Last Updated On: 2018-04-25
Our Commitment to GDPR
We are firmly committed to GDPR compliance – please see our GDPR Statement for further in-depth details.
The Purpose Of This Document
The main purpose of this document is to outline what data we typically collect, why we collect it, what we do with it, and with which organisations we share it.
Primary Data We Collect
The main data that we collect are:
- Email address
- IP address
Purpose of Primary Data Collection
We identify user accounts on all our systems primarily by email address. This ensures unique IDs and a standard medium of communication between us and our customers.
We require a valid email address for the purposes of identification of users for account access and to allow communication.
We also request a name so as to make the exchange more personal. It is not a requirement to have the accurate name and if we have an inaccurate name, it is because this is what was provided by the user. We don’t guess names.
The IP Address of users is collected and tracked for the purposes of maintaining user sessions and authentication and for security purposes and auditing.
Receipt and Sharing of Primary Data
Fernleaf Systems Limited never shares or sells your information with any 3rd parties.
We do use other 3rd party services for the purposes of accounting, user data management, and marketing, but they are custodians of the data only.
Non-Primary Data Collection
Data We Collect
There are times when we collect other identifiable information, or at least request it. This includes:
- Address (at least Country/Region/State)
- VAT/TAX number
- Registered Business name
- IP address
Purposes of Data We Collect
The main role of non-primary data is for billing purposes. We will only require information if it is required by us, for legal and accounting purposes.
We are a UK-registered Limited Company and are required by law to maintain accurate records for accounting and legal purposes.
At the point of purchase we will request information, and require it where appropriate.
An example of this is VAT in the E.U. We are required to collect certain pieces of data to ensure that we are charging VAT/Taxes appropriately. We must then retain this data for accounting purposes and future audits.
Receipt and Sharing of Non-Primary Data
In the case of billing, while we collect important information for the purposes of accounting, we do not receive any credit card or billing information.
All billing information is received, stored and processed with our 3rd party providers.
These currently include:
- Stripe, Inc.
Important: At no stage does Fernleaf Systems Limited ever receive credit card information.
Statistics Data Collection
Periodically, our services gather statistics about usage patterns and behaviours within our software, this would include, for example, operational statistics from our Shield Security plugin.
All types of statistics data is collected in an wholly anonymous manner. We may create a unique ID per installation in order to group statistics records that have been gathered, but this ID is not tied to any personal or otherwise identifiable information.
As this data is not considered sensitive (since it is entirely anonymous), this data may be retained indefinitely and may not be deleted upon request. It may not be deleted since the information is not attributable in any way to any person, site, or other piece of data that may be used directly, or indirectly, to identify the source.
Data Retention Period For Legal & Accounting Purposes
Fernleaf Systems Limited retains customer information for at least 10 years after the most recent purchase.
If for any reason information is deemed to be necessary to retain for any potential legal purposes, or we are required to do so by law, we may not be able to honour certain requests to erase information. Regardless, you will be notified of the result.
Data Retention Period For Any Other Purpose
If there is no requirement by law or any other compliance or legal regulations, we may retain information on our customers or users for no longer than 13 months following our most recent interaction with the user.
Note that while we may need to retain your data for accounting & legal purposes etc as mentioned above, this does not apply to cases where we have any other data about you. You may of course request at any time that we erase any data about you that is not required to be retained.