Eagle Point Partners End User Privacy Policy - Eagle Point Partners

Eagle Point Partners End User Privacy Policy

At Eagle Point Partners, we are committed to protecting and respecting data protection and privacy rights. Please take a moment to read this Privacy Statement to find out more about why and how we collect, process and use personal information.

Who we are

Corbett Quilty Limited trading as Eagle Point Partners (“Eagle Point Partners”) and located at no. 1 Maritana Gate, Canada Street, Waterford.

When processing personal data, Eagle Point Partners acts as a data processor for companies (our “Clients”) that request Eagle Point Partners to provide them with Services. Our Clients provide products and services to their customers, being living individuals or data subjects (the “End Users”). Our Clients are the data controllers of the End Users’ personal data.

Data we process

As a data processor, Eagle Point Partners processes the personal data which is provided to us by our Clients. Depending on the specific nature of the Services being provided, we will process the following personal information on behalf of our Clients:

  • End User / Customer IDs from web analytics platforms like Google Analytics. These IDs are numeric or alphanumeric IDs and on their own cannot identify a person.
  • Device Fingerprint IDs from web analytics platforms like Google Analytics.
  • End User / Customer IDs from Payment / CRM / E-commerce platforms. These IDs are numeric or alphanumeric IDs and on their own cannot identify a person.
  • End User / Customer names from Payment / CRM / E-commerce platforms.
  • End User / Customer email addresses from Payment / CRM / E-commerce platforms.
  • End User / Customer physical addresses from Payment / CRM / E-commerce platforms.
  • (collectively the “End User Data”).

Why we process personal data

Eagle Point Partners uses End User Data to provide insights at an aggregated level for Clients. The End User Data is processed by Eagle Point Partners only for the purpose of providing services to our Clients, including:

  • cleaning, formatting and joining End User Data in order to build dashboard insights for Clients;
  • providing aggregated data insights such as
    • Total marketing costs
    • Total revenue
    • Number of website sessions
    • Number of transactions
    • Website conversion rate by device
    • Marketing ROI by channel, campaign and device
    • Cost per transaction / cost per acquisition by channel, campaign and device
    • Long term value by channel
    • New .v. existing customer transaction volume
  • device fingerprinting (as explained below under the heading “Fingerprint IDs”).
  • (collectively the “Services”).

Fingerprint IDs

On certain projects, we may process device and browser fingerprinting IDs on behalf of our clients. Device and browser fingerprinting uses information such as device screen resolution, timezone and browser version to assign a unique ID to website or app visitors.  We use this information to help us more effectively measure the performance of different marketing channels for our Clients.

 

You can find more information about this open-source technology here, and about Eagle Point Partners’s use of fingerprinting technology on its own website, here.

Fingerprint IDs and End User Data

Fingerprint IDs do not, on their own, identify a person. However, combined with other data (eg. CRM data), it is possible to link a Fingerprint ID to an End User, and thus, Fingerprint IDs may constitute Personal Data in certain circumstances.

The GDPR offers six lawful bases for the processing of personal data, one of which is the legitimate interests of a data controller. The Data Protection Network has produced a guidance paper on the use of legitimate interests as a lawful basis for processing, and outlines a Legitimate Interests Assessment (LIA) for companies to use:

https://dma.org.uk/uploads/misc/59ca0f2e17ef3-dpn-li-guidance-publication_59ca0f2e17e5a.pdf

The UK Information Commissioner’s Office has expressed support for this approach. We expect that most of our Clients will seek to rely on their own legitimate interests in utilising our services. If an End Users wishes to object to such use of legitimate interests as a lawful basis for processing, they should contact the Client who is the controller of their data.

Eagle Point Partners does not process End User Data for any purpose other than the provision of the Services to Clients. In particular, Eagle Point Partners does not deliberately process End User Data for the purpose of identifying living individuals and, where possible, Eagle Point Partners endeavours to ensure that all End User Data that is processed remains anonymous.

The source of personal data

Eagle Point Partners accesses End User Data via Application Programming Interfaces (“APIs”), (for example, the Google Analytics API), to which Clients give Eagle Point Partners access in order to access the relevant End User Data. Eagle Point Partners shall only process the End User Data in accordance with the documented instructions of Clients and for the purpose of providing the Services described in this Privacy Statement to the Clients.  The documented instructions of our Clients is normally contained in the statement of work which we agree with them.

Sub-Processors

Eagle Point Partners from time to time instructs services providers to provide services to Eagle Point Partners. These service providers process End User Data on Eagle Point Partners’s behalf and are therefore the Clients’ sub-processors (“Sub-Processors”). For example, we use the following Sub-Processors to help us deliver our Services:

  • Amazon Web Services
  • Tableau Online

Sub-Processors are bound by the same or equivalent terms to which the Eagle Point Partners is bound with its Clients. Eagle Point Partners will inform its Clients of the Sub-Processors that process End User Data on behalf of Eagle Point Partners and Eagle Point Partners will inform its Clients of any intended changes concerning the addition to, or replacement of, the Sub-Processors.

 

Eagle Point Partners will give its Clients the opportunity to object to any changes to the Sub-Processors. Clients may reasonably object to Eagle Point Partners’s replacement of a Sub-Processor or use of a new Sub-Processor by notifying Eagle Point Partners in writing. Clients shall be deemed to have authorized the engagement of a Sub-Processor if the Client does not so object.

