Like most businesses, from the moment you first land on our website we start collecting data about you. In this privacy notice you'll understand exactly what information we collect and why. We'll also tell you about who we share your information with and explain your rights.
Who are “we”?
We are Brandfire Ltd. We’re a cyber security and data protection business based in Campbeltown and Glasgow – and are a Data Controller in respect of your personal data.
| 105 Longrow Campbeltown PA28 6EX |
[email protected] |
When and how we collect your data
| When you visit our website When you visit our website, our network security provider Cloudflare places a cookie (a small text file) onto your device to uniquely identify it. This allows them to separate trusted web traffic from malicious traffic. This information is anonymous and is processed in a way which does not identify anyone. See the section on cookies for more information. Our website is hosted in the UK and logs information about our visitor traffic including IP address, browser type, device used, pages accessed and date / time of access. |
|
| The purpose of this processing is to maintain and monitor the performance and security of our website, and to help us understand and improve the features of the website. The legal basis we rely on is Article 6(1)f – necessary for our legitimate interests. We retain our website traffic logs for 12 months. |
|
| When you visit our Facebook company page Facebook Ireland uses cookies to track visitors to our company page. These cookies are set regardless of whether or not you have a Facebook account and will also track your Internet activities on and off Facebook. Although we cannot access the data from these cookies, by setting up the page we are responsible for their existence (as a joint data controller) and we can benefit indirectly from ‘insights’ into our customer demographic which are only made possible through the existence of these cookies – see CJEU ruling C-210/16 dated 5th June 2018 for more information. |
|
| The purpose of this processing is to operate and monitor the Facebook page we use to promote the business. The legal basis we rely on is Article 6(1)f – necessary for our legitimate interests. Facebook retains this information for two years. |
|
| When you contact us We record your name, e-mail address and specific information relating to your enquiry from data entered into enquiry forms on our website or sent in to us directly via e-mail. |
|
| The purpose of this processing is so that we can respond to your question or enquiry. The legal basis we rely on is Article 6(1)a of the GDPR – consent. We retain this information until six months after your enquiry was answered. |
|
| When we do work for you We record your full name, postal address, and e-mail address, along with information relating to your business. We also collect payment information such as bank details if you pay us by direct debit. |
|
| We process this data for the purpose of fulfilling our contract with you. The legal basis we rely on is Article 6(1)b of the GDPR – necessary to fulfil a contract. We retain all of this information until six years after our contract has ended. |
|
| When you sign up for Marketing We record your name, e-mail address and social media handle, if provided. |
|
| The purpose of this processing is to provide direct marketing and promote the company via social media. The legal basis we rely on is Article 6(1)a of the GDPR – consent. We retain this information for no more than 72 hours after you withdraw your consent. |
|
| When we communicate with existing customers We record your name and e-mail address. |
|
| The purpose of this processing is to provide information on related products and services. The legal basis we rely on is Article 6(1)f of the GDPR – necessary for our legitimate interests. This information is sent electronically in accordance with the Privacy and Electronic Communications Regulations 2003 and you are offered the option to opt-out of marketing in every communication we make with you. Your right to object to processing is absolute. |
|
| When you receive direct marketing from us We use industry standard tools to record when e-mails have been opened and when links inside e-mails have been clicked. In addition, your IP address, browser type, device used, links accessed and date / time of access are recorded. |
|
| The purpose of this processing is to measure the effectiveness of our direct marketing. The legal basis we rely on is Article 6(1)f of the GDPR – necessary for our legitimate interests. We retain this information for six months. |
|
| When you use our WiFi connection at our office We record your device (MAC) address and will assign your device an IP address. We will also record the websites you visit along with the date and time you visit them. |
|
| The purpose of this processing is to provide you access to our Internet connection during your visit, and to ensure the security of our network. The legal basis we rely on is Article 6(1)f of the GDPR – necessary for our legitimate interests. We retain this information for one month. |
|
How do we process your data?
Your data are not subject to automatic decision procedures. We follow strict security procedures to ensure that your personal information is not damaged, destroyed, or unlawfully disclosed to a third party, and to prevent unauthorised access. The computers storing personal data are kept in a secure environment with restricted physical access.
