Privacy Policy

Data Privacy Notice​

​

What is this and why should I read it?

At Skyline, we take the issue of your privacy very seriously, which is why we work diligently to ensure that we have policies and procedures in place, allowing us to continue our mission of helping create brilliant, engaging and bespoke marketing promotions for our customers. We want to know what appeals to them, so we can design fun, cutting-edge promotions, support our marketing strategy, and generate leads. For that, we need to know about people within the business – who makes the purchasing decisions, who is authorized to give instructions regarding the account, who should have access to the promotions platform to make changes or analyse audience data, and who pays the bills.

The following privacy policy was developed in accordance with the Data Protection Act 2018 and explains what personal information we collect or receive from you, how we process such personal information, and what we do to keep your personal information safe and secure.

Please carefully read the following to understand our views and practices regarding your personal information and how we will treat it.

​

What about audience data?

When we support our clients by powering their promotions, we inevitably have access to some end-user data (‘Audience Data’). But we’ve taken steps to protect their privacy and rights.

While details about the end-users who enter the promotions we power are extremely useful for you, we don’t need them. We are your Data Processors when it comes to data end-users provide, like name and contact, or information observed or derived from data about their activity and engagement (‘Audience Data’). That means we don’t decide what to do, how to collect it, or how to use it. You do. And we support you by following your instructions.

Put simply, we don’t use what we don’t need, and we’ve put controls in place to enforce this. That means:

• You can see the types of Audience Data you’ve selected from our templates and manage your settings. We can’t unless you instruct us to or give us temporary access for technical support.

• We use strict access controls and an encrypted database to prevent anyone other than authorized account holders (i.e., with administrator access) from accessing Audience Data. So Skyline won’t see your Personal Data except where necessary to support your campaign.

When you choose to run a promotion using a Skyline chatbot across various channels, e.g., Facebook messenger, the end-user using their own credentials gives it permission to share certain profile data or communicate with your promotions through Skyline using an API. Skyline doesn’t get that information. Users manage what information they want that platform to share with you through their privacy settings.

• If we do get access to Audience Data, we only access what we need (for example, to assist with an Erasure request or Data Subject Access Request), and only those within Skyline with a strict need-to-know get access. We can’t export any Audience Data. Only you can (if you have Administrator access).

• When the end-user signs into a promotion, a session cookie is generated that identifies the user so they can re-enter the promotion without having to re-enter the information.

And no, we’re not building profiles of your end-users. We’ve put in controls to ensure Audience Data for each promotion is held separately, which means we don’t mingle or match Audience Data across Skyline promotions.

So, what do you tell end-users in your mandatory Privacy Notice? Everything you’re supposed to tell them under the Data Protection Act 2018 (DPA 2018) and UK GDPR and, in particular, what you collect and how you use it. And when you need to tell them about third parties like Skyline, feel free to use some of the information below.

What if I have questions or concerns?

If you ever have any questions or concerns about how we handle your Personal Data, contact:

Email: Privacy@skylineinsurancequotes.com

​

Our commitment to your privacy (personal data processing principles)

Regardless of where, why, or how we obtain or Process your Personal Data, we comply with Data Protection Act 2018 (DPA 2018). The DPA 2018 protects ‘Data Subjects’ in the UK and EU (that’s you) by imposing stricter obligations on ‘Data Controllers’ (that’s us when it comes to our clients) and ‘Data Processors’ (that’s us when we power our clients’ promotions, and the vendors support our business) when we ‘Process’ ‘Personal Data’. These capitalized terms are DPA 2018/UK GDPR-speak. To decode them,  see our glossary below: ‘Personal Data,’ ‘Processing,’ ‘Controller,’ and ‘Processor’? What do all these terms mean?

This means that whenever we Process your Personal Data, we do so

• Lawfully: Only if we can justify it on one of the following Lawful Bases:

  • Consent
    You have given us permission, which you can withdraw at any time. We need your Explicit Consent to process sensitive data like health-related data (Special Data) or to transfer your Personal Data outside the EEA where we don’t have another basis for doing so or for any Automated Decision Making (‘ADM’) that has significant legal or other effects. We currently don’t process Special Data or conduct ADM

  • Legitimate Interests
    To help fulfill a legitimate business objective (see the ‘Why’ column of the Your Data At-a-Glance chart below) after confirming we’ve only used what’s reasonably necessary and proportionate to meet that objective and struck the right balance between our interests and yours (Legitimate Interests Assessment (LIA)). We have a Legitimate Interest in Processing Personal Data to operate our business, generate leads and sales, support our marketing campaigns, make sure our relationship with you runs smoothly, and protect the Personal Data and commercial data we hold by securing our network and information systems.

