Struggling to get your head around TNFD? Check out our guide to getting started.
Get the TNFD guide

Privacy Policy

1. Information we collect and how it is used

When browsing our website, submitting information via our contact form, registering with us for services online, registering interest in advertised job roles through our website, logging into our online services, engaging with our support and communication tools, and purchasing services from us, we collect personal information about you that may be combined, reviewed, logged, stored, or accessed for the following purposes:

  1. To enable you to customise or personalise your experience of our website;
  2. Responding to requests for more information about our products and services;
  3. Registering an account so that we can provide you with the services you have requested;
  4. Processing subscription payments;
  5. Responding to demo and onboarding session requests, and booking meetings;
  6. Facilitating login to the Earth Blox application using a registered Earth Blox account or third party corporate or social logins such as Google and Microsoft;
  7. Reviewing and responding to applications for advertised positions;
  8. Providing ongoing customer assistance and technical support by receiving, analysing, and responding to support requests;
  9. Facilitating the correct operation of our services by logging necessary transaction, event, and error data;
  10. Improving the service by running machine learning (ML) analysis on workflow parameters; 
  11. Communicating with you regarding changes and improvements to the Earth Blox application which are relevant to your service subscription;
  12. Providing necessary training materials and product information to you, our customers, by receiving and analysing your feedback and feature requests;
  13. Communicating with you for the purposes of marketing our products and services where we believe you have a legitimate interest in those products and services;
  14. Providing you with tools and localisation services to improve the interactivity and usability of our product for you;
  15. Analysis of application usage to help develop and improve our customer success programme; and
  16. Complying with any applicable laws and regulations.

1.1 Types of data collected

The specific types of personal data that we collect are:

  1. Contact data you supply, such as name, email, phone number, address.
  2. Employment information such as industry, company name, operational interest, organisation information.
  3. Authentication data consisting of email address, which is used for login to our service.
  4. Where corporate/social login (Single Sign On) is used to facilitate user authentication and access to the application, email address and display names may also be collected as part of the account verification process between the identity provider and our application.
  5. Recruitment data consisting of name, contact details, previous employment information, education and training.
  6. Personal data submitted via support requests which would typically contain contact data consisting of name, email address, and phone number, but may also include screenshots taken on your local devices.
  7. Log and access data which may include technical details about devices that you used and actions performed by you while logged into our services, including the statistics about the workflows run. Personally identifiable data is removed from log data wherever possible, but it may be possible to combine log data to personally identify persons using our services.
  8. Analytics data from our application consisting of user account information, organisation, geolocation, operating system used, browser, browser language, and session information.

2. Our legal basis for processing your personal data

The processing activities we perform are primarily carried out for our legitimate interest as a commercial company that is developing and selling software-as-a-service. We also process personal data in order to fulfil our contractual and service level obligations to you when you purchase these services from us.

When we process personal data in order to market our product, we do so based on your consent, and our legitimate interest. You may provide consent via voluntary submission of a contact request, demo booking request, support request, or onboarding session request following subscription to the service. You are entitled to withdraw this consent at any time by submitting a request as described in this policy. Where we process publicly available contact data as part of digital marketing campaigns, we may contact you for the purposes of demonstrating or selling existing or new products and services which we believe may be of legitimate interest to you. You have the right to object to any marketing communications, and we will 1) provide you with a suitable mechanism to do so as part of the campaign, and 2) cease processing your contact data for marketing purposes.

When you submit personal data to us by registering your interest in an advertised position, we process this data based on our legitimate interest.

3. Retention of your personal data

We keep your personal information only for as long as we need to, and delete this data when it is no longer required. The retention period is dependent on what your data is being processed for, in accordance with this policy. For example, if you have provided us with personal information as part of creating an account with us, we will retain this information for the duration your account exists on our system in order to provide services to you. Where you no longer subscribe to our services, your personal data will be deleted, or anonymised to the extent possible where it may need to be retained for legal and regulatory purposes. Derived data for analytic/statistical purposes will be anonymised.

4. Security of your personal data

When we collect and process personal data, and for the duration that we retain and store this data, we will protect it within commercially acceptable means to prevent loss and theft, and unauthorised access, disclosure, copying, use or modification. We do this primarily by:

  • Using industry standard encryption technology wherever possible to protect your data from the point of collection to the time that it is deleted;
  • By implementing access control mechanisms;
  • By ensuring data processing agreements are in place with relevant third parties;
  • By training our employees and contractors on the correct handling of your data.

However, we advise that no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security. For example, you are responsible for 1) the safe keeping and strength of any passwords you create to log into our services, and 2) for ensuring the security of your own information within the bounds of our services. Where your password can be easily guessed, or where you inadvertently divulge it to unauthorised users, we cannot ensure the confidentiality of the data held in your account with us.

5. Sharing of personal data with third parties

Your personal data will be shared with third parties that we use to help deliver our services to you, or where required to share it for legal or regulatory purposes. Categories of third parties would include:

  • Cloud-service providers contracted by us to provide required infrastructure and data centre services, which would include services such as data storage, processing, logging and monitoring, email, web services, networking, data backup, account authentication, load-balancing and capacity management, etc.;
  • Web hosting providers for hosting of our website and collection of contact form data and demo requests;
  • Data analytics providers for analysis of application data;
  • Application development platforms for the development and management of our application;
  • Meeting and calendar software providers for scheduling and carrying out online meetings; 
  • Contractors employed to carry out specific services on our behalf;
  • CRM services for recording and managing customer accounts, and tracking customer requests and feedback;
  • Contract processing services to supply contract sharing and signing capabilities;
  • Payment providers to process payment of your subscriptions;
  • Legal and regulatory authorities where required in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights;
  • Communication tool providers used to facilitate customer and prospect communications such as cloud-based phone systems, email support, support call and demo bookings;
  • Marketing tool providers used to legitimately sell our products and services to interested customers.

