BOSS Privacy Policy

Scope

This privacy policy covers the BOSS cloud software and related services. It sets out how we collect, process and store information that you provide to us when you visit or use any domain or subdomain of bossapp.global.

Introduction

This privacy policy aims to inform you about how we collect and process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information. It tells you about your privacy rights and how the law protects you.

We are committed to protecting your privacy and the confidentiality of your personal information and of any information entered into the system. Our policy is not just an exercise in complying with the law, but a continuation of our respect for you and your personal information.

We undertake to preserve the confidentiality of all information you provide to us. Our policy complies with the Data Protection Act 2018 (Act) accordingly incorporating the EU General Data Protection Regulation (GDPR).

The law requires us to tell you about your rights and our obligations to you regarding the processing and control of your personal data.

Except as set out below, we do not share, sell, or disclose to a third party, any information collected through this website.

Who we are and how to contact us.

DRP UK Ltd, company registration number 03653794, registered in England and Wales, is the organisation behind BOSS.

You can contact us at our registered address:

Head office
Studio 212
Ikon Estate
Droitwich Road
Hartlebury
DY10 4EU
Tel: +44 (0) 1299 250531

Data Protection Officer

DRP UK Ltd has appointed a data protection officer (DPO) who is responsible for ensuring this policy is followed. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please email dpo@drpgroup.com or write to us at our postal address and mark the envelope ‘Data Protection Officer’.

Personal Data we process

We adopt the meaning from the General Data Protection Regulation (GDPR), which is in force from May 25th 2018. We may collect, use, store and transfer different kinds of personal data about you.

We have collated these into groups as follows:

Your contact information includes information such as email address, telephone numbers and any other information you have given to us for the purpose of communication or meeting.

Your profile includes information such as your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.

Technical data includes your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

We may aggregate anonymous data such as statistical or demographic data for any purpose. Anonymous data is data that does not identify you as an individual. Aggregated data may be derived from your personal data but is not considered personal information in law because it does not reveal your identity.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter with you (for example, to provide you with support for BOSS). In this case, we may be relieved of that specific contractual obligation or choose not to proceed with a request but we will notify you if this is the case at the time.

Collecting personal data

When you visit our website or use our services, we collect personal data. The ways we collect it can be categorised into the following:

Provided by you – for example by completing our website form for a demo, using the chat service to ask questions, signing up for our content downloads, completing your profile in BOSS or by contacting us for support. We only ask for the minimum personal data required for you to benefit from the services. If you choose not to share the relevant personal data, you understand that might mean we cannot provide the services.

Collected automatically – we collect information such as IP address, device type, pages you visited and what links you clicked on. For our website and marketing work this means we can get a better understanding of user journeys and areas of interest, so we can keep providing great experiences and personalising content where appropriate. For BOSS user activity, we collect similar information to ensure the service is optimised, and for performing some of our contract obligations to customers, such as keeping audit logs and forensic histories of work done. Some of this information is collected through the use of cookies and related tracking technologies, including Google Ads.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our services may become inaccessible or not function properly. Our cookie policy explains that in more detail.

Information added by customers – a registered user of a customer or partner on the BOSS platform may add personal data into the secure cloud service as part of their purpose for using the platform. We have contractual obligations to those customers in our role as a data processor and those customers are responsible for that data and providing their own privacy notice to individuals about that data.

Important note – If you’re someone who doesn’t have a relationship with us but believes that a BOSS user has entered your personal data into our platform, you’ll need to contact that user’s organisation for any requests. They will be the data controller in that instance, and we are the data processor. This includes where you want to access, correct, amend, or request that the user delete your personal data, or address any other individual’s rights. If you do still contact us, we will attempt to redirect you to the organisation you think may have entered the data.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity including geographical information.

In addition to this, if you go on to a web page on our site that contains embedded content, for example a video from YouTube, you may be sent cookies from these websites. We don't control these cookies, so we suggest you check the third-party websites for more information about their cookies and how to manage them.

You can set your browser not to accept cookies and obtain up-to-date information about blocking and deleting cookies via the below website.

We use cookies in the following ways:

For further information visit www.aboutcookies.org

Use of personal information

We will not sell or lease your personal information to third parties unless we have your permission or are required by law to do so.

We may send you email communication which may be of interest to you from time to time for the duration of your subscription to inform you of updates or new features.

Sharing of information Sub-processors

We will not share your information with any third parties other than the specified Data Controller and will not use any information for direct marketing.

We may use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Name | Description of Service | Country | Data Stored | GDPR Compliance
Syntiro Associates | Sustainability advisory and consultancy services, and BOSS platform support | United Kingdom | Full Name, E-mail address | Visit
Amazon Web Services | Cloud Infrastructure and Hosting Platform | United Kingdom | Operational instance of bossapp.global, logging and backups that contain PII stored in the BH application | Visit
Pendo | Collection of site statistics | USA / United Kingdom | Anonymised Statistics | Visit
Cookiebot | Cookies | Denmark | IP address, Browser Details | Visit

The bases on which we process information about you

The law requires us to determine under which of six defined bases we process different categories of your personal information, and to notify you of the basis for each category.

If a basis on which we process your personal information is no longer relevant, then we shall immediately stop processing your data.

If the basis changes then, if required by law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.

We rely on one or more of the following processing conditions:

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Rights in relation to your information

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

If you would like to exercise these rights or understand if these rights apply to you, please contact us by sending an email to dpo@drpgroup.com.

Children’s Information

We do not provide services directly to children or proactively collect their personal information. However, as in this case we are sometimes given information about. The information in the relevant parts of this notice applies to children as well as adults.

Retention of personal information

Except as otherwise mentioned in this privacy notice, we keep your personal information only for as long as required by us and:

Third Party integrations

Our website may contain links to other websites provided by third parties not under our control.

When following a link and providing information on that link please be aware that we are not responsible for the data provided to that third party.

This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

Data Protection and Security

We have implemented robust measures to ensure the confidentiality, integrity, and availability of your personal data. This includes achieving UKAS-certified ISO 27001:2013 certification. As a responsible supplier, we strive to prevent your personal data from being accidentally lost, misused, accessed without authorisation, altered, or improperly disclosed.

Access to your personal data is restricted to employees, agents, contractors, and other third parties who have a legitimate business need to know. They will process your personal data strictly according to our instructions and are bound by confidentiality obligations, reinforced through relevant contractual agreements.

Additionally, we have established procedures to address any suspected personal data breaches. We will notify you and any applicable regulators of a breach, as required by law, aiming to do so within 24 hours or as soon as we become aw.

Encryption of data sent between us

We use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us.

Whenever information is transferred between us, you can check that this is done using SSL by looking for a closed padlock symbol or other trust mark in your browser’s URL bar or toolbar.

Compliance with the law

Our privacy policy has been compiled to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you.

How you can complain

If you are not happy with our privacy policy or if you have any complaint, then you should tell us.

If you are in any way dissatisfied about how we process your personal information, you have a right to lodge a complaint with the Information Commissioner's Office (ICO).

This can be done at https://ico.org.uk/make-a-complaint/. We would, however, appreciate the opportunity to talk to you about your concern before you approach the ICO.

Review of this privacy policy

We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on the. Where a change is significant, we'll make sure to let you know, usually by email or by alerting you from within the platform itself.