Privacy and data protection policy

Last updated: 1 July 2023

Next review date: 1 Oct 2023

Basics

Movement is a software-as-a-service (SaaS) product operated by Movement Industries Ltd, a company limited by shares incorporated in England and Wales under company registration number 14266681. 

Movement Industries Ltd is registered as a data controller with the Information Commissioner under registration number ZB509853. Confirmation of this registration can be found here. However, for Movement, we operate as a data processor, not a data controller. 

Movement Industries Ltd operates in compliance with the laws of England and Wales, as well as the European Union’s General Data Protection Regulation (GDPR) as incorporated into law as part of the UK General Data Protection Regulation and the Data Protection Act of 2018. 

Grounds for processing

Movement is a product used by a wide range of progressive organisations to contact their members or supporters. Organisations that are data controllers enter into a contract with Movement Industries Ltd to use Movement in order to do so. 

Our basis for processing is therefore performance of a contract for processing data on behalf of these organisations. For more information on how these organisations store and process personal data, please refer to their own privacy policies. 

However, Movement always allows individuals to opt out of receiving any further communications at any time. They can do this by replying STOP to SMS messages they receive, clicking on unsubscribe links provided, stating their wish not to be contacted on the phone, or by emailing us at privacy@movement.industries. 

How we process your data

We only store and process data at the express request of customers according to the contract between us and them governing the use of the Movement platform. The Movement platform processes data in various ways, including but not limited to: 

  1. sending text messages or emails to data subjects and users of Movement

  2. connecting telephone calls to and from data subjects 

  3. storing and updating information held on data subjects after or during calls or text messages 

  4. sending and receiving data through integrations to third-party CRMs as specified by the customer 

  5. analysing data held in Movement on behalf of the customer

Types of data we hold

Movement stores two categories of personal data. 

First, data which is uploaded by customers of Movement. This is provided and uploaded by the organisations, who contractually warrant to Movement Industries Ltd that they have the right to hold, process, and assign the processing to sub-processors for this data. 

Second, data we collect ourselves. This is strictly limited to data we collect on users of the Movement service to ensure security. This is currently exclusively limited to IP addresses, which are stored in order to detect and prevent abuse of the system. 

Security by design

The Movement platform is designed with the protection and minimisation of personal data in mind, and our process for further developing the platform includes taking this into account while making decisions about the platform. Here are two examples: 

  • Movement is designed such that it is impossible for any caller to ever see a callee's full name or phone number

  • Two-factor authentication is required for all users, both normal callers and administrators

Data storage and retention

Data will be retained while it is still in use and performing a purpose for the functioning of Movement, either for the individual themselves or for other users of Movement. 

When personal data is deleted, it is immediately removed from the live view of the database. We keep back-ups for four weeks, after which point the data will be irretrievably deleted. 

Data may be kept for statistical reasons, for example, to track trends in activity or report on usage for billing or financial purposes. In this case, deleted personal data will be anonymised in keeping with the GDPR principles of data minimisation and security. 

Individuals’ data is also processed by the third party processors outlined in the appendix. It is possible that their own terms and privacy policies will govern their use of your information in doing so. Each third party has a responsibility to ensure that it handles your messages in accordance with the GDPR and its privacy policies. For further details, please contact those organisations directly.

In some jurisdictions or specific industries we may also be required to keep some information for compliance or legal reasons. 

You can read more about our technical operations, retention and security approach in our technical operations summary. 

Individuals’ rights under the GDPR

The GDPR outlines a number of rights for data subjects. Where possible, we have built in the ability for users to exercise these rights themselves as part of Movement, and where not, we have put into place processes to ensure that any requests made under these rights are processed promptly and without delay.  

We comply with these rights as follows: 

To be informed

As part of this statement, we provide: 

  • The name and contact details of the organisation processing their information

  • Why their information is being processed

  • The lawful basis of doing so

  • How long their data will be retained for

  • Information about their rights relating to access, withdrawal of consent, lodging complaints, and automated decision-making

To access

Any data subject can request a copy of the data on them held by the controller of their data. This can be done by filing a subject access request with the data controller directly. As a data processor, we can’t help with these requests. 

To rectify

Any data subject can request data on them held by the controller of their data be updated. This can be done by filing a request with the data controller directly. As a data processor, we can’t help with these requests. 

If you are not sure who your data controller is, then you can get in touch with us to ask on privacy@movement.industries. 

To restrict processing or object

Any data subject can request that we restrict the way we process their data at any time. One of the most common ways of doing this is unsubscribing from specific channels of communication (e.g. SMS, phone calls, email, and so on). This is enabled directly through Movement at point of use, and subjects can exercise their right to this by either clicking on a link or stating it verbally.

To data portability

We always provide data in a machine-readable, portable manner. This can be done by filing a request with the data controller directly. As a data processor, we can’t help with these requests. 

With respect to automated decision-making or profiling

Movement does not currently carry out any automated decision-making or profiling. Should we do so, we would carry out a Data Privacy Impact Assessment in advance to consider the risks before beginning.

If you are not sure who your data controller is, then you can get in touch with us to ask on privacy@movement.industries.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

APPENDIX: Third party processors

We work at all times to minimise any data that leaves the EEA/UK, and then only with suppliers and jurisdictions which have equivalent levels of data protection in place to protect Movement users and data subjects.

We use the following third party suppliers to provide the Movement service: 

  • Amazon Web Services

  • Twilio

  • Render

  • Twilio Sendgrid

  • RedisLabs

More information about how these suppliers are used and information about their privacy policies can be found in the appendix of our technical operations summary.