Thinking Machine Systems Ltd (“TMS” or “we/our/us”) respect your privacy and are committed to safeguarding and protecting your privacy in connection with the recording, organization, structuring, storage, adaptation, alteration, retrieval, collection, consultation, use disclosure, dissemination, restriction, erasure or destruction (“processing”) of your Personal Data. We may process your Personal Data for a variety of reasons and in a variety of ways

This privacy statement (“Statement”) contains important information regarding our privacy practices and the choices we offer you with respect to your Personal Data. If you choose to provide us with your Personal Data, you are telling us that you have read, fully understand, and accept the privacy practices summarized in this Statement. We strongly encourage you to read this Statement in its entirety to understand our privacy practices before submitting any Personal Data to us.

If you have any questions about this Statement and/or the processing of your Personal Data, please do not hesitate to contact our Privacy Manager at privacy@thinkingmachine.co

This Statement will inform you about:

• GDPR
• Scope of this Statement
• How We Collect Your Personal Data
• Who Has Access to Your Personal Data
• International Transfers of Your Personal Data
• Legal Ground(s) for Processing Your Personal Data
• Purposes for Which We Process Your Personal Data
• Your Rights with Respect to Your Personal Data
• Protection of Your Personal Data
• Retention of Your Personal Data
• Revisions to this Statement
• Our Privacy Concern Handling Process
• Our Contact Information

Scope of this Statement

This Statement applies to our processing of the Personal Data of our business contacts, vendors, directors, agents, and customers (including their representatives and service providers), when the General Data Protection Regulation (EU 2016/679) applies to such Personal Data.

Personal Data is any information that relates to an identified or identifiable natural person and is sufficient to enable such person to be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. We act as a data processor for purposes of these processing activities. In this Statement, we use the word “you” to refer to anyone within the scope of this Statement.

How We Collect Your Personal Data

We use Personal Data on a day-to-day basis to run our business, provide our services, enter into contracts, and to protect our interests. We collect Personal Data from you when you provide it to us, or when we collect it from you, for instance, in the course of your dealings with us, because you use certain services (such as our online reporting tools), or because your Personal Data is included in our customer’s invoices, documentation, files, or systems.

Depending on the processing activity, the Personal Data we process in relation to you may include, without limitation:

1. First and last name;
2. Phone number;
3. E-mail address;
4. Address;
5. Data regarding your equipment, such as an IP address;
6. Data regarding your use of our IT systems; and
7. Information regarding your employer, your employment, or our client.

It is necessary to provide us with certain Personal Data in order for us to be able to provide you with our services, as applicable. In certain situations, if you do not provide us with your Personal Data, we may be unable to provide you with our services.

Who Has Access to Your Personal Data

Access to Personal Data relating to you is limited. It is our policy that persons within the organization should only have access to Personal Data on a need-to-know basis.

Under certain circumstances, we may share your Personal Data with third parties:

• We may also disclose your Personal Data to our agents, such as suppliers and service providers, acting on behalf of or for us under our instructions for the limited and specific purpose of assisting us with our normal business operations. In no event will that limited and specific purpose be inconsistent with this Statement. In all cases, these agents may only use this information in connection with providing support for or services to us.

• In the context of establishing and maintaining a customer relationship with you, we may disclose your Personal Data to your service providers.

• Sometimes a directive, law, regulation, court order, or other judicial, regulatory, or supervisory process requires us to provide Personal Data to a governmental body or party to a private lawsuit.

• Finally, we may disclose certain Personal Data if TMS is involved in a merger, acquisition, or sale of all or a portion of its assets, or we are required to bring or defend against litigation or any regulatory proceeding between, or relating to, you and us, or we have reason to believe that disclosing such information is necessary to identify, contact, or bring legal action against someone who may be causing injury to or interference with (either intentionally or unintentionally) our rights, our property, our customers, or anyone else who could be harmed by such activities.

We will only transfer your Personal Data to the above mentioned third parties for the purposes stated in this Statement, and only to the extent that is permitted under the applicable data protection law.

Third parties to whom we transfer your Personal Data are themselves responsible for compliance with applicable data protection law. We are neither responsible nor liable for the processing of your Personal Data where we do not determine the purposes and means of the processing of that Personal Data.

International transfers of Personal Data

We do not transfer your personal data outside the European Economic Area (EEA).

