Privacy Policy:
 

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

  • Analytics

    The services contained in this section enable the Owner to monitor and analyse web traffic and can be used to keep track of User behaviour.

    Google Analytics (Google Ireland Limited)

    Google Analytics is a web analysis service provided by Google Ireland Limited (“Google”). Google utilises the Data collected to track and examine the use of Hanco, to prepare reports on its activities and share them with other Google services.
    Google may use the Data collected to contextualise and personalise the ads of its own advertising network.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: Ireland – Privacy Policy – Opt Out.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Backup saving and management

    This type of service allows the Owner to save and manage backups of Hanco on external servers managed by the service provider itself. The backups may include the source code and content as well as the data that the User provides to Hanco.

    OVH Storage and backup (OVH Hosting Ltd.)

    OVH Storage and backup is a service to save and manage backups provided by OVH Hosting Ltd.

    Personal Data processed: various types of Data as specified in the privacy policy of the service.

    Place of processing: United Kingdom – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

  • Collection of privacy-related preferences

    This type of service allows Hanco to collect and store Users’ preferences related to the collection, use, and processing of their personal information, as requested by the applicable privacy legislation.

    iubenda Consent Solution (iubenda srl)

    The iubenda Consent Solution allows storing and retrieving records of Users’ consent to the processing of Personal Data, and information and preferences expressed in relation to the provided consent.
    In order to do so, it makes use of a Tracker that temporarily stores pending information on the User’s device until it is processed by the API. The Tracker (a browser feature called localStorage) is at that point deleted.

    Personal Data processed: Data communicated while using the service; Tracker.

    Place of processing: Italy – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    iubenda Cookie Solution (iubenda srl)

    The iubenda Cookie Solution allows the Owner to collect and store Users’ preferences related to the processing of personal information and in particular to the use of Cookies and other Trackers on Hanco.

    Personal Data processed: Tracker.

    Place of processing: Italy – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

  • Connecting Data

    This type of service allows the Owner to connect Data with third-party services disclosed within this privacy policy.
    This results in Data flowing through these services, potentially causing the retention of this Data.

    Zapier (Zapier, Inc.)

    Zapier is a workflow automation service provided by Zapier, Inc. that automates the movement of Data between (third-party) services.

    Personal Data processed: Data communicated while using the service.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Contacting the User

    Contact form (Hanco)

    By filling in the contact form with their Data, the User authorises Hanco to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.

    Personal Data processed: company name; email address; first name; last name; phone number; state; various types of Data.

    Category of personal information collected according to CCPA: identifiers; commercial information; internet information.

    Mailing list or newsletter (Hanco)

    By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning Hanco. Your email address might also be added to this list as a result of signing up to Hanco or after making a purchase.

    Personal Data processed: email address; first name; gender; last name.

    Category of personal information collected according to CCPA: identifiers; biometric information.

  • Data transfer outside of the UK

    The Owner is allowed to transfer Personal Data collected within the UK to third countries only subject to specific legal requirements (so-called "restricted transfers"). Restricted transfers may take place according to the conditions specified below.

    Users can enquire with the Owner to learn which legal basis applies to which specific service.

    Data transfer abroad based on consent (UK) (Hanco)

    If this is the legal basis, Personal Data of Users shall be transferred from the UK to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.

    In such cases, the Owner shall inform Users appropriately and collect their explicit consent via Hanco.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

    Data transfer abroad based on standard contractual clauses (UK) (Hanco)

    If this is the legal basis, the transfer of Personal Data from the UK to third countries is carried out by the Owner according to “standard contractual clauses” provided by the European Commission.

    This means that Data recipients have committed to process Personal Data in compliance with the data protection standards set forth by EU data protection legislation, which are recognized as valid also under UK law. For further information, Users are requested to contact the Owner through the contact details provided in the present document.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

    Data transfers according to a UK adequacy regulation (Hanco)

    If this is the legal basis, the transfer of Personal Data from the UK to third countries may take place according to a so-called “adequacy regulation” of the UK Government.

    The UK Government adopts adequacy regulations for specific countries or territories whenever such countries or territories guarantee Personal Data protection standards comparable to those set forth by UK data protection legislation. Users can find an updated list of all adequacy regulations on the website of the Information Commissioner’s Office (ICO).

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

    Other legal basis for Data transfer abroad (UK) (Hanco)

    If no other legal basis applies, Personal Data shall be transferred from the UK to third countries only if at least one of the following conditions is met:

    • the transfer is necessary for the performance of a contract between the User and the Owner or of pre-contractual measures taken at the User’s request;
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the User between the Owner and another natural or legal person;
    • the transfer is necessary for important reasons of public interest;
    • the transfer is necessary for establishment, exercise or defence of legal claims;
    • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    • the data transferred is sourced from a public register created under UK law;
    • subject to further conditions, the Owner has a compelling legitimate interest to perform a one-off transfer of Personal Data.

    In such cases, the Owner shall inform the User about the legal bases the transfer is based on via Hanco.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

  • Data transfer outside the EU

    The Owner is allowed to transfer Personal Data collected within the EU to third countries (i.e. any country not part of the EU) only pursuant to a specific legal basis. Any such Data transfer is based on one of the legal bases described below.
    Users can inquire with the Owner to learn which legal basis applies to which specific service.

    Data transfer abroad based on consent (Hanco)

    If this is the legal basis, Personal Data of Users shall be transferred from the EU to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.
    In such cases, the Owner shall inform Users appropriately and collect their explicit consent via Hanco.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

    Data transfer abroad based on standard contractual clauses (Hanco)

    If this is the legal basis, the transfer of Personal Data from the EU to third countries is carried out by the Owner according to “standard contractual clauses” provided by the European Commission.
    This means that Data recipients have committed to process Personal Data in compliance with the data protection standards set forth by EU data protection legislation. For further information, Users are requested to contact the Owner through the contact details provided in the present document.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

    Data transfer to countries that guarantee European standards (Hanco)

    If this is the legal basis, the transfer of Personal Data from the EU to third countries is carried out according to an adequacy decision of the European Commission.
    The European Commission adopts adequacy decisions for specific countries whenever it considers that country to possess and provide Personal Data protection standards comparable to those set forth by EU data protection legislation. Users can find an updated list of all adequacy decisions issued on the European Commission's website.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

    Other legal basis for Data transfer abroad (Hanco)

    If no other legal basis applies, Personal Data shall be transferred from the EU to third countries only if at least one of the following conditions is met:

    • the transfer is necessary for the performance of a contract between the User and the Owner or of pre-contractual measures taken at the User’s request;
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the User between the Owner and another natural or legal person;
    • the transfer is necessary for important reasons of public interest;
    • the transfer is necessary for establishment, exercise or defence of legal claims;
    • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    • the data transferred is sourced from a public register created under the law of the country that the data originates from;
    • subject to further conditions, the Owner has a compelling legitimate interest to perform a one-off transfer of Personal Data.

    In such cases, the Owner shall inform the User about the legal bases the transfer is based on via Hanco.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

  • Device permissions for Personal Data access

    Hanco requests certain permissions from Users that allow it to access the User's device Data as described below.

    Device permissions for Personal Data access (Hanco)

    Hanco requests certain permissions from Users that allow it to access the User's device Data as summarized here and described within this document.

    Personal Data processed: Contacts permission; Precise location permission (non-continuous); SMS permission.

    Category of personal information collected according to CCPA: internet information; geolocation data.

  • Displaying content from external platforms

    This type of service allows you to view content hosted on external platforms directly from the pages of Hanco and interact with them.
    This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.

    Font Awesome (Fonticons, Inc.)

    Font Awesome is a typeface visualisation service provided by Fonticons, Inc. that allows Hanco to incorporate content of this kind on its pages.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Fonts.com Web Fonts (Monotype Imaging Inc.)

    Fonts.com Web Fonts is a typeface visualisation service provided by Monotype Imaging Inc. that allows Hanco to incorporate content of this kind on its pages.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Google Fonts (Google Ireland Limited)

    Google Fonts is a typeface visualisation service provided by Google Ireland Limited that allows Hanco to incorporate content of this kind on its pages.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: Ireland – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Google Maps widget (Google Ireland Limited)

    Google Maps is a maps visualisation service provided by Google Ireland Limited that allows Hanco to incorporate content of this kind on its pages.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: Ireland – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Video Vimeo (Vimeo, LLC)

    Vimeo is a video content visualisation service provided by Vimeo, LLC that allows Hanco to incorporate content of this kind on its pages.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    YouTube video widget (Google Ireland Limited)

    YouTube is a video content visualisation service provided by Google Ireland Limited that allows Hanco to incorporate content of this kind on its pages.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: Ireland – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Gravatar (Automattic Inc.)