  • Contractual Necessity
    To enter into or fulfill our contract, including generating a quote.

  • Legal Obligation
    To comply with the law (e.g., tax reporting, DPA 2018, UK GDPR).

  • Vital Interests
    In rare instances where one of the others doesn’t apply, we need your Personal Data to protect your vital interests or those of another person. It’s highly unlikely we would ever need to rely on this Lawful Basis.

• Fairly and transparently: we strike the right balance between our interests and yours and tell you what we do with your Personal Data.

• For a specific purpose: we won’t use your Personal Data for another incompatible purpose unless the law permits or requires us to.

• Using the least amount reasonably necessary.

• Ensuring it is accurate, complete, and up-to-date.

• For a limited time: Only for as long as reasonably necessary, and then we either destroy it or de-identify it so it can’t be linked back to you.

• Securely: managing our people and designing our processes and technology to ensure end-to-end confidentiality, integrity, and availability.

• Within the US. we don’t transfer your Personal Data outside the USA except as permitted under DP Law. We use appropriate safeguards for consistent protection and ensure third parties we rely on do so as well.

• With your rights in mind: We make it easy for you to exercise your rights (see Your Rights below).

​

​

Your data at-a-glance

You have given us permission, which you can withdraw at any time. We need your Explicit Consent to process sensitive data like health-related data (Special Data) or to transfer your Personal Data outside the EEA where we don’t have another basis for doing so, or for any Automated Decision Making (‘ADM’) that has significant legal or other effects. We currently don’t process Special Data or conduct ADM.

To generate possible leads to support B2B marketing campaigns, deliver great promotions & get in touch

​

How do you strike the right balance when you rely on legitimate interests?

We conduct Legitimate Interests Assessments (LIAs) whenever we rely on Legitimate Interests and, where appropriate, Data Protection Impact Assessments (DPIAs).

For example, we do some limited profiling to target products and services that we’re quite confident your company will like and avoid bombarding you with those you won’t. To do this, we need to learn more about you and your preferences, your role in the company, and company data such as your energy needs. We ensure we have appropriate safeguards to prevent this information from being misused and ensure we strike the right balance:

• Only what we need… Then, we use Marketing & Communications and Customer Profile data (if you’re already a client) or other information you provide directly or indirectly to us, e.g., through an online chat on Slack, or a call to action to identify campaigns, products, and services that are likely to be of greatest interest to you, and determine when (or if) to contact you for business development purposes.

When we need it… and only by those who need it….

• Our Customer Service, Sales, and tech support teams only see what they need to answer your billing and customer service queries. We use granular access control to manage access to your platform centrally, Customer Profile information on Hubspot CRM, etc, to those with a need-to-know. We limit ‘superuser’ access to our CEO, COO, and CTO, who has an override and greater access, but we have implemented the following controls to ensure this is only used in appropriate circumstances

• We never let third parties use your information for their own purposes, and we prevent this by giving them only what they need and as little Personal Data as possible.

Click unsubscribe or manage your marketing preferences by clicking the unsubscribe link in our emails. Tell us you no longer want to receive marketing calls or emails, and we’ll remove you from our list immediately.

​

What about sensitive personal data (special data) and criminal records data?

Special Data requires higher levels of protection. We don’t need to Process this type of data for our business, but if we did, we would ensure it receives a greater level of protection as required under DP Law.

​

What about third-party links, plug-ins, content or cookies on your website:

If you click on a link to third-party content or like or share specific content, this will either take you to those third-party sites or applications (e.g., Twitter) or send your Personal Data to that third party related to your click. We have no control over their use of your Personal Data in this regard. However, we get aggregated data about clicks and shares that are not attributable to individual visitors. We encourage you to read the Data Privacy Notice of the websites you visit.

​

Who else can see my personal data?

Need-to-know is the default…

‍Within the company… Only those individuals within our company or the third parties listed under the ‘With Whom’ column of the At-a-Glance table can see or access your Personal Data, and they only Process the specific data they need to fulfill their tasks. We have implemented internal measures to enforce this need-to-know access and to ensure those who do Process it do so on our instructions and under a duty of confidentiality. These measures include:

• Granular access to tools: we use LastPass Vault (enterprise version) to control access to the tools and accounts used as a team. We can centrally disable an individual employee’s access once it’s no longer necessary to enforce a need-to-know. We can also see what they’ve accessed and when (audit logs) to address any unusual behavior.

• Centralized security policy enforcement: we can centrally enforce secure access by our employees, for example, to monitor and enforce our password policy or suspend access if training isn’t up to date.

• Data Leakage Protection: What goes into Hubspot stays in Hubspot. We’ve blocked our team (other than the senior team) from exporting or downloading data from Hubspot CRM.

• Optional two-factor authentication: To further protect your account, you can enable two-factor authentication. This prevents individuals who may have obtained your credentials from logging into your account without additional authentication (e.g., a single-use code).

• Technical Data: is used to prevent multiple logins (e.g., if someone else tries to log in from another IP address or on a different device in a different city).

With our service providers and vendors… We do not allow our third-party service providers to use your Personal Data for their own purposes. Moreover, we’re selective. We’ve chosen providers that offer strong security and who understand their obligations when it comes to your privacy. For example, Slack has several third-party security certifications that provide additional assurance. You can learn about our key vendors by clicking the links in the chart under the heading ‘ The types of Personal Data we Process about you… ‘

Wherever we Process your Personal Data jointly with another Controller (Joint Controller), we establish clear lines of accountability to ensure your rights are respected and our obligations are met. We adhere to the abovementioned principles and approach to minimize how much Personal Data we use.

In all cases, wherever possible, we require third parties to respect the security of your Personal Data and treat it according to DP Law through binding contracts. We minimize how much of your Personal Data needs to be transferred to ensure this objective is met.

We work with the following third parties and share your personal information with them to help us deliver the best possible service to you:

• Amazon Web Services (AWS), a secure cloud services platform. For more, see here: https://aws.amazon.com/privacy/

• Xero is a secure cloud-based accounting software platform. For more, see here: https://www.xero.com/uk/about/legal/privacy/

• Google Workspace (formerly G-Suite) is a collection of collaboration and productivity apps. For more, see here https://policies.google.com/privacy

• Hubspot is a messaging and CRM platform that allows us to communicate with prospective and existing Skyline customers. For more, see here: https://legal.hubspot.com/privacy-policy

• Posthog is an analytics platform providing insights into customer website usage. For more, see here https://posthog.com/privacy

• ProfitWell is an analytics platform allowing us to analyze subscription data. For more, see here https://www.profitwell.com/privacy-policy.

• Chargify is a billing and subscription management platform. For more, see here https://www.chargify.com/privacy-policy/

• Stripe is the payment processing platform that enables us to accept and manage payments for Skyline. For more, see here https://stripe.com/en-gb/privacy

• Typeform is an online tool we use to create surveys and forms for our platform. For more, see here https://admin.typeform.com/to/dwk6gt.

• Zoom a cloud-based video communications platform. For more, see here https://zoom.us/privacy

• Slack is a communication platform we use to chat with existing customers securely. For more, see here https://slack.com/intl/en-gb/trust/privacy/privacy-policy.

• LinkedIn is the social media platform we use for outreach and marketing. For more, see here https://www.linkedin.com/legal/privacy-policy.

• Just call, a cloud-based phone system for sales, support, and report teams. For more, see here https://justcall.io/privacy

​

Do you share my personal data with other third parties?

If we sell or restructure all or part of the business, we will share some of your Personal Data with other third parties in the transaction’s context. In this situation, we will, as far as possible, share anonymized data with the other parties before the transaction completes. Once the transaction is completed, we will share your Personal Data with the other parties if and to the extent required under the terms of the transaction and on the basis of Legitimate Interests. This ensures seamless service for you, regardless of who owns the business, and data due diligence by us. We will notify you in such circumstances, and you may object to this transfer.

We may also need to share your Personal Data with a regulator or otherwise comply with the law. This may include making returns to HMRC, disclosures to financial services regulators, and disclosures to shareholders, such as directors’ remuneration reporting requirements.

​

Where we store and process your personal information

The personal information that we collect from you is stored on Amazon Web Service cloud servers within the United States.  All information you provide to us is stored on these secure servers, and any payment transactions are encrypted.  Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website, you are responsible for keeping this password confidential.  We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our website; any transmission is undertaken at your own risk.  We have implemented appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed unauthorizedly, altered, or disclosed.  In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know.  They will only process your personal information on our instructions and are subject to a duty of confidentiality.

​

Is my personal data secure?