Legal Ground(s) for Processing Personal Data

Under applicable data protection law, we are allowed to process Personal Data only if we can rely on one or more of the legal grounds for processing. The legal grounds we are most likely to rely on for processing Personal Data in relation to you are:

• Consent – In exceptional situations we may rely on your consent.
• Contract –The processing is necessary for performance of a contract with you/your company or to take steps at your request to enter a contract.
• Legal Obligation – The processing is necessary to ensure we comply with our legal and regulatory obligations. For example, to comply with our social insurance and tax-related obligations.
• Legitimate interests – The processing is necessary for our or a third party’s legitimate interests. We, as a service provider, or a third party on our behalf, may have legitimate interests in carrying on, managing, and administering our normal business operations and may need to process your Personal Data in connection with the same. Your Personal Data will not be processed on this basis if our or a third party’s legitimate interests are overridden by your own interests, rights, and freedoms.
• Vital interests – Where processing is needed to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent. For example, in the case of a medical emergency.

Purposes for Which We Process Your Personal Data

We process your Personal Data for certain purposes described below. As explained above, processing in this context might include transfers to third parties and/or transfers outside of the EEA. From time to time, we may publish specific notices setting out details regarding particular processes or programs being adopted by us.

• Customer Relationship – We may process your Personal Data for the purpose of establishing and maintaining a customer relationship with you and/or your service providers.

• Legal Rights and Compliance Obligations – We may process your Personal Data for the purpose of meeting or complying with our legal, regulatory, or supervisory obligations or for the establishment, exercise, defense, or resolution of legal claims by or against you or a third party.

• Normal Business Operations – We may process your Personal Data for the purpose of meeting our day-to-day business operations.

Your Rights with Respect to Your Personal Data

Under applicable data protection law, you may have the following rights:

• To obtain access to the Personal Data that we hold about you;
• To object on grounds relating to your particular situation to our processing activities where you feel they have a disproportionate impact on your interests, rights, and freedoms;
• To request to review, revise, correct, or update any of the Personal Data we may have about you free of charge, if you believe that your Personal Data that we possess is, or has become, incorrect or is incomplete;
• To request that we restrict the processing activities related to your Personal Data (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
• To request that we erase your Personal Data;
• To have Personal Data, which you have voluntarily provided to us, produced in a structured, commonly used, and machine-readable format, including for the purpose of transmitting it to another party; and
• To object to the processing of your Personal Data for direct marketing purposes.

Please note that the above individual rights are not absolute, and we may be entitled to refuse requests where certain exceptions apply. If you have given your consent and you wish to withdraw it, please contact our Privacy Manager at privacy@thinkingmachine.co.

Please note that where our processing of your Personal Data relies on your consent and where you then withdraw that consent, we may not be able to provide all or some aspects of our services to you and/or it may affect the provision of those services. If you have any questions about your rights regarding your Personal Data, please contact our Privacy Manager at privacy@thinkingmachine.co, where you may initiate a request to access, reject, correct, restrict, or erase your Personal Data, or where you may initiate a request for transfer of your Personal Data or initiate a request that we refrain from sending you marketing information.

Protection of Your Personal Data

We take reasonable and appropriate physical, administrative, and technical measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

Retention of Your Personal Data

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Statement. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (such as, if we are required to retain your information to comply with applicable tax/revenue laws, resolve disputes, and enforce our agreements).

Where we rely on legitimate interests as a reason for retaining your Personal Data, we have carefully considered whether or not those interests are overridden by your rights and freedoms and have concluded that they are not.

Please note that for corporate law and tax purposes in the UK, we are required to keep certain data, which might include Personal Data we hold about you (whether directly or indirectly), for a period of six (6) years after the information has lost its relevance. In certain limited cases, local legal requirements in the UK may result in the preservation or retention of Personal Data for longer periods of time.

Revisions to this Statement

We reserve the right, at its sole discretion, to change, modify, add, remove, or otherwise revise portions of our policies and this Statement at any time, consistent with the requirements of applicable law. If we change the Statement in a material way, we will provide appropriate notice to you. The “Effective Date” at the top of this Statement reflects the data of the most recent revisions.

Our Privacy Concern Handling Process

We are committed to resolving concerns about your privacy and our processing of your Personal Data. Individuals with inquiries or concerns regarding this Statement should first contact our UK Privacy Manager at privacy@thinkingmachine.co. In the event that resolution cannot be reached, individuals may also contact their local data protection authority (“DPA”), which may investigate your concern further.

UK
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
(+44) 0303 123 1113

Our Contact Information

If you have any questions or comments about this Statement and/or the processing of your Personal Data, please contact us at privacy@thinkingmachine.co.

You may also write us at:

Thinking Machine Systems Ltd
Privacy Manager
1 E Poultry Ave
Farringdon, London EC1A 9PT