PeteFinnigan.com Limited Privacy Statement
EFFECTIVE FROM: 25-May-2018
This policy applies to petefinnigan.com and all sub-domains, petefinnigan.co.uk, petefinnigan.net and also to pfclscan.com, pfclobfuscate.com and pfclsupport.com
PeteFinnigan.com Limited is strongly committed to ensuring that your privacy is protected. Should we ask you to provide certain personal information by which you can be identified when using this website or by doing business with us, then you can be assured that it will only be used in accordance with this privacy statement and for the purpose that you provide consent. PeteFinnigan.com Limited may change this policy from time to time by updating this page but we will not change the purpose that we agreed to use your personal data unless we ask for your consent first.
One of the new overriding features of GDPR is that we don't baffle you with legal speak. This policy has been written in plain English to outline in clear and concise ways how we deal with your personal data in a secure way.
Who Are We?
PeteFinnigan.com Limited is a British company registered in England and Wales (Reg Number: 4664901); our address is Tower Court, 3 Oakdale Road, York, YO30 4XL, UK.
PeteFinnigan.com Limited provides services, training and software products to help customers secure the data held in their Oracle databases. We do this by providing consulting in the areas of security audits, help designing systems, training classes and also by selling licenses to our database scanner and our PL/SQL obfuscator.
What Do We Use Your Personal Data For?
PeteFinnigan.com Limited will not collect any personally identifiable information about individuals except where such information is voluntarily submitted by the individual and is necessary to complete or further support a business transaction. We recognise that websites and other elements of running a business quite often involve collecting what is now deemed to be personal data by the GDPR. Personal data in the context of the GDPR means any one or more pieces of information that on their own or together can identify a person directly, or could do so when combined with other information. An example (This is a general example and not related to our business) could be that a Pensions company may use your National Insurance number as a policy identifier (This is a UK piece of data). This identifier on its own when queried against the UK HMRC database would uniquely identify a person - i.e. it is unique to each person. A second example may be a web IP Address. On its own this IP address cannot identify a person and it is common for websites to collect these in many ways and this identifier is one that in GDPR is classed as personal data because if this IP Address were combined with an ISP's logs and accounting system it could be used to uniquely identify someone.
We have spent a lot of time to ensure that our websites do not now collect personal data. Some of these types of personal data are discussed next, along with what we have done to not collect this data. We do not do direct marketing via emails, so we do not contact people using their personal details other than for legitimate business. We have spent considerable effort to remove personal details from our business and website. We believe we have removed it all but we are not infallible and we may have missed something; if you spot something please let us know and we will remove it. Our goal to comply with GDPR is to only keep personal details necessary to do business and for the length of that business; we have decided to stop any direct marketing such as email as it is then clearer with GDPR. Here are some examples of personal data:
- Buying something: If you license something from us such as a PFCLScan license or book a place on a training course or ask us to perform an audit then as part of setting up the license we will ask you for basic personal contact details such as your name and email address and company address. These details are used only to fulfil the piece of work and may be included in our license database or occasionally in an invoice. In general we try and avoid including personal details unless absolutely necessary. We do not need consent for this as this is required in UK law for accounting and providing a service. This link gives details.
- Website Forum: Our forum previously included a lot of registered users; their names, email addresses and IP addresses. We have reviewed the forum and closed it to registered users; the logon has been removed completely. We have changed all instances of personal details (names, emails, IP addresses) to be Pete Finnigan and email@example.com and dummy IP addresses such as 127.0.0.1. Pete Finnigan's details are visible in the public domain anyway. This means that all posts now look like they were made by Pete Finnigan but this removes the need to protect this personal data.
- Social Media Links: All social media links are just that, links. We do not embed social media, so these do not create cookies on our websites, as this is classed as personal data; there is therefore no privacy issue in this respect for our users.
- Cookies: After the Cookie law was introduced in 2012 we audited all of our websites for Cookies and reduced them to the minimum. In recent weeks we have audited all of our websites for Cookies for GDPR and we have removed all cookies that were located. Our websites do not set cookies so do not need to comply with GDPR in this respect as there is no privacy issue to users.
- Web Server Logs: Websites generally produce many logs such as the webserver log, error log, security logs and more that could show IP addresses of the visitor and username if they were logged in or URLs that brought the visitor to our site; these may contain personal data. These logs are generally not looked at often and are used to track security incidents or to give high level statistics of website visits. Because consent to record this data is virtually impossible to get for GDPR we decided to disable this for now. We don't record your personal details in weblogs or server logs.
- Visitors Online: We have a small indicator at the top of most pages in this site that shows number of visitors on line. This was previously driven by storing IP Addresses of all visitors and then checking the number of distinct visits over a short period. Because the IP address is classed as personal data we now instead store a hashed value that cannot be tracked back to the original visitor or IP Address; so we don't store your personal data in this area either.
- Mailing List: Our website has past copies of our newsletter. We had a few thousand email subscribers. Rather than get consent we have decided to not do email marketing so the email list has been deleted.
- Website Comments: Our website blogs previously included almost 300 comments on blog posts made by the website's visitors. Because these posts included personal details in the form of names, emails, IP addresses and websites we have decided to remove all of the personal details from the comments to avoid the need to store people's personal details on our website. This means that all blog comments now have Pete Finnigan's details as the author, his email address and the PeteFinnigan.com website and a dummy IP Address. Pete Finnigan's details are in the public domain already in his website so this is not a personal data breach. Unfortunately this makes every comment look like it was made by Pete Finnigan when it was not but this removes any risk of personal data breach in this area. Comments are now disabled in this website to prevent the collection of personal data.
- Third Parties: We only use PayPal for credit card payments where the customer has requested to pay by card. We create a PayPal invoice that only includes the customer's contact email address. We do not see or hold or process credit card or banking details in this case.
So in summary we may collect personal details in the form of email address, name and sometimes address (we usually only deal with B2B business but sometimes a customer may book training personally rather than through his/her employer). We may collect your email, name and sometimes address if you:
- Request a proposal for services
- Engage PeteFinnigan.com Limited for instance to provide training or consulting services
- Contact PeteFinnigan.com Limited by phone or email (for instance to enquire about services)
The kind of information that we hold on you could include the following:
- Your personal details such as your name and address
- Details of contact, such as email address and name
- Details of services in the form of proposals or invoices - these may or may not contain personal details
- Our correspondence with you such as emails or letters
We process your data only to complete business transactions and record and account keeping necessary to run a UK limited company. We may pass your personal data to third parties such as PayPal where you have elected to pay by credit card but this personal data is limited to your email address and amount to be paid and our invoice number.
We do not use personal data for marketing.
We may process your data prior to a contract or license sale being agreed in order to communicate with you (email and name).
When assessing how long we need to keep your personal data we take into account the following aspects:
- The requirements of the business and services and products that we provide
- Any statutory legal obligations
- The purpose for which your personal data was originally collected
- The lawful grounds on which the processing is based
- The amount of data and categories
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical (for paper copies of invoices etc), electronic and managerial procedures to safeguard and secure the information we collect online or that is given directly to us for us to satisfy your license or work.
We have security policies for our company generally to cover data security; we also have a data security policy and also an access and use policy.
We use password protected computer equipment and your personal data is stored encrypted. We also use encrypted file systems that are not automatically mounted. In the case of paper copies where personal data is included (invoice where the customer was personal B2C not B2B) then we have redacted the name and address on the printed copy. The paper copies are also stored securely.
Links to other websites
Our website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement.
You should exercise caution and look at the privacy statement applicable to the website in question.
Your Rights over your personal information
We will not sell, distribute or lease your personal information to third parties ever.
You may request details of personal information which we hold about you under the GDPR. If you would like a copy of the information held on you please write to firstname.lastname@example.org. We will provide the data in a portable format - the GDPR has not defined what this is but we are able to provide data in a suitable format.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the email address above or the address on our contact page. We will promptly correct any information found to be incorrect.
GDPR also provides for the right to be forgotten or the right to Erasure. If you would like any personal details deleted then please contact us and we will delete records as soon as possible; often in one or two days and well in advance of the required time by law. Please note that we aim only to keep personal details for business transactions and it may not be possible to delete some data if it is required by UK law for records that must be retained for a UK Limited company. We will advise you either way.
PeteFinnigan.com Limited also has a data breach policy and in the event of a data breach we will implement this process and inform the ICO if necessary and also the persons whose data has been breached, again if necessary.