It’s always good to know where things stand. Here’s where we set out the important stuff regarding privacy so you know what’s what.
Collection of information
We collect Personal Data directly or indirectly from you, including in the following ways:
- when you access our websites;
- when you communicate with us, whether by phone, email, “contact us” forms, snail mail, courier, carrier pigeon, or by any other means;
- when you sign up for any of our sweepstakes, contests, or other promotions;
- when you request sample reports or other materials or information about us or our business;
- when you sign up for or attend any seminars, conferences, parties, get-togethers, pub crawls, or other events we put on, sponsor, host, or attend;
- referrals; and
- through automated means such as communication protocols and cookies (for more about cookies, see Cookies below).
Personal Data may include the following, not all of which we collect:
|Identifiers||Such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.|
|Personal information categories listed in the California Client Records statute (Cal. Civ. Code § 1798.80(e))||Such as a name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal data included in this category may overlap with other categories.|
|“Sensitive Personal Data” under the UK Data Protection Act 2018||Personal Data consisting of information as to: (a) the racial or ethnic origin of the data subject; (b) their political opinions; (c) their religious beliefs or other beliefs of a similar nature; (d) whether they are a member of a trade union; (e) their physical or mental health or condition; (f) their sexual life; (g) the commission or alleged commission by them of any offence; or (h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. We do not knowingly collect this type of data.|
|“Sensitive Personal Data” under the GDPR||Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not knowingly collect this type of data.|
|Protected classification characteristics under California or US federal law||Such as age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). We do not knowingly collect this type of data.|
|Commercial information||Such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. We do not knowingly collect this type of data.|
|Biometric information||Such as genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. We do not knowingly collect this type of data.|
|Internet or other similar network activity||Such as browsing history, search history, information on a person’s interaction with a website, application, or advertisement.|
|Geolocation data||We do not knowingly collect this type of data, but inferences about your location can be drawn from your IP address information.|
|Sensory data||Audio, visual, thermal, olfactory, or similar information. We do not knowingly collect this type of data.|
|Inferences drawn from other Personal Data||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.|
You agree that we can, subject to applicable law, use your Personal Data (including, as applicable, sharing relevant Personal Data with our affiliates, resellers, channel partners, service providers, and/or agents) to operate and improve the websites; respond to your requests and inquiries; conduct analysis and research; prevent fraud or misuse; protect our rights or property or the safety of you or others; and send you communications regarding events you have signed up for, information you have requested, or other requests you have made, or for reasonably relevant things we believe you might find to be of interest. We may also disclose Personal Data if we believe in good faith that we are required to do so by law, or that doing so is necessary to comply with legal process, respond to requests from law enforcement or governmental agencies, to respond to claims, or to protect our rights.
Your Personal Data is stored and processed in the countries in which we or our affiliates or service providers maintain facilities, which includes the UK, EU, US, and South Africa. We reserve the right to transfer and store your Personal Data outside the country in which you reside.
As we continue to develop our business, we might sell or buy subsidiaries or business units. In such transactions, as well as in the event we or part of our business or assets are acquired by a third party, your Personal Data and other information will generally be one of the transferred business assets. We reserve the right to include your Personal Data and other information, collected as assets, in any such transfer to a third party. Additionally, your Personal Data and other information could be disclosed as part of a bankruptcy involving us.
Persons under 18 years of age
Links to third party websites
When you visit our websites, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google (in its capacity as our data processor) to make, any attempt to find out the identities of those visiting our website through such analytics information.
If you requested, or opted-in to receive, marketing communications from us, from time to time we may send you information about Black Swan news, events, reports, and services of ours that we think you might find to be of interest. You have the right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please click the unsubscribe link in the marketing email we sent you or send a request to DPO@blackswan.com asking to be unsubscribed.
Consent for Electronic Communications
We use contact information you provide us with to communicate with you regarding your inquiry or request. By providing this contact information, you consent to receive such communications at such e-mail address, mailing address, and/or telephone number.
What Are Cookies and how do we use them?
How we treat “Do Not Track” or similar signals
Some browsers provide you with “do not track” options. Because there is not yet a common understanding of how to interpret the “do not track” signal, we do not currently respond to the browser “do not track” signals when you access our websites.
Legal basis for processing
The legal basis we rely on to process your Personal Data is article 6(1)(f) of the UK GDPR, which allows us to process Personal Data when it’s necessary for the purposes of our legitimate interests.
How long is the Personal Data kept for?
Do we use any data processors?
Yes, we have service providers that act on our behalf that process your Personal Data. This would include our cloud provider (AWS (Ireland)) and others, such as Google Analytics. These data processors do not have our permission to extract or use your Personal Data for other purposes.
We may share and process your Personal Data with Black Swan’s affiliates in the US, EU, and South Africa.