    Gravatar is an image visualisation service provided by Automattic Inc. that allows Hanco to incorporate content of this kind on its pages.
    Please note that if Gravatar images are used for comment forms, the commenter's email address or parts of it may be sent to Gravatar - even if the commenter has not signed up for that service.

    Personal Data processed: email address; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: identifiers; internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Handling activities related to productivity

    This type of service helps the Owner to manage tasks, collaboration and, in general, activities related to productivity. In using this type of service, Data of Users will be processed and may be retained, depending on the purpose of the activity in question.
    These services may be integrated with a wide range of third-party services disclosed within this privacy policy to enable the Owner to import or export Data needed for the relative activity.

    Zoho projects (Zoho Corporation Pvt. Ltd.)

    Zoho projects is a project management service provided by Zoho Corporation Pvt. Ltd.

    Personal Data processed: Data communicated while using the service.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Handling payments

    Unless otherwise specified, Hanco processes any payments by credit card, bank transfer or other means via external payment service providers. In general, and unless otherwise stated, Users are requested to provide their payment details and personal information directly to such payment service providers. Hanco isn't involved in the collection and processing of such information: instead, it will only receive a notification by the relevant payment service provider as to whether payment has been successfully completed.

    PayPal (PayPal Inc.)

    PayPal is a payment service provided by PayPal Inc., which allows Users to make online payments.

    Personal Data processed: billing address; email address; first name; last name; payment info; phone number; username; various types of Data as specified in the privacy policy of the service.

    Place of processing: See the PayPal privacy policy – Privacy Policy.

    Category of personal information collected according to CCPA: identifiers; commercial information; internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Payment by bank transfer (Hanco)

    In the event that the chosen payment method is a direct bank transfer to the current account indicated by Hanco, the Owner will collect the payment details of the User, i.e. the current account number of the sender, the SWIFT code, the bank and the name of the sender. Such data will be collected and processed exclusively within the transaction and for billing purposes only.

    Personal Data processed: company name; first name; last name; payment info; physical address.

    Category of personal information collected according to CCPA: identifiers; commercial information.

    GoCardless (GoCardless Limited)

    GoCardless is a payment service provided by GoCardless Limited.

    Personal Data processed: various types of Data as specified in the privacy policy of the service.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Stripe (Stripe Payments Ltd)

    Stripe is a payment service provided by Stripe Inc.

    Personal Data processed: various types of Data as specified in the privacy policy of the service.

    Place of processing: United Kingdom – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

  • Hosting and backend infrastructure

    This type of service has the purpose of hosting Data and files that enable Hanco to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of Hanco.

    Some services among those listed below, if any, may work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

    Microsoft Azure (Microsoft Corporation)

    Microsoft Azure is a hosting service provided by Microsoft Corporation.

    Personal Data processed: various types of Data as specified in the privacy policy of the service.

    Place of processing: United Kingdom – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    DigitalOcean (DigitalOcean Inc.)

    DigitalOcean is a hosting service provided by DigitalOcean Inc.

    Personal Data processed: various types of Data as specified in the privacy policy of the service.

    Place of processing: United Kingdom – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    OVHcloud (OVH Hosting Ltd.)

    OVHcloud is a hosting and backend service provided by OVH Hosting Ltd.

    Personal Data processed: Usage Data.

    Place of processing: United Kingdom – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Hanco Global Europa SRL

    Website hosting and management using WHM, WHMCS and cPanel components for client use.

  • Infrastructure monitoring

    This type of service allows Hanco to monitor the use and behaviour of its components so its performance, operation, maintenance and troubleshooting can be improved.
    Which Personal Data are processed depends on the characteristics and mode of implementation of these services, whose function is to filter the activities of Hanco.

    Uptime Robot (Buzpark Bilisim Tarim Urunleri Sanayi Tic. Ltd. Sti.)

    Uptime Robot is a monitoring service provided by Buzpark Bilisim Tarim Urunleri Sanayi Tic. Ltd. Sti.

    Personal Data processed: various types of Data as specified in the privacy policy of the service.

    Place of processing: Turkey – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Pingdom (Pingdom AB)

    Pingdom is a monitoring service provided by Pingdom AB.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: Sweden – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Web Performance (Web Performance, Inc.)

    Web Performance is a monitoring service provided by Web Performance, Inc.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Logentries (RevelOps, Inc.)

    Logentries is a monitoring service provided by RevelOps, Inc.

    Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Imunify 360

    Tracking of brute-force attacks, phishing, and normal firewall activities to secure client accounts. Imunify 360 protects Linux-based web servers and all hosted websites against malware infections, web attacks, vulnerability exploitation and all other threats.

    UTMStack

    UTMStack (branded as "Hanco CyberShield™" for clients) delivers log management and correlation (SIEM), with optional modules for identity, compliance and vulnerability management, incident response, and threat intelligence. All features are fully integrated and report to a central database, facilitating daily tasks such as monitoring and investigations.

  • Interaction with external social networks and platforms

    This type of service allows interaction with social networks or other external platforms directly from the pages of Hanco.
    The interaction and information obtained through Hanco are always subject to the User’s privacy settings for each social network.
    This type of service might still collect traffic data for the pages where the service is installed, even when Users do not use it.
    It is recommended to log out from the respective services in order to make sure that the processed data on Hanco isn’t being connected back to the User’s profile.

    PayPal button and widgets (PayPal Inc.)

    The PayPal button and widgets are services allowing interaction with the PayPal platform provided by PayPal Inc.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: See the PayPal privacy policy – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Facebook Like button and social widgets (Facebook Ireland Ltd)

    The Facebook Like button and social widgets are services allowing interaction with the Facebook social network provided by Facebook Ireland Ltd.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: Ireland – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    LinkedIn button and social widgets (LinkedIn Corporation)

    The LinkedIn button and social widgets are services allowing interaction with the LinkedIn social network provided by LinkedIn Corporation.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Interaction with live chat platforms

    This type of service allows Users to interact with third-party live chat platforms directly from the pages of Hanco, in order to contact and be contacted by Hanco’s support service.
    If one of these services is installed, it may collect browsing and Usage Data in the pages where it is installed, even if the Users do not actively use the service. Moreover, live chat conversations may be logged.

    Tidio Live Chat widget (Tidio Ltd)

    The Tidio Live Chat widget is a service for interacting with the Tidio live chat platform provided by Tidio Ltd.

    Personal Data processed: Data communicated while using the service; Tracker; Usage Data.

    Place of processing: United Kingdom – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Location-based interactions

    Geolocation (Hanco)

    Hanco may collect, use, and share User location Data in order to provide location-based services.
    Most browsers and devices provide tools to opt out from this feature by default. If explicit authorisation has been provided, the User’s location data may be tracked by Hanco.

    Personal Data processed: geographic position.

    Category of personal information collected according to CCPA: geolocation data.

  • Managing contacts and sending messages

    This type of service makes it possible to manage a database of email contacts, phone contacts or any other contact information to communicate with the User.
    These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.

    Sendgrid (Sendgrid)

    Sendgrid is an email address management and message sending service provided by Sendgrid Inc.

    Personal Data processed: company name; email address; first name; last name; phone number; Tracker; Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: identifiers; commercial information; internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Managing data collection and online surveys

    This type of service allows Hanco to manage the creation, deployment, administration, distribution and analysis of online forms and surveys in order to collect, save and reuse Data from any responding Users.
    The Personal Data collected depend on the information asked and provided by the Users in the corresponding online form.

    These services may be integrated with a wide range of third-party services to enable the Owner to take subsequent steps with the Data processed - e.g. managing contacts, sending messages, analytics, advertising and payment processing.

    SurveyMonkey (SurveyMonkey Europe UC)

    SurveyMonkey is a survey builder and data collection platform provided by SurveyMonkey Europe UC.

    Personal Data processed: Data communicated while using the service.

    Place of processing: European Union – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Platform services and hosting

    These services have the purpose of hosting and running key components of Hanco, therefore allowing the provision of Hanco from within a unified platform. Such platforms provide a wide range of tools to the Owner – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of Personal Data.
    Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

    Google Play Store (Google Ireland Limited)

    Hanco is distributed on the Google Play Store, a platform for the distribution of mobile apps, provided by Google Ireland Limited.

    By virtue of being distributed via this app store, Google collects usage and diagnostics data and shares aggregate information with the Owner. Much of this information is processed on an opt-in basis.

    Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page.

    Personal Data processed: Usage Data.

    Place of processing: Ireland – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

    Apple App Store (Apple Inc.)

    Hanco is distributed on Apple's App Store, a platform for the distribution of mobile apps, provided by Apple Inc.

    By virtue of being distributed via this app store, Apple collects basic analytics and provides reporting features that enable the Owner to view usage analytics data and measure the performance of Hanco. Much of this information is processed on an opt-in basis.

    Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page.

    Personal Data processed: Usage Data.

    Place of processing: United States – Privacy Policy.

