Safedrop is a file sharing service maintained by OD Consultancy Limited, a UK based Company.
OD Consultancy Ltd (“OD”“we”,”us”, or “our”) provide cloud and customer hosted data rooms and other services that allow our clients to share files in a secure environment for business processes, including due diligence, corporate governance, regulatory compliance, court bundles, litigation, procurement and HR (“Service).
Our company name is: OD Consultancy Ltd, trading as projectfusion and safedrop
Our registered address and mailing address is: Innovation Reception Innovation Way, Discovery Park, Sandwich, Kent, England, CT13 9FF
Our registered company number is 3389226
Our nominated representative is: Angus Bradley who can be contacted at +44 207 739 4252.
This document was updated in October 2021.
Cookies are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
Customer: a legal entity with whom we have an agreement to provide the Service
Customer Data: data stored in, and generated through, the use of our Service, including Materials, metadata, and logs. This includes details of users added to our Service,
Materials: documents, images, video and any other material that are stored by as part of the provision of the Service
User: an individual authorised by the Customer to access our Service.
User Support Information: name, email address and sometimes IP address of a User who has contacted us for support.
Website Visitor Information: name, email address and sometimes IP address of a Website Visitor.
The following terms are used as defined in the EU General Data Protection Regulation (GDPR):
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”)
Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller
Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data
Data We Process
We may collect and process the following types of Customer Data in order to provide and support the Service:
User Support Information including Identity and Contact Data: The Service requires minimal information from Users for the purpose of authentication and communication. Personal Data is limited to the name, email address, and IP address.
Metadata: User activity within the Service is automatically logged, e.g. username, email address, login time, location, Materials accessed, internet protocol (IP), browser type and version, time zone setting and location, browser plug in types and versions, operating systems and platform and other technology on the devices you use to access the relevant website and our Services. These logs are available to the Customer via the administrator portal for the purpose of monitoring, and investigations.
Safedrop metadata is controlled by the Customer, and will be stored until either the Customer terminates the Service, or the Customer deletes the safedrop Metadata. For this Service the Customer is the Controller and we are the Processor.
Data Room when a data room has closed we become Controller in common with the Customer in respect of the Metadata.
Materials: The Materials uploaded to the Service by Users may contain Personal Data. We do not access information within the Materials except in limited circumstances upon the Customer’s explicit and specific request for support, and with Customer permission.
Technical Data includes (internet protocol IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website and our Services
Usage Data includes username and password and orders placed by you and any feedback and survey responses
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Financial Data including bank account and payment card details
Purposes for Processing
We have set out below, in table format, a description of all the ways we may use your personal data, and which of the legal bases we rely on to do so in compliance with the GDPR. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data:
Type of data
Lawful basis for processing including basis for legitimate interest
To register you as a new customer
1. Performance of the contract with you
To process and deliver the Services including management of payments fees and charges
1. Performance of a contract with you
1. Performance of the contract with you
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance , support, reporting and hosting data
1. Necessary for our legitimate interests for running our business, provision of administration and IT Services, network security, to prevent fraud
To use data analytics to improve our website, products/services marketing, customer relationships and experiences
1. Necessary for our legitimate interest (to define types of customers and services and to keep our website updated and relevant, to develop our business and to inform our marketing strategy
We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period of Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, the purpose for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Control and processing of User Support Information
When the Services includes the provision of User Support Information we are the Controller. We process this information to provide support for the Service.
We will ensure that your Personal Data is processed lawfully, fairly and transparently, without adversely affecting your rights. We will only process your Personal Data where it is necessary for the performance of a contract to which you are a party or for the purposes of the legitimate interests pursued by us or a third party, or where another of the lawful bases set out under GDPR applies and only in the following circumstances:
If you do not want us to use the User Support Information, please let us know by contacting firstname.lastname@example.org, and we will delete your Personal Data from our systems. You will no longer be able to use the Service after this.
Control and processing of Website Visitor Information
We act as Controller of Website Visitor Information. We process this information for the following purposes:
- To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about, unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to Us.
Tracking Technologies and Cookies
You can instruct your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, You may not be able to use some parts of our Service.
Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser. Learn more about cookies in the “What Are Cookies” article.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy – https://www.safedrop.com/pages/cookie-policy
How we protect your data
OD’s websites and software has been in continual development since 1999. As a result, it is a proven system that has helped facilitate thousands of secure ﬁle shares. We are regularly audited by a UK government approved auditor, and have been accredited to the SO27001 security standard. This means we have lots of security protocols, including staff screening, standardised rollout/testing, regular threat assessments and reviews, and a well maintained Risk Register.
The highest levels of security are applied to all OD servers, including regular 3rd party audits, IDS (Intrusion detection), regular nessus scans, strict server access restrictions, and 128-bit SSL encryption for all data transfers.
All Customer Data is encrypted at rest and in transit at all times, and for European Customers is stored in Europe at all times (unless they have specified another location) All access to Personal Data is protected by a minimum of username/password, two factor authentication (“2FA”) and IP restrictions, backed by tamperproof audit trails that record all administrator activity.
We restrict access to personal information to OD employees who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
We may disclose your data in the following circumstances:
- If we want to sell our business, or our company, we can disclose it to a potential buyer;
- We can disclose it to other businesses in our group;
- We can disclose it if we have a legal obligation to do so, or in order to protect other people’s property, safety or rights;
- We can exchange information with others to protect against fraud or credit risks.
We may contract with third parties to provide services to you on our behalf. These may include payment processing, search engine facilities, advertising and marketing. In some cases the third parties may require access to some or all of your data.
User email addresses and names are encrypted at rest and in transit at all times. This data is hosted by OVH.com and memset.com, unless other providers are specified in the contract. For European customers this is stored in Europe at all times (unless they have specified another location)
All Customer Data is encrypted at rest and in transit at all times. Customer data is hosted on servers managed by OVH.com and memset.com, unless other providers are specified in the contract. For European customers this is stored in Europe at all times (unless they have specified another location)
User Support Information is created when Users contact us directly for support and is stored with Intercom.io and Zendesk.co.uk. Both are US based entities certified under the EU-US Privacy Shield for data transfers (https://www.privacyshield.gov/list). All access to information stored on intercom and Zen desk is protected by a minimum of username/password and 2FA.
Website Visitor Information is encrypted in transit, and stored with Intercom.io, HighriseHQ.com & Ontraport.com. These are US based entities certified under the EU-US Privacy Shield for data transfers (https://www.privacyshield.gov/list). All access to information stored is protected by a minimum of username/password and 2FA.
Where any of your data is required for such purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely and in accordance with your rights, our obligations and the obligation of the third party under GDPR and the law.
International Transfers of Customer Data
Processing of your Customer Data may, in some instances involve transferring your Personal Data outside of the UK or the EEA.
Whenever we transfer your Personal Data outside the UK or the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government or the European Commission. For further details see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which giver personal data the same protection it has in Europe and the UK. For further information please see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details see: European Commission: EU-US Privacy Shield.
Data Subject Rights
When providing some of the Services OD may act as a Processor on behalf of its Customers. Customers have primary responsibility for interacting with Users with regards to Personal Data, and the role of OD is generally limited to assisting Customers as needed.
Access, Correction, Amendment or Deletion Requests: Where OD acts as a Processer we shall promptly notify a Customer if we receive a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. OD shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer. In the case of a Data Subject requesting access to, correction, amendment or deletion of that person’s Personal Data stored in User Support Information we respond promptly and facilitate the request.
Handling of Complaints: Data Subjects may lodge a complaint about processing of their respective Personal Data by contacting the relevant Customer or the OD at the email address email@example.com. OD shall promptly communicate the complaint to the Customer to whom the request relates.
Customers shall be responsible for responding to all Data Subject complaints forwarded by OD, except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where OD is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.
Regulatory Inquiries and Complaints: OD shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, OD shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving OD’s processing of Personal Data.
Changes to this Statement
We may change this statement from time to time, and if we do we will post any changes on this page. If you continue to use the Service after those changes are in effect, you agree to the revised policy. This document was last updated 12th October 2021.
Please feel free to contact us if you have any questions about PROJECTFUSION’s data protection commitments or practices. You may contact us at firstname.lastname@example.org or at our mailing address below: