Ekota® Privacy and Cookie Policy

Last update: 17 January 2024

Why and who?

The Cognition Company Group Ltd (company number11819777) (“CogCo”, “we”, “us”, “our”) is the Controller of all Personal Data listed in this Privacy Policy (the “Policy”).

CogCo cares about your privacy and is committed to protecting all Personal Data handled by us.

We typically collect your Personal Data when you communicate with us (whether through our Website or otherwise), use our Services or visit our Website.

This Policy describes how and why we use your Personal Data, the lawful bases on which we use your Personal Data, what we use it for, how long we keep it and what measures we take to protect it including where we might transfer it to another country. It also provides information on how to exercise your rights in connection with our Processing of Personal Data.

In this Policy, capitalised terms shall have the meanings ascribed to them in the Definitions section below.

Definitions

Applicable Law means any relevant legislation applicable to the Processing of Personal Data by us, including the UK GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by the Commissioner or other relevant regulatory authority.

Commissioner means the Information Commissioner's Office (the UK regulator for data protection issues), the website for which can be found at www.ico.org.uk.

Controller is the company or other organisation that decides, alone or jointly with others, for what purposes and in what way Personal Data is to be processed.

Data Subject is the living, natural person whose Personal Data is being Processed.

Joint Controller means CocGo is jointly determining with another Controller the purposes and means of Processing the same Personal Data.

Personal Data is all information relating, directly or indirectly, to an identifiable natural person.

Process and Processing means any operation or set of operations which is performed on Personal Data, such as collection, storage, modification, review, analysis and transfer.

Processor is the company/organisation that processes Personal Data on behalf of the Controller in accordance with the instructions of the Controller and the Applicable Law.

Services means the use of the Ekota® platform to ask questions, share opinions and vote on the opinions of others whether by us acting as Controller, or by us acting as a Processor for another Controller or by us acting as a Joint Controller with another Controller.

UK GDPR means the General Data Protection Regulation ((EU) 2016/679) as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).

Website means our website which is at www.ekotaspace.com.

Our role as a Controller

This Policy covers the Processing of your Personal Data in relation to the Services for which CogCo is the Controller or Joint Controller. When acting as a Controller for your Personal Data we are responsible to ensure that we Process it in accordance with Applicable Law.

The Policy does not describe how we Process Personal Data in the role of a Processor (i.e., when we process Personal Data on behalf of our customers who are the Controllers of such data). The Processing of such data is subject to the privacy policies of such Controllers. When we act as a Processor on behalf of another organisation acting as a Controller of your Personal Data, your Personal Data will be processed in accordance with the privacy policy of the Controller in question and you should refer to this policy for more information about their Processing of your data.

Legal bases

In order for us to be able to Process your Personal Data, Applicable Law requires that we have one or more legal bases for each Process. In our business, we Process your Personal Data mainly on the following grounds:

Consent - CogCo may Process your Personal Data after you have given your consent to the Processing in question. You may withdraw your consent at any time by notifying us in accordance with the procedure below.

Performance of a contract - The Processing is necessary for the performance of a contract entered between us and you, or to prepare for entering into an agreement with the Data Subject. This ground would apply when you choose to use our Services.

Legal Obligations - The Processing is necessary for compliance with a legal obligation to which we are subject. For example, we may need to disclose your Personal Data to third parties in order to fulfil obligations under Applicable Law or legally binding court orders or judgments.

Legitimate Interests - The Processing is necessary for our legitimate interests or those of a third party provided that such Processing does not conflict with your fundamental rights and freedoms. This ground might apply if we were to contact you to seek further information from you or to send you materials and other information about which we think you may be interested which relates to the Services we have provided to you. It may also apply when we Process your Personal Data to improve our Services, if we decide to transfer our business and assets to a third party or where we anonymise and /or aggregate your Personal data for the purposes of our business.

The Personal Data which we Process

The main purpose of the Processing of your Personal Data undertaken by us is to provide, carry out and improve our Services to you.

We mainly Process the following types of Personal Data for the following purposes:

  • Your personal and contact details to be able to confirm your identity, to verify such details and to be able to communicate with you.
  • Information on your use of the Services to analyse and improve the Services.
  • Your IP address to perform customer analysis and to enable content on our Website to be presented effectively to you and the device you use.
  • To analyse patterns of your use of the Services to be able to provide you with specific information including offers relating to the Services which we provide to you.

How do we collect your Personal Data?

We collect your Personal Data in a number of different ways. We mainly collect your Personal Data:

  • When you provide your Personal Data to us
  • Through our security systems
  • Through our logs
  • Through information created from data analysis

Your rights

Under Applicable Law, you are entitled to exercise various rights in relation to the Personal Data about you that we Process. These rights are briefly described below.

Access - You have the right to access the Personal Data which we are Processing about you and to receive certain information about the Processing of your Personal Data as set out in Applicable Law. We will only provide such information if we have been able to verify that it is you that is requesting this information.

Rectification - If you think that any of your Personal Data that we process is incorrect, you have the right to let us know and we will fix it.

Erasure - You have the right to obtain erasure of your Personal Data in the circumstances specified under Applicable Law which includes, for example, when the Processing of the Personal Data in question is no longer necessary for the purpose for which it was collected.

Objections – You have the right to object to the Processing of your Personal Data by us where the Processing is based on our legitimate interests or those of a third party. In such case, we will review our legitimate interest assessment. Of course, we add your objection to the balance and make a new assessment to see if we can still justify our Processing of your Personal Data on that or another basis. If you object to direct marketing, we will immediately delete your Personal Data without making an assessment.

Restriction - You can also ask us to restrict our Processing of your Personal Data:

  • Where you contest the accuracy of the Personal Data during the period in which we are assessing its accuracy;
  • If, instead of requesting erasure, you want us to limit the Processing of Personal Data for a specific purpose. For example, if you do not want us to send marketing information to you in the future, we still need to retain your name and contact details in order to ensure that we should not contact you; or
  • In cases where we no longer need your Personal Data in relation to the purpose for which it was collected but note that we have the right to retain it for the establishment. Exercise or defence of a legal claim.
  • Where you have objected to our Processing on the grounds that the legitimate interests basis does not apply while we reassess that basis.

Data portability – You have the right to receive your Personal Data that we are Processing and have the right to transfer that data to another Controller where we are Processing it on the basis or your consent or because we are performing our obligations to you under a contract. You will receive your information in a commonly used and machine-readable format that you can transfer to another personal data manager.

Withdraw consent - If you have given consent to the c Processing(s) of your Personal Data, you have the right to withdraw your consent at any time and thus ask us to terminate the Processing immediately. Please note that you can only withdraw your consent for future Processing of Personal Data and not for Processing that has already taken place. Please note that if you withdraw such consent, it may mean we are unable to provide you with some or all of the Services which we provide to you.

If you wish to exercise any of the rights set out above, please contact us at privacy@cogco.co.

Transfer of personal data to other countries

We always strive to Process your Personal Data within the UK or the EU/EEA but we may need to use Processors who operate in countries outside the UK and EU/EEA such as the USA. If we transfer your Personal Data to such a Processor, we will only do so in accordance with Applicable Law, for example on the basis of the Commissioner’s standard contractual clauses for data transfer to non-EU/EEA countries. If you require further information on this please contact us at privacy@cogco.co.

Our Processors

In order to run our business, we may need help from Processors who will process Personal Data on our behalf.

We have entered into Data Processing Agreements (DPAs) with all our Processors. The DPAs comply with Applicable Law. Each DPA sets out, amongst other things, how the Processor may process the Personal Data and what security measures are required for the Processing. Such Processors include IT suppliers for cloud storage, business systems and case/project management. For further information on what these companies do, please contact us at privacy@cogco.co.

Sharing your Personal Data with third parties

CogCo does not sell your Personal Data to third parties. However, we may need to share your Personal Data with selected third parties such as our clients in response to a survey or our service providers. If so, we make sure that the transfer happens in a secure way that protects your Personal Data and is compliant with Applicable Law. For example, we will share data with clients where we are acting as the Processor on their behalf or as a Joint Controller when collecting survey information for them. In both cases the survey will contain information identifying the Controller in question and a link to their privacy policy. In addition we will share your Personal Data with our service providers to enable our Website to function correctly in order to supply our Services to you.

Security measures

CogCo has taken appropriate technical and organisational measures to ensure that your Personal Data is Processed securely and protected from loss, alteration and unauthorised use or access. Organisational measures are measures that are implemented in work methods and routines within our organisation. Technical measures are measures implemented through technical solutions. Where your Personal Data is shared with Processors, it is a requirement of our DPA with such a processor that your Personal Data will be appropriately protected so as to comply with Applicable Law. We list below examples of the security measures which we and our Processors use:

Organisational security measures:

  • Internal governance documents such as policies or instructions
  • Login and password management
  • Information security policy
  • Physical security (premises etc.)
  • Data protection impact assessments

Technical security measures:

  • Encryption
  • Pseudonymisation
  • Access control levels
  • Access logs
  • Firewalls
  • Data back-ups
  • Two-step verification

Cookies

A cookie is used to store a unique identifier that is associated with your IP address and technical information about your device. CogCo uses cookies and similar technologies to identify you as a unique user on the platform and to ensure the functioning of the Service including , for the purposes of ensuring the security of the platform. CogCo also uses certain analytics cookies to track how long you spend voting on opinions. By using the controls at the top of this page you can opt in or opt out of such analytics data collection.

Your unique identifier will become associated with your email address if you choose to register for optional updates or notifications for a space on the Ekota® platform.

Retention of your Personal Data

We will retain your Personal Data for so long as we need to do so to Process it in order to provide our Services to you or where we have a legitimate interest in doing so or where we are required by law to do so.

If we don't keep our promise

If you think that we are not Processing your Personal Data in accordance with Applicable Law please notify us at privacy@cogco.co. If you are not satisfied with our response or if you would prefer to complain direct to the Commissioner, you are always entitled to submit your complaint to the Commissioner. You can contact the Commissioner on 03031 231 113 or via email https://ico.org.uk/global/contact-us/email/.

More information about our obligations and your rights can be found at https://www.gov.uk/government/publications/data-protection-rights-for-data-subjects/data-protection-rights-for-data-subjects.

Changes to this policy

We reserve the rights to make changes to this Policy from time to time including to comply with Applicable Law. If so, we will promptly update this Policy on our Website and will highlight any material changes on our Website.

Contact

We have appointed a data protection officer who can answer questions about your rights and other questions about how we process your personal information.

Contact information for CogCo data protection officer:

Name: Edward Gardiner

Email: privacy@cogco.co

Country-specific provisions

United States of America

California Privacy Rights

This notice to California residents is provided under California law, including the California Consumer Privacy Act (CCPA), Cal. Civ. Code 1798.100, et seq. This notice supplements our Policy by explaining your California privacy rights if you are a California resident and provides certain mandated disclosures about our treatment of California residents’ information, both online and offline.

Right to Access

If you are a California resident, you have the right to request, up to two times each year, access to categories and specific pieces of personal information about you that we collect, use, disclose, and sell.

Right to Delete

If you are a California resident, you have the right to request that we delete personal information that we collect from you, subject to applicable legal exceptions.

Process to Make a CCPA Request

To make an access or deletion request, please email privacy@cogco.co. Before completing your request, we may need to verify your identity or the identity of your authorised representative. This may include a request for additional documentation or information solely for the purpose of verifying your identity. You have the right not to receive discriminatory treatment for the exercise of your privacy rights conferred by the CCPA.

Right to Opt Out of Sale of Personal Information

If you are a California resident, you have the right to “opt out” of the “sale” of your “personal information” to “third parties” (as those terms are defined in the CCPA).

Shine The Light Act

If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by CogCo to third parties for the third parties’ direct marketing purposes. Pursuant to California Civil Code Section 1798.83(c)(2), CogCo does not share users’ personal information with third parties for any direct marketing use unless you authorise us to do so. To make such a request, please send an email to privacy@cogco.co.

Removal of Content

If you are a California resident under the age of 18, and a registered user of any site where this policy is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted.

To make such a request, please send an email with a detailed description of the specific content or information to privacy@cogco.co. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.