    Category of personal information collected according to CCPA: internet information.

  • Registration and authentication

    By registering or authenticating, Users allow Hanco to identify them and give them access to dedicated services.
    Depending on what is described below, third parties may provide registration and authentication services. In this case, Hanco will be able to access some Data, stored by these third-party services, for registration or identification purposes.
    Some of the services listed below may also collect Personal Data for targeting and profiling purposes; to find out more, please refer to the description of each service.

    Direct registration and profiling (Hanco)

    By registering or authenticating directly through Hanco, Users allow Hanco to identify them and give them access to dedicated services. The Owner may process Data collected when Users register or authenticate also for targeting and profiling purposes; to find out more, Users can contact the Owner using the contact details provided in this document.

    Personal Data processed: billing address; company name; country; county; data relating to the point of sale; email address; fax number; field of activity; first name; geographic position; number of employees; password; phone number; physical address; shipping address; state; Tax ID; Tracker; Usage Data; User ID; username; various types of Data; VAT Number; website; workplace; ZIP/Postal code.

    Category of personal information collected according to CCPA: identifiers; commercial information; internet information; geolocation data; employment related information; inferred information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Registration and authentication provided directly by Hanco

    By registering or authenticating, Users allow Hanco to identify them and give them access to dedicated services. The Personal Data is collected and stored for registration or identification purposes only. The Data collected are only those necessary for the provision of the service requested by the Users.

    Direct registration (Hanco)

    The User registers by filling out the registration form and providing the Personal Data directly to Hanco.

    Personal Data processed: billing address; city; company name; country; county; date of birth; email address; field of activity; first name; language; last name; password; phone number; physical address; prefix; profile picture; state; Tax ID; Tracker; Usage Data; User ID; username; various types of Data; VAT Number; website; workplace; ZIP/Postal code.

    Category of personal information collected according to CCPA: identifiers; commercial information; internet information; sensorial information; employment related information; inferred information.

  • Remarketing and behavioural targeting

    This type of service allows Hanco and its partners to inform, optimise and serve advertising based on past use of Hanco by the User.
    This activity is facilitated by tracking Usage Data and by using Trackers to collect information which is then transferred to the partners that manage the remarketing and behavioural targeting activity.
    Some services offer a remarketing option based on email address lists.
    Services of this kind usually offer the possibility to opt out of such tracking. In addition to any opt-out feature offered by any of the services below, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section "How to opt-out of interest-based advertising" in this document.

    Google Signals

    Hanco uses Google Signals, a feature of Google Analytics, which will associate the visitation information that it collects from Hanco with Google information from accounts of signed-in Google-account users who have consented to this association for the purpose of ads personalisation. This Google information may include User location, search history, YouTube history and Data from sites that partner with Google – and is used to provide aggregated and anonymised insights into Users' cross device behaviours.

    If a User falls under the described association, they may access and/or delete such Data via My Activity provided by Google.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

    Remarketing with Google Analytics

    Remarketing with Google Analytics is a remarketing and behavioural targeting service provided by Google LLC or by Google Ireland Limited, depending on the location Hanco is accessed from, that connects the tracking activity performed by Google Analytics and its Trackers with the Google Ads advertising network and the Doubleclick Cookie.

    Personal Data processed: Tracker; Usage Data.

    Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

    Category of personal information collected according to CCPA: internet information.

    This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.

  • Social features

    Inviting and suggesting friends (Hanco)

    Hanco may use the Personal Data provided to allow Users to invite their friends - for example through the address book, if access has been provided - and to suggest friends or connections inside it.

    Personal Data processed: various types of Data.

    Category of personal information collected according to CCPA: internet information.

  • SPAM protection

    This type of service analyses the traffic of Hanco, potentially containing Users' Personal Data, with the purpose of filtering it from parts of traffic, messages and content that are recognised as SPAM.

    Google reCAPTCHA (Google Ireland Limited)

    Google reCAPTCHA is a SPAM protection service provided by Google Ireland Limited.
    The use of reCAPTCHA is subject to the Google privacy policy and

    Information on opting out of interest-based advertising

    In addition to any opt-out feature provided by any of the services listed in this document, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section of the Cookie Policy.

    Further information about the processing of Personal Data

    • Selling goods and services online

      The Personal Data collected are used to provide the User with services or to sell goods, including payment and possible delivery.
      The Personal Data collected to complete the payment may include the credit card, the bank account used for the transfer, or any other means of payment envisaged. The kind of Data collected by Hanco depends on the payment system used.

    • Push notifications for direct marketing

      Hanco may send push notifications to the User for the purpose of direct marketing (to propose services and products provided by third parties or unrelated to the product or service provided by Hanco).

      Users may in most cases opt-out of receiving push notifications by visiting their device settings, such as the notification settings for mobile phones, and then changing those settings for Hanco or all of the apps on the particular device.

      Users must be aware that disabling push notifications may negatively affect the utility of Hanco.

      Besides applicable device settings, the User may also make use of the rights described under User rights in the relevant section of this privacy policy.

    • Browser Fingerprinting

      Browser Fingerprinting creates an identifier based on a device's unique combination of characteristics (e.g. IP address, HTTP header, browser properties etc.), which makes it possible to distinguish the User from other Users and thereby to track the User's browsing behaviour across the web. Browser Fingerprinting does not have an expiration date and cannot be deleted.

    • Personal Data collected through sources other than the User

      The Owner of Hanco may have legitimately collected Personal Data relating to Users without their knowledge by reusing or sourcing them from third parties on the grounds mentioned in the section specifying the legal basis of processing.
      Where the Owner has collected Personal Data in such a manner, Users may find specific information regarding the source within the relevant sections of this document or by contacting the Owner.

    • Preference Cookies

      Preference Cookies store the User preferences detected on Hanco in the local domain such as, for example, their timezone and region.

    • Pseudonymous use

      When registering for Hanco, Users have the option to indicate a nickname or pseudonym. In this case, Users' Personal Data shall not be published or made publicly available. Any activity performed by Users on Hanco shall appear in connection with the indicated nickname or pseudonym. However, Users acknowledge and accept that their activity on Hanco, including content, information or any other material possibly uploaded or shared on a voluntary and intentional basis may directly or indirectly reveal their identity.

    • Rights for registered California Users under the age of 18

      California's "Online Eraser" law, part of California's Business and Professions Code Sections 22580-22582, requires operators of certain websites and online services targeting minors to allow registered Users who are under the age of 18 and residents of California to request removal of content they post.

      If a registered User fits that description and posted content on Hanco, they may request removal of such content by contacting the Owner or its privacy policy coordinator at the contact details provided in this document.

      In response to this request, the Owner may make content posted by the registered User invisible to other registered Users and the public (rather than deleting it entirely), in which case the content may remain on the Owner's servers. It may also be publicly available elsewhere if a third party copied and reposted this content.

    • The Service is not directed to children under the age of 13

      Users declare themselves to be adult according to their applicable legislation. Minors may use Hanco only with the assistance of a parent or guardian. Under no circumstances may persons under the age of 13 use Hanco.

    • sessionStorage

      sessionStorage allows Hanco to store and access data right in the User's browser. Data in sessionStorage is deleted automatically when the session ends (in other words, when the browser tab is closed).

    The rights of Users

    Users may exercise certain rights regarding their Data processed by the Owner.

    In particular, Users have the right to do the following:

    • Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
    • Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
    • Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
    • Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
    • Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
    • Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
    • Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
    • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

    Details about the right to object to processing

    Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

    Users must know, however, that should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

    How to exercise these rights

    Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.

    Additional information about Data collection and processing

    Legal action

    The User's Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of Hanco or the related Services.
    The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

    Additional information about User's Personal Data

    In addition to the information contained in this privacy policy, Hanco may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

    System logs and maintenance

    For operation and maintenance purposes, Hanco and any third-party services may collect files that record interaction with Hanco (System logs) or use other Personal Data (such as the IP Address) for this purpose.

    Information not contained in this policy

    More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

    How “Do Not Track” requests are handled

    Hanco does not support “Do Not Track” requests.
    To determine whether any of the third-party services it uses honour the “Do Not Track” requests, please read their privacy policies.

    Changes to this privacy policy

    The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within Hanco and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

    Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.

    Information for Californian consumers

    This part of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running Hanco and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).

    The provisions contained in this section apply to all Users who are consumers residing in the state of California, United States of America, according to "The California Consumer Privacy Act of 2018" (Users are referred to below, simply as “you”, “your”, “yours”), and, for such consumers, these provisions supersede any other possibly divergent or conflicting provisions contained in the privacy policy.

    This part of the document uses the term “personal information” as it is defined in The California Consumer Privacy Act (CCPA).

    Categories of personal information collected, disclosed or sold

    In this section we summarise the categories of personal information that we've collected, disclosed or sold and the purposes thereof. You can read about these activities in detail in the section titled “Detailed information on the processing of Personal Data” within this document.

