Safedrop is a file sharing service maintained by OD consultancy Limited, a UK based Company.
If you contact us for information or for support via the www.safedrop.com site then we will keep your information on file. Just let us know if you would like us to delete it.
Full details below, we’ve done our best to keep this simple, if you’d like to discuss any aspect of this, please email firstname.lastname@example.org and we’ll talk you through things.
OD Consultancy Ltd trading as PROJECTFUSION (“we”,”us”, or “our”) provide cloud and customer hosted Data Rooms & safedrop services that allow our clients to share files in a secure environment for business processes, including due diligence, corporate governance, regulatory compliance, court bundles, ligation, procurement and HR (“Service).
Here are the details that the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (GDPR) says we have to give you as a ‘data controller’:
Our company name is:OD Consultancy Ltd, trading as Projectfusion
Our registered address is: Innovation Reception Innovation Way, Discovery Park, Sandwich, Kent, England, CT13 9FF
Our registered number is 3389226
Our nominated representative is: Angus Bradley and they can be contacted at +44 207 739 4252.
This document was substantially updated in June 2020.
Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Customer: a legal entity with whom Projectfusion has an Agreement to provide the Service
Customer Data: data stored in and generated through the use of our Service, including Materials, User Account Information, Metadata , and logs.
Materials: documents, images, video and any other material that is stored in our Service
User: an individual authorised by the Customer to access our Service.
User Support Information: name, email address and sometimes IP address of a User who has contacted us for support.
Website Visitor Information: name, email address and sometimes IP address of a Website Visitor.
The following terms are used as defined in the EU General Data Protection Regulation (GDPR):
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”)
Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller
Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data
Data We Process & Retention periods.
We may collect and process the following types of Customer Data in order to provide and support the Service:
User Account Information: The Service requires minimal information from Users for the purpose of authentication and communication. Personal Data is limited to the name, email address, and IP address. User Account Information is required for users with accounts on the Service. User Account Information is not stored for users with no accounts - safedrop recipients or safedrop users using reply-to or inbox features.
Retention: User Account Information is controlled by the Customer, and will be stored until either the Customer terminates the Service, or the Customer deletes the User Account Information.
Metadata: User activity within the Service is automatically logged, e.g. username, email address, login time, location, Materials accessed. These logs are available to the Customer via the administrator portal for the purpose of monitoring behaviour and investigations.
safedrop Metadata is controlled by the Customer, and will be stored until either the Customer terminates the Service, or the Customer deletes the safedrop Metadata.
Retention: Data Room
Once a Data Room has closed we become a Data Controller in common with respect to the Metadata. We keep Metadata for up to 7 years in encrypted storage in case it is required for security breach analysis. We will delete Metadata on Customer request.
We may keep anonymised Metadata for internal analysis purposes. anonymised Metadata contains no personal data.
Materials: The Materials uploaded to the Service by Users may contain Personal Data. We do not access information within the Materials except in limited circumstances upon the Customer’s explicit and specific request for support, and with Customer permission.
Retention: Materials are controlled by the Customer. When Materials are deleted they are kept on our backup servers for up to 8 weeks. When safedrops expire, they are deleted immediately with no backup.
Purposes for Processing
We process Customer Data for the following purposes:
With regard to Customer Data, PROJECTUSION acts as a Processor on behalf of Customers.
Control and processing of User Support Information
We are a Controller of User Support Information. We process this information to provide support for the Service.
Under GDPR PROJECTFUSION will ensure that your Personal Data is processed lawfully, fairly and transparently, without adversely affecting your rights. We will only process your Personal Data where it is necessary for the performance of a contract to which you are a party or for the purposes of the legitimate interests pursued by us or a third party, or where another of the lawful bases set out under GDPR applies and only in the following circumstances:
a) you use or attempt to use a the Service
b) you view a safedrop
c) you contact us for support
d) your Personal Data is contained within Customer Data.
If you do not want PROJECTFUSION to use the User Support Information for any of the reasons set out above, please let us know by contacting email@example.com, and we will delete you Personal Data from our systems. You will no longer be able to use the Service after this.
