Website Privacy Notice
1. Introduction
1.1 Mustard HR is a registered Data Controller with the Information Commissioner's Office (ICO).
1.2 This Privacy Notice sets out how we collect, store and use personal information in accordance with the UK General Data Protection Regulations (UK GDPR) and Data Protection Act of 2018.
1.3 It applies to all users of the Mustard HR website.
1.4 We reserve the right to amend this Privacy Notice at any time. It does not form part of any contract with us.
1.5 By using our website, you agree to the collection and use of information in accordance with this policy.
2. Data Controller Information
Company: Mustard HR Ltd
Contact Person: Lucy Feavearyear (Data Protection Officer)
Address: Norwich, Norfolk
Email: lucy@mustardhr.co.uk
Phone: 07809 227222
3. The information we store
3.1 We collect, store and use the following categories of personal information:
a) Basic contact information, such as names, titles, pronoun preferences, addresses, email, phone and other details.
b) Business Information such as company details, employee count, industry sector.
c) Payment details, financial and transaction data; usage and technical data – including website, products and services.
d) Marketing preferences, profile information, IP addresses, website and app user journey information.
e) Communication Data such as records of our correspondence, enquiry details, feedback.
4. How we collect this information
4.1 When you submit a website enquiry or sign up to our newsletter, the data that you have provided will be stored in our website database and emailed to us directly.
5. Information Automatically Collected
5.1 When you visit our website, we may automatically collect:
5.2 Technical Data such as IP address, browser type, operating system, device information.
5.3 Usage Data such as pages visited, time spent on pages, links clicked, referring website.
5.4 Our website may contain links to other websites of interest. However, once a user has left our site we have no control over their privacy and therefore cannot be responsible for their data. Such sites are not governed by this privacy statement.
6. How we use personal information
6.1 We only use personal information when the law allows us to. Most commonly, in the following circumstances:
a) In limited circumstances, with explicit written consent. For example, when you subscribe to our newsletter or request to receive marketing communications.
b) When we need to perform a contract we have entered into, or because we have been asked to take specific steps before entering into a contract.
c) When we need to comply with a legal obligation.
d) When it is necessary for legitimate interests pursued by us or a third party and the individual's interests and fundamental rights do not override those interests. For example, when you submit an enquiry form or contact us requesting information about our services, as this constitutes a request for us to take steps before entering into a contract or falls under our legitimate interests in responding to business enquiries.
e) Vital Interests, such as processing necessary to protect someone's life (rare in our context).
6.2 Some of the above grounds will overlap, and there may be several grounds which justify our use of personal information.
6.3 We use the information we collect for the following purposes:
a) Delivering HR consultancy and support services;
b) in order to make business decisions;
c) for the operation of client accounts;
d) managing client relationships and contracts;
e) to provide and improve products and services;
f) for information updates and marketing purposes;
g) for dealing with queries, complaints or claims;
h) responding to enquiries and consultations;
i) sending service updates and important notices;
j) understanding how our website is used;
k) analysing service effectiveness;
l) developing new services and features;
m) ensuring website security and preventing fraud;
n) meeting regulatory requirements;
o) responding to legal requests;
p) protecting our legal rights and interests;
q) processing enquiry forms and initial consultations;
r) responding to requests for information about our services;
s) managing newsletter subscriptions and sending HR updates, insights and industry news (with your consent).
7. Change of purpose
7.1 We only use personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that the reason identified is compatible with the original purpose.
8. Consent and withdrawing consent
8.1 In limited circumstances, when we will not rely on the grounds for collecting, processing and transfer set out in this Privacy Notice, we may approach individuals directly for written consent to allow us to process certain particularly sensitive data. Individuals do not have to agree to any request for consent from us.
8.2 Individuals who have provided written consent to the collection, processing and transfer of personal information for a specific purpose have the right to withdraw consent for that specific processing at any time.
9. Sharing data with third parties
9.1 We may share appropriate information with appointed Data Processors, such as technical or administration support engaged by Mustard HR, with whom we have the appropriate agreements in place.
9.2 We will share your personal information with other third parties when required by law, when it is necessary to administer our working relationship with you or when we have another legitimate interest in doing so.
9.3 We will not transfer any personal data outside of the UK in order to perform a contract or otherwise, unless:
a) the transfer is to a country which provides an adequate level of protection for personal information consistent with and which respects the UK GDPR; or
b) there are appropriate safeguards or binding corporate rules in place; or
c) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.
