Privacy notice
Last update: 20 January 2025
This Privacy Notice of Ciphr Limited forms part of the terms and conditions for use of this site. Please read the Privacy Notice carefully. By using this site, you will be deemed to have accepted these terms of use. If you do not accept the terms of this Privacy Notice, please do not use this site.
You can contact Ciphr’s data protection officer by emailing dpo@ciphr.com, by calling 01628 814 000 or by post to DPO, Ciphr Ltd, 3rd Floor, 33 Blagrave Street, Reading, RG1 1PW
Please select your option, for further assistance mail us privacy@ciphr.com.
- Privacy Notice
- Who we are
- How to contact us
- Our different data processing roles
- What personal information we collect
- How we collect personal information
- How we use your data
- Legal basis for processing
- Data sharing
- Security of your personal information
- Data retention
- Restricted international transfers
- Your rights
- Cookies
- Contact us
- Changes to this privacy notice
- Review of this notice
Privacy Notice
We want you to feel secure when visiting our site and are committed to maintaining your privacy when doing so. This Privacy Notice outlines how we may obtain and use any personal data about you and the ways in which we protect and treat such information that we collect when you are on our site or when you use our services. This privacy notice also applies to any personally identifiable information about you that our business partners may share with us. This notice does not apply to the practices of companies that we do not own or control or to people that we do not employ or manage.
Who we are
Ciphr Group offers Software-as-a-Service (SaaS) HR, Payroll, Recruitment, Benefits, and Learning Management solutions, eLearning content, and diversity and inclusion consultancy services. Our registered office is at Ciphr Ltd, 3rd Floor, 33 Blagrave Street, Reading, RG1 1PW. This privacy notice applies to all Ciphr Group companies, including Marshall eLearning (now Ciphr eLearning), Marshalls, Payroll Business Solutions, Digits and Shape.
How to contact us
For any data protection queries, you can contact us at dpo@ciphr.com.
We have appointed a Data Protection Officer (DPO) who you can contact by emailing dpo@ciphr.com, by calling 01628 814 000 or by post to DPO, Ciphr Ltd, 3rd Floor, 33 Blagrave Street, Reading, RG1 1PW.
Our different data processing roles
When you are interacting with Ciphr as a customer or potential customer, including visiting our website, we act as a Controller of personal data. This Privacy Notice covers these activities.
If you are a user of one of our platform services, typically as an employee of a customer, then we act as a Processor of your personal data. This notice does not cover that activity, and you should approach your employer for more information about how your personal data is processed. They will be acting as a Controller.
What personal information we collect
At different times, we will collect and process the following data about you:
- Name and basic contact details (eg email address)
- General communications and records of interactions (eg emails, support tickets, CRM records)
- Professional working context (eg your employer, job title and role)
- Technical information (eg session ID, IP address/es – often stored in cookies)
- Usage data information about how you use our website, products, and services.
- Video and images (eg CCTV, if you were to visit our head office)
How we collect personal information
In most cases, we will collect personal data directly from you as you interact with Ciphr. In some cases, we may get data via a third party, for example if a current customer makes a referral. In these cases, we will provide a link to this privacy notice on our first communication.
When we identify potential new customers, we may use basic information that has previously been made public, for example on corporate websites or other networking platforms such as LinkedIn.
How we use your data
We use your data to:
- Provide and manage your access to our website.
- Personalise and tailor your experience on our website.
- Identify and contact potential new customers.
- Supply our services to you.
- Market and sell our services.
- Manage our relationship with you.
- Improve our website, products, and services.
- Comply with our legal obligations.
Legal basis for processing
We process your data based on the following legal grounds:
- For our sales and marketing activities, including direct email marketing, we rely on legitimate interests for our processing activities
- Where we are interacting with you as a customer, or potential customer, the legal basis is because it is necessary for the performance of a contract
- In very limited circumstances we will obtain consent for some processing (eg to place certain website cookies). In these circumstances, we will make that clear at the time
- Some business records, which may include personal data, must be kept for legal reasons (eg financial records). In these cases, the legal basis is that the processing is necessary for compliance with a legal obligation
Data sharing
We engage:
- Typical IT service providers: who act as data processors to Ciphr. These include companies like Microsoft and Hubspot. All processors have a written data processing agreement in place
- Legal authorities: if required by law or to protect our legal rights
- Business transfers: in the event of a merger, acquisition, or sale of assets
Security of your personal information
We implement appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Ciphr uses ISO27001 as an Information Security Management System and is externally audited.
Data retention
We retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Where there is no specific retention requirement the general periods apply:
- Non-customer data: is deidentified after seven years of no contact
- Customer data: is maintained for the duration of the contract and then for seven years
Restricted international transfers
All core IT systems have data resident in the UK or EEA. Where a transfer is made outside the EEA, appropriate safeguards will be put in place compliant with Article 46 of the UK GDPR. This is typically the UK-US Data Privacy Framework (for the US), or International Data Transfer Agreement and Transfer Risk Assessments otherwise.
Your rights
Under the UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate or incomplete data
- Erase your personal data
- Restrict the processing of your data
- Object to the processing of your data
- Data portability
- Withdraw consent at any time (where processing is based on consent)
If you wish to exercise any of these rights, email dpo@ciphr.com. To object to legitimate interest processing (for example, direct marketing), you can also use the email preference controls that appear in all our email communications.
Cookies
We use cookies for the operation and monitoring of our website and for delivering sales and marketing. You can see the cookie that we use and give and remove consent using the cookie control tool on our website, or by visiting ciphr.com/cookies.
Contact us
If you have any questions about this privacy notice or our data protection practices, please contact us at dpo@ciphr.com.
Changes to this privacy notice
We may update this privacy notice from time to time. Any changes will be posted on this page, and, where appropriate, notified to you by email.
Review of this notice
This notice is regularly reviewed. It was last updated on 20 January 2025.