Talk to us!

Privacy Statement

Acorn Compliance ("we", "our", "us") has made a commitment to keeping website user data secure and private. This is because this Website collects some Personal Data from its Users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website or use our services.

Legal Information

This privacy statement has been prepared in accordance with multiple legislations, including Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation) and the UK GDPR. Unless stated otherwise, this Privacy Policy relates solely to this Website and the services we provide.

Who We Are
Data Controller (Owner): Value Associates Limited (trading as Acorn Compliance)
Company Number: 05770395
‍Registered Office: 7 Bell Yard, London, WC2A 2JR, UK
‍Owner contact email: info@acorncompliance.com

If you have concerns about how your data is handled, you can also raise them with the Information Commissioner’s Office (ICO) at www.ico.org.uk. 

Definitions

• Personal Data (or Data): Any information that directly or indirectly allows for the identification of a natural person.
• Usage Data: Information collected automatically through this Website (e.g. IP address, browser type, device information, pages visited).
• User: The individual using this Website.
• Data Subject: The natural person to whom the Personal Data refers.
• Data Processor: A party that processes Personal Data on behalf of the Controller.
• Data Controller (or Owner): The entity determining purposes and means of processing (here: Value Associates Limited). The Data Controller, unless otherwise specified, is the Owner of this Website.‍
• This Website (or this Application): The means by which the Personal Data of the User is collected and processed.
• Service: The services provided by this Website and related platforms.
• Cookie/Tracker: Technology enabling the tracking of Users (e.g. Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting).

Types of Data Collected

Among the types of Personal Data this Website collects, by itself or through third parties, there are:

• Contact information: first name, last name, email address, phone number, role.
• Account details: username, login credentials, subscription data.
• Payment details: as provided in the Order Form.
• Input and Output information processed through the Squirrel™ Platform‍
• Cookies and Usage Data (including logs of how the Platform is used, Inputs, Outputs, and parameters).
• Information provided through forms (e.g. enquiries, subscription requests).

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.

Users are responsible for any third party Personal Data obtained, published or shared through this Website and confirm that they have the third party's consent to provide the Data to the Owner.

Personal Data may be freely provided by the User or, in the case of Usage Data, collected automatically when using this Website.

Unless specified otherwise, all Data requested by this Website is mandatory and failure to provide this Data may make it impossible for this Website to provide its services.

In cases where this Website specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.

Any use of Cookies or of other tracking tools by this Website or by the owners of third party services used by this Website serves the purpose of providing the Service requested by the User, in addition to any other purposes described in this document and in the Cookies Policy.

Methods of Processing

We take appropriate security measures to prevent unauthorised access, disclosure, modification, or destruction of Data. Processing is carried out using IT tools, under organisational procedures related to the purposes indicated.

In addition to the Controller, certain parties may have access to Data (e.g. administration, IT providers, hosting providers, analytics providers, payment processors, consultancy partners, Clinical Safety Officers) as Data Processors. An up to date list of these parties can be requested from us at any time.

Legal Basis of Processing

We may process Personal Data if one of the following applies:

• Contractual necessity: to perform our agreements (Order Form, Terms of Use, warranties).
• Legitimate interests: to maintain and improve services, monitor compliance, prevent misuse, and protect our rights.
• Legal obligations: to comply with UK regulatory and statutory requirements.
• Consent: where you have given explicit consent for one or more purposes.

Where consent is relied upon, you may withdraw it at any time.

Purposes of Processing

The Data concerning the User is collected to allow the Owner to provide its Service, comply with legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect malicious or fraudulent activity, as well as the following:

• Provide access to and manage the Squirrel™ Platform.
• Fulfil our contractual obligations under the Order Form and Terms of Use.
• Manage subscriptions and payments.
• Deliver consultancy and support services (e.g. DTAC and ISO compliance).‍
• Operate and improve the services, including debugging, testing, accounting, security monitoring and performance.
• Communicate with you about renewals, cancellations, and legal notices.
• Analytics: monitoring website traffic and behaviour (via Google Analytics see below).
• Communications: responding to enquiries and requests.
• Marketing: where lawful and with consent.

Place

The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located.

Depending on your location, data transfers may involve transferring your Data to a country other than your own. To find out more about the place of processing of such transferred Data, see International Transfers below.