9.4 We do not sell, trade, or rent your personal information. We may share your data with:
a) IT service providers and hosting companies.
b) Professional advisors (lawyers, accountants, insurers).
c) Payment processors.
d) Marketing and analytics providers (with your consent).
e) Business Transfers.
9.5 If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
10. Data storage and retention
10.1 We store personal information securely and have in place the appropriate technical and organisational measures to protect and - when required - remove, both electronic and any physical records we hold.
10.2 Our appointed Data Processors and any third parties will only process your personal information on our instructions and when they have agreed to treat the information confidentially and keep it secure.
10.3 We retain information as long as the stated purposes in this Privacy Notice still apply. We use our judgement, taking a proportionate approach to balance the needs of our organisation with the impact of retention on individual privacy.
10.4 In the event that a relationship with an individual or organisation comes to an end, or the information is no longer required, we review whether we need to retain all or some personal data and delete that which is not deemed necessary. Generally, we deem it sufficient to retain enough information to confirm that the relationship existed – such as basic contact information and details of contracts (where applicable).
10.5 In addition, we undertake an annual data audit to review our data retention and remove any unnecessary personal data.
a) We review all prospect and enquiry data and delete records where there has been no engagement for the specified period.
b) We comply with applicable legal and regulatory requirements and professional guidelines relating to the retention of information for our business – for example, income and tax audit.
10.6 Upon review, we decide whether information should be erased (irretrievably deleted) or, in limited circumstances, anonymised so that it is no longer in a form which permits identification of data subjects.
10.7 The above processes mean that personal data which isn't in use or required to be retained for another stated reason is not typically retained for longer than a maximum period of 24 months.
10.8 We will dispose of your information by irretrievably deleting it from the website database, email inboxes and our electronic and any physical storage systems.
10.9 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including:
a) Client Records: up to 6 years after the end of our business relationship (where required for legal and tax purposes).
b) Marketing Contacts: Until you unsubscribe or request deletion.
c) Website Analytics: 26 months (Google Analytics default).
d) Web enquiry forms and initial consultations: 12 months from last contact (or until you request deletion), or 6 years if you become a client.
e) Newsletter subscriptions: Until you unsubscribe or request deletion.
f) Prospective client communications: 12-24 months from last contact (unless you request deletion or become a client).
11. Data Security
11.1 We implement appropriate technical and organisational measures to protect your personal data, including:
a) Encryption of data in transit and at rest
b) Regular security assessments and updates
c) Access controls and authentication measures
d) Training and guidance on data protection
e) Incident response procedures
11.2 However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
12. Rights in relation to personal data
12.1 Under data protection law, individuals have rights, including:
a) Right of access – the right to ask us for copies of personal information.
b) Right to rectification – the right to ask us to correct or delete personal information if believed to be inaccurate or incomplete.
c) Right to erasure – the right to ask us to delete personal information in certain circumstances.
d) Right to restriction of processing – the right to ask us to restrict the processing of personal information in certain circumstances.
e) Right to object to processing – the right to object to the processing of personal information in certain circumstances.
f) Right to request transfer – the right to ask that we transfer the personal information given to us by an individual or another person in certain circumstances.
g) Right to data portability – receive your data in a structured, machine-readable format.
h) Right to withdraw consent – where processing is based on consent.
12.2 To exercise any of these rights, please contact us using the details in the Data Controller Information section.
13. Children's Privacy
13.1 Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.
14. Marketing Communications
14.1 We may send you marketing communications if you have:
a) Given us your consent, or
b) Purchased services from us and not opted out of marketing.
14.2 You can unsubscribe from marketing emails at any time by:
a) Clicking the unsubscribe link in any marketing email; or
b) Contacting us directly.
15. Changes to This Policy
15.1 We may update this Privacy Policy from time to time. We will notify you of any material changes by:
a) Posting the new Privacy Policy on this page.
b) Updating the "Last updated" date.
c) Sending you an email notification (for significant changes).
15.2 We encourage you to review this Privacy Policy periodically.
16. Contact
16.1 Our core activities do not require us to monitor or process personal data on a large scale and we are not a public authority or body, therefore we are not required to appoint a data protection officer (DPO).
16.2 Lucy Feavearyear, director, is responsible for data protection at Mustard HR. She may be contacted with any requests, queries or concerns regarding this Privacy Notice or any other data protection issue by emailing: lucy@mustardhr.co.uk
16.3 If you remain unhappy with how we've used your data after raising a complaint with us, you can raise your concerns with the ICO at the following address:
Information Commissioner's Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF
The ICO Helpline number is 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Questions About This Policy?
If you have any questions about this Privacy Policy or how we handle your personal information, please don't hesitate to get in touch.