This Privacy Policy was last updated on 03 Oct 2022. Please review it again if you have not done so since this date. This is the only notice you will receive of changes to this policy.
Please also read the Terms of Use:
- They contain definitions (clause 1) referred to in this Privacy Policy.
- They make reference (clause 5) to this Privacy Policy.
- Acceptance of them is taken to also confirm acceptance of this Privacy Policy.
(Note that in the event of any conflict or disagreement between this Privacy Policy and the Terms of Use, the Terms of Use will take precedence.)
This Privacy Policy explains how information associated with Your use of the Service is collected and handled:
- Service security – technical measures taken to protect Your information.
- Financial information – the handling of credit card payments.
- Confidential information – how private information is used and how it can’t and won’t be used, including Your rights.
- Information about Your access and use of the Service – what “meta” information is collected and how it can and can’t be used.
NIP will only use this information lawfully, in accordance with (i) the General Data Protection Regulation (‘GDPR’) EU Regulation 2016/679, (ii) the European Union (Withdrawal) Act 2018, which transposed GDPR into UK law (‘UK GDPR’), (iii) the California Consumer Privacy Act (‘CCPA’) – together the ‘Data Protection Laws’ – and (iv) NIP’s Privacy Impact Assessment and Data Protection Standard Operating Procedure (‘Data Protection SOP’, which You are entitled to request details about, but where You accept that NIP may provide only extracts that it in its sole discretion deems relevant and appropriate to disclose, i.e. to protect information about NIP’s business and other customers).
1. Service security
a. Data storage and transmission
All Data and Personal Data is stored securely on cloud servers managed by NIP – more information is available on request.
The Websites through which the Service is provided have SSL/TLS Certificates, so all Data and Personal Data transferred between You and the Service is encrypted. However, You are responsible for ensuring that Your browser supports the encryption security used in connection with the Service.
b. Service access
Access to the Service is only possible with a valid Login and NIP has implemented several additional defensive measures:
- Any attempt to navigate directly to a page when not logged-in results in the login screen being presented.
- Failed login attempts are logged – along with the originating IP address – to a file on the server, which is regularly monitored.
- To mitigate the risk of malicious attempts to guess a valid Login, the Service deliberately uses ambiguous error messages, regardless of whether the username or password is incorrect (or both).
- Attempts to manually alter URLs to gain access to other parts of the Service are prevented (as well as being forbidden by clause 3b of the Terms of Use) and an error message is presented.
c. Password security
All passwords associated with Logins are hashed, not known to NIP, and cannot be retrieved by NIP.
d. Cookies
It is not possible for NIP to provide the Service to You without the use of cookies, which are small bits of data stored on the device(s) You use to access the Service and the Website.
Each cookie expires after a certain period of time, depending on what it is used by NIP for, i.e.:
- To authenticate Your identity, such as confirming whether You are currently logged-in to the Service.
- To improve the Service, by measuring Your usage and tracking referral data.
By using the Service and agreeing to this Privacy Policy, You expressly consent to the use of cookies as here described.
2. Financial information
NIP uses WooCommerce and Stripe to collect/process the Billing Details and transaction information.
Please see WooCommerce’s Privacy Policy and Stripe’s Privacy Policy for further information.
3. Confidential Information
Further to the Data Protection Laws, both of The Parties will take all steps as shall from time to time be necessary to protect the Confidential Information of the other.
To provide You with the Service, You grant NIP (and permitted sub-contractors or agents) the rights to:
- Use Personal Data in the creation of Logins for the Purchaser, Administrator and Respondents to access the relevant aspect(s) of the Service;
- Use, copy, transmit, store, and back-up the Data and Personal Data for the purposes of enabling You to access and use the Service;
- Access Personal Data and Data as part of regular management of the Service; and
- Use Personal Data to contact You in connection with Your use of the Service (for the Administrator and Respondents, this will only be by email; the Purchaser may be contacted using other Personal Data they supply should there be an issue with any attempt to make contact with them by email).