We will take steps to ensure that your Personal Data receives an adequate level of protection in the jurisdictions in which we process it. When we share Personal Data with our affiliates, we do so in a manner consistent with our privacy protocols and in compliance with local laws and regulatory requirements.
We take commercially reasonable physical, organizational, and technical measures to protect your Personal Data in our possession. We limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They are permitted to only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We cannot guarantee the absolute security of our database, nor can we guarantee that any information supplied will not be intercepted while being transmitted over wireless networks or the Internet. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Data rights for EU and UK residents
Your right of access
You have the right to ask us for copies of your Personal Data.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure
You have the right to ask us to erase your Personal Data in certain circumstances. This right enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Your right to object to processing
You have the right to object to processing. This enables you to ask us to delete or remove Personal Data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information, which overrides your rights and freedoms.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
Withdraw consent at any time where we are relying on consent to process your Personal Data.
However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If we are processing your information for criminal law enforcement purposes, your rights are slightly different.
You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please contact our DPO if you wish to make a request.
Data rights for California residents
Effective on January 1, 2020, the California Consumer Privacy Act (CCPA) provides users who are California residents with specific rights regarding their Personal Data. If you reside in California, you may exercise the following rights:
- A right to disclosure of the categories of Personal Data collected by us
- A right to disclosure of the specific pieces of Personal Data collected by us
- A right to deletion of Personal Data by us (subject to certain Exceptions outlined below)
- A right to receive Personal Data in a format that will allow its transfer to third parties by you
- A right to opt-out of the “sale” of Personal Data, where a “sale” under the CCPA means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.” We do not sell your Personal Data.
- A right to sue for security breaches of Personal Data
Access to specific information and data portability rights
You have the right to request that we disclose to you your Personal Data we have collected about you over the past 12 months from the date of your request. Once we receive and confirm your request, we will disclose to you:
- The categories of Personal Data we collected about you
- The categories of sources for the Personal Data we collected about you.
- Our business and commercial purposes for collecting or selling that Personal Data.
- The categories of third parties with whom we shared that Personal Data.
- The specific pieces of Personal Data we collected about you.
- If we “sold” or disclosed your Personal Data for a business purpose, up to two separate lists disclosing:
- if we “sold” your Personal Data, “sales”, identifying the Personal Data categories that each category of recipient “purchased”; and
- if we disclosed your Personal Data, disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained.
- We have not sold any of your Personal Data.
Deletion request rights
You have the right to request that we delete any of your Personal Data that we collected from you and retained, subject to certain Exceptions (as listed below). Once we receive and confirm your request, we will delete your Personal Data from our records unless an Exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) for the following Exceptions:
- to complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- to debug products to identify and repair errors that impair existing intended functionality;
- to exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- to comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
- to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- to enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- to comply with a legal obligation; or
- to make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- deny you goods or services.
- charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- provide you a different level or quality of goods or services.
- suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may still offer you certain financial incentives that can result in different prices, rates, or service quality levels as permitted by the CCPA. We do not at this time provide such financial incentives.
Exercising access, data portability and deletion rights
To exercise your rights described above, please submit a request to us by either:
- emailing us at firstname.lastname@example.org and specifying your request type (disclosure, category, or deletion); or
- mailing us at: Black Swan Data Ltd, Attn DPO, 15th Floor, WeWork Building, 10 York Rd, SE1 7ND London UK, and specifying your request type (disclosure, category, or deletion).
Only you, or someone legally authorized to act on your behalf, may make a request related to your Personal Data. You may also make a request on behalf of your minor child. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. You may be required to provide additional information necessary to confirm your identity before we can respond to your request.
You may only make a request for access or data portability twice within a 12-month period. The request must:
- provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative; and
- describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Making a request does not require you to create an account with us. Also, we will only use Personal Data provided in a request to verify the requestor’s identity or authority to make the request.
Your authorized agent
You have the right to designate an authorized agent to make a request under the CCPA on your behalf.
Response timing and format
We will confirm that we received your request within ten (10) days and will respond within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. We will deliver our written response electronically or, at your option, by mail.
Any disclosures we provide will only cover the 12-month period preceding our receipt of the request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
How we notify you of modifications.
How can we be contacted?
By email at DPO@blackswan.com or by snail mail at: Black Swan Data Ltd, Attn: Data Protection Officer, 15th Floor, WeWork Building, 10 York Rd, London, SE1 7ND England.
How to contact the appropriate authority?
Should you wish to report a complaint or if you feel that we have not addressed your concern regarding privacy in a satisfactory manner, you may contact the U.K. Information Commissioner’s Office (ICO) at https://ico.org.uk/global/contact-us/. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Black Swan’s Data Protection Registration Number with the ICO is ZA119730.
Last revised: 18 February 2021 © 2021 Black Swan Data Ltd. All rights reserved.