and may read cookies already on your device, regarding your use of our website and services. Please see our cookies policy for further details regarding the collection and use of this information.
We keep personal data only where and for so long as it is necessary to provide our products and services and afterwards for so long as necessary to meet our legal or regulatory obligations or, if longer, in relation to claims which could be made against us. Our normal practice is to keep information for at least 6 years.
This section is concerned with the systems we use to process personal data and our processing of personal data for internal purposes (other than personal data you upload in your use of our drafting tool which is addressed in the Processor Terms). It is not concerned with the nature of the data, the classes of individual on whom we process data, the classes of the data, the sources and disclosures of the data, nor the period of time for which we hold data. For information on those topics, please consult the other sections of this policy.
We process personal data using five principal systems: Rackspace, Intercom, Coview, Hotjar and Slack which we make work together using Zapier.
Our web application and data (i.e. data from the will-writing process) are hosted within Rackspace, in UK datacentres. So Rackspace’s policies and processes are our policies and processes for our physical and network security standards. Rackspace’s certifications are at https://www.rackspace.com/en-gb/certifications.
Rackspace is certified to the international standard for information security, ISO 27001. This certification also includes their internal International Global Security Services and Information Technology Infrastructure Services functions. This standard provides a framework for managing our security responsibilities and provides us with a secure environment via Rackspace’s Business Security Management System.
Rackspace is trusted by many of the world’s largest corporations. Since 2009 its system has provided the foundation for an integrated and sustainable security model working in tandem with other security controls such as PCI-DSS. It is subject to on-going external assessment by the certification body, BSI with a full re-assessment every three years.
We use a third party application called Intercom as the means by which we communicate with you and provide you with support via email and online chat. All your information sent from our website to Intercom is encrypted in transit. The API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests - meaning that Intercom only uses strong cipher suites and has features such as HSTS and Perfect Forward Secrecy fully enabled.
Our use of Intercom in this way means your information will be transferred through Intercom out of the EEA, primarily to Amazon Web Services facilities in the USA. Further details about the measures Amazon take in securing its facilities and services can be found here: https://aws.amazon.com/compliance/
Intercom adheres to the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal data from European Union member countries and Switzerland. Intercom, Inc. has certified adherence to and commits to apply the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
Further details about the measures Intercom takes in relation to privacy can be found here: https://www.intercom.com/terms-and-policies#eu-us
We use a third party application called Coview in order to be able to provide you with Support. Through Intercom, it enables us to request that you share your screen with us so that we can see what you do. Coview is based in Germany and is compliant with EU GDPR policy. For further details about the measures Coview takes in relation to privacy, visit https://docs.coview.com/docs/security-and-data-protection.
We use a third party application called Hotjar. It is a website heatmap tool that helps us see what people do on our website pages: where they click, how far they scroll, what they look at or ignore.
Hotjar Heatmaps collect anonymized user behavior data, so we get an overview of our visitor behavior while always protecting end-user privacy.
All data Hotjar collects is stored electronically in Ireland, Europe on the Amazon Web Services infrastructure, eu-west-1 datacenter. Its application servers and database servers run inside an Amazon VPC, Virtual Private Cloud. The database containing visitor and usage data is only accessible from the application servers and no outside sources are allowed to connect to the database. The data retention times are no longer than 365 days. For further details visit: https://help.hotjar.com/hc/en-us/sections/115003180467-Privacy-Security-and-Operations
We use a third party application called Slack to communicate within our business, not externally. We integrate Slack with Zendesk, Intercom and Fullstory so that we can discuss issues that are raised by users on our website amongst our team. Information collected by each of those applications may therefore also be collected by Slack and processed by Slack outside of the EEA.
Slack Technologies, Inc. has certified with the EU-U.S. and Swiss-U.S. Privacy Shield with respect to the personal data it receives and processes on behalf of its customers through its online workplace productivity tools and platform (the “Services”). Slack certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data submitted by its customers in participating European countries through the Services, and its Privacy Shield certification is available at https://www.privacyshield.gov/list. It may also process personal data its customers submit relating to individuals in the EU via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.
Further details about the measures that Slack takes in relation to privacy can be found here: https://slack.com/gdpr
We use Zapier to help make the other third-party systems work together. Zapier is EU-U.S. & Swiss-U.S. Privacy Shield compliant and details may be found at https://zapier.com/privacy/.
Our staff and representatives use computer and communications equipment to access these systems to perform their duties, and in particular work stations, laptop computers, other mobile computing devices and mobile phones. Personal data is stored on these devices appropriate to the use for the time being.
We use personal data for the following internal purposes:
In addition to the third party applications listed above, we have engaged external service providers to provide the following services:
All information you provide to us is stored on secure servers or encrypted devices. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use procedures and security features to try to prevent unauthorised access.
Please see our policy on this subject entitled Call Recording Policy.
Information processed via Intercom, Slack, FullStory and Zendesk is processed outside of the EEA. Data held at Rackspace is in the UK.
Individuals have several rights under data protection law in relation to how we process personal data. These are identified below. More information can be obtained from the Information Commissioner’s website at www.ico.org.uk.
We cannot charge for providing information where individuals exercise their rights, except that we may charge a reasonable fee based on our administrative costs to provide additional copies where requested in connection with a request to access data, or where we can demonstrate that requests are manifestly unfounded or excessive. In the latter case we may alternatively refuse to act on a request.
If someone wishes to exercise any of their rights, please contact us at [email protected]
If someone has a complaint about our handling of personal data, we ask that they contact us at [email protected].
If we are unable to resolve a complaint, the matter can be referred to the Information Commissioner's Office. Here are the contact details: www.ico.org.uk/concerns/. A claim may also lie in the courts.