We’ve implemented measures to prevent your Personal Data from accidental loss, unauthorized use, access, alteration, or disclosure, some of which we’ve already discussed. We’ve implemented procedures and safeguards to deal with suspected data security breaches. We will notify you and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request.

​

​

How long will you use my personal data?​

We will only retain your Personal Data for as long as necessary to fulfill the purposes we mentioned in our At-a-Glance table and satisfy any legal, accounting, or reporting requirements. This will vary according to the Personal Data involved and the purpose.

We consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we use it, whether we can achieve those purposes through other means, and the applicable legal requirements. To illustrate:
 

• We generally hold onto Financial Data for 7 years to satisfy tax and corporate reporting requirements.

• We generally hold onto identifiable Prospects and Marketing Data for 6 months to align with the sales cycle.

• We retain our suppression lists (do-not-call / unsubscribe) because we have an ongoing legal obligation under Direct Marketing rules.

• We keep customer records and contact details in our CRM for the duration of our relationship and for 7 years after our relationship to resolve any contractual disputes and, unless you object, for 24 months based on Legitimate Interests in case we restart our business relationship.

In some circumstances, we may aggregate or anonymize your Personal Data so that it can no longer be associated with you, in which case we may use it without further notice to you. We do this for purchasing statistics, historical operations data, or to analyze sales and marketing trends. See the Your Data At-a-Glance Chart for a list of retention periods.

​

What rights do I have over my personal data?

​

You have various rights with respect to your Personal Data:

Access

Receive a copy of the Personal Data we hold about you and confirm we’re lawfully Processing it by making a Data Subject Access Request (DSAR). It’s free of charge unless your request is clearly unfounded or excessive.

Rectification

Ask us to update, complete, or correct your Personal Data at any time if you detect an inaccuracy. In fact, we encourage you to do so.

Portability

Get any Personal Data you’ve given us in an electronic form based on Consent or Contractual Necessity in a common machine-readable format. We can also transfer it to a third party if you ask.

Erasure

Ask us to delete or remove Personal Data where there is no good reason or Lawful Basis for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to Objection. We can refuse in certain circumstances. Find out more here.

Objection

Object to any Processing we do based on Legitimate Interests. You also have the right to object where we are processing your Personal Data for direct marketing purposes.

Automated processing

Not to be subject to automated decision-making without human intervention that has significant legal or other effects.

Restriction

Suspend the Processing of some of your Personal Data, for example, if you want us to establish its accuracy or the reason for processing it.

Withdrawal of consent

Withdraw consent at any time and we will stop Processing it unless we have another legitimate basis for doing so in law. Where we rely on your consent, we also explain how you can easily withdraw it.

We will need to confirm your identity to confirm your right to access the information or exercise any of your other rights. This is to prevent Personal Data being disclosed to anyone who has no right to receive it.
You can find out more about your rights by visiting the Information Commissioner’s Office website.

​

How can I make a complaint?

If you are unhappy with the way we handle your personal data, we encourage you to contact Privacy@skylineinsurancequotes.com

​

Cookie Policy​

​

Digital Cookie Notice

Skyline uses cookies and similar tracking technologies such as pixel tags (“pixels”), device identifiers and local storage (collectively, “Tracking Technologies”) to provide an optimized and secure experiences to our website visitors. This notice provides you with information about how we use these technologies and how to control them for this website.

​

What are Cookies and Similar Tracking Technologies?

Cookies are small text files that a web browser uses to store data to make a website experience easier and faster. This technology only stores certain data, such as your website behavior, browser information and your perceived interests. Cookies are the primary technology that enables our advertising partners to display relevant ads to you. There are different types of cookies, and they support a range of business needs. Important characteristics of cookies include the following:

​

First party cookies are cookies that are placed by Skyline when you visit our website.

​

Third party cookies are placed by a someone other than Skyline. Please note that we do not control the collection or further use of data by third parties.

Session cookies are temporary cookies that are erased once you close your browser while persistent or permanent cookies stay on your device until you manually delete them or until your browser deletes them based on the duration period specified in the persistent cookie file.

Strictly Necessary cookies are necessary to allow the technical operation of our website (e.g., they enable you to browse around our website and to use its rich features), and other critical operations such as security and consent management.

Performance cookies collect data on the performance of our website such as the number of visitors, the time spent on the website and error messages.

Functional cookies increase the usability of our website by remembering your choices (e.g. language, region, login, and so on).

