Who We Are And About This Policy

This is the privacy policy of Bequeathed Limited (company number 10960116), whose registered office is at West End Farmhouse, Long Marston Road, Cheddington, LU7 0RS, telephone 020 3411 9730, and e-mail [email protected] In this policy we refer to ourselves as we and to users of this website as you (and related expressions must be interpreted accordingly).

Our business consists of the operation of a will-writing scheme for the benefit of charities and selected law firms to which we provide services. We set out below important information about our processing of personal data by reference to the purposes for which we do so in the context of that business.

We have published this policy with the view of engendering your trust in our processes, so that you understand what we do and why, and in order that, if you wish to challenge them, you have information about your rights and how you can contact us.

The purposes are as follows:

  • Conduct our will-writing scheme and maintaining a database of wills
  • Keeping records and accounts
  • Recording of in-coming and out-going telephone calls
  • Operating our business
  • Our website and use of cookies and tracking technologies

We have included sections dedicated to describing your rights, our contact information generally, and how you can make a complaint.

This policy does not relate to our storage of personal data you upload to Bequeathed in the course of using our drafting tool, keeping a copy of the will you draft, and keeping a record of your questions and answers, so that you can access that information for your own purposes. We perform those tasks on your behalf as a processor under the Processor Terms.

We have adopted our Processor Terms and made them binding upon us for the benefit of certain of our users in the form of a deed. A reproduction of the terms of the deed can be found here. If you would like to see a copy of the deed itself, please contact us at [email protected]. We make a charge of £50 to provide a copy. Although you are not a party to the deed, if you are a registered consumer or professional end user who uses the will-drafting tool via the Website to draft a will we are liable to you if we breach the terms set out in the deed.

The Legal Basis On Which We Process Personal Data

We believe that helping people to draft a good will is a worthwhile thing to do. The systems required to do so are complex and in order to make them available to you free of charge we rely on fees from other sources. Therefore, we have a legitimate interest in processing personal data in accordance with our scheme.

We also have a legitimate interest to keep all records relating to our business for our internal purposes and to deal with queries or complaints which may arise.

The legal basis on which we deal with people other than you depends on the circumstances. In all cases we make sure that we have a legitimate reason to do so in connection with our business.

When We Collect Information From You

We will not obtain personal information about you before you register with us to use our will-drafting services. However, see our cookie policy in relation to cookies and tracking technologies.

We communicate and deal with all manner of people in the ordinary course of our business, whether suppliers, competent authorities, and others incidentally in connection with our business. In the course of doing so, having regard to the nature and purpose of those dealings, we will obtain and process personal data.

Using And Disclosing The Information You Provide

Unless you have told us otherwise, we will use your information:

  • we will use your contact details to communicate with you during the will-writing process and after, including to help you maintain your will, and, if you opt in, to contact you about our products and services;
  • to identify when your will is affected by a change in the law;
  • in anonymised form, to inform charities as to our user-base and legacy-giving;
  • subject to your express permission, we will inform the relevant charity if you have included a legacy-gift in your will and provide the charity with your contact details;
  • where you have arrived at this website via a link on the website of one of our panel law firms or customer charities, to mark you as contact of that law firm and/or charity so that we may tailor our communications to you accordingly;
  • subject to your express permission, to provide a panel law firm that you have told us you wish to take legal advice from with your contact details;
  • to administer your user account;
  • to provide contextual online support to you during your use of the system or tools;
  • to process any request for advice or information;
  • to customise this website;
  • to ensure that any content you post complies with the terms and conditions of use of the website;
  • to ensure that content from our site is presented in the most effective manner for you and for your computer;
  • to allow you to participate in interactive features of our service, when you choose to do so;
  • to notify you about changes to our service; and
  • to analyse how our website is used and share anonymous information relating to that use with third parties.

We will retain your information for as long as we operate our will-writing scheme, and afterwards for the purposes of our Keeping Records and Accounts (see below).

We do not use or disclose data we obtain from anyone else for any purpose in the course of our business other than for which it was given to us.

If we sell or buy any business or assets we may disclose your information to the buyer or seller of the business or the assets.  If we or substantially all of our business or assets are acquired by a third party, your information is likely to be included in the transfer.

