Sponge UK Limited
privacy policy.
Sponge External Privacy Notice
Sponge Group Limited is committed to protecting the privacy and security of the personal data of our employees, contractors and the other third parties we deal with in the course of our business operations, recruitment activities and the provision of our services. This Privacy Notice explains who we are, how we collect, share, and use your personal data, and how you can exercise your data protection rights.
We ensure that your personal data:
- Is processed lawfully, fairly and in a transparent manner
- Is collected only for specified, explicit and legitimate purposes
- Is adequate, relevant, and limited to what is necessary in relation to the services that we are providing you
- Is accurate and where necessary, kept up to date
- Is not kept in a form which allows for you to be identified for longer than is necessary
- Is only processed in a manner that ensures its security using appropriate technical and organisational measures to protect it against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Our name and contact details
Sponge Group Limited, Units 2.1-2.3 Paintworks, Arnos Vale, Bristol, BS4 3EH.
Any queries relating to data protection should be directed to our Data Protection Team. dataprotection@spongelearning.com.
Our ICO registration is ZB362295.
What we do
Sponge Group Limited is an award-winning provider of digital learning solutions including bespoke learning, Learning Management Systems, and ready-to-go content.
Processing your personal data
We process and manage your personal data according to the relationship we have with you. This relationship helps us to identify the appropriate data subject category you belong to (or group of individuals whose data we process in an identical manner) and allows us to provide you the details of how we process your personal data. We interact with you and process your personal data in one of more of the following ways:
1. As a Customer
1.1. For Customer Relationship Management
We collect, store, and use your personal data to manage our relationship with you on the basis of our business contract with you.
We collect |
Business contact, call data record, contact information, email address, email content, first name, last name, mobile, occupation, password, postcode, salutation |
From |
Yourself |
Share with |
Sponge teams |
Store in |
United Kingdom |
Retain for |
Length of contract |
1.2. For Learning Content
We collect, store, and use your personal data to provide you access to content on our learning platforms on the basis of the contract we have agreed with you.
We need to process your personal information to manage the contract for our learning platforms/ portal services we are about to or have entered into with you. If you fail to provide certain information when requested, we may not be able to perform or enter into the contract for learning services access.
We collect |
Business contact, call data record, contact information, email address, email content, first name, last name, mobile, occupation, password, postcode, salutation |
From |
Yourself |
Share with |
Sponge teams |
Store in |
United Kingdom |
Retain for |
Length of Contract |
1.3. For Customer Support
We need to process your personal information to ensure that we can provide the necessary support you may require when using our services and learning management platforms and for processing invoices and taking payment. This is done on the basis of the contract we have with you. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.
We collect |
Company name, country, email address, first name, last name, mobile, postcode |
From |
Yourself |
Share with |
Sponge teams |
Store in |
United Kingdom |
Retain for |
Length of contract |
1.4. For Learning Analytics
We collect, store, and use your personal data to understand how our learning management platforms and services are being used. This is done on the basis of the contract we have with you.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.
We collect |
Behaviour, browser details, business contact, duration, employer details, first name, last name, mobile, occupation, postcode, salutation |
From |
Customer |
Share with |
Customer, Sponge teams |
Store in |
United Kingdom |
Retain for |
Length of contract |
1.5. Fulfilment of Customer Satisfaction Survey
We collect, store, and use your personal data to get feedback on the service we provide for you.
We do this based on our legitimate interests in ensuring we provide you with the best customer experience when accessing our services.
We collect |
Company name, email address, first name, last name, Views |
From |
Yourself |
Share with |
Suppliers, Sponge teams |
Store in |
United Kingdom and United States of America |
Retain for |
Three years |
1.6. To Provide System Development
We collect, store, and use your personal data to enhance our internal production systems, Enterprise Resource Planning systems and make enhancements to our platforms.
We do this on the basis of our legitimate interests in improving the efficiency and user experience of the services we provide to you.