    Information we collect: the categories of personal information we collect

    We have collected the following categories of personal information about you: identifiers, commercial information, biometric information, internet information, geolocation data, sensorial information, employment related information and inferred information.

    We will not collect additional categories of personal information without notifying you.

    How we collect information: what are the sources of the personal information we collect?

    We collect the above mentioned categories of personal information, either directly or indirectly, from you when you use Hanco.

    For example, you directly provide your personal information when you submit requests via any forms on Hanco. You also provide personal information indirectly when you navigate Hanco, as personal information about you is automatically observed and collected. Finally, we may collect your personal information from third parties that work with us in connection with the Service or with the functioning of Hanco and features thereof.

    How we use the information we collect: sharing and disclosing of your personal information with third parties for a business purpose

    We may disclose the personal information we collect about you to a third party for business purposes. In this case, we enter a written agreement with such third party that requires the recipient to both keep the personal information confidential and not use it for any purpose(s) other than those necessary for the performance of the agreement.

    We may also disclose your personal information to third parties when you explicitly ask or authorise us to do so, in order to provide you with our Service.

    To find out more about the purposes of processing, please refer to the relevant section of this document.

    Sale of your personal information

    For our purposes, the word “sale” means any “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer's personal information by the business to another business or a third party, for monetary or other valuable consideration”.

    This means that, for example, a sale can happen whenever an application runs ads, or makes statistical analyses on the traffic or views, or simply because it uses tools such as social network plugins and the like.

    Your right to opt out of the sale of personal information

    You have the right to opt out of the sale of your personal information. This means that whenever you request us to stop selling your data, we will abide by your request.
    Such requests can be made freely, at any time, without submitting any verifiable request, simply by following the instructions below.

    Instructions to opt out of the sale of personal information

    If you’d like to know more, or exercise your right to opt out in regard to all the sales carried out by Hanco, both online and offline, you can contact us for further information using the contact details provided in this document.

    What are the purposes for which we use your personal information?

    We may use your personal information to allow the operational functioning of Hanco and features thereof (“business purposes”). In such cases, your personal information will be processed in a fashion necessary and proportionate to the business purpose for which it was collected, and strictly within the limits of compatible operational purposes.

    We may also use your personal information for other reasons such as for commercial purposes (as indicated within the section “Detailed information on the processing of Personal Data” within this document), as well as for complying with the law and defending our rights before the competent authorities where our rights and interests are threatened or we suffer an actual damage.

    We will not use your personal information for different, unrelated, or incompatible purposes without notifying you.

    Your California privacy rights and how to exercise them

    The right to know and to portability

    You have the right to request that we disclose to you:

    • the categories and sources of the personal information that we collect about you, the purposes for which we use your information and with whom such information is shared;
    • in case of sale of personal information or disclosure for a business purpose, two separate lists where we disclose:
      • for sales, the personal information categories purchased by each category of recipient; and
      • for disclosures for a business purpose, the personal information categories obtained by each category of recipient.

    The disclosure described above will be limited to the personal information collected or used over the past 12 months.

    If we deliver our response electronically, the information enclosed will be "portable", i.e. delivered in an easily usable format to enable you to transmit the information to another entity without hindrance – provided that this is technically feasible.

    The right to request the deletion of your personal information

    You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on Hanco, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.).

    If no legal exception applies, as a result of exercising your right, we will delete your personal information and direct any of our service providers to do so.

    How to exercise your rights

    To exercise the rights described above, you need to submit your verifiable request to us by contacting us via the details provided in this document.

    For us to respond to your request, it’s necessary that we know who you are. Therefore, you can only exercise the above rights by making a verifiable request which must:

    • provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorised representative;
    • describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

    We will not respond to any request if we are unable to verify your identity and therefore confirm the personal information in our possession actually relates to you.

    If you cannot personally submit a verifiable request, you can authorise a person registered with the California Secretary of State to act on your behalf.

    If you are an adult, you can make a verifiable request on behalf of a minor under your parental authority.

    You can submit a maximum number of 2 requests over a period of 12 months.

    How and when we are expected to handle your request

    We will confirm receipt of your verifiable request within 10 days and provide information about how we will process your request.

    We will respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. In this regard, please note that we may take up to 90 days to fulfill your request.

    Our disclosure(s) will cover the preceding 12 month period.

    Should we deny your request, we will explain to you the reasons behind our denial.

    We do not charge a fee to process or respond to your verifiable request unless such request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee, or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.

    Additional information about California privacy

    CCPA: Collection of personal information about consumers aged 13 to 16

    We collect personal information of consumers between the age of 13 and 16 and won't sell their data unless those consumers have opted-in.

    CCPA: Collection of personal information about consumers below the age of 13

    We collect personal information of consumers below the age of 13 and won't sell their data unless their parents or guardians have opted-in on behalf of those minors.

    CCPA: Collection of personal information about minors

    We do not knowingly collect personal information of consumers who are below the age of 16.

    Information for Users residing in Brazil

    This part of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the entity running Hanco and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).
    The provisions contained in this section apply to all Users who reside in Brazil, according to the "Lei Geral de Proteção de Dados" (Users are referred to below, simply as “you”, “your”, “yours”). For such Users, these provisions supersede any other possibly divergent or conflicting provisions contained in the privacy policy.
    This part of the document uses the term “personal information” as it is defined in the Lei Geral de Proteção de Dados (LGPD).

    The grounds on which we process your personal information

    We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

    • your consent to the relevant processing activities;
    • compliance with a legal or regulatory obligation that lies with us;
    • the carrying out of public policies provided in laws or regulations or based on contracts, agreements and similar legal instruments;
    • studies conducted by research entities, preferably carried out on anonymised personal information;
    • the carrying out of a contract and its preliminary procedures, in cases where you are a party to said contract;
    • the exercising of our rights in judicial, administrative or arbitration procedures;
    • protection or physical safety of yourself or a third party;
    • the protection of health – in procedures carried out by health entities or professionals;
    • our legitimate interests, provided that your fundamental rights and liberties do not prevail over such interests; and
    • credit protection.

     

    To find out more about the legal bases, you can contact us at any time using the contact details provided in this document.

    Categories of personal information processed

    To find out what categories of your personal information are processed, you can read the section titled “Detailed information on the processing of Personal Data” within this document.

    Why we process your personal information

    To find out why we process your personal information, you can read the sections titled “Detailed information on the processing of Personal Data” and “The purposes of processing” within this document.

    Your Brazilian privacy rights, how to file a request and our response to your requests

    Your Brazilian privacy rights

    You have the right to:

    • obtain confirmation of the existence of processing activities on your personal information;
    • access to your personal information;
    • have incomplete, inaccurate or outdated personal information rectified;
    • obtain the anonymization, blocking or elimination of your unnecessary or excessive personal information, or of information that is not being processed in compliance with the LGPD;
    • obtain information on the possibility to provide or deny your consent and the consequences thereof;
    • obtain information about the third parties with whom we share your personal information;
    • obtain, upon your express request, the portability of your personal information (except for anonymised information) to another service or product provider, provided that our commercial and industrial secrets are safeguarded;
    • obtain the deletion of your personal information being processed if the processing was based upon your consent, unless one or more exceptions provided for in art. 16 of the LGPD apply;
    • revoke your consent at any time;
    • lodge a complaint related to your personal information with the ANPD (the National Data Protection Authority) or with consumer protection bodies;
    • oppose a processing activity in cases where the processing is not carried out in compliance with the provisions of the law;
    • request clear and adequate information regarding the criteria and procedures used for an automated decision; and
    • request the review of decisions made solely on the basis of the automated processing of your personal information, which affect your interests. These include decisions to define your personal, professional, consumer and credit profile, or aspects of your personality.

     

    You will never be discriminated against, or otherwise suffer any sort of detriment, if you exercise your rights.

    How to file your request

    You can file your express request to exercise your rights free from any charge, at any time, by using the contact details provided in this document, or via your legal representative.

    How and when we will respond to your request

    We will strive to promptly respond to your requests.
    In any case, should it be impossible for us to do so, we’ll make sure to communicate to you the factual or legal reasons that prevent us from immediately, or otherwise ever, complying with your requests. In cases where we are not processing your personal information, we will indicate to you the physical or legal person to whom you should address your requests, if we are in the position to do so.

    In the event that you file an access or personal information processing confirmation request, please make sure that you specify whether you’d like your personal information to be delivered in electronic or printed form.
    You will also need to let us know whether you want us to answer your request immediately, in which case we will answer in a simplified fashion, or if you need a complete disclosure instead.
    In the latter case, we’ll respond within 15 days from the time of your request, providing you with all the information on the origin of your personal information, confirmation on whether or not records exist, any criteria used for the processing and the purposes of the processing, while safeguarding our commercial and industrial secrets.