We have implemented the Google Analytics Demographics and Interest Reporting feature which provides us with aggregated information about the age and gender of our users, along with the interests they express through their online activities. Details of how we use Google Analytics cookies are contained in our cookie policy. You can opt out of the Google Analytics Demographics and Interest Reporting feature by changing your Google Ads settings by visiting https://myaccount.google.com/privacy?pli=1#ads. Alternatively, Google Analytics provides an opt-out add-on for certain internet browsers at https://tools.google.com/dlpage/gaoptout/.

Collection Of Your Information

The information about how you that we use and disclose is collected through your use of this website and information we learn from your use of the website, or through your use of our other services.

The information we collect (excluding the information you upload to Bequeathed in the course or using our drafting tool which is addressed in the Processor Terms) is:

  • how you arrived at our site
  • your name, email address, postcode
  • the pages you have visited on our website
  • any information you choose to provide us with in online chat

We will never collect information about you concerning your religion, beliefs, criminal record, health or sexuality without your explicit consent.

Cookies And Tracking Technologies

Our website sets cookies on your device, and may read cookies already on your device, regarding your use of our website and services. Please see our cookies policy for further details regarding the collection and use of this information.

Keeping Records And Accounts

We keep personal data only where and for so long as it is necessary to provide our products and services and afterwards for so long as necessary to meet our legal or regulatory obligations or, if longer, in relation to claims which could be made against us. Our normal practice is to keep information for at least 6 years.

Operating Our Business

This section is concerned with the systems we use to process personal data and our processing of personal data for internal purposes (other than personal data you upload in your use of our drafting tool which is addressed in the Processer Terms). It is not concerned with the nature of the data, the classes of individual on whom we process data, the classes of the data, the sources and disclosures of the data, nor the period of time which we hold data. For information on those topics, please consult the other sections of this policy.

We process personal data using five principal systems: Rackspace, Intercom, Zendesk, FullStory and Slack.

Rackspace

Our web application and data (i.e. data from the will-writing process and addressed in the Processor Terms) are hosted within Rackspace, in UK datacentres. All data processed Rackspace is certified to the international standard for information security, ISO 27001. This certification also includes their internal International Global Security Services and Information Technology Infrastructure Services functions. This standard provides a framework for managing our security responsibilities and provides us with a secure environment via Rackspace’s Business Security Management System.

Rackspace is trusted by many of the world’s largest corporations. Since 2009 its system has provided the foundation for an integrated and sustainable security model working in tandem with other security controls such as PCI-DSS. It is subject to on-going external assessment by the certification body, BSI with a full reassessment every three years.

Intercom

We use a third party application called Intercom as the means by which we communicate with you and provide you with support via email and online chat. All your information sent from our website to Intercom is encrypted in transit. The API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests - meaning that Intercom only uses strong cipher suites and has features such as HSTS and Perfect Forward Secrecy fully enabled.

Our use of Intercom in this way means your information will be transferred through Intercom out of the EEA, primarily to Amazon Web Services facilities in the USA. Further details about the measures Amazon take in securing its facilities and services can be found here: https://aws.amazon.com/compliance/

Intercom adheres to the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal data from European Union member countries and Switzerland. Intercom, Inc. has certified adherence to and commits to apply the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.

Further details about the measures Intercom takes in relation to privacy can be found here: https://www.intercom.com/terms-and-policies#eu-us

Zendesk

We use a third party application called Zendesk to manage any request you make of us to introduce you to one of our panel law firms so that they may, subject to their terms and conditions, provide you with legal advice. We also use Zendesk for telephone calls as addressed in our Call Recording Policy.

Your information that we collect will be attached to a Zendesk ticket that is used to provide your details and the nature of the advice you are seeking to the panel law firm. That information will be stored in the Zendesk system and transferred outside of the EEA.

Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Its certifications confirm that it complies with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.

Further details about the measures Zendesk takes in relation to privacy can be found here: https://www.zendesk.co.uk/company/customers-partners/eu-data-protection/#gdpr-sub.

FullStory

We use a third party application called FullStory that records your use of our website so that we may look back at what you have done on the website when you ask us to provide you with support.

