Gatenox Privacy Policy

Privacy

This privacy notice (“Privacy Notice”) describes how Gatenox collects and processes personal data relating to Users in relation to the services we provide. The data we process differs depending on your interactions with us, as detailed below. It also describes certain legal rights you may have, subject to applicable law, and how you can exercise them.

For purposes of this Privacy Notice, “personal data” means information about an identified or identifiable person, such as their name or email address, and includes any equivalent term under applicable data protection law. The personal data we process differs depending on your interactions with us, as detailed below.

The expression “User” (and “you”/”your”) in this Privacy Notice shall mean any person accessing the Gatenox website, using Gatenox products and services, or about whom we collect and use any information in the course of providing our products and services. Collectively, we describe our products and services, including the Gatenox website as our “Services.”

Where we act as a controller of personal data, the following items apply:
Details of the controller and data protection officer: the controller of the personal data we process is Gatenox Limited (trading as Gatenox) (referred to as “Gatenox”/“we”/“us”), having its registered office at Level 30,

Gatenox Limited
Leadenhall Building
122 Leadenhall Street
City of London
EC3V 4AB
United Kingdom

and which is registered with the UK Information Commissioner’s Office under number C1195785. Our data protection officer can be contacted by email at dpo@gatenox.com. Transfers outside of the EEA: As part of our group operations and to help us manage the personal data that We process, we transfer personal data of Users outside of the EEA subject to appropriate safeguards, including European Commission adequacy decisions and model clauses approved by the European Commission on the basis of Art. 26(4) of Directive 95/46/EC.

By using Gatenox’s Services, you confirm that you have agreed to the relevant Terms of Service applicable to your use, to the extent permitted by law, and have read and understood this Privacy Notice.

Your rights

You have various rights and choices related to our use of your personal data.
You can opt out of receiving our promotional emails at any time by following the instructions included in those emails. Please be aware that it may take up to 10 days for us to process your request, and you may continue receiving promotional communications from us during that period. If you opt-out of receiving such communications, please be aware that we may continue to send you non-promotional communications (such as emails related to our business relationship or emails about changes to our legal terms).

As a data subject, whose personal data we process, you have 7 potential rights under the privacy laws in which we operate. These rights are not absolute and may be limited, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We may, if necessary, apply any available exemptions to these requirements.

1. The right to be informed – as a data controller, we must tell you what activities we carry out that include the processing of your personal data. This information is provided to you in this privacy notice and any other notices or communications that we may send you or make available to you.

2. The Right of Access – as a data subject, you can request copies of your personal data that we process, free of charge, unless the request is excessive or there is a valid exemption. If your request is upheld, we will supply you with copies of the data and inform you of the following:
a. The purpose of the processing activity.
b. The categories of personal data we process.
c. To whom we have disclosed personal data.
d. The time that we will continue to process the data for.
e. If we have obtained the personal data from other sources other than directly from you.

3. The Right to Rectification – You may request that we correct or complete data that you believe is inaccurate or incomplete about you, you may request this right alongside the right to restrict processing. This right will be upheld by us if we are the original source of the data, and that is does not reflect a representation that was believed to be accurate at the time of the original data creation e.g. media data. Our services provide our clients with an aggregation of data sets that have been made freely available and as we are not the original creators of the data you may need to raise your request with the data controller.

4. The Right to Erasure – We may have an overriding legal basis or legitimate reason to continue to process your personal data, however, where we do not have a valid lawful basis, you may request erasure of your personal data that we process.

5. Right to Restrict Processing – You have the right to request that we stop processing your data any further. This right may be exercised where you contest the accuracy of the data, claim that it is unlawful for us to process it, we no longer require the data other than for legal purposes or that there is a pending decision on a right to object.

6. The Right to Data Portability – You may request that we transfer your personal data to another controller or processor in a standard, machine readable format. This right is available if we process the personal data under the lawful basis of consent, the use automated means to process the data and the data is processed to fulfil a contractual obligation with you.

7. The Right to Object – You have the right to object to us processing your personal data if we are processing it under the following circumstances:
a. The processing involves automatic decision making and profiling
b. The processing is for the purpose of marketing
c. We process using the lawful basis of legitimate interest (without exemptions)
d. Processing is for scientific or historic research
In many cases, the most effective way to exercise these rights will be to mail our dedicated inbox atsubjectaccess@Gatenox.com. We may ask you for two valid forms of identification to ensure your rights are protected.If you are concerned that we are handling your personal data improperly, you also have the right to make a complaint to our data protection regulator, the UK Information Commissioner’s Office. https://ico.org.uk/global/contact-us/
However, we invite you to contact us with any concern, as we would be happy to try to resolve it directly.

Information collection and use

The information we collect, and the ways in which we use it, vary in line with the use cases below (click the headings to view the relevant portions of the policy):
• Visitors to Gatenox.com
• When you provide us with information by completing forms
• Candidates for jobs with Gatenox
• Our anti-money laundering, sanctions and adverse media data
• Business contacts
• Information we collect from publicly available sources

Visitors to Gatenox.com

When you browse this website

What we collect

Data on how you use the site
The pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), how long your visit and pageviews last, the frequency of your visits, and information on how you navigate the site.

Data that identifies you
Your IP address, unique identifiers tied to cookies.

What we do with your data

Site optimisation
Analysing aggregated data to update our site’s content and layout to improve relevance for visitors.

Our basis for processing this data

Legitimate interests
Using insights from visitor behaviour to improve the way we market our services.

How long we hold this data

Data holding periods are determined by cookie expiry times.

Recipients of data

Within Gatenox group companies
Personal information will be available for our global marketing teams, and other Gatenox personnel who have a need to access this data for the purposes set out above.

Outside of Gatenox
CRM and marketing automation providers
Website analytics vendors

What we collect
Data on how you use the site
The pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), how long your visit and pageviews last, the frequency of your visits, and information on how you navigate the site.

Data that identifies you
Your IP address, unique identifiers tied to cookies.
What we do with your data
Site optimisation
Analysing aggregated data to update our site’s content and layout to improve relevance for visitors.
Our basis for processing this data
Legitimate interests
Using insights from visitor behaviour to improve the way we market our services.
How long we hold this data
Data holding periods are determined by cookie expiry times.
Recipients of data
Within Gatenox group companies
Personal information will be available for our global marketing teams, and other Gatenox personnel who have a need to access this data for the purposes set out above.

Outside of Gatenox
CRM and marketing automation providers
Website analytics vendors

When you provide us with information by completing forms (including on third-party platforms), subscribing for email updates, registering for events hosted by us or when requesting demos.

What we do with your data

We use this information to contact you for the purpose specified in the form and in accordance with any marketing preferences you submit to us.This information is added to and managed through our contact database. A member of our sales team may contact you if we determine through your submission that you may be interested in our services. We analyse our contact database data to understand, track, and improve how we market and sell our services.

Our basis for processing this data

Taking steps at your request prior to entering into a contract
If you request that we contact you to provide more information on our services to you, we’ll process your data and contact you on this basis.

Legitimate interests
We will send you our email newsletters being necessary for our legitimate interests to give you information about our products and services (unless you have opted-out). We’ll also retain and analyse information gained from our interactions with you as part of understanding, tracking and improving how we market and sell our service. We retain a record of your marketing preference choices in order to demonstrate our historic compliance with data protection law.

Consent:
We may ask you for your consent to process your personal data, for example to send you marketing communications when you sign up to receive one of our industry reports. You are able to revoke this consent at any time by unsubscribing using the automated unsubscribe button in our emails, or by emailing dpo@Gatenox.com.

How long we hold the data

Email newsletters
We’ll keep your details on this list until you unsubscribe, at which point we’ll move your details to an opted-out list to ensure that we don’t send you marketing emails from other sources in future.

Sales process
We retain information relating to our sales interactions with you for up to five years following our determination that we’re not an appropriate sales fit. We use this period as service contracts in our industry often last for 5 years, so a new opportunity may arise during the retention period.

General
We retain historic information relating to any marketing preference choices that you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed.

Recipients of data

Within Gatenox
Personal information will be available for our marketing and sales personnel, as well as customer success and other teams as necessary to fulfil the purposes set out above.

Outside of Gatenox
Our cloud storage providers, customer database, and marketing providers.

Job candidates

Recruitment information you provide to us

What we do with your data

We use your data to:
• contact you in relation to your candidacy
• assess suitability for future vacancies
• assess your suitability for the vacancy you applied for
• monitor the impact of our diversity and inclusion programme and to make improvements

Our basis for processing this data

Taking steps at your request prior to entering into a contract:
If you send us your personal information in response to a vacancy advertised by us, we need to process it in order to consider your application.

Legitimate interests:
We want to build the best team we can, and we carry out this processing as part of the hiring process that enables this.

Compliance with a legal obligation
For roles where we conduct a resident labour market test to enable us to apply for visas, and subsequently hire someone who needs a visa on this basis, we retain unsuccessful applicant information as part of the related record-keeping requirements.

Consent:
Where you have voluntarily provided information this is on a consent basis, and may be revoked (e.g. information relating to your race or ethnicity).

How long we hold the data

General
Your information is stored in our applicant tracking system for up to 24 months after you have been notified your application has been unsuccessful. Successful candidates’ information becomes subject to our employee privacy policy.

Legal record-keeping
If we hire someone subject to a resident labour market test for a role you applied for, we’ll retain your personal data until the expiry of the applicable record-keeping requirement (currently one year following the end of our sponsorship of the visa in question).

Recipients of data

Within Gatenox
Personal information will be available for the hiring and recruitment teams.

Outside of Gatenox
• Our applicant tracking system
• Providers of any aptitude testing systems used as part of the hiring process
• Third party background check providers
• Recruitment agencies

Recruitment information you provide to us

The data we process

• Publicly available information relevant to your potential suitability to work with Gatenox
• Any information provided by someone else about you to us.
• Feedback from interviews and assessments.

What we do with your data

We use your data to:
• contact you in relation to current vacancies
• assess your suitability for vacancies

Our basis for processing this data

Legitimate interests
• Assessing the current labour market and your suitability for available roles.
• To hold as a reference point should you make any further applications within the retention period.

Compliance with a legal obligation
If you are actively involved in our recruitment process for roles where we conduct a resident labour market test and subsequently hire someone who requires a sponsored visa, we retain unsuccessful applicant information as part of the related record-keeping requirements.

How long we hold this data

Your information is stored in our applicant tracking system for up to 24 months after you have been notified your application has been unsuccessful, or subject to our legal record-keeping requirements if needed for our compliance with immigration law.

Recipients of data

Within Gatenox
• Personal information will be available for the hiring team and our recruitment personnel.

Outside of Gatenox
• Our applicant tracking system
• Providers of any aptitude testing systems used as part of the hiring process
• Our cloud file storage systems
• External recruiters with whom you dealt as part of the recruitment process
• Government and legal service providers involved in the visa application process
• Third party background check providers

Our anti-money laundering, sanctions and adverse media data

The data we process

Sanctions, warnings, fitness & probity
Information related to and available on publicly available government lists covering sanctions, the prevention and detection of unlawful acts, and other protective functions. This will generally include a full name, a year or date of birth, nationality, reasons for appearing on the list, and the period covered by the data subject’s appearance on the list, but this depends on the information contained in the list.

Politically exposed persons
We collect publicly available information relating to individuals in prominent public positions, and their family members, close associates, and business interests. Names, dates or years of birth, position(s) held or connection(s) that we think may give rise to a PEP designation, country of nationality, residence and service, photographs (if available) and the period for which that designation would have been active (e.g. active service dates).

Adverse media
We collect links to publicly available news articles that our systems determine to name individuals in connection with financial crime, terrorist financing, other relevant unlawful acts, improper conduct, dishonesty, etc. We will also extract information relating to age from these articles to determine approximate years of birth.