We collect |
Contact Information, first name, last name |
From |
Yourself |
Share with |
Suppliers, Sponge teams |
Store in |
India |
Retain for |
Three years |
2. As a Learner
2.1. To Resolve Login / Technical Issues
We collect, store, and use your personal data to provide support for access to our learning management platform and services on the basis of our contract we have with your Learning Provider.
It is necessary for us to do so to support your access to our learning management platforms and to ensure the security of these systems.
We collect |
contact information, email address, email content, first name, last name, mobile, occupation, password, postcode, salutation |
From |
Yourself |
Share with |
Sponge teams |
Store in |
United Kingdom |
Retain for |
Length of contract plus 6 years |
2.2. For Facial Recognition to Access Training
Where enabled, we collect, store, and use your personal data, specifically your photograph, to provide you access to our learning management platform. This is done on the basis of the contract we have with your Learning Provider who is the data controller.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with your Learning Provider.
We collect |
Photograph |
From |
Yourself, Learner |
Share with |
Sponge teams, yourself, Learning Provider |
Store in |
United Kingdom and Ireland |
Retain for |
Indefinitely |
3. As a Potential Customer
3.1. For email marketing
We need to process your personal information to share newsletters, promote our services and invite you to business events we believe will be of value to you.
We do this on the basis of our legitimate interests in facilitating engagement with potential new client organisations, increasing external knowledge of the Sponge brand, understanding external corporate issues, and developing appropriate solutions.
We collect |
Company name, country, email address, first name, last name, mobile, postcode |
From |
Prospective Company, Research, Website Visitors, Conference / Webinar Attendees Lists |
Share with |
Sponge teams |
Store in |
United Kingdom |
Retain for |
Three Years |
3.2. To Data Cleanse for Marketing
We need to process your personal information to ensure that we have accurate, up-to-date, and appropriate information about you to support our marketing. This is done on the basis of our legitimate interest in establishing and maintaining a business relationship with you.
We collect |
Company name, country, email address, first name, last name, mobile, postcode |
From |
Prospective Company, Research, Website Visitors, Conference Attendees |
Share with |
Suppliers |
Store in |
United Kingdom |
Retain for |
Three Years |
4. As a Website Visitor
4.1. To manage your cookie preference
We collect, store, and use your personal data to make our website more intuitive and easier to use and protect the security and effective functioning of our websites on the basis of your consent.
It is necessary for us do so to monitor how our website is used to help us (a) improve the layout and information available on our website and provide a better service to our website users and (b) monitor how our website is used to detect and prevent fraud, other crimes, and the misuse of our website
We collect |
Cookies, country, email address, ip address, name, occupation |
From |
Yourself |
Share with |
Suppliers |
Store in |
United Kingdom |
Retain for |
The duration of your browsing session. |
5. As a Potential Employee
5.1. To select candidates for employment
We collect, store, and use your personal data to assess your skills, qualifications, and suitability for the work or role, during this process on the basis of our legitimate interest.
It is in our legitimate interest to carry out background checks, communicate with you about the recruitment process and keep records related to our hiring process.
If you fail to provide information when requested, which is necessary for us to consider your job application, we will not be able to process your application.
We collect |
Behaviour, CV, date of birth, education, email address, employment, ethnicity, first name, gender, health, home address, image, interview notes, last name, location, marital status, medical, name, nationality, other data subjects, passport, race, religion, signature |
From |
Yourself and recruitment agencies |
Share with |
Recruitment agencies |
Store in |
United Kingdom and United States of America |
Retain for |
Six Months |
6. As an Actor / Model
6.1. For use in learning content
We collect, store, and use your personal data for use in our training material on the basis of the contract you have, or are about to enter into with us.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you
We collect |
Photograph, video footage including individuals |
From |
Supplier |
Share with |
Consultant and customer |
Store in |
United Kingdom and EEA |
Retain for |
3 years |
7. As a Visitor
7.1. To comply with Health and Safety and Fire Regulations
We need to process your personal information to ensure that while you’re visiting one of our offices, we can keep you safe in case there is a fire evacuation or other health and safety incident.
We collect |
Name, Company, Vehicle registration |
From |
Yourself |
Share with |
Sponge teams |
Store in |
United Kingdom |
Retain for |
Three years |
Your data
May, in certain circumstances be provided to other third parties such as HMRC or Companies House, or other regulatory or law enforcement bodies, but only in compliance with the law and where strictly necessary.
Automated decision-making and profiling
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, including profiling, unless you have given us your consent to do so, or it is necessary for entering into or the performance of a contract.
Your rights
- Access – you have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the personal data we process.
- Rectification - you have the right to ask us to rectify any of your personal data that you think is inaccurate or incomplete. This right always applies.
- Erasure - you have the right to ask us to erase your personal data where it is no longer required for purpose for which it was collected, or you withdraw your prior consent to us processing it and we have no other legal ground for processing it, or it is being processed unlawfully, or when it must be erased to comply with a legal obligation, or it is being used for direct marketing purposes where we have no legitimate grounds for us doing so.
- Restriction - you have the right to ask us to restrict the processing of your personal data where it is inaccurate (allowing us to verify the accuracy), or it is being processed unlawfully (and you want us to stop processing rather than erasing it), or where you have objected to us processing it while we’re verifying whether we have legitimate grounds for processing, or it is no longer required for purpose for which it was collected and you want us to keep it for the establishment, exercise or defence of legal claims.
- Portability - this only applies to personal data you have given us. You have the right to ask us to transfer the information you provided us from one organisation to another or give it to you. This only applies if we are processing personal data based on your consent or as part of a contract, or in talks with you about entering into a contract and the processing is automated.
- Objection - you have the right to object to processing your personal data if we are using legitimate interests as our lawful basis for processing, or it is being used for direct marketing.
- Withdrawing consent – you can withdraw your consent that you have previously given to us for one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
- You have the right to complain to a Supervisory Authority, in the UK that is the Information Commissioner’s Office.
Breaches
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Dealing with your requests
We will deal with your requests as soon as possible but may take up to 1 month (possibly extended to 3 months where the law permits). Normally there is no charge, however we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive or we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Note
This notice does not form part of any contract to provide services.
Changes to this privacy notice
We may update this notice from time to time and any changes we make to our policy in the future will be posted on our <intranet/website> and, where appropriate, notified to you by email. Please check our website frequently to see any updates or changes to our policy.
Supplementary information
Direct marketing
Our direct marketing activities comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) which means that you may receive direct marketing communications from us if you have requested these, or you have purchased any of our services and have not opted-out from receiving these, or the communications are necessary for performing a contract between us.
Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, destroyed or accessed without authorisation. While no data transmission or storage can be guaranteed to be secure, we implement a range of commercially reasonable physical, technical and procedural measures to help protect personal data. These measures include confidentiality agreements with third parties, secure development practices, security due diligence of service providers, products, services that may be used and ISO27001-based organisational security policies.
We have also put in place procedures to deal with any suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.
Cookies
Cookies are small files we store on the device (computer, mobile phone, tablet or any other mobile device) that you use to access our website or portal - this is so we can recognize repeat users improve your experience while you navigate through the website.
We use the term ‘cookies’ to include not only cookies, but also other technologies such as pixels, web beacons and page tags. Our website uses ‘first-party’ cookies (which are set by our own website) and ‘third-party’ cookies (which are set by websites other than our own).
Telling you about and managing how we use cookies is required by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
What cookies do we use?
We use the following types of cookie:
Necessary
These are essential for our website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
These may not be necessary for the website to function and are used to collect user personal data via analytics, ads, other embedded content and help us analyse and understand how you use our website. We always ask for your consent before using this type of cookie.
Blocking cookies
You can also disable cookies by changing settings on your browser that allows you to refuse the setting of all or some cookies. The settings and steps for managing cookies vary by browser, so we suggest referring to your browser’s documentation.
If you use your browser settings to block all cookies (including ‘Necessary’ cookies) you may not be able to access all or parts of our website.
Requesting more details about the cookies we use
For a detailed list of cookies we use including information about type of cookie, expiry periods and links to third party sites please contact dataprotection@spongelearning.com or click on this link https://www.spongelearning.com...