Privacy Policy

Privacy Notice

The following Notice applies from 8th November 2024.  

Every hour of every day, we create data about ourselves – from websites we visit and products and services we buy online, through to taxis we hail and photos we share on social networks. 

Companies and organisations ask permission to gather data about us, usually in long and complicated privacy statements. They invite us to click a button to allow them to use tracking cookies, small pieces of computer code that record our online activities. 

We exist to unlock the positive power of financial data to improve people’s lives – whether that’s to tackle climate change, create fairer economic policies, fast-track the progress of financial technology, or improve access to finance for people who struggle to. We cannot do so without the trust and goodwill of the people whose lives we want to improve.  

We have a responsibility to do the right thing with the data we hold. We’ll always be 100% clear with you on how we use your data to further improve people’s lives. That’s why we’re setting out our privacy policy in plain language, so everyone can understand it.  

Who we are 

“We” are ‘Smart Data Foundry’, a not-for-profit private limited company by guarantee, registered in Scotland and a wholly owned subsidiary of the University of Edinburgh, with company number SC709914 and VAT Registration Number GB 592 9507 00. We are based in Ward 2C, Edinburgh Futures Institute, 1 Lauriston Place, Edinburgh, EH3 9EF. We are registered with the Information Commissioner’s Office (ICO) with registration number ZB326175, and we have a Data Protection Officer.  

The University of Edinburgh is a charitable body registered in Scotland, with registration number SC005336, VAT Registration Number GB 592 9507.  

“EPCC” is part of the University of Edinburgh and provides the data infrastructure that Smart Data Foundry uses to host data used for research purposes. 

What personal data do we collect and how do we use it? 

We use the data shared with us to perform our functions: to enable research on de-identified financial data, and to provide synthetic data to technology users.

Our role: Data controller
Source: Direct from individual
Type of data: Name and job title; Company or organization; Contact information, including email address and telephone number(s); Demographic information such as postcode.
How we use it: To communicate with you during business operations or reply to your enquiry. Also, to prospect for new leads and to drive our marketing campaign initiatives.
Legal basis: Legitimate interest
Onward processing or sharing: We use Microsoft Office 365 and HubSpot, as assured processors, to communicate with business contacts.
Retention: 2 years, with records routinely cleansed and aligned to data subject rights.

Our role: Data controller
Source: Direct from individual
Type of data: Name and job title; Company or organization; Contact information, including email address and telephone number(s); Demographic information such as postcode or preferences.
How we use it: While running our organization and fulfilling contractual obligations, or on an ad hoc basis to fulfil Research and Innovation functions described above. There will also be a contractual agreement as part of this.
Legal basis: Contract
Onward processing or sharing: We use Microsoft Office 365 as an assured processor to operate our business. We also utilise AWS – with associated software – to operate our front-end and back-end to deliver data. We can share this in greater detail if requested. We also process personal data received from users of myFoundry (platform to showcase SDF products) to verify the users and to deliver the service.
Retention: 1 year, with records routinely cleansed and aligned to data subject rights.

Our role: Data controller
Source: Direct from individual
Type of data: Rich media: identifiable images or video content.
How we use it: On our external communication platforms, such as our websites.
Legal basis: Legitimate interest
Onward processing or sharing: We utilise social media platforms and our own website.
Retention: 1 year, with records routinely cleansed and aligned to data subject rights.

Our role: Data controller
Source: Direct from individual
Type of data: Name, contact and professional information (within CVs).
How we use it: We limit processing to relevant vacancies; we do not hold CVs on file speculatively.
Legal basis: Legitimate interest
Onward processing or sharing: We use Microsoft Office 365 to securely store files and communicate with prospective employees and contractors.
Retention: 2 years after vacancy closing date.

Our role: Independent data controller
Source: Indirectly from Data providers
Type of data: De-identified financial data which has been effectively anonymized by data providers and validated by our data operations team.
How we use it: We use adequately anonymized data for research.
Legal basis: Legitimate interest
Onward processing or sharing: The EPCC are our Data Processor; the EPCC are an accredited Data Processor under the Digital Economy Act 2017. The EPCC’s secure infrastructure is securely hosted in the UK.
Retention: In alignment with the Data Sharing Agreement termination period, and no longer than 3 months following this period.



Cookies

Cookies are small pieces of computer code placed onto your computer, laptop, tablet, or phone by the websites that you visit. They are used widely to make websites work, or work more efficiently, as well as providing information to the owners of the site. You can disable basic ‘functional’ cookies by changing your browser settings, but this might affect your access to the website.

When you first visited SDF’s website, or SDF’s portal website, myFoundry, we asked if we could place a cookie on your device to help us improve our website by collecting and reporting information on how you use it. We would like to set Google Analytics and HubSpot cookies to help us to improve our website by collecting and reporting information on how you use it.

More information on the cookies we use is below.

consent

This functional cookie is used to remember not to ask the visitors to accept cookies again and is set when visitors opt in or out of cookies.

It expires in 1 year.

Google Analytics

Google Universal Analytics cookies are used to collect information about how visitors use our website. We use the information to compile insight reports and to help us improve the website. The cookies collect information in a way that does not directly identify anyone. Read more from Google.

_ga

This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session, and campaign data for the site's analytics reports.

It expires in 1 year.

