Who are we?
We are Harmonise Technology Ltd. We own and operate FORTYEIGHT.
Harmonise Technology Ltd is a company registered in England (company number 12169607) with VAT number GB-333011853. Our registered office address is 35 Ballards Lane, London N3 1XW.
We are registered with the Information Commissioner’s Office with number ZA774064.
Our vision
We’re on a mission to help people understand the observations made about them by companies and their technology. Technology increasingly allows companies to know more about you, than you know about yourself. This inversion in the balance of knowledge does more than simply infringe your privacy; it begins to undermine many of your rights.
Our hope lies in transparency. Not only of the cause, but, more importantly, of the effect of how organisations are observing you and making decisions about you. By seeing the effect technology, and the companies who operate it, has on your life as a result of the observations they make, you will have a better ability to weigh the good with the bad, and to choose your own fate.
That is why we have created FORTYEIGHT; to empower you to understand the observations being made about you so that you can make informed decisions.
Terms we use in this Privacy Policy
When we use the words and phrases that are highlighted in bold below, they have specific meanings, as explained below.
identity
means an identifier that is linked to you. This includes things like your personal or business email address, IP address, advertising IDs, device ID, mobile and landline phone number, government issued documents and biometrics including visually identifiable features.
identity portfolio
means the portfolio of identities associated with you, that you can manage using FORTYEIGHT.
organisation
means a third-party organisation that makes observations about individuals.
personal information
means information that relates to you.
special category data
means information about your health, racial/ethnic origin, sexual orientation or sex life, political opinions, religious beliefs, trade union membership, genetic data and biometric data used to uniquely identify you.
we or us
means Harmonise Technology Ltd.
you
means an individual user of FORTYEIGHT.
How does FORTYEIGHT use my personal information?
We think it is easiest to explain how FORTYEIGHT works with some pictures:
So, in summary:
- Organisations make observations about you.
- If the organisation is signed up to FORTYEIGHT, they notify those observations to us. We hold those observations securely in what we call an “escrow account”.
- You can create a FORTYEIGHT account and provide us with “identities” that organisations may use to identify you. This could be an email, IP address, advertising ID etc. You can manage your identities within your identity portfolio by adding, deleting or amending identities at any time. Using confirmation links and verification codes, we may ask you to confirm these identities, but we will not request access to the associated accounts (for example the content of your inbox).
- We check to see whether any observations notified to us by organisations relate to any of the identities that you have in your identity portfolio. If they do, we inform you of the observations in your FORTYEIGHT account.
- You can use FORTYEIGHT to validate whether observations are correct if organisations have asked you to do so. You do not have to validate observations – it is entirely up to you.
- Organisations can also ask to access one or more of the observations held in FORTYEIGHT. You have complete control over whether or not you grant access.
- Organisations may also ask you to provide additional information about yourself. Again, you can choose whether you are happy to share more information.
- You can also use FORTYEIGHT to create new observations yourself. This allows you to upload information about observations that have been made about you, such as checking in to a venue or having your health status checked by an employer.
What role does Harmonise Technology Ltd play in the provision of these services?
When we hold observations in the escrow account, we do this on behalf of the organisation that has made the observation. We act as their processor, to store the information until we work out whether the observations relate to a user of FORTYEIGHT. This means that the organisation who made the observation is responsible for the personal information held in the escrow account, and if you wish to access it or correct it, you will need to contact the relevant organisation.
We also provide services to organisations such as event organisers, pubs and nightclubs to enable them to notify their customers of Covid-19 risks. For this service, you will be asked to enter a location code and your contact details when you enter a venue. We store these details on behalf of the venue so that they can contact you if they need to notify you of potential Covid-19 exposure. We store this information as a processor on behalf of the venue.
Once we have informed you of observations and those observations are stored in your FORTYEIGHT account, we are the controller of personal information within your account and we are responsible for that information. Observations will remain visible in your account and will not be deleted from your account when the information in the escrow account is deleted. We are also the controller of the personal information that you upload directly into the account. In the rest of this Privacy Policy, we explain how we use your personal information when we act as a controller.
You should also check the privacy policies of the organisations who make observations about you, as these privacy policies will detail how those organisations use your personal information.
What personal information do we collect and how do we use it?
The table below explains all the purposes for which we use your personal information. In each case, we explain the legal basis which permits us to use your personal information.
Please note that some of the observations that we receive from organisations may contain your special category data. We need your consent to process your special category data. By creating your account you provided us with your consent. If you would like to withdraw your consent, you can do so by closing your account at any time.
Purpose:
To create your account.
Personal information:
Email address and IP address
Legal basis:
Contractual necessity.
If you do not provide this Personal Data we cannot provide the Service to you.
Purpose:
To store and inform you of observations.
Personal information:
Identities and information contained in observations.
Legal basis:
Contractual necessity for non-special category data.
We rely on your consent to process any special category data that is contained in observations
Purpose:
To create transparency alerts.
Personal information:
Name and details of the observation that you upload to FORTYEIGHT.
Legal basis:
Contractual necessity for non-special category data.
We rely on your consent to process any special category data that is contained in observations.
Purpose:
To store details of information that you have validated or agreed to share with organisations so that you can see this within FORTYEIGHT.
Personal information:
Validation information relevant to the observation. For example, if an organisation has observed that you are interested in travel, the validation might be a Yes/No confirmation.
Additional information that you have agreed to provide to, or share with, an organisation.
Legal basis:
Contractual necessity for non-special category data.
We rely on your consent to process any special category data that is contained in observations.
Purpose:
To send you service messages.
Personal information:
Name, email address, phone number and push notification tokens.
Legal basis:
It is in our legitimate interests to contact you with service messages about FORTYEIGHT.
Purpose:
To respond to enquiries and complaints.
Personal information:
Name and contact details and information contained in correspondence.
Legal basis:
It is in our legitimate interests to respond to enquiries and complaints from our users.
Purpose:
To prevent and detect fraud and mis-use of our service.
Personal information:
Name, contact details, identities and information about how you are using FORTYEIGHT.
Legal basis:
It is in our legitimate interests to prevent our service from being used for fraudulent purposes or in breach of our Terms of Use.
Purpose:
Analysis to improve our services and the features available in the Fortyeight product.
Personal information:
Identities and information about how you are using FORTYEIGHT, including which services, features and functionality you engage with.
Legal basis:
It is in our legitimate interests to improve our products and services.
Purpose:
To invite you to take part in user research.
Personal information:
Name and email address.
Legal basis:
It is in our legitimate interests to carry out market research to improve and expand our products and services.
Purpose:
Marketing our services
Personal information:
Name, email address and push notification tokens.
Legal basis:
It is in our legitimate interests to send you information about our products and services to increase engagement.
Purpose:
To manage marketing preferences.
Personal information:
Name and details of marketing preferences.
Legal basis:
Legal obligation.
Purpose:
To assist us with defending legal claims or exercising our legal rights.
Personal information:
This could include any personal information that we hold, depending on the nature of the legal claim/legal right.
Legal basis:
It is in our legitimate interests to defend legal claims or pursue our legal rights.
Purpose:
To notify law enforcement agencies or supervisory authorities of wrong-doing.
Personal information:
Name, contact details and information about alleged wrong-doing.
Legal basis:
It is in our legitimate interests to report suspected criminal activities to law enforcement agencies and other supervisory authorities to enable action to be taken to prevent recurrence and to deter such activity.
In some cases, we may have a legal obligation to report wrong-doing.
Purpose:
To facilitate business restructuring or sale of our business. Please note that if we accept an offer to acquire our business, the acquirer will only be permitted to use your personal information to continue to provide FORTYEIGHT services to you.
Personal information:
This could include any personal information we hold.
Legal basis:
It is in our legitimate interests to enable flexibility in how we structure our business and to enable the sale of our business.
How do we collect your personal information?
We collect personal data directly from you when you create your account or when you upload information to your account. We also receive personal information from organisations who are signed up with FORTYEIGHT when they notify us of observations.
With your consent, we will also collect information about identities that are used on your devices, such as cookie IDs or advertising IDs that are placed on your devices by third parties.
Do you share my personal information with anybody else?
