Who are we and what do we do?
InfoTrack Limited (“InfoTrack”, “we”, “our” or “us”) has developed and owns a cloud-based SaaS platform called eCOS (Site). This privacy policy applies to the mobile application or website version of the Site that you have been instructed to use on your mobile telephone, handheld or computer device (Device) by the Client (defined below).
Our Site enables our clients who are law firms, conveyancers and estate agents (Client) to create a workspace that sends a request with onboarding tasks to you, as their customer (“you” or “your”), requiring you to:
- Access the Site by way of link sent by the Client;
- Logon to your workspace using an access code sent to your mobile;
- Digitally verify your identity and address;
- Complete property information forms; and
- Digitally sign documents;
relating to transactions involving the process of marketing, sale, purchase and rental of certain properties (Services).
This privacy policy aims to give you information on how we collect, store, use, disclose and process your personal data using the Site. It also enables us to collect your consent before we process any Special Categories of Personal Data.
This Site is not intended for children and we do not knowingly collect data relating to children.
It is important that you read this privacy policy and make sure that you fully understand and agree to it.
Controller and processor
The Client is the data controller of your personal data and we are the data processor. Our third-party providers (as outlined below) processing such data will assume the role of sub -processor.
Contact details
Our full details are:
- Full name of legal entity: InfoTrack Limited
- Name or title of contact: Data Privacy Officer
- Email address: dpo@infotrack.co.uk
- Postal address: Level 11, 91 Waterloo Road, London, SE1 8RT
- Telephone number: 020 7186 8090
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. If you are an EU Citizen you have additional rights of complaint, see below for further detail.
Changes to the privacy policy and your duty to inform us of changes
We keep our privacy policy under regular review.
This version was last updated in June 2023. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you when you next start the Site. The new policy may be displayed on-screen, and you may be required to read and accept the changes to continue your use of the Site or the Services.
It is important that the personal data we hold about you is accurate and current. Please keep the Client informed if your personal data changes during your relationship with them.
Third party links
Our Site may, from time to time, contain links to and from the websites of our partner networks, third party providers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.
The data we collect about you
We may collect, use, store and transfer different kinds of personal data about you as follows:
- Identity Data: includes first name, last name, middle name, username or similar identifier, title, date of birth, gender, driving license and passport details.
- Contact Data: includes address, email address and telephone numbers.
- Device Data: includes the type of mobile or computer device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your operating system, the type of browser you use and time zone setting.
- Financial Data: includes bank account statements and details of transactions, utility bill amounts, council tax amounts, mortgage statements, sort code and bank account number.
- Content Data: includes information stored on your Device, including login information, photos, scanned documents or other digital content needed to be uploaded into Site.
- Profile Data: includes your username and password, notification settings and preferences.
- Usage Data: includes details of how you use the Site.
- Location Data: includes your current location disclosed by GPS technology.
- Biometric Data: includes face recognition for login purposes, voice recordings and facial images. See below for more details.
Special Categories of Personal Data
As part of our Services, we offer digital identity verification checks in order for our Clients to be able to comply with anti-money laundering legislation. As part of the digital identity verification service your personal data will be subject to cross referencing checks to establish your identity.
An element of this service involves Biometric Data which shall include processing an image of you next to other key identifiers – like your name – as shown on the identity information you provide to us. The use of biometric data is necessary for the provision of the digital identity verification and as this involves Special Categories of Personal Data we need your express consent to engage in this processing.
To enable us to process Special Categories of Personal Data we need your consent. You provide us with this consent by selecting “confirm consent for verification” prior to completing your identity verification task.
We do not collect any other Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic data) other than Biometric Data as outlined above. Nor do we collect any information about criminal convictions and offences.
If you fail to provide personal data
Where we need to collect personal data under the terms of a contract we have with the Client, and you fail to provide that data when requested, we will not be able to perform the Services and will therefore notify the Client that such order for Services will be cancelled. It will then be the Client’s responsibility to make contact with you to discuss next steps.