However, except as permitted or contemplated hereunder, neither You nor NIP (and permitted sub-contractors or agents) shall at any time, for any reason whatsoever, disclose to any third party (or permit the disclosure to any third party of) the other’s Confidential Information, in whole or part.
This obligation of confidentiality shall not apply to any Confidential Information which shall have come into the public domain without fault on the part of either party or which is disclosed to either party or is known to or recorded by either party prior to it entering into the Agreement.
Otherwise, though, no disclosure shall be made to any third party (other than to permitted sub-contractors or agents) by one party of the other party’s Confidential Information without that other party’s explicit consent, except:
- To any person having a legal right or duty to obtain or require such Confidential Information (e.g. a verified request by law enforcement or other government officials); or
- To any professional adviser, or other third party to whom it is essential that such Confidential Information be disclosed in, or for the purpose of, any legal proceedings or arbitration involving either party to the Agreement, or for normal accounting purposes; or
- To any person that takes over the business of either of the parties to use the Confidential Information on the same basis.
As detailed in clause 2b of the Terms of Use, cancellation of the Service – howsoever occasioned – will result in NIP deleting Personal Data and Data after twenty-eight (28) days (although note that residual copies of Personal Data and Data may remain on offsite backup media for up to approximately twelve (12) months afterwards, or as required by law for accountancy purposes).
In keeping with Data Protection Laws:
- NIP will inform You within seventy-two (72) hours if we have reason to believe or suspect that any Personal Data or Data has been (or may have been) compromised. NIP will also inform You of the measures taken to remedy the situation and, where applicable, to prevent its recurrence.
- Unless otherwise agreed between The Parties, Personal Data and Data will be retained for a period of twelve (12) months following the completion of an Assessment and then removed and deleted (except as required by law for accountancy purposes).
- You are entitled to request that NIP:
  - Confirm to You within 48 hours what Personal Data we hold about You and for what purposes, and optionally provide You with a copy of that data in a convenient format (e.g. CSV).
  - Correct or remove Personal Data we hold about You within 48 hours, subject always to:
    - There being no overriding regulatory and/or legal and/or contract requirements that prevent us from doing so (and which NIP will inform You of); and
    - That NIP may require proof of Your identity for security purposes before proceeding with any request, and the 48 hours for complying with Your request will not commence until NIP is satisfied that Your identity has been verified.
4. Information about Your access and use of the Service
As You access and use the Website and Service, various pieces of “meta” information are collected:
- Information about how You access the Service, including (but not limited to):
  - Your originating IP address (from which it may be possible to infer Your geographic location).
  - The operating system and browser used.
- Information about Your interaction with the Service, including (but not limited to):
  - The source that referred You (e.g. a link on a website or in an email).
  - Which pages You access and for how long.
  - When You perform actions (such as accessing and submitting an Assessment).
- Information about Your interactions with an Assessment Template in undertaking an Assessment (in particular any scores given, which may be used in conjunction with those from other Respondents to generate unattributable and anonymised summary and benchmarking data, e.g. averages).
To collect this information, NIP may use a combination of (i) third party tracking services that employ cookies and page tags (e.g. Google Analytics), (ii) a web server log file that records each time a device accesses the Website and the Service, and (iii) a management interface to the Service.
NIP (and permitted sub-contractors or agents) uses such information as follows:
- To manage the Service (e.g. Your IP address will be included in the password reset email for the Purchaser).
- To better understand our customers’ requirements and usage patterns, such that we can further develop the Service.
- To contribute to aggregate statistics about:
  - Use of a particular Assessment Template, either across all Respondents or a specific subset of Respondents as described above (i.e. to produce anonymised summary and benchmarking data, but from which no Respondent or Assessment can be identified).
  - The Service – e.g. numbers of users, average time taken to complete an Assessment, etc. – which are only indirectly derived from Your use of the Service (along with other users of the Service) and that will never be presented to third parties in a way that can be used to identify You.