FullStory complies with both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland to the United States. FullStory has certified that it adheres to the Privacy Shield Principles. 

FullStory production data is both processed and stored within Google Cloud Platform’s data centers. All Google data centers that process FullStory data are located in the US. Google’s data centers are world-renowned for their state of the art security systems.

Further details about the measures that FullStory takes in relation to privacy can be found here: https://www.fullstory.com/resources/fullstory-gdpr-you/. Further details about the measures that Google takes in relation to privacy can be found here: https://cloud.google.com/security/overview/whitepaper#state-of-the-art_data_centers

Slack

We use a third party application called Slack to communicate within our business, not externally. We integrate Slack with Zendesk, Intercom and Fullstory so that we can discuss issues that are raised by users on our website amongst our team. Information collected by each of those applications may therefore also be collected by Slack and processed by Slack outside of the EEA. 

Slack Technologies, Inc. has certified with the EU-U.S. and Swiss-U.S. Privacy Shield with respect to the personal data it receives and process on behalf of its customers through its online workplace productivity tools and platform (the “Services”). Slack certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data submitted by its customers in participating European countries through the Services, and its Privacy Shield certification is available at https://www.privacyshield.gov/list. It may also process personal data its customers submit relating to individuals in the EU via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Further details about the measures that Slack takes in relation to privacy can be found here: https://slack.com/gdpr

Computers and mobile devices

Our staff and representatives use computer and communications equipment to access these systems to perform their duties, and in particular work stations, laptop computers, other mobile computing devices and mobile phones. Personal data is stored on these devices appropriate to the use for the time being.

We use personal data for the following internal purposes:

  • Training
  • Corporate governance and management

External service providers

In addition to the third party applications listed above, we have engaged external service providers to provide the following services:

  • Tier 2 Consulting Limited, for developing and maintaining our technology platform

Storage

All information you provide to us is stored on secure servers or encrypted devices. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use procedures and security features to try to prevent unauthorised access.

Recording Of In-Coming And Out-Going Telephone Calls

Please see our policy on this subject entitled Call Recording Policy.

Where Information Is Processed

Information processed via Intercom, Slack, FullStory and Zendesk is processed outside of the EEA. Data held at Rackspace is in the UK. 

Your Rights

Individuals have several rights under data protection law in relation to how we process personal data. These are identified below. More information can be obtained from the Information Commissioner’s website at www.ico.org.uk.

We cannot charge for providing information where individuals exercise their rights, except that we may charge a reasonable fee based on our administrative costs to provide additional copies where requested in connection with a request to access data, or where we can demonstrate that requests are manifestly unfounded or excessive. In the latter case we may alternatively refuse to act on a request.

If someone wishes to exercise any of their rights, please contact us at [email protected]

  • Right to be given clear and easy to understand information on what personal information we have, why and who we share it with.
  • Right to access information that we hold as personal data, subject to protecting the interests of others as appropriate.
  • Where any information we hold is inaccurate or incomplete, we can be required to rectify it.
  • Right for information to be deleted or removed if there is not a compelling reason for us to retain it.
  • Right to restrict processing of personal data for certain reasons.
  • Right for a copy of personal data to be provided for personal purposes to use across different services, including to transfer the personal information we hold to another company.
  • Where we are subject to a breach of security which is likely to result in a high risk to individuals about whom we hold data we must communicate the breach to the individuals concerned without undue delay. In some cases, this may be done by public communications. This right is subject to certain exceptions where measures have been taken to protect the information.
  • Right to object to processing of personal data.
    • You can object to us processing your personal data where it is based on our legitimate interests, in which case we can no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
    • You can object at any time to our use of personal data relating to you in connection with our direct marketing. Where you do so, the personal data shall not afterwards be processed for such purposes.
    • Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing.
    • Where we are processing personal data about you with your consent you can withdraw it at any time.

Contact

If you have any questions about this Privacy Policy or the personal data we will obtain and process about you, please contact us at [email protected].

If somoen has a complaint about our handling of personal data, we ask that thy contact us at [email protected].

If we are unable to resolve a complaint, the matter can be referred to the Information Commissioner's Office. Here are the contact details: www.ico.org.uk/concerns/. A claim may also lie in the courts.