You do not have to consent to providing your personal data to us via the Site. You may provide all of the information requested by the Site to the Client for checking manually if you would prefer. You will not be subjected to a detriment for not giving consent to this processing. Please note that such manual checks by the Client will normally take longer than digital checks and will involve you undertaking physical steps to satisfy their requirements. This is a logistical and operational point that does take some time and does require some action.
How is your personal data collected?
We will collect and process the following data about you:
- Information our Client gives us. The Client who has a professional relationship with you will provide us with your Identity and Contact Data on the Site so that they can create and fulfil a workspace for the Services and so that we can make initial contact with you about the Site. The Client, in accordance with our agreement with them, has warranted to seek your consent first before providing us with your Identity and Contact Data.
- Information you give us. This is information (including Identity, Contact, Profile, Financial, Biometric, and Content Data) you consent to giving us by using the Site or by corresponding with us (for example, by email or phone). It includes information you provide when you:
- Access the Site by way of link sent by the Client;
- Logon to your workspace using an access code sent to your mobile;
- Digitally verify your identity and address;
- Complete property information forms;
- Digitally sign documents;
- Report a problem with the Site; and
- Contact us for technical or helpdesk support.
- Information we collect about you and your device. Each time you use the Site we will automatically collect personal data including Device, Content and Usage Data. We collect this data using automated and tracking technologies installed on your Device.
- Location Data. We also use GPS technology to determine your current location. Some of our location-enabled Services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling Location Data in your settings.
How we use your personal data
We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:
- Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us on dpo@infotrack.co.uk. As we are a data processor, we will also inform the Client as the data controller of your withdrawal request.
- Legitimate Interest. Means the interest of our business in conducting and managing our business to enable us to give you the best and most secure Site experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Purposes for which we will use your personal data
Purpose/activity |
Type of data |
Lawful basis for processing |
|
To send you an email communication detailing how to complete the workspace for Services as requested by the Client |
Identity Contact
|
Your consent (provided to the Client who then instructs us accordingly) |
|
To use the Site and enter an access code on the Site
|
Identity Contact Financial Device
|
Your consent |
|
To deliver the Services by instructing and prompting you via the Site to: (a) Digitally verify your identity and address by way of submission of certain documents and taking an image of your face; (b) Complete the requested property information forms; and (c) Digitally sign the requested documents. |
Identity Contact Device Financial Content Profile Usage Location Biometric
|
Your consent Necessary for our legitimate interests (to fulfil the purpose of the Site and to perform the Services as requested by the Client) |
|
To manage our relationship with you including: (a) when you report an issue with the Site to us; and (b) when you contact us for technical or helpdesk support you may require when using the Site. |
Identity Contact Financial Profile
|
Your consent Necessary for our legitimate interests (to ensure we provide the best and secure Site experience through provision of support services)
|
Disclosures of your personal data
When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the external third parties set out below for the purposes set out in the table above:
Third Party |
Third Party Service and Certification |
Location |
|
GB Group Plc
The Foundation, Herons Way, Chester Business Park, Chester, UK, CH4 9GB |
Digital identity verification checks
(ISO/IEC 27001:2013) |
UK and EEA |
|
Jumio Corporation
395 Page Mill Rd, Suite 150, Palo Alto, California 94306 |
Digital identity verification checks
(ISO/IEC 27001:2013, PCI DSS and SOC2 Type 2) |
USA Colombia India EEA |
|
Truelayer Ltd
1 Hardwick Street, London, UK, EC1R 4RB |
Verification of funds search (ISO/IEC 27001:2013) |
UK and EEA |
|
Amazon Web Services, Inc
410 Terry Avenue North Seattle, WA 98109, United States |
Cloud infrastructure (hosts our platform)
(ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1) |
EEA
|
|
DocuSign, Inc
221 Main Street, Suite 1000, San Francisco, CA 94105 |
Facilitation of digital execution/signature of documents (property forms)
(ISO 27001:2013, SOC 1 Type 2, SOC 2 Type 2, PCI DSS) |
USA EEA
|
In addition, we shall also share all personal data provided to us with the Client for the purposes of fulfilling an order for the Services.
International transfers
Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will ensure that you have provided explicit consent to the proposed transfer after being informed of any potential risks.
- Where possible, we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we use certain service providers, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.