    In the event that you file a rectification, deletion, anonymization or personal information blocking request, we will make sure to immediately communicate your request to other parties with whom we have shared your personal information in order to enable such third parties to also comply with your request – except in cases where such communication is proven impossible or involves disproportionate effort on our side.

    Transfer of personal information outside of Brazil permitted by the law

    We are allowed to transfer your personal information outside of the Brazilian territory in the following cases:

    • when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, according to the legal means provided by the international law;
    • when the transfer is necessary to protect your life or physical security or those of a third party;
    • when the transfer is authorised by the ANPD;
    • when the transfer results from a commitment undertaken in an international cooperation agreement;
    • when the transfer is necessary for the execution of a public policy or legal attribution of public service;
    • when the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.

     

    Personal Data (or Data)

    Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

    Usage Data

    Information collected automatically through Hanco (or third-party services employed in Hanco), which can include: the IP addresses or domain names of the computers utilised by the Users who use Hanco, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilised to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilised by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

    User

    The individual using Hanco who, unless otherwise specified, coincides with the Data Subject.

    Data Subject

    The natural person to whom the Personal Data refers.

    Data Processor (or Data Supervisor)

    The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

    Data Controller (or Owner)

    The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of Hanco. The Data Controller, unless otherwise specified, is the Owner of Hanco.

    Hanco (or this Application)

    The means by which the Personal Data of the User is collected and processed.

    Service

    The service provided by Hanco as described in the relative terms (if available) and on this site/application.

    European Union (or EU)

    Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

    Cookie

    Cookies are Trackers consisting of small sets of data stored in the User's browser.

    Tracker

    Tracker indicates any technology (e.g. Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting) that enables the tracking of Users, for example by accessing or storing information on the User’s device.


    Legal information

    This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).

    This privacy policy relates solely to Hanco, if not stated otherwise within this document.

    Latest update: 9 February 2022


    This is the END of the document entitled ‟Privacy Policy”.

     

     


    This is the END of the document entitled ‟Cookies policy”.

     

    Owner: Data Protection Officer

    Version Number: 5.0

    Primary Audience: All staff

    Document Location: Intranet

    Objective: To ensure data retention periods are observed and records are disposed of in a controlled and compliant manner.

     

    1. Context

     

    1. Introduction

    This document is the Data Retention Policy (‘Policy’) of Hanco Global Solutions Limited (“Hanco”) which sets out Hanco Policy on data retention. It applies to companies where a Hanco company has a majority shareholding.

     

    • Business Context - Hanco Global Solutions Limited and a number of its subsidiary companies are Data Controllers (registered with the Information Commissioner’s Office) and process both personal and non-personal data. The data processed relates to customers and employees so it is important that they can be confident their data is treated in the right way by Hanco.
    • Legal and Regulatory Context - The UK General Data Protection Regulations (UK GDPR) came into effect on 1st January 2021 and replaced the General Data Protection Regulation (GDPR). Data Controllers must ensure that data is processed in accordance with the UK GDPR. To this end, Hanco will take all necessary steps to ensure data held about its employees, customers, suppliers and all other individuals is processed fairly and lawfully and is retained for no longer than is absolutely necessary.

    The Information Commissioner’s Office (ICO) can prosecute Data Controllers, issue fines and ultimately remove their right to hold personal data. The Financial Conduct Authority also has the right to impose sanctions including fines for the inappropriate handling of personal data.

    2. Scope

    The Data Retention Policy covers:

    • Everyone working for or associated with Hanco, including Executive and Non-Executive Directors, Managers, employees (including those that are home-based), contractors, interim or temporary employees and third parties;
    • All data processed by Hanco, or on behalf of Hanco, including data outsourced to third parties; and
    • All records and documentation irrespective of whether they are held electronically or retained physically within Hanco.
    • This policy sets the high-level requirements; however, departments should define more detailed retention schedules where there are local requirements.

     

     

    1. Mandatory Requirements

     

    1. Responsibilities

    All staff must:

    • Ensure that personal data and non-personal data is processed in accordance with this Policy, ensuring data is processed securely, is not shared externally and is retained in accordance with the retention periods shown in this Policy; and
    • Complete all relevant UK GDPR training and testing that is made available to them.

    All Managing Directors of subsidiaries and Heads of Function must:

    • Make staff in their business area aware of the Data Retention Policy.
    • Ensure this policy is implemented in their business area
    • Define, in consultation with the Data Protection Team, more detailed schedules as appropriate
    • Ensure that, where personal data is passed to third parties, contracts / agreements are in place and contain data retention measures that reflect this Policy.

    The Data Protection Officer must:

    • Review and update this Policy regularly (at least annually);
    • Ensure all staff receive appropriate training and annual testing in Data Protection;
    • Keep staff up to date with changes to this Policy; and

    Hanco Global Solutions Ltd must:

    • Approve the Data Retention Policy.

     

     2. Policy Application

    This Policy relates to both electronic records and physical records, is relevant to all business functions within Hanco and should be applied as outlined below and in accordance with the data retention periods listed in Appendix 1:

     

    1. Electronic records

    Electronic records are those records that are generated with and used by information technology devices.

     

    1. I.T. Applications

    Electronic records that have been categorised as personal data and personal sensitive data and are stored in Hanco in-house business applications must be subject to an automated anonymisation routine. This means that once a record reaches an agreed retention period for that business application, the record will be anonymized.

     

    Third party applications must have an automated anonymization routine implemented, and anonymization retention periods must be in-line with the retention periods shown in Appendix 1.

     

    1. Network drives

    A review of folders used in network drives, including SharePoint, must be undertaken every 6 months by staff.

     

    Data records identified as having passed any of the retention periods shown in Appendix 1 must be deleted. However, there may be exceptions to this rule, for example agreed templates, process and procedural documentation used for day-to-day business needs. (Please refer to the end of this document for further information)

     

    1. Local drives

    In accordance with the IT Acceptable Use Policy, Hanco confidential data and (any) customer data must not be stored on local drives.

     

    1. Email

    Emails and mailboxes will be automatically archived as set out in Appendix 1.

     

    1. Storage and mobile devices

    Computers and mobile devices (e.g., laptops, smartphones, tablets and mobile phones) used for business purposes must be reviewed every 6 months. Any data records saved locally and identified as having passed any of the retention periods shown in Appendix 1 should be deleted.

     

    Unless approved by a member of the Hanco Global Solutions Ltd via an appropriately approved IT Request Form, storage devices such as USB keys, memory cards, portable hard drives, CD / DVD drives and other removable storage must not be used to store Hanco confidential data or (any) client data. Where use has been granted, a review of all storage media must be undertaken every 6 months. Data records identified as having passed any of the retention periods shown in Appendix 1 should be deleted.

     

    1. File sharing sites

    Unless the use of external file sharing sites has been approved by a member of the Hanco Global Solutions Ltd via an appropriately approved IT Request Form, then storing or sharing Hanco confidential data or (any) client data, files and / or documents is prohibited.

     

     

     

    Where use has been granted, a review of all shared data records must be undertaken every 6 months. Data records identified as having passed any of the retention periods shown in Appendix 1 should be deleted.

     

    1. Physical Records

    Physical records are those records, files and / or documents that can be touched and which take up physical space.

     

     

    Branch Offices

    When vacating a property – It is the responsibility of the Area Manager to ensure all files are sorted and personal data is disposed of securely, based on retention periods. They must ensure that no personal data is left unsecured in an unoccupied building. The assigned confidential waste removal company must be contacted to destroy, archive, or move the data to another branch.

     

    Branches must ensure all paper records kept on site are within retention periods and kept secure at all times. Once the files are outside of retention, they must be disposed of using the relevant confidential waste disposal process. Paper files and records must be locked away when unattended and overnight.

     

     

    1. General housekeeping, review and disposal

    To ensure every business function, office or branch complies with this Policy, there needs to be regular general housekeeping activities. This will ensure historical data records are not retained for longer than necessary and help to keep paper storage to a minimum. A review of all physical records must be undertaken every 6 months. Data records identified as having passed any of the retention periods shown in Appendix 1 must be removed and securely disposed of. Recommended practice for secure disposal is as follows:

     

    Shredders: Every office or branch should have a cross-cut shredder (cross-cut shredders are security level 3 and are the current minimum requirement for an office) or use shredding sacks / secure disposal as described below. Any records shredded in a cross-cut shredder can be recycled or placed in normal office trade waste. Any records containing personal data must be shredded. If an office or branch does not have a cross-cut shredder, they should contact Purchasing at purchasing@hancoglobal.com;

    Shredding Sacks:

     

    Former Hanco Companies

    Restore Ltd provide shredding sacks which can be filled and collected directly from an office or branch. The minimum collection amount is 10 sacks. If an office or branch requires this service to be set-up then contact Purchasing at purchasing@hancoglobal.com and provide full office address, cost centre and amount of sacks required. Once Purchasing have set-up an account the office or branch will be able to liaise directly with Restore Ltd to arrange future collections.