Control and processing of Website Visitor Information
We are a Controller of Website Visitor Information. We process this information to for the following purposes:
Under GDPR we will ensure that your Personal Data is processed lawfully, fairly and transparently, without adversely affecting your rights. We will only process your Personal Data where it is necessary for the performance of a contract to which you are a party or for the purposes of the legitimate interests pursued by us or a third party, or where another of the lawful bases set out under GDPR applies and only in the following circumstances:
If you do not want PROJECTFUSION to use the Website Visitor Information for any of the reasons set out above, please let us know by contacting firstname.lastname@example.org, and we will delete you Website Visitor Information from our systems. You will no longer be able to use the Service after this.
Tracking Technologies and Cookie
You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser. Learn more about cookies in the "What Are Cookies" article.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy - https://www.safedrop.com/pages/cookie-policy
How we protect data
PROJECTFUSION has been in continual development since 1999. As a result, it is a proven system that has helped facilitate thousands of secure ﬁle shares. We are regularly audited by a UK government approved auditor, and have been accredited to the SO27001 security standard. This means we have lots of security protocols, including staff screening, standardised rollout/testing, regular threat assessments and reviews, and a well maintained Risk Register.
The highest levels of security are applied to all PROJECTFUSION servers, including regular 3rd party audits, IDS (Intrusion detection), regular nessus scans, strict server access restrictions, and 128-bit SSL encryption for all data transfers.
All Customer Data is encrypted at rest and in transit at all times, and for European Customers is stored in Europe at all times (unless they have specified another location) All access to Personal Data is protected by a minimum of username/password, two factor authentication (“2FA”) and IP restrictions, backed by tamperproof audit trails that record all administrator activity.
User Support Information is encrypted in transit, and stored with Intercom.io and Zendesk.co.uk. Both are US based entities certifed under the EU-US Privacy Shield for data transfers (https://www.privacyshield.gov/list). All access to information stored on intercom and Zendesk is protected by a minimum of username/password and 2FA.
Website Visitor Information is encrypted in transit, and stored with HighriseHQ.com and Sharpspring.com. Both are US based entities certifed under the EU-US Privacy Shield for data transfers (https://www.privacyshield.gov/list). All access to information stored on HighriseHQ.com and Sharpspring.com is protected by a minimum of username/password and 2FA.
We restrict access to personal information to PROJECTFUSION employees who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
We will only keep User Support Information & Website Visitor Information for as long as we need to, in order to use it as described above, and/or for as long as we have your permission to keep it. In any event, PROJECTFUSION will conduct an annual review to ascertain whether we need to keep User Support Information & Website Visitor Information. User Support Information & Website Visitor Information will be deleted if we no longer need it.
We are allowed to disclose your data in the following circumstances:
We may contract with third parties to provide services to you on our behalf. These may include payment processing, search engine facilities, advertising and marketing. In some cases the third parties may require access to some or all of your data. These are the third parties that have access to your data: [Intercom (intercom.com), zendesk (zendesk.com), stripe (if you pay online).
Where any of your data is required for such purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely and in accordance with your rights, our obligations and the obligation of the third party under GDPR and the law
Data Subject Rights
PROJECTFUSION acts as a data Processor on behalf of Customers. Customers have primary responsibility for interacting with you with regards to Personal Data, and the role of PROJECTFUSION is generally limited to assisting Customers as needed.
Access, Correction, Amendment or Deletion Requests: PROJECTFUSION shall promptly notify a Customer if PROJECTFUSION receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. PROJECTFUSION shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer. In the case of a Data Subject requesting access to, correction, amendment or deletion of that person’s Personal Data stored in User Support Information we respond promptly and facilitate the request.
Handling of Complaints: Data Subjects may lodge a complaint about processing of their respective Personal Data by contacting the relevant Customer or the PROJECTFUSION Privacy department at the email address email@example.com. PROJECTFUSION shall promptly communicate the complaint to the Customer to whom the request relates.
Customers shall be responsible for responding to all Data Subject complaints forwarded by Projectfusion , except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where PROJECTFUSION is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.
Regulatory Inquiries and Complaints: PROJECTFUSION shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, PROJECTFUSION shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving PROJECTFUSION’s processing of Personal Data.
Changes to this Statement
We may change this statement from time to time, and if we do we will post any changes on this page. If you continue to use the Service after those changes are in effect, you agree to the revised policy. This document was last updated in June 2020.
Please feel free to contact us if you have any questions about our data protection commitments or practices. You may contact us at firstname.lastname@example.org, email@example.com or at our mailing address below: