Privacy Policy

PRIVACY NOTICE

Introduction


We are Allan Carton trading as Carton & Co (also referred to as “we”, “our”, “ours” or “us”). 


At Carton & Co, we are committed to lawful, fair and transparent processing of all personal information about our employees, clients, suppliers and other third parties at all times in accordance with applicable data protection laws. The main law governing data protection is the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016) known as the “GDPR”.


We handle all personal information with great care and have policies in place to ensure that it is protected.  Your privacy is important to us and we understand how important it is to you. This privacy policy tells you about the type of information Inpractice collects and processes, what we do with it, how we keep your information secure, your rights and how to contact us. 


What this policy is: In the event that you become a client of Carton & Co, we would like you to know how we will process your personal data and any personal data you provide to us relating to anyone else. This policy (and any other documents referred to in it, together with our terms of business and any privacy notice displayed on our website) sets out the basis on which we will process any personal information about you or individuals generally.


Why you should read this policy: It is important that you read this policy, together with any other documents referred to in it, so that you are aware of how any personal information relating to you will be dealt with by us.


Changes To This Policy & To Your Information


We are continually improving our Data Protection policy and as a result this Privacy Policy will change from time to time. If we change our Privacy Policy we will update it by posting a new version on our website. Your continued use of the website, content or services or your continued dealing with us after we have notified you of the updated policy will amount to your acknowledgement of the amended privacy policy.   This policy was last updated on 28 October 2022.


It is important that personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.


Contact Us - Compliance Officer


Allan Carton is responsible for ensuring Inpractice’s compliance with Data Protection under GDPR and this policy. He may be contacted at acarton@cartonconsultants.com or by post addressed to: Mr A Carton, Carton & Co, 55 Cecil Road, Hale, Cheshire WA15 9NT.


Contact the ICO


For more information about any of your rights, please visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ 


If you wish to exercise any of your rights concerning your personal data, please contact the Information Compliance Manager at Inpractice at the address shown above. If you are not satisfied with the response you receive, you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (t) 0303 123 1113 (e) casework@ico.org.uk


We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner's Office, so please contact us in the first instance.


Collection of personal data


We collect personal data from you for one or more of the following purposes:

 

  • To provide you with information that you have requested or which we think may be relevant to a subject in which you have demonstrated an interest;
  • To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of products and/or services;
  • To fulfil a contract that we have entered into with you or with the entity that you represent;
  • To ensure the security and safe operation of our websites and underlying business infrastructure, and
  • To manage any communication between you and us.

 

Lawful basis for the processing of personal data


We do not give, sell or exchange your information with other organisations for marketing purposes unless there is a lawful basis for doing so.


Our legal basis for processing your Personal Data:



  • Legitimate interest – telemarketing, B2B/B2G email marketing
  • Consent - email marketing based on individual opt-in (and please also see data sharing below)
  • Contract - where we need to process information to perform our services for you.


Any legitimate interest pursued by us, by third parties we use or by selected partners that we work with is to promote our products and services and those of selected business partners that would be of interest to your business, the sector you operate in or the job role you hold.


We do not collect or process special categories of Personal Data (as defined in GDPR) for marketing activities.


When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:

 

  • The purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms?

 

Your rights as a data subject


As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email acarton@cartonconsultants.com. To process your request, we will ask you to provide two valid forms of identification for verification purposes. 


Your rights are as follows:


The right to be informed:  As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you.


The right of access: You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:

 

  1. The purposes of the processing
  2. The categories of personal data concerned
  3. The recipients to whom the personal data has been disclosed
  4. The retention period or envisioned retention period for that personal data
  5. When personal data has been collected from a third party, the source of the personal data

 

If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.


The right to rectification:  When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.


The right to erasure (the ‘right to be forgotten’):  Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.


The right to restrict processing:  You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:

 

  1. The accuracy of the personal data is contested
  2. Processing of the personal data is unlawful
  3. We no longer need the personal data for processing but the personal data is required for part of a legal process
  4. The right to object has been exercised and processing is restricted pending a decision on the status of the processing

 

The right to data portability:  You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.


The right to object:  You have the right to object to our processing of your data where

 

  1. Processing is based on legitimate interest;
  2. Processing is for the purpose of direct marketing;
  3. Processing is for the purposes of scientific or historic research;
  4. Processing involves automated decision-making and profiling.

 

Our data protection principles


We are accountable for demonstrating compliance with the GDPR’s six principles of processing personal information. These provide that personal information we deal with must be

 

  1. Processed fairly, lawfully and in a transparent manner;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. Adequate, relevant and limited to what is necessary;
  4. Accurate and, where necessary, kept up to date;
  5. Not kept for longer than necessary; and
  6. Processed securely, maintaining integrity and confidentiality.

 

We work exclusively for commercial enterprises, working and communicating with their owners and managers in their capacity within their business. We will only use your personal information when the law allows us to do so and relying on a relevant basis for lawful processing in each instance.


We rely on the following lawful bases of processing for processing your data:


Where we need to perform a contract we are about to enter into or have entered into with you.

 

  • To provide you with information or services that you request from Carton & Co.
  • To carry out our obligations arising from any contracts entered into between you and us including carrying out the instruction, communicating with you, forwarding documents as requested and taking payment for the work. 

 

Where it is necessary for our legitimate interests (or those of a third party, such as a client using our services). 
 

  • To allow us to explore business opportunities to develop a commercial relationship.
  • Where we have established an agreement with a client that allows us to retain Personal Data.
  • To allow us to perform our obligations under any contract with our client.

 

Where we need to comply with a legal obligation.
 

  • To retain basic transaction details for the purpose of tax reporting and auditing. 

 

Where you have consented to the processing.

You may need to provide your consent to processing in situations that are not covered by other lawful reasons for processing:

 

  • To allow Inpractice to store your information to facilitate future instructions.
  • To allow Inpractice to collect and process other sensitive personal information.

 

The limited personal information we may hold about you and your business will potentially comprise the following, which we maintain for the reasons stated above:

 

  • Name
  • Company name
  • Geographic location
  • Email address
  • Gender
  • Business sector
  • Telephone number
  • Personal contact information if provided through website forms or other means.
  • Website and social media details generally available to the public.
  • Any consents you provide us for processing your information.
  • Bank account details provided to make or receive payments.
  • Business profiles available through market research.

 

More details about how we use personal information:


1) We may process your personal information for more than one lawful basis. Please contact our Compliance Officer if you need details about the specific legal basis we are relying on to process your personal information – contact details can be found near the beginning of this document. 


2) We will only use your personal information for the purposes for which we collected it (or were asked to process it on behalf of one of our clients, where you have not provided the information to us directly), unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please contact us if you would like further details of any additional purposes of processing. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.


3) Where we need to collect personal information by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). If this happens, we may have to cancel, or be unable to provide, any services you have requested.

4) We may process your personal information without your knowledge or consent where we are required to do so by law.


How We Use Personal Information 


In this policy, where we have referred to needing your consent for any processing, we will make sure that the consent is:

 

  • Specific consent for one or more specified purposes; and,
  • Given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of your agreement to the relevant processing of personal information at the time your information is collected from you.
  • Retained with the information to which the consent relates.

 

We may use your personal information to:

 

  • Administer our website and business;
  • Personalise our website for you;
  • Enable your use of the services available on our website and more generally;
  • Send you goods purchased through our website;
  • Supply to you services purchased through our website;
  • Send statements, invoices and payment reminders to you, and collect payments from you;
  • Send you non-marketing commercial communications;
  • Send you email notifications that you have specifically requested;
  • Send you our email newsletter, if you have requested it. You can inform us at any time if you no longer require the newsletter;
  • Send you marketing communications relating to our business or the businesses of carefully-selected business partners which we think may be of interest to you, by post or, where you have specifically agreed to this, by email or similar technology. You can inform us at any time if you no longer require marketing communications;
  • Provide third parties with statistical information about our users but those third parties will not be able to identify any individual user from that information;
  • Deal with enquiries and complaints made by or about you relating to our website;
  • Keep our website secure and prevent fraud; and
  • Verify compliance with the terms and conditions governing the use of our website including monitoring private messages sent through our website private messaging service.

 

Marketing & Our Website


We will only send marketing information by email on the basis of "legitimate interest" or "Consent", but every marketing email we send will provide an option to opt out of receiving future messages if you wish. You may, at any time, opt out of receiving marketing information from Carton & Co by contacting us via post or emailing us at solutions@cartonconsultants.com.


The Personal Data we collect from Clients, Marketing Leads and Prospective Clients will be used for the following purposes:


  • Direct Marketing
  • Updates regarding products and services 
  • Providing our products and services via our selected business partners
  • Event Invites
  • Surveys 


We collect and use your Personal Data to provide you with information and advice about products or services that you may request using the Contact Forms on our website. We also use cookies (see more detail on these below) to help us provide you with a personalised service, and to help make our websites, applications and services better for you. 


We may also collect non-personally identifying information about your visit to our websites based on your browsing activities. This information may include the pages you browse and products and services viewed. This helps us to better manage and develop our sites, to provide you with a more enjoyable, customized service and experience in the future, and to help us develop and deliver better products and services tailored to your individual interests and needs.


How We Share Your Data 

 

Transfer of personal information outside of the EEA: We may, with your prior approval, transfer your information to a country outside the EEA for processing if we are required to do so by an IT provider or for other reasons. If we need to do this, we will ensure that we explain the reasons for doing so and one of the following will apply:

 

  • You have provided your consent to do this; or
  • The transfer is covered by one of the derogations set out in the GDPR, including the performance of a contract between you and us, or to protect the vital interests of individuals; or
  • We transfer your personal information to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details search “European Commission: Adequacy of the protection of personal data in non-EU countries”; or
  • Where we use non-EEA based service providers we may use specific contracts approved by the European Commission that provide personal information with the same protection as in Europe. For further details search “European Commission: Model contracts for the transfer of personal data to third countries.”

 

Sharing of your personal information with third parties:  We may pass your personal information to third parties in the following circumstances:


  • To our selected business partners in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to contact you for marketing purposes that you have either consented to or in which we or they have a legitimate interest. When you opt out, they will dispose of the Personal Data in line with our procedures. If we wish to pass your sensitive Personal Data (as defined in the GDPR) on to a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.
  • Auditors and other professional advisers.
  • To law enforcement or other government and regulatory agencies or to other third parties where we are required to do so under a duty to do so in order to comply with any legal obligation, for the purposes of fraud protection or credit risk reduction.
  • When we have your consent to do so.

 

Automated Decision-Making


We do not carry out automated decision-making or profiling at present, however we will notify you in writing and update this privacy notice if this position changes.


Security measures


We have what we believe are appropriate security controls in place to protect personal data. We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information. We accept no liability in respect of breaches that occur beyond our sphere of control.


Links to Other Websites


Our website may, from time to time, contain links to information and articles hosted by third-party websites. We are unable to accept responsibility or liability for content of these sites or the privacy policy or security operated by these websites. Please check the relevant policy before you submit any personal information to these websites.


Cookies


Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.


A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or device if you agree. Cookies contain information that is transferred to your computer or device. We use the following categories of cookies: 

 

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website. 

 

  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. 

 

  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your preferences (for example, your choice of language or region)

 

  • Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and any advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

 

More information about the individual cookies we use and the purposes for which we use them is set out below:


1) Carton & Co Analytical/Performance cookies: Used for website tracking / analytical cookies that do not identify individuals. The website will continue to operate correctly with cookies disabled within your browser settings.

 

  • JSESSIONID: A random session number created at the start of a website visit. Deleted when the browser session is closed.
  • sp_id.e5b3: A cookie that creates a 64-bit hexadecimal number for tracking long-term visits to the website. Deleted after 730 days (2 years).
  • _sp_ses.e5b3: A short-term cookie that stores a unique 13-digit number specific to the session that is used to track movement within the website. Deleted 30 minutes from start of session.
  • Dm_last_page_view: A long-term cookie that stores the last page visited in 13-digit numeric format. Valid for 1 year from last update.
  • dm_last_visit: A long-term cookie that stores the last page visited in 13-digit numeric format. Valid for 1 year from last update.
  • dm_this_page_view: A long-term cookie that stores the last page view information in 13-digit format. Expires after 365 days.
  • dm_timezone_offset: A numeric value that is the offset in minutes to GMT. Expires after 365 hours from last website access.
  • dm_total_visit: A cookie that is used to store a number that represents how many separate visits have occurred in the year from the first visit. Expires one year from the date/time of creation.
  • Local storage: The size occupied by the cookies on disk (91 bytes).

 

2) Google Analytics cookies: Used to record how many people are using the website and how they move around the site once they’ve arrived. They will not store any details that can be linked to individuals. The website will operate correctly with cookies disabled by browser.
 

  • _utma: Stores each user’s number of visits, time of the first visit, the previous visit and the current visit. Expires 2 years after last visit to website.
  • _utmb: Checks how long a visitor stays on the site: when a visit starts and ends. Expires 30 minutes after last visit, or after 30 minutes of inactivity.
  • _utmc: Checks how long a visitor stays on the site: when a visit starts and ends. Expires when the browser is closed.
  • _utmz: Tracks where a visitor came from (search engine, search keyword, link). Expires 6 months after it was last set.
  • _utmv and _utmd: Track visitor journeys through the site and classify them into groups. Are not set and expire immediately.

 

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.


You may block cookies by activating the setting on your browser or mobile device that allows you to refuse the setting of all or some cookies. The Inpractice website will continue to operate correctly without cookies.


Retaining personal information


Personal information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.  Notwithstanding the other provisions of this Section, we will retain documents (including electronic documents) containing personal data:

 

  • To the extent that we are required to do so by law;

 

  • If we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and

 

  • In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).

 