_gali

This cookie is used to improve the accuracy of the Enhanced Link Attribution feature in Google Analytics. It helps to identify which link was clicked on a page.

It expires in 30 seconds.

_gat

This cookie is used to throttle the request rate, limiting the collection of data on high-traffic sites. It helps to manage the rate at which requests are made to Google's servers.

It expires in 1 minute.

_gid

This cookie is used to distinguish users. It stores and updates a unique value for each page visited.

It expires in 24 hours.

HubSpot Analytics

HubSpot cookies are used to collect information about how visitors use our website and services. We use the information to compile insight reports and monitor usage to help us improve the website and services. Read more from HubSpot. These cookies are completely optional and are opt-in.

__hstc

The main cookie for tracking visitors.

It contains the domain, hubspotutk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

It expires in 6 months.

hubspotutk

This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.

It contains an opaque GUID to represent the current visitor.

It expires in 6 months.

__hssc

This cookie keeps track of sessions.

This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.

It expires in 30 minutes.

__hssrc

Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

If this cookie does not exist when HubSpot manages cookies, it is considered a new session.

It contains the value "1" when present.

It expires at the end of the session.

__cfuvid

This cookie is set by HubSpot’s CDN provider because of their rate limiting policies.

It expires at the end of the session.

myFoundry

Our platform myFoundry requires functional cookies for operation of the service. Functional cookies are used to authenticate the user and maintain their session across different requests.

__Host-next-auth.csrf-token

A Cross-Site Request Forgery token (CSRF token) is required to make requests that change state (e.g. signing in or out, or updating the session).

It expires at the end of the session.

__Secure-next-auth.callback-url

This cookie stores the URL to which the user should be redirected after signing in. It ensures that the user is redirected to the correct page after authentication.

It expires at the end of the session.

__Secure-next-auth.session-token.0

This cookie stores the session token and identity for the authenticated user. It is used to maintain the user's session across different requests.

It expires in 30 days.

__Secure-next-auth.session-token.1

This cookie is similar to __Secure-next-auth.session-token.0 and is used to store the rest of the session data.

It expires in 30 days.

How private and secure is my data?

SDF was set up with privacy at its heart. We will always protect and respect your privacy, and we are committed to security when it comes to your information.

We promise that when we collect, process, store and share personal data we will do so safely and securely and on the basis of a Privacy by Design-driven approach. If we ever share your de-identified data with third parties, such as with government bodies for the purposes of research, this data will be statistically aggregated and effectively anonymised. We implement security guidelines on our research data in line with Turing Institute guidance – a summary of which can be found here.

When we refer to ‘de-identified data’, we mean data shared with us that has had personal data (sometimes referred to as ‘personal identifiable information’ or ‘PII’) removed before we receive it, so we are unable to identify an individual from that data. This type of data is also referred to as ‘pseudonymised data’ or ‘adequately anonymised data’. It is not accurate to refer to it as ‘fully anonymised data’, as although Smart Data Foundry is unable to link the data back to an individual, the organisation that shared the data with us in de-identified form has the ability to match it back to an individual, and it is therefore not truly anonymised.

Do you share my data?

We share aggregated data – such as tables and graphs – with our partners for research, such as government bodies and financial services companies, like banks and insurers.

We do not sell personal data and if we ever share insights about your data with third parties, such as with government bodies for the purposes of research, we will anonymize data.

How do you store data about me and for how long do you keep it?

We will only store your data for as long as we need it, and the maximum times are set out in the table above.

Your rights

You have certain rights in relation to personal information we hold about you as established by the UK GDPR and the Data Protection Act within the UK. Here are some details as to how you will be able to enact these rights:

Right of access: You can ask us at any time for a copy of the information that we hold about you, and for details about how this information is used.

Right of correction or completion: If the information we hold about you is inaccurate, incomplete, or out of date then you can tell us to correct it, complete it, or update it.

Right of erasure: In certain circumstances, you can ask us to delete the data we hold about you; for example, if it’s no longer necessary for us to hold the information or if there are no legal grounds for us to hold the information.

Right to restrict or object to processing: In certain circumstances, you can tell us to stop using your information, including for direct marketing.

Right of data portability: In certain circumstances, you can tell us to send you any information that we hold about you in a structured, commonly-used format that can be read by a computer or other digital device.

Right to complain: If you want to complain about the way we handle your data then you can contact the UK’s data regulator, the Information Commissioner’s Office (ICO), by calling 0303 123 1113, visiting www.ico.org.uk, or writing to: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Most of the rights given to you by the UK GDPR have limits and exceptions, so if we can’t handle your request then we’ll explain our reasons to you. A common one may be on de-identified data used for research - we likely cannot act on this request as we receive the data in a pseudonymised form where we cannot identify individuals within the data already.

We will need you to prove your identity before we can handle your request, and we cannot handle requests that relate to other people without their consent.

You can exercise any of the above rights by contacting us at the address or email address set out below.

How to get in touch

If you want to find out what information we collect and hold about you – or to exercise any of your rights set out in the section above – then please email ig@smartdatafoundry.com with “FAO: Privacy team” in your subject line, or please write to us at: Privacy team, Ward 2C, Edinburgh Futures Institute, 1 Lauriston Place, Edinburgh, EH3 9EF