 

Data Retention

 

In accordance with data protection principles, Eagle Point Partners will not keep or store End User Data for any longer than is necessary. A core element of Eagle Point Partners’s Services involves the comparison of current performance with historical performance. Eagle Point Partners retains the underlying data needed to generate these comparisons and insights for the duration of Eagle Point Partners’s commercial relationship with our Clients, unless directed otherwise by our Clients.

 

Data Subject Rights

 

Eagle Point Partners will notify Clients without undue delay if it receives:

 

  • a complaint or request from an End User or data subject relating to the Client’s data protection obligations; and / or
  • any other communication from End Users or data subjects relating directly or indirectly to the processing of End User Data on behalf of the Client; and / or
  • any communication from a data protection regulatory body relating to End User Data processed by Eagle Point Partners on behalf of the Client.

 

Data Security

 

Data security is of paramount importance for us. Eagle Point Partners will always access End User Data via an encrypted connection, and the End User Data which Eagle Point Partners accesses is stored on Amazon AWS servers located in Dublin, Ireland. While Amazon, as a leading cloud services provider, has security safeguards put in place, Eagle Point Partners has implemented its own additional data and security safeguards, including:

 

  • Restricted network access to those databases, so they are not publicly reachable;
  • Encryption of specific End User Data in the database where necessary;
  • Encryption of the server disks themselves hosting the database using Advanced Encryption Standard (AES) 256 encryption provided by Amazon Relational Database Service (“RDS”); and
  • Access to Eagle Point Partners’s servers only by Secure Shell (“SSH”) using RSA key encryption.
  • Ensuring that Eagle Point Partners’s employees or personnel are authorised to process the End User Data and that they have committed themselves to maintaining the confidentiality of the End User Data and are under an appropriate statutory obligation of confidentiality in relation to such End User Data.

 

International Data Transfers

 

In some cases the personal data we collect from you might be processed outside the European Economic Area (“EEA”). These countries may not have the same protections for your personal data as the EEA has. However, we are obliged to ensure that the personal data that is processed by us and our suppliers outside of the EEA is protected in the same ways as it would be if it was processed within the EEA. There are therefore certain safeguards in place when your data is processed outside of the EEA.

 

We ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

 

  • your personal data is transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • where your personal data is transferred to third party providers based in the US, data may be transferred to them if they have self-certified under the Privacy Shield framework in relation to the type of data being transferred, which requires them to provide similar protection to personal data shared between the EU and the US; and/or
  • appropriate derogations prescribed in data protection laws.
  • Please contact us using the contact details at the bottom of this document if you want further information on the countries to which personal data may be transferred and the specific mechanism used by us when transferring your personal data out of the EEA.

 

Data Breaches

 

A data breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, End User Data transmitted, stored or otherwise processed by Eagle Point Partners (a “Data Breach”). Eagle Point Partners has implemented appropriate and technical measures in order to prevent the occurrence of any Data Breach. In the event however that a Data Breach does occur, Eagle Point Partners shall take the following steps:

 

  1. Discovery and Investigation of a Data Breach

 

When Eagle Point Partners becomes aware of an actual or potential Data Breach, Eagle Point Partners shall immediately implement its Data Breach Response Plan. In this regard, Eagle Point Partners shall begin an investigation into the Data Breach.

 

As part of this investigation, a Eagle Point Partners investigator will be responsible for the management of the Data Breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc,). As part of the investigation, the investigator will conduct a risk assessment, and based on the results of the risk assessment, will begin the process of notifying any Clients affected by the Data Breach.

 

  1. Notification to Clients

 

When Eagle Point Partners becomes aware of a Data Breach, Eagle Point Partners shall without undue delay notify any affected Clients of the Data Breach. Eagle Point Partners will notify any affected Clients of the Data Breach via email and / or telephone.

 

  1. Record of Data Breach

 

In respect of any Data Breach of which Eagle Point Partners becomes aware, Eagle Point Partners shall keep a record of the occurrence of that breach. Such record will contain:

 

  • A brief description of what happened, including the date of the Data Breach and the date / time of the discovery of the Data Breach, if known;
  • A description of the categories of personal data and categories of data subjects that were involved, if known;
  • Any effect the Data Breach may have on End Users and any steps End Users may need to take in order to protect them from potential harm resulting from the Data Breach; and
  • A brief description of the investigation carried out by Eagle Point Partners and any remedial actions taken in order to mitigate harm to End Users, and to protect against further Data Breaches occurring in the future.

 

Changes to this Privacy Statement

 

This Privacy Statement was last updated on 22nd May 2018.  Eagle Point Partners may from time to time revise or amend this Privacy Statement. If any change to this Privacy Statement materially affects Clients or End Users, Eagle Point Partners will send a notice to Clients to advise of such changes and allow Clients a reasonable time before any proposed changes take effect.

 

Contact us

 

Ronan McDonnell is our Head of Privacy. Any requests, queries or complaints in respect of Eagle Point Partners’s processing of End User Data or in respect of this Privacy Statement can be directed to privacy@eaglepoint.partners

 

 

Eagle Point Partners