We use secure firewalls and other technical measures to restrict electronic access – in particular we operate separate networks for our internal computer and guest WiFi networks. Your data, whether held on our computers, on the computer networks of our data processors, or in transit is always encrypted.
All of the information we collect, or record is restricted to our business and the third parties we explicitly name in this privacy notice. Only members of staff who need to access your personal data are granted access to it. All members of staff with access to personal data receive training on network security and data protection before they are granted access to personal data.
We will explicitly ask you when we need information from you to identify you – for example, we may require you to co-operate with our security checks before we disclose information to you. This is to prevent others gaining access to your data and reduce the risk of identity fraud.
You can update the personal information that you give us at any time by contacting us directly at [email protected].
Who do we share your data with?
Who don’t we share it with?! Seriously, all businesses share your personal data with third parties – and under the GDPR businesses need to be honest about this. As part of our preparations, we carefully reviewed our suppliers (Data Processors) and made changes to improve the privacy and security of the data we hold.
| Name or class of processor | Data shared | Purpose of processing | Location of your data |
| Siteground | IP address, browser type, device used, pages accessed, date and time | We use Siteground to host our website and log visitors to it. | UK |
| Cloudflare | IP address, location, browser type, device used, pages accessed, date and time | To provide our website with enhanced protection against cyberattacks. | US – we rely on the Privacy Shield framework |
| Microsoft | Name, contact details, enquiry, business information | IT infrastructure and e-mail platform | Europe |
| Mailjet | Name, e-mail address | Direct marketing | Europe |
Your rights
 |
The right to access your data You can ask us to provide copies of all of the data we have about you – along with the reason why we have your data, who we have disclosed your data to, how long your data will be stored and information about your rights regarding our use of your data. |
 |
The right to withdraw your consent Where we rely on your consent to process your data, you have the right to withdraw that consent and it must be as easy to withdraw your consent as it is to give it. |
 |
The right to object to the use of your data Where we rely on legitimate interests to process your data, you can object to our processing it in some cases. If the purpose of the processing is for Direct Marketing, your right to object to processing is absolute. |
 |
The right to get your data corrected You can challenge the accuracy of the data we hold about you and get it corrected. |
 |
The right to have your data deleted You can ask us to delete the data we have about you, unless it is required for the purposes of fulfilling a contract between us or it is part of a legal obligation. We will normally keep a record of your e-mail address on a suppression list to ensure that we don’t accidentally add you to any direct marketing lists at some point in the future. |
 |
The right to restrict how we process your data If you have a query or concern about our use of your data, you can prevent us from using it – and at the same time this prevents us from simply deleting it until your concerns have been addressed. |
 |
The right to data portability You can ask us to give your data to you in an electronic format which can then be used to transfer your data to another organisation. We will normally export this in .csv format. |
 |
The right to raise a concern You can contact us to raise a concern about our processing of your personal data at any time at [email protected]. If you are unhappy with our response, you can raise the matter with the Information Commissioner’s Office (www.ico.org.uk). You also have the right to claim compensation for damage incurred as a result of the unlawful processing. |
Cookies and other Tracking Technologies
The word ‘cookie’ is a catch-all to describe a range of technologies used by websites to help them process information about visitors. This could include cookies, which are small text files placed on your computer by the websites you visit, but there are other technologies such as local storage, web beacons, javascript tools and identifiers belonging to your device which allow organisations to track you and your behaviours as you browse the Internet.
A good example of this technology in action is when you chat about buying a garden spade with your friends on social media and suddenly every single website you visit bombards you with adverts for spades. It’s not magic – it’s just your personal data being used to provide targeting adverts, and sometimes in ways you might not expect.
We do not use any tracking cookies on our website
Technologies that are strictly necessary to make websites work properly are called ‘essential’. Technologies that are not strictly necessary are called ‘non-essential’. The table below explains the cookie that we use on our website.
| Cookie | Name | Purpose | Type |
| Cloudflare | __cfduid | This cookie is set to allow our security provider to provide our website with enhanced protection against Distributed Denial of Service (DDoS) attacks. | Essential |