Targeting/advertising and social network cookies enable us to promote our brand and products, and to engage in personalized marketing and advertising.

​

Tags, also known as “pixels”, “web beacons” or “clear GIFs”, are pieces of code or small electronic images (1×1), that are ordinarily not visible to website visitors and email recipients and may be associated with cookies on the visitors’ browser or device. Pixel tags allow us to count users who have visited certain pages of the Site, to deliver branded services, to provide online advertising, and to help determine the effectiveness of promotional or advertising campaigns.

​

Mobile device identifiers, also known as a universally unique ID or “UUID” are strings of characters that are incorporated into a device by its manufacturer and can be used to uniquely identify that device (for example an Advertising ID assigned to a tablet running the Android operating system). Different device identifiers vary in how permanent they are, whether they can be reset by users, and how they can be accessed. A given device may have several different unique device identifiers. Unique device identifiers can be used for various purposes, including security and fraud detection, syncing services such as a user’s email inbox, remembering the user’s preferences and providing relevant advertising.

Local storage enables websites to store and retrieve data in a browser on a device. When used in “local storage” mode, the browser or device enables data to be stored across sessions (for example, so that the data are retrievable even after the browser has been closed and reopened). One technology that facilitates web storage is HTML 5.

​

How do we use Tracking Technologies on our website?

Skyline or our service providers use cookies, pixel tags and similar technologies to identify your browser or mobile device. Like many services, we use these technologies to track visits to and across our website, analyze trends, gather demographic information about our website visitors (such as age range or postal code), and administer our website. We may also use these technologies in connection with our business communications and promoting our brand on other websites.

Most web browsers automatically accept cookies, but, if you prefer, you can usually modify your browser setting to disable or reject cookies. If you delete your cookies or if you set your web browser to decline cookies, some features of the website and/or online services that you are using may not work or may not work as designed.

​

How do we use Tracking Technologies with Mobile Devices?

Tracking Technologies may be used for similar purposes on platforms where cookies are not available or applicable, such as mobile device identifiers for advertising. Most modern mobile devices running Apple, Android, and Windows operating systems provide mobile advertising identifiers. For example, we may use an advertising identifier such as the Identifier Advertiser (“IDFA”) on iOS devices and the Advertising ID on Android devices where cookies are not available.

​

In addition to mobile device identifiers we may also collect standard device-specific information such as your operating system, hardware version, device settings, file and software names and types, and unique device identifiers. This helps us measure how the website is performing and improve the usability of the website on your particular device.

​

Why do we use Tracking Technologies?

We use Tracking Technologies for a variety of reasons, such as allowing us to show you content that’s most relevant to you, measurement and customization, improving our products and services, and helping to keep our website secure. While specific names of the Tracking Technologies that we use may change from time to time as technologies evolve or we update our website, our use generally falls into the below categories:

• Security and integrity. Security is important to us. We use technologies which help keep our website safe for our employees and online visitors by supporting and enabling security features. For example, we use security cookies to authenticate users, prevent fraudulent use of login credentials with our product portals, protect user data from unauthorized parties and to help us fight spam and phishing attacks.

• B2B sales enablement. We are a business-to-business company and use technologies that help us engage our prospective clients and help move our sales process along.

• Content personalization. We use features which help us deliver personalized content and change the way the site behaves or looks based on your expressed preferences and interactions with certain content on our pages.

• Embedded media. We use embedded content, such as for online chat, streaming videos, or for job applications. Embedded content providers may use their own pixels and cookies. We do not have control over the placement of cookies on other websites and platforms, even if you are directed to them from our website.

• Performance management. We use cookies and like technologies to ensure our website is performing at a high level, such as by understanding how quickly our Site loads for different users. For example, performance cookies help us route traffic between servers and understand how quickly certain pages load for different people and if they receive error messages from certain pages.

• Measurement and analytics. We use analytics cookies to understand how our website visitors use and engage with Skyline, and to help us optimize the website experience. For example, by letting us know which pages are most popular. At times we may work with third parties to track and analyze usage and volume statistical information from individuals who interact with us online or download our promotional content. The cookies we use to collect information and report website usage statistics do not directly identify individual visitors unless that individual has voluntarily fills out a contact form, subscribes to our marketing communications, or otherwise provides us with their contact details which we may associate to analytics data.

• B2B marketing and advertising. From time to time, we may partner with third parties to show you ads for Skyline products and services on our website and on third-party sites, and to track the performance of our advertising efforts. Our service providers may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests.

​

​