     

    There may be other local arrangements in addition to above. Please confirm with your line manager.

     

    Former Companies

    Shredding sacks can be ordered through the PA for each territory. Bates will take 20 bags free of charge to dispose of confidential waste per visit.

     

     

    2.3 Third Parties

    Where data is shared with a third party, there is an expectation that the third party will have their own data retention policy which reflects the data retention measures contained within this Policy. Where this is not the case then this will need to be referred to Hanco’s Data Protection Officer in the first instance.

    4. Measurement of Effectiveness

    The effectiveness of this policy will be measured by:

    • External / Independent review of controls and work practices;
    • Feedback from internal stakeholders;
    • Internal monitoring and audit outcomes.

    5. Monitoring & Reporting

    The primary methods of monitoring and reporting are:

    • Routine workplace monitoring by Line Managers, Team Leaders etc;
    • Monitoring and reporting on the application of this Policy through Internal Audit and Compliance Monitoring activity.

    6. Record Keeping

    A record of data record-keeping and disposal requirements awareness communications to the business will be maintained.

    1. Supporting Material

    Process documents, examples, templates, external materials etc.

    This Policy should be read in conjunction with the following Hanco policies which are available on the Intranet:

    • Hanco Data Protection Policy
    • Hanco Information Security Policy
    • Hanco IT Acceptable Use Policy

     

    1. Contact Points for Queries or Guidance:

     

    Name: Harshad Kamble, Data Protection Officer

    Contact Details: dpo@hancoglobal.com

     

    Review and Approval

     

    Sign Off

    Neil Westerby

    24 November 2022

    Hanco Global Solutions Ltd

    26 January 2023

    Next Review Date

    This Policy should be reviewed at least annually from the date of implementation or when a significant change occurs to the Policy subject matter. The next review date for this Policy is January 2024.

     

     


    This is the END of the document entitled ‟Hanco Data Retention Policy”.

     

     

    Owner: Hanco Data Protection Officer

    Version Number: 5.0

    Primary Audience: All staff

    Document Location: Intranet

    Objective: To set out the minimum standards to achieve compliance with the UK General Data Protection Regulation (UK GDPR) and ensure that personal data is treated in accordance with all relevant laws and regulations.

     

    Context

    1. Introduction

    This is the Data Protection Policy (“Policy”) of

    • Hanco Global Solutions Limited,
    • Hanco Global Europa SRL,
    • Hanco Global Solutions Pvt. Ltd. (India)
    • Hanco Global Solutions, Inc. (USA)

    (the entities listed above jointly and severally defining “Hanco”) which sets out Hanco’s policy on data protection.

    Hanco is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.

    This policy sets forth the expected behaviours and obligations of Hanco, Hanco employees and third parties in relation to the collection, use, retention, transfer, disclosure, and destruction of any Personal Data relating to candidates, clients and employees of Hanco who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (“Data Subjects”) under current:

    • UK data protection legislation including the General Data Protection Regulation (UK GDPR) supplemented by the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003; and
    • EU data protection regulations, including the 2016/679 General Data Protection Regulation (“GDPR”) (Collectively “Regulations”)

    This Policy sets Hanco’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must always be followed by Hanco, its employees, agents, contractors, or other parties working on behalf of Hanco.

    Hanco is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

    Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data. An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. Each Hanco company, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy. Non-compliance may expose Hanco to complaints, regulatory action, fines and/or reputational damage.

    Hanco’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all Hanco Employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.

    Business Context

    Hanco Global Solutions Limited and a number of its subsidiary companies are Data Controllers (registered with the Information Commissioner’s Office) and process personal data relating to customers and staff. It is important that customers and staff are confident that their personal data is treated in an appropriate manner by Hanco.

    Data Subjects can seek compensation for any contravention causing them harm or distress.

    2. Scope

    This Policy applies to everyone working for or associated with Hanco, including executive and non-executive directors, managers, employees, contractors, and interim/temporary employees. This policy applies to all activities conducted by Hanco, or on behalf of Hanco, including those outsourced to third parties.

    This policy applies to all Hanco Entities where a Data Subject’s Personal Data is processed:

    In the context of the business activities of the Hanco Entity.

    For the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a Hanco Entity.

    To actively monitor the behaviour of individuals.

    Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:

    Taking a decision about them.

    Analysing or predicting their personal preferences, behaviours, and attitudes.

    This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

    3. Governance

    Data Protection Team

    To demonstrate our commitment to Data Protection, and to enhance the effectiveness of our compliance efforts, Hanco has established a Data Protection Team. The Team operates with independence and is staffed by suitably skilled individuals granted all necessary authority. The Data Protection Team reports to Hanco Risk and Compliance Director who has direct access to the Hanco Board of Directors. The Data Protection Team additionally provides 2nd line support and guidance.

    Duties include:

    Informing and advising Hanco and its Employees who carry out Processing pursuant to Data Protection regulations, national law or Union based Data Protection provisions;

    Ensuring the alignment of this policy with Data Protection regulations, national law or Union based Data Protection provisions;

    Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);

    Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);

    Making and keeping current notifications to one or more DPAs as a result of Hanco’s current or intended Personal Data processing activities;

    Providing Hanco-wide mandatory training content

    Informing senior managers, officers, and directors of Hanco of any potential corporate, civil and criminal penalties which may be levied against Hanco and/or its Employees for violation of applicable Regulations.

    Policy Dissemination & Enforcement

    The management team of each Hanco Entity must ensure that all Hanco Employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy.

    In addition, each Hanco Entity will make sure all Third Parties engaged to Process Personal Data on their behalf (i.e., their Data Processors) are aware of and comply with the contents of this policy.

    Assurance of such compliance must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by Hanco.

    4. Mandatory Requirements and Responsibilities

    All staff must:

    • Ensure that all personal data is processed in accordance with the seven principles of good practice, including applying the Data Retention Policy (set out in section 2, Policy Application);
    • Ensure files containing personal information are disposed of securely and in line with the Data Retention Policy;
    • Only share information with Third Parties where there is an authorised and lawful basis to do so;
    • Refer Data Subject Rights Requests to the appropriate department as follows:
    • Former Hanco Companies;
    • Data Subject Access Requests immediately to Hanco Legal Services;
    • Right to be Forgotten Requests to IT Helpdesk
    • Report breaches of this policy and the DPA using the Risk Event and Breach Reporting procedure (available on the Risk & Compliance section of the Intranet); and
    • Complete Data Protection training and pass testing that is made available to them.

     

    All Managing Directors of subsidiaries and Heads of Function must:

    • Make staff in their area aware of this policy.
    • Ensure suitable training or procedural guidance is available for staff concerning the business approach to Data Protection requirements

    Hanco Data Protection Officer must:

    • Review and update this policy regularly (at least annually);
    • Have oversight of breaches, and ensure any material incident requiring notification to ICO is reported to Hanco Global Solutions Ltd;
    • Have oversight of ensuring all staff receive appropriate training and annual testing;
    • Advise staff on data protection law and queries;
    • Keep staff up to date with changes in law and enforcement; and
    • Renew data protection registrations with the ICO on an annual basis and set up new registrations where required.

    Hanco must:

    • Co-ordinate and respond to Data Subject Access Requests for former Hanco Companies

    IT Helpdesk must:

    • Co-ordinate and respond to Right to be Forgotten Requests for former Hanco Companies

    HR Privacy Team

    • Support first line information rights and data breaches in former companies and ensure where these are dealt with locally the request reaches the relevant department

    Heads of Department with Data Protection Rights and Breach delivery responsibilities

    • Ensure rights and delivery are dealt with in line with Hanco Legal responsibilities, escalating to the Data Protection Team when relevant.

    Subsidiary Boards must:

    • Provide oversight and challenge over the key risks and controls in relation to data protection and oversee actions relating to data protection issues; and
    • Review material breaches to ensure that the causes are understood, any potential customer detriment is identified, and appropriate and timely actions are taken to address such issues.

    Data Privacy Steering Committee must:

    • Provide oversight of Data Privacy arrangements.
    • Receive reporting on material breaches and actions taken to resolve them.
    • Consider and review any risk accepted approaches to data protection compliance.

    Hanco Global Solutions Ltd must:

    • Approve the Data Protection Policy;

    5. Policy Application

    Hanco will implement and comply with the UK GDPR and the applied Regulations in relation to processing personal information. Hanco will ensure that it complies with the principles which govern its collection, use, retention, transfer, disclosure, and destruction of Personal Data:

    Principle 1: Lawfulness, Fairness and Transparency

    Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means, Hanco must tell the Data Subject what Processing will occur (transparency), the Processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable Data Protection regulation (lawfulness).