Our primary third parties are detailed in the Approved Sub-processors Appendix.

6. International transfers of personal data

The personal data we collect is primarily stored and processed within the EU and the UK. Third parties that we contract for services may use processing facilities outside of the EU where necessary for the fulfilment of certain services, for redundancy, and for the purposes of providing support services. Where this is the case, and the country does not have equivalent data protection laws to that of the EU, we will ensure:

  1. ‍Any transfers of data are performed in accordance with the requirements of applicable law; and
  2. The data transferred is protected in accordance with this policy.

Typically, we will do this by ensuring Standard Contractual Clauses (SCC) published by the European Commission are in place with relevant third parties as part of our ISO/IEC 27001 supplier due diligence programme prior to any transfers. Where this is not possible, we will ensure that transfers will only take place based on your informed consent.

7. Children's privacy

We do not aim any of our products or services directly at children under the age of 18 and we do not knowingly collect personal information about children under 18.

8. Cookies

We use cookies to collect information about the use of our application as mentioned in section 1 of this policy. A cookie is a small piece of data that our application stores on your computer when you login using your authorised Earth Blox account. This data helps us to understand how the application is used, identify possible issues or malicious activity, and set your application preferences.

‍Please refer to our Cookie Policy for more information.

9. Your data protection rights

Under data protection law, you have certain rights which you are entitled to exercise and which we are required to make you aware of. These include:

9.1 The right to access

You may request that we provide you with copies of any personal data that we hold about you.

9.2 The right to rectification

If you believe that any personal data we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete,  misleading, or out of date.

9.3 The right to erasure

You have the right to request that we erase any personal data we hold about you. However, where we are required to process your data for a legal basis such as compliance with a legal obligation, or where the data must be processed to continue to deliver contracted services to you, it may not be possible to erase your personal data.

9.4 The right to restrict processing

You have the right to request that we restrict the processing of your personal data if (i) you are concerned about the accuracy of your personal data; (ii) you believe your personal data has been unlawfully processed; (iii) you need us to maintain the personal data solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.

9.5 The right to object to processing

You have the right to object to processing of your personal data where (i) the processing is carried out based on our legitimate interests, (ii) carried out in the public interest such as for research purposes; or (iii) the processing relates to direct marketing. Where the processing is based on our legitimate interests or in public interest, you must clearly submit your grounds for objection in a request in accordance with this privacy policy.

9.6 The right to data portability

You have the right to request that your personal data be transferred to you, or another data controller of your choice, in a structured and machine-readable form so that the personal data can be reused. An example of this may be if you choose to transfer services to another service provider.

9.7 Consent

As mentioned in section 2 of this policy, you have the right to withdraw consent of the processing of your personal data at any time, subject to certain conditions. To unsubscribe from our email database or opt out of communications (including marketing communications), please contact us using the details provided below, or opt out using the opt-out facilities provided in the communication. We may need to request information from you to help us confirm your identity.

9.8 Lodging a complaint with a supervisory authority

You have the right to lodge a complaint regarding our processing of your personal data with a supervisory authority. In the United Kingdom, the supervisory authority is the Information Commissioner's Office, and you can submit a complaint via webform or phone as directed on their website: https://ico.org.uk/make-a-complaint/. Please note that the information linked is maintained by a third party, and may be moved, deprecated, or redirected by that third party at any time.

10. Contacting us

The personal data that we process about you is controlled by Quosient Ltd, 5 South Gyle Crescent Lane, Scotland, Edinburgh, EH12 9EG, United Kingdom.. For any queries or requests regarding your personal data, or if you believe that we may be in breach of relevant data protection law, please contact: dpo@earthblox.io. Where you prefer to make a request verbally via phone call, please let us know and we will arrange a call back.

Where you submit a data subject access request to us, we will respond without undue delay in writing, unless specifically requested otherwise, within 1 month of receiving your request, in line with current data protection law.

11. Changes to this policy

We may periodically make changes to this privacy policy to reflect updates to our business processes, or legislative or regulatory changes. We will post the changes here on our website, at the same link by which you are accessing this policy.

If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.

If required by law, we will get your permission or provide you with the facility to opt in to or opt out of, as applicable, any new uses of your personal information.

Appendix 1 – Approved Sub-processors

Sales and Marketing:

  • Webflow
  • Pandadocs
  • Freshworks Freshdesk
  • LinkedIn Sales Navigator
  • Zoom

Enterprise SaaS Agreement:

  • Google Cloud Platform (including Firebase and Google Earth Engine)
  • Hubspot
  • Atlassian Jira
  • GitHub
  • Google Workspace
  • Google Analytics
  • Ageoce Solutions SAS (SIREN number 922473962 and having its Registered Office at 41 Cours de la Liberté, 69003, Lyon, France)

Additional sub-processors required for provision of Individual SaaS Agreement

  • Stripe