We share your personal information with third parties that we use to help deliver our services and run our business. We use these third parties to support us with services such as:
- Email and phone number verification
- Messaging and communication
- Analytics
- Hosting of data
When we use third parties to provide services, we only choose third parties who guarantee that your personal information will be kept securely, and they are only permitted to use your personal information for the purpose of providing services to us.
We will also share your personal information with your consent in the following circumstances:
- If an organisation asks you to validate an observation and you choose to do so, we will pass the validation information that you provide back to the relevant organisation.
- If an organisation asks you to provide additional information to them and you agree, we will pass the information that you provide to the relevant organisation.
- If a third party asks to see one or more of your observations, or part of an observation, and you agree to share your information, we will pass details of the observations to the relevant third party.
We may disclose and exchange information with law enforcement agencies and regulatory bodies if we have a legal or regulatory obligation to do so, or if we suspect criminal activity.
We may also share your personal information with:
- any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body;
- our professional advisers or consultants where this is necessary for us to receive their services, including lawyers, bankers, auditors and insurers providing consultancy, legal, banking, audit or insurance services to us;
- financial institutions providing finance to us;
- external auditors who carry out independent checks as part of our accreditations.
We may also need to share personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Do we send your personal information outside of the UK and the EU?
To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK and/or European Economic Area (EEA), e.g.:
- with third parties (as set out in this Privacy Policy) located outside the UK/EEA;
- if you are based outside the UK/EEA; or
- if an organisation that you have agreed to share personal information with is based outside the UK/EEA.
These transfers are subject to special rules under European and UK data protection law.
Non-UK/EEA countries do not have the same data protection laws as the UK and EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. If a country to which we are transferring personal information is not recognised by the European Commission as having adequate data protection laws, our standard practice is to use standard controller to controller data protection contract clauses that have been approved by the European Commission. You can obtain a copy of the clauses here. Alternatively, if an organisation is based in the US and they are Privacy Shield certified, then we may rely on the Privacy Shield certification. You can find out about the Privacy Shield here.
If you would like further information please contact us (see ‘How to contact us’ below).
For how long do we keep your personal information?
We keep your personal information for as long as you have an account with us. Once your account is closed, we will delete your information from the live database. We will keep some of your personal information where we need to do so for legal or regulatory purposes. This information will be kept in an archive and will only be used for those legal or regulatory purposes. When information is no longer required, it will be deleted.
Your rights
You have the following rights in relation to your personal information:
- Right to request access to your personal information. This enables you to receive a copy of the personal information we hold about you.
- Right to request correction of the personal information that we hold about you. You have the right to have any incomplete or inaccurate information we hold about you corrected. Please note that in relation to observations that we display in your Fortyeight account, if you dispute the accuracy of the observation, you can flag this within your account. However, as we are solely informing you of observations that other organisations have made about you, if you wish to have the underlying observation corrected, you will need to contact the relevant organisation directly.
- Right to object to processing of your personal information. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your personal information on this ground.
- Right to ask us to stop processing your personal information for direct marketing purposes at any time.
- Right to request erasure of your personal information. You have the right to ask us to delete or remove personal information when there is no good reason for us to continue processing it.
- Right to request the transfer of your personal information. We will provide to you, or to a third-party you have chosen, your personal information in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw your consent. Where we rely on your consent to process your personal information, you have the right to withdraw your consent at any time.
You may exercise your rights by contacting us at hello@fortyeight.ai. You can also delete identities and observations from within your FORTYEIGHT account at any time.
Please note that we may ask you to verify your identity before responding to requests. If you make a request, we will try our best to respond to you as soon as possible.
Right to complain
If you are not happy about how we are processing and using your personal information, please get in touch via email at hello@fortyeight.ai so that we can try to resolve the issue.
If you are still not happy, you have the right to complain to a Data Protection Authority about our collection and use of your personal information. In the UK, you can contact the Information Commissioner’s Office (www.ico.org.uk). If you are in another country in the EEA, you can also contact your local Data Protection Authority.
How to contact us
If you have any feedback for us, we would love to hear from you. Please let us know what we are doing right, how we can improve and if you have any questions. You can contact us by email at hello@fortyeight.ai.
You can contact our data protection officer by emailing us at dpo@fortyeight.ai.