    Principle 2: Purpose Limitation

    Personal Data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes. This means Hanco must specify exactly what the Personal Data collected will be used for and limit the Processing of that Personal Data to only what is necessary to meet the specified purpose.

    Principle 3: Data Minimisation

    Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed. This means Hanco must not store any Personal Data beyond what is strictly required.

    Principle 4: Accuracy

    Personal Data shall be accurate and kept up to date. This means Hanco must have in place processes for identifying and addressing incorrect, incomplete and / or out-of-date Personal Data.

    Principle 5: Storage Limitation

    Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed. This means Hanco must, wherever possible, store Personal Data in a way that limits or prevents identification of the Data Subject.

    Principle 6: Integrity & Confidentiality

    Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. Hanco must use appropriate technical and organisational measures to ensure the integrity and confidentiality of Personal Data is maintained at all times.

    Principle 7: Accountability

    The Data Controller shall be responsible for and be able to demonstrate compliance. This means Hanco must demonstrate that the six Data Protection Principles (outlined above) are met for all Personal Data for which it is responsible.

    Data Collection

    Data Sources

    Personal Data should be collected only from the Data Subject unless one of the following applies:

    • The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies.
    • The collection must be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.

    If Personal Data is collected from someone other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies:

    • The Data Subject has received the required information by other means.
    • The information must remain confidential due to a professional secrecy obligation.
    • A law expressly provides for the collection, Processing or transfer of the Personal Data.

    Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:

    • One calendar month from the first collection or recording of the Personal Data
    • At the time of first communication if used for communication with the Data Subject
    • At the time of disclosure if disclosed to another recipient.

    Data Subject Consent

    Each Hanco Entity will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and Consent of the individual concerned. Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, Hanco is committed to seeking such Consent.

    Data Subject Notification

    Each Hanco Entity will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data.

    When the Data Subject is asked to give Consent to the Processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following applies:

    • The Data Subject already has the information.
    • A legal exemption applies to the requirements for disclosure and/or Consent.

    The disclosures may be given orally, electronically or in writing.

    External Privacy Notices

    Each external website provided by a Hanco Entity will include an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law. All Privacy and Cookie Notices must be approved by the Office of Data Protection prior to publication on any Hanco external website.

    6. Data Use

    Data Processing

    Hanco uses the Personal Data of its Contacts for the following broad purposes:

    • The general running and business administration of Hanco Entities.
    • To provide services to Hanco customers
    • The ongoing administration and management of customer services.

    The use of a Contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object. For example, it would clearly be within a Contact’s expectations that their details will be used by Hanco to respond to a Contact request for information about the products and services on offer. However, it will not be within their reasonable expectations that Hanco would then provide their details to Third Parties for marketing purposes.

    Each Hanco Entity will Process Personal Data in accordance with all Regulations and applicable contractual obligations. More specifically, Hanco will not Process Personal Data unless at least one of the following requirements is met:

    • The Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes.
    • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
    • Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
    • Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
    • Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a Third Party (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child).

    There are some circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the Personal Data was collected. When making a determination as to the compatibility of the new reason for Processing, guidance and advice must be obtained from the Office of Data Protection before any such Processing may commence.

    In any circumstance where Consent has not been gained for the specific Processing in question, Hanco will address the following additional conditions to determine the fairness and transparency of any Processing beyond the original purpose for which the Personal Data was collected:

    • Any link between the purpose for which the Personal Data was collected and the reasons for intended further Processing.
    • The context in which the Personal Data has been collected, in particular regarding the relationship between Data Subject and the Data Controller.
    • The nature of the Personal Data, in particular whether Special Categories of Data are being Processed, or whether Personal Data related to criminal convictions and offences are being processed.
    • The possible consequences of the intended further Processing for the Data Subject.
    • The existence of appropriate safeguards pertaining to further Processing, which may include Encryption, Anonymisation or Pseudonymisation.

    Special Categories of Data

    Hanco will only Process Special Categories of Data (also known as sensitive personal data) where the Data Subject expressly consents to such Processing or where one of the following conditions applies:

    • The Processing relates to Personal Data which has already been made public by the Data Subject.
    • The Processing is necessary for the establishment, exercise, or defence of legal claims.
    • The Processing is specifically authorised or required by law.
    • The Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent.
    • Further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.

    In any situation where Special Categories of Data are to be Processed, prior approval must be obtained from the Office of Data Protection and the basis for the Processing clearly recorded with the Personal Data in question.

    Where Special Categories of Data are being Processed, Hanco will adopt additional protection measures. Each Hanco Entity may also adopt additional measures to address local custom or social expectation over the Processing of Special Categories of Data.

    Children’s Data

    Children are unable to Consent to the Processing of Personal Data for information society services. Consent must be sought from the person who holds parental responsibility over the child. However, it should be noted that where Processing is lawful under other grounds, Consent need not be obtained from the child or the holder of parental responsibility.

    Should any Hanco Entity foresee a business need for obtaining parental consent for information society services offered directly to a child, guidance and advice must be obtained from the Office of Data Protection before any Processing of a child’s Personal Data may commence.

    Data Quality

    Each Hanco Entity will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance and is updated to reflect the current situation of the Data Subject. The measures adopted by Hanco to ensure data quality include:

    • Correcting Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading, or outdated, even if the Data Subject does not request rectification.
    • Keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period.
    • The removal of Personal Data if in violation of any of the Data Protection principles or if the Personal Data is no longer required.
    • Restriction, rather than deletion of Personal Data, insofar as:
        • a law prohibits erasure.
        • erasure would impair legitimate interests of the Data Subject.
        • the Data Subject disputes that their Personal Data is correct, and it cannot be clearly ascertained whether their information is correct or incorrect.

    Profiling & Automated Decision-Making

    Hanco will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law.

    Where a Hanco Entity utilises Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects. In such cases the Data Subject will be given the opportunity to:

    • Express their point of view.
    • Obtain an explanation for the automated decision.
    • Review the logic used by the automated system.
    • Supplement the automated system with additional data.
    • Have a human carry out a review of the automated decision.
    • Contest the automated decision.
    • Object to the automated decision-making being carried out.

    Each Hanco Entity must also ensure that all Profiling and automated decision-making relating to a Data Subject is based on accurate data.

    Marketing

    As a general rule, Hanco will not send promotional or direct marketing material to Hanco Contacts through digital channels such as mobile phones, email and the Internet, without first obtaining their consent. Any Hanco Entity wishing to carry out a digital marketing campaign without obtaining prior Consent from the Data Subject must first submit a Legitimate Interest Assessment to the Office of Data Protection.

    Where Personal Data Processing is approved for digital marketing purposes, the Data Subject must be informed at the point of first contact that they have the right to object, at any stage, to having their data Processed for such purposes. If the Data Subject puts forward an objection, digital marketing related to the processing of their Personal Data must cease immediately and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted.

    Data Retention

    To ensure fair processing, Personal Data will not be retained by Hanco for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed.

    The length of time for which Hanco Entities need to retain Personal Data is set out in the Hanco Data Retention Policy. This considers the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.

    Each Hanco Entity will adopt physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or Processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.

    The minimum set of security measures to be adopted by each Hanco Entity is provided in the Hanco ‘Information Security Policy’. A summary of the Personal Data related security measures is provided below:

    • Prevent unauthorised persons from gaining access to data processing systems or stored data in which Personal Data are processed.
    • Prevent persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations.
    • Ensure that Personal Data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation.
    • Ensure that Personal Data is protected against undesired destruction or loss.

    Data Subject Access Requests

    Hanco Legal Services will establish a system to enable and facilitate the exercise of Data Subject rights.

    If an individual makes a request relating to any of the rights listed above, Hanco will consider each such request in accordance with all Regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.

    Data Subjects are entitled to obtain, based upon a request made in writing to Hanco Legal Services and upon successful verification of their identity, the following information about their own Personal Data:

    • The purposes of the collection, Processing, use and storage of their Personal Data.
    • The source(s) of the Personal Data, if it was not obtained from the Data Subject.
    • The categories of Personal Data stored for the Data Subject.
    • The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients.
    • The envisaged period of storage for the Personal Data or the rationale for determining the storage period.
    • The use of any automated decision-making, including Profiling.
    • The right of the Data Subject to: object to Processing of their Personal Data, lodge a complaint with the Data Protection Authority, request rectification or erasure of their Personal Data or request restriction of Processing of their Personal Data.

    If Hanco cannot respond fully to the request within 30 days, Hanco Legal Services shall nevertheless provide the following information to the Data Subject, or their authorised legal representative, within the specified time:

    • An acknowledgement of receipt of the request.
    • An estimated date by which any remaining responses will be provided.
    • The name and contact information of the Hanco individual who the Data Subject should contact for follow up.

    It should be noted that situations may arise where providing the information requested by a Data Subject would disclose Personal Data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.

    Law Enforcement Requests & Disclosures

    In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:

    • The prevention or detection of crime.
    • The apprehension or prosecution of offenders.
    • The assessment or collection of a tax or duty.
    • By the order of a court or by any rule of law.

    If a Hanco Entity Processes Personal Data for one of these purposes, then it may apply an exception to the Processing rules outlined in this policy but only to the extent that not doing so would be likely to prejudice the case in question.

    If any Hanco Entity receives a request from a court or any regulatory or law enforcement authority for information relating to a Hanco Contact, you must immediately notify Hanco Financial Crime Prevention Department who will provide guidance.

    Data Protection Training

    All Hanco Employees that have access to Personal Data will have their responsibilities under this policy outlined to them. In addition, each Hanco Entity will provide regular Data Protection training and procedural guidance for their staff. The training and procedural guidance set forth will consist of, at a minimum, the following elements:

    • The Data Protection Principles set forth above.
    • Each Employee’s duty to use and permit the use of Personal Data only by authorised persons and for authorised purposes.
    • The need for, and proper use of, the forms and procedures adopted to implement this policy.
    • The correct use of passwords, and other access mechanisms.
    • The importance of limiting access to Personal Data, such as by using password protected screen savers and logging out when systems are not being attended by an authorised person.
    • Securely storing manual files, print outs and electronic storage media.
    • Proper disposal of Personal Data.
    • Any special risks associated with particular departmental activities or duties.

    As set out in the Conditions of Employment, all employees must pass such training within the first 3 months of employment.

    Data Transfers

    Hanco Entities may transfer Personal Data to internal or Third-Party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant Data Subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e., Third Countries), they must be made in compliance with an approved transfer mechanism.

    Hanco Entities may only transfer Personal Data where one of the transfer scenarios listed below applies:

    • The Data Subject has given Consent to the proposed transfer.
    • The transfer is necessary for the performance of a contract with the Data Subject.
    • The transfer is necessary for the implementation of pre-contractual measures taken in response to the Data Subject’s request.
    • The transfer is necessary for the conclusion or performance of a contract concluded with a Third Party in the interest of the Data Subject.
    • The transfer is legally required on important public interest grounds.
    • The transfer is necessary for the establishment, exercise, or defence of legal claims.
    • The transfer is necessary in order to protect the vital interests of the Data Subject.

    Transfers between Hanco Entities

    In order for Hanco to carry out its operations effectively across its various Entities, there may be occasions when it is necessary to transfer Personal Data from one Hanco Entity to another. Should this occur, the Hanco Entity sending the Personal Data remains responsible for ensuring protection for that Personal Data.

    Transfers to Third Parties

    Each Hanco Entity will only transfer Personal Data to, or allow access by, Third Parties when it is assured that the information will be Processed legitimately and protected appropriately by the recipient. Where Third Party Processing takes place, each Hanco Entity will first identify if, under applicable law, the Third Party is considered a Data Controller or a Data Processor of the Personal Data being transferred.

    Where the Third Party is deemed to be a Data Controller, the Hanco Entity will enter into an appropriate agreement with the Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.

    Where the Third Party is deemed to be a Data Processor, the Hanco Entity will enter into an adequate Processing agreement with the Data Processor. The agreement must require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with Hanco instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification of Personal Data Breaches. Hanco has a Data Processing Agreement document that should be used.

    Data Protection by Design

    To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing.

    Each Hanco Entity must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Office of Data Protection, for all new and/or revised systems or processes for which it has responsibility. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Office of Data Protection to assess the impact of any new technology uses on the security of Personal Data.

    3. Measurement of Effectiveness

    The effectiveness of this policy will be measured by:

    • Reviewing breaches regularly; and
    • Audit and compliance monitoring outcomes.

    In order to confirm that an adequate level of compliance is being achieved by all Hanco Entities in relation to this policy, the Office of Data Protection, in conjunction with other relevant departments, will carry out periodic Data Protection reviews for all such Entities. Each review will, as a minimum, assess:

    • Compliance with Policy in relation to the protection of Personal Data, including:
        • The assignment of responsibilities.
        • Raising awareness.
        • Training of Employees.
    • The effectiveness of Data Protection related operational practices, including:
        • Data Subject rights.
        • Personal Data transfers.
        • Personal Data incident management.
        • Personal Data complaints handling.
    • The level of understanding of Data Protection policies and Privacy Notices.
    • The currency of Data Protection policies and Privacy Notices.
    • The currency of the submitted Register of Processing Activity (ROPA).
    • The accuracy of Personal Data being stored.
    • The conformity of Data Processor activities.
    • The adequacy of procedures for redressing poor compliance and Personal Data Breaches.

    The Office of Data Protection, in cooperation with key business stakeholders from each Hanco Entity, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies identified will be reported to and monitored by Hanco Global Solutions Ltd.

    Supporting Material

     

    This Policy should be read in conjunction with the following Hanco policies which are available on the Intranet:

    • Hanco Data Retention Policy
    • Hanco Information Security Policy
    • Hanco IT Acceptable Use Policy


    Contact Points for Queries or Guidance:

    Name: Harshad Kamble, Data Protection Officer
    Contact Details: dpo@hancoglobal.com

     

    Review and Approval

    Sign Off

    Neil Westerby

    24 November 2022

    Hanco Global Solutions Ltd

    26 January 2023

    3.0

    Neil Westerby

    20/01/2021

    Annual review of the policy. Updated to refer to UK GDPR. Responsibilities updated: the second line will provide Hanco wide mandatory training and business area heads must provide training or guidance to staff concerning their business approach to data protection. The Data Privacy Steering Committee will review risk accepted approaches to data protection compliance. Approved by Hanco Global Solutions Ltd on 20 January 2021.

    4.0

    Neil Westerby

    18/01/2022

    Annual Review of the Policy. Updates to Section 3 Governance: Office of Data Protection team changed to be Data Protection Team.

    Section B1 Responsibilities: Amended responsibilities in line with acquisition; inclusion of responsibilities for the HR Privacy Team and for Heads of Department with Data Protection Rights and Breach delivery. Approved by Hanco Global Solutions Ltd on 18 January 2022.

    5.0

    Neil Westerby

    26/01/2023

    Annual Review of the Policy. No changes. Approved by Hanco Global Solutions Ltd on 26 January 2023.

    Next Review Date

    This policy should be reviewed at least annually or when significant change occurs to the policy subject matter. The next review date for this policy is January 2024.

    Glossary

    Data Controller

    A person or organisation which determines the purposes for which, and the manner in which, Personal Data is processed. They have a responsibility to establish practices and policies in line with the Act. Hanco Global Solutions Limited or its subsidiary will be the data controller for, amongst other data, its customer and employee Personal Data. This makes Hanco primarily liable for this Personal Data. Hanco cannot contract out of this liability even if someone else holds the Personal Data.

    Data Subject

    All living individuals about whom Hanco holds personal data. Therefore, companies and other unincorporated bodies are not considered to be Data Subjects.

    DPA or DPA18

    Data Protection Act 2018

    FCA

    Financial Conduct Authority

    UK GDPR

    United Kingdom General Data Protection Regulation

    GDPR

    General Data Protection Regulation

    ICO

    The Information Commissioner’s Office is the regulator of data protection issues.

    Personal Data

    Data relating to a living individual who can be identified from that data. Personal Data can be factual (such as a name, address or date of birth) or it can be an expression of an opinion (such as a performance appraisal). It can be stored electronically or in paper files stored in a structured manner.

    Sensitive Personal Data

    Information of a private nature such as an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. A higher standard of care is attached to sensitive personal data. The presumption is that because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other Personal Data.

    Employee

    An individual who works part-time or full-time for Hanco under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors.

    Third Party

    An external organisation with which Hanco conducts business and is also authorised to, under the direct authority of Hanco, Process the Personal Data of Hanco Contacts.

    Personal Data

    Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.

    Contact

    Any past, current or prospective Hanco customer.

    Identifiable Natural Person

    Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    Data Controller

    A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

    Hanco Entity

    A Hanco establishment, including subsidiaries and joint ventures over which Hanco exercises management control.

    Data Subject

    The identified or Identifiable Natural Person to which the data refers.

    Process, Processed, Processing

    Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    Data Processors

    A natural or legal person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.

    Consent

    Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

    Special Categories of Data

    Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

    PECR

    Privacy and Electronic Communications Regulations

    Profiling

    Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

    Personal Data Breach

    A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

    Encryption

    The process of converting information or data into code, to prevent unauthorised access.

    Pseudonymisation

    Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified.

    Anonymisation

    Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.


    This is the END of the document entitled “Data Protection Policy”.

    Solutions descriptions are Copyright © 2024,
    Hanco, All Rights Reserved.