You are entitled to learn about the legal basis of Data transfers to a country outside the UK/EEA or to any international organisation governed by public international law (e.g. the UN), and the security measures taken by the Owner to safeguard your Data. If any such transfer takes place, you can find out more by checking the relevant sections of this document or by contacting us at info@acorncompliance.com.

Detailed Information on Processing

• Analytics (Google Analytics): Google Ireland Limited. Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualise and personalise the ads of its own advertising network. Data processed: Cookies, Usage Data. Place of processing: Ireland.
• Contact Form (this Website): By filling in the contact form with their Data, the User authorises this Website to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header. Personal Data processed: first name, last name, email address.
• Interaction with External Social Networks and Platforms: This service allows interaction with social networks or other external platforms directly from the pages of this Website. The interaction and information obtained are subject to the User’s privacy settings for each network. These services might still collect traffic data for the pages where the service is installed, even when Users do not use it. It is recommended to log out from the respective services to ensure that processed data on this Website isn’t connected back to the User’s profile.
• Approved Third Parties: We may share data with approved third party partners solely for delivering services under your Order Form, such as penetration testing providers, accessibility auditors, and Clinical Safety Officers (CSO). Where this happens, we ensure appropriate contractual and security safeguards are in place.

Retention Time and Data Storage

We retain Personal Data for as long as necessary for the purposes collected:

• Contract related Data: until completion of the contract or subscription.
• Legitimate Interest Data: as long as necessary to fulfil interests.
• Consent based Data: until consent is withdrawn.
• Legal/Regulatory obligations: as required.

The Owner may retain Personal Data for a longer period whenever the User has given consent (until withdrawn) or where required to comply with a legal obligation or to establish, exercise or defend legal claims.

Once the relevant retention period expires, Personal Data will be securely deleted. After deletion, certain rights (such as access and data portability) may no longer be exercisable in relation to the deleted Data.

International Transfers

If data is transferred outside the UK or EEA, we will ensure appropriate safeguards are applied, including the use of UK approved Standard Contractual Clauses or other valid transfer mechanisms. Copies can be requested by contacting us.

Security Measures

We implement technical and organisational measures such as:

• Encryption in transit and at rest.
• Access controls and authentication.
• Logging and monitoring.
• Regular security reviews.

Details About the Right to Object to Processing

Where Personal Data is processed for a public interest, in the exercise of official authority vested in the Owner, or for the purposes of the Owner’s legitimate interests, you may object to such processing by providing a ground related to your particular situation to justify the objection.

If your Personal Data is processed for direct marketing purposes, you may object at any time without providing any justification. To learn whether we process Personal Data for direct marketing purposes, please refer to the relevant sections of this document.

Rights of Users

You may exercise the following rights:

• Withdraw consent at any time.
• Access your Data.
• Rectify inaccurate Data.
• Erase Data (right to be forgotten).
• Restrict processing.
• Object to processing.
• Data portability.
• Lodge a complaint with the ICO.

How to Exercise These Rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document.

Requests can be made to info@acorncompliance.com. These requests are free of charge (unless manifestly unfounded or excessive) and will be addressed as early as possible and always within one month (extendable by two months in complex cases).

Do Not Track

This Website does not support "Do Not Track" requests. To determine whether any of the third party services it uses honour the "Do Not Track" requests, please read their privacy policies.

Children

Our services are not directed at children. If we learn we have collected Data from a child, we will delete it promptly.

Changes to this Privacy Policy

We reserve the right to make changes to this Privacy Policy at any time by notifying Users on this page and, where technically and legally feasible, within this Website and/or by sending a notice via any contact information available to us. It is strongly recommended to check this page often and refer to the "Last updated" date at the top.

Should the changes affect processing activities performed on the basis of the User’s consent, we will collect new consent from the User where required.

Legal Action

Personal Data may be used for legal purposes, including in court or in stages leading to possible legal action from misuse of this Website or services. We may be required to disclose Data by public authorities.

Additional Information about User's Personal Data

For operation and maintenance purposes, this Website and any third-party services may collect files that record interaction with this Website (System logs) and use other Personal Data (such as the IP Address) for this purpose.

System Logs and Maintenance

For operation and maintenance, this Website and third-party services may collect system logs (including IP addresses) and related Data.

Information Not Contained in this Policy

Additional details concerning the collection or processing of Personal Data may be requested at any time via info@acorncompliance.com. Please see the contact information at the beginning of this document.