Corporate registry information
We collect data from publicly available corporate registries or from third parties, relating to individuals’ shareholdings and directorships (or such analogous positions).

What we do with your data

Consolidated profiles:
We structure the data collected into profiles consolidating the information outlined above.

Sharing with clients:
Where one of our clients searches for a name on our database, we share with that customer any profiles that match the given search parameters.

Partners:
We will also share this data with partners that resell the data to clients seeking AML and sanctions compliance tools.

Our basis for processing this data

Legitimate interests
Our existing and prospective clients have legitimate interests in gaining access to high-quality and easily manageable data of the type we process in order to optimize compliance with obligations concerning sanctions, anti-money laundering, know-your-client and counter-terrorist financing. We also pursue our own legitimate interests in developing and improving products and services to serve this market.

How long we hold this data

AML Database:
We retain the information in our AML databases indefinitely.

Backups
Where we remove personal data from this database (for example, where we become aware that the information is not, or is no longer, relevant), it will remain in our backups for 30 days.

Recipients of data

• Other data controllers on whose behalf we act as processors, who search for information matching given profiles
• Partners who are reselling our services to data controllers, on whose behalf we act as subprocessors
• Gatenox group employees
• Our hosting and cloud storage providers
• Vendors we use to monitor the accuracy and performance of the data

Business contacts

Information we receive from you (e.g. business cards, correspondence during the sales process)

What we do with your data

A member of our sales team may contact you if we determine through your submission that you may be interested in our products and services.
This information – along with details of our interactions including phone calls and correspondence – is added to, and managed through, our CRM. We analyse our CRM data to understand, track, and improve how we market and sell our services. We save some correspondence to provide precedents and examples to other members of the team, and add your personal information to our e-signing and billing systems if appropriate.
We may make recordings of telephone calls with clients and prospective clients.
We may send you questionnaires or forms asking for feedback on our services, which are used to help improve the services we provide.

Our basis for processing this data

Taking steps at your request prior to entering into a contract:
If you request that we contact you to provide more information on our services to you, we’ll process your data and contact you on this basis.

Legitimate interests
We’ll retain and analyse information gained from our interactions with you as part of understanding, tracking and improving our services and how we market and sell our services.
We process data in relation to billing and contracting in order to operate the legal and financial elements of our business.
We retain records of consent-based and other processing in order to demonstrate our historic compliance with data protection law.

How long we hold the data

Email newsletters:
We’ll keep your details on this list until you unsubscribe, at which point we’ll move your details to an opted-out list to ensure that we don’t send you marketing emails from other sources in future.

Sales process
We retain information relating to our sales interactions with you for up to five years following our determination that we’re not an appropriate sales fit. We use this period as service contracts in our industry often last for 3-5 years, so a new opportunity may arise during the retention period.

General
We retain historic information relating to any consent you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed.

Recipients of data

Within Gatenox
Personal information will be available for our marketing and sales personnel, as well as customer success and other teams as necessary to fulfil the purposes set out above.

Outside of Gatenox
Our cloud storage providers, CRM, sales and marketing automation tools, third party providers of online forms, customer support/servicing tools, debt collection service providers.

Information we collect from publicly available sources

The data we process

• Name, contact details, professional activity
• Publicly available information relevant to your position in your organisation, and industry events you’re attending.
• Bought in data from third party providers (containing the above mentioned data)

What we do with your data

We use this data to generate sales leads and to run marketing campaigns.

A member of our sales team may contact you to understand more information about your organisation’s anti-money laundering and sanctions compliance operations, and gauge your organisation’s potential interest in our services.

This information – along with details of our interactions including phone calls and correspondence – is added to, and managed through, our contact database. We analyse our contact database data to understand, track, and improve how we market and sell our services.

Our basis for processing this data

Taking steps at your request prior to entering into a contract:
If you subsequently request that we contact you to provide more information on our services to you, we’ll process your data and contact you on this basis.

Legitimate interests:
• Identifying stakeholders in organisations with requirements for software similar to that provided by Gatenox
• To hold as a reference point should you make any further applications within the retention period.
• We’ll retain and analyse information gained from our interactions with you as part of understanding, tracking and improving how we market and sell our services.

How long we hold this data

Sales process
We retain information relating to our sales interactions with you for up to five years following our determination that we’re not an appropriate sales fit. We use this period as service contracts in our industry often last for 3-5 years, so a new opportunity may arise during the retention period.

General
We retain historic information relating to any consent you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed.

Recipients of data

Within Gatenox:
Personal information will be available for our marketing and sales personnel, as well as customer success and other teams as necessary to fulfil the purposes set out above.

Outside of Gatenox:
Our cloud storage providers, CRM, sales and marketing automation tools, and customer support/servicing tools.

Supplier information

The data we proceWhat we do with your datass

We will use publicly available contact information in order to approach you or your employer for services, or to respond to an approach.

We may make recordings of telephone calls with suppliers and prospective suppliers.

We may send you questionnaires or forms asking for further information on how you or your employer provide services, which are used to facilitate our supplier management and to comply with our governance obligations.

As part of receiving services from you or your employer, we will process personal data concerning employees of the supplier, that are necessary for assessing the suitability of the supplier, or for the purposes of receiving the services.

Our basis for processing this data

Processing is necessary for the performance of a contract/taking steps prior to entering into a contract:
We’ll process your data as part of considering if we wish to enter into a supplier relationship with you/your employer, and subsequently to facilitate the receipt of services from the supplier, to comply with our ongoing supplier governance processes and processing invoices.

How long we hold the data

We retain information relating to the supply of services for six years from the date that the contract for the provision of the services is terminated.

Recipients of data

Within Gatenox:
Personal information will be available for personnel, as necessary to fulfil the purposes set out above.

Outside of Gatenox:
• our cloud storage providers,
• CRM,
• finance tools (for example to generate Purchase Orders),
• third party providers of online forms,
• ticketing systems, and
• file and office management tools.

Business Transfers

In addition to the circumstances described above, we may also share personal data with another company in connection with or during negotiations of any merger, acquisition, financing, re-organization, bankruptcy, sale of all or a portion of our assets, or transition of services to another provider.Your personal data may be processed outside of the UK. We will only transfer your data if there is a legal mechanism in place to ensure that your data is safeguarded.

Minors

Our Services are intended for adults and we do not knowingly collect Personal Information from children below the age of 16. If you are a parent or legal guardian and think your child has given us personal data without your consent, please contact us at dpo@Gatenox.com

Links to Other Websites and Third-Party Content

We may provide links to third-party websites, services, and applications that are not operated or controlled by Gatenox. This Privacy Notice does not apply to the privacy practices of those third parties. The fact that we link to a website, service, or application is not an endorsement, authorization, or representation of our affiliation with that third party. We encourage you to review the privacy policies of any third-party service before providing any personal data to or through them.

Security

Gatenox uses generally accepted administrative, physical, and technical safeguards we believe are appropriate to protect the confidentiality, integrity and availability of your personal data. Although we make reasonable efforts to protect personal data from loss, misuse, or alteration by third parties, you should be aware that there is always some risk involved in transmitting information over the internet and storing information electronically. Gatenox cannot and does not guarantee absolute security.

Changes to Our Privacy Notice

We may change this Privacy Notice from time to time to reflect changes in our practices or in the law. If we make changes, we will post the updated Privacy Notice on our website and indicate when it was last revised. You are advised to review this Privacy Notice periodically, to stay informed of our practices. If we make material changes, we may provide you with additional notice, such as posting a statement on our homepage or sending you an email notification, if we have your email address on file. Your continued use of the Services after the revised Privacy Notice has become effective indicates that you have read, understood, and agreed to the current version of this Privacy Notice, to the extent permitted by law. If you have any queries, complaints, or would like to request a data subject right please contact our DPO dpo@catenox.com