- We will conduct transfer risk assessments and data protection impact assessments where applicable to identify and minimise any risks associated with such third-party processing and transferring any personal data.
- We shall remain responsible for the acts and omission of any such third-party processor as if they were our acts and omissions.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Data security
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password or code that enables you to access the Site, you are responsible for keeping this password or code confidential. We ask you not to share a password or code with anyone.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We will collect and store personal data on your Device using application data caches and browser web storage (including HTML5) and other technology. Where possible, we aim to use third party software that is ISO27001 accreditation, the highest information security standard.
We have put in place procedures to deal with any suspected personal data breach and will notify you, the Client and any applicable regulator when we are legally required to do so.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. We cannot however, guarantee the absolute protection and security of your personal data stored with use or with any third parties.
Data retention
For as long as the Client has a contractual relationship with us for the Services, we will continue to store your Identity, Contact, Device, Profile, Usage and Location Data, unless you make a request to have the aforementioned data deleted sooner.
Any Financial, Content and Biometric Data stored as part of the Client’s order for Services will be stored for 30 days only before it is deleted from the Site. This is to allow the Client to download and store the aforementioned data prior to deletion to be used for their purposes and for us to be able to provide helpdesk support post order of Services.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
In the event that you no longer wish to use the Site then you may request deletion of your workspace by contacting the Client or us. We will then delete any personal data we store within the Site however, any personal data already transferred to the Client will not be deleted and you will need to make a separate request to them for deletion.
Your legal rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data.
You have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you want us to establish the data's accuracy;
- where our use of the data is unlawful but you do not want us to erase it;
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You can exercise any of these rights at any time by contacting us at InfoTrack Ltd, Level 11, 91 Waterloo Road, London, SE1 8RT or on dpo@infotrack.co.uk.
Rights of EU Citizens
As we do not have a base inside the EEA and in order to meet the requirements of Article 27 of EU GDPR, we are required to appoint a representative in the EEA.
We have appointed DataRep as our Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries including Norway & Iceland in the European Economic Area (EEA), so that EU Citizens are able to exercise their rights in respect of personal information.
If you are a citizen of the European Union, you will be able to raise any questions or concerns regarding how to process your personal information with DataRep. To do this, you will need to:
- Send an email to DataRep at datarequest@datarep.com and quote ‘<InfoTrack Limited>’ in the subject line of the email; or
- Contact DataRep through their online webform at datarep.com/data-request; or
- Send a letter with your enquiry or complaint to DataRep at the relevant address as outlined in the table below. Please note that any mail correspondence must be addressed to ‘DataRep’ and not InfoTrack Limited as the same may not be received.
DataRep Locations
|
Country
|
Address
|
|
Austria
|
DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
|
|
Belgium
|
DataRep, Rue des Colonies 11, Brussels, 1000
|
|
Bulgaria
|
DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
|
|
Croatia
|
DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
|
|
Cyprus
|
DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
|
|
Czech Republic
|
DataRep, Platan Office, 28. Října 205/45, Floor 3&4, Ostrava, 70200, Czech Republic
|
|
Denmark
|
DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
|
|
Estonia
|
DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
|
|
Finland
|
DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
|
|
France
|
DataRep, 72 rue de Lessard, Rouen, 76100, France
|
|
Germany
|
DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
|
|
Greece
|
DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
|
|
Hungary
|
DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
|
|
Iceland
|
DataRep, Kalkofnsvegur 2, 3rd Floor, 101 Reykjavík, Iceland
|
|
Ireland
|
DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
|
|
Italy
|
DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
|
|
Latvia
|
DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
|
|
Liechtenstein
|
DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
|
|
Lithuania
|
DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
|
|
Luxembourg
|
DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
|
|
Malta
|
DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
|
|
Netherlands
|
DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
|
|
Norway
|
DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
|
|
Poland
|
DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
|
|
Portugal
|
DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
|
|
Romania
|
DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
|
|
Slovakia
|
DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
|
|
Slovenia
|
DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
|
|
Spain
|
DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
|
|
Sweden
|
DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden
|
|
Switzerland
|
DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland
|