GENERAL DATA PROTECTION REGULATION & PRIVACY POLICY

Mamatus Limited 

Company No. 4581402 

Registered Office: 

78 Mill Lane, 

London NW6 1JZ UK

Consent

Our company operates by personal recommendation and word of mouth. Most of our clients are businesses. We do not undertake pro-active marketing campaigns on our own behalf, do not solicit for personal information, and do not capture or retain personal information of any kind in any way except as described below. Because of this we assume that all personal information we hold on our clients has been submitted to us voluntarily and pro-actively as a consequence of commissioning or carrying out business with us, and therefore we have their consent to retain this data.

How you can contact us, and how those means of contact reveal your personal information to us and others

We assume you know your rights under the GDPR. If you wish to contact us to exercise your rights, please use one of the means of contact described below. Not all means of contact are made available on all of our websites, but at least one means of contact is provided, and your message will be acted upon.

If you contact us by any kind of digital medium you should assume that your personal information associated with that medium and the metadata of who contacted whom, and when, will be logged by a variety of 3rd parties. We have no control over this process, cannot be held responsible for it, and have no power to get your personal information removed from those logs. Almost everyone everywhere is in this position.

By letter: Please use the registered office address, above. If your letter to us is a business communication that must be retained as part of the documentation we are obliged by law to keep for 7 years, we will hold it for that time in a filing cabinet. If it is not, it will be shredded once it has been read and acted upon.

By email: Please click on the email links on our website. If you send an email to someone and they use an email application to receive it, that application will capture your email address and store it in a file to make it conveniently accessible should the recipient wish to write to you again. All modern email applications on all platforms include this function, and most users of these applications have no idea how this process works. On an Apple Macintosh the Mail application stores this information in the Previous Recipients file, found in its Window menu. This file can be edited and email addresses removed from it. If you want your address removed from this file, please say so in all emails to us. We do not remove addresses captured in this way as a matter of course; it is a manual operation which would be too time-consuming and error-prone to do for every email received.

We have no interest in our email server’s access logs. However, for various technical and legal reasons these logs are retained by our email hosting services and sent to us monthly. We delete them without reading them. If you don’t want your email address and your device’s IP address to be captured in our email server’s logs we suggest you use a VPN or Tor, send us webmail, and take steps to obfuscate or spoof your email address. If you do all of this, please don’t be surprised if our email server quarantines your email as spam and we never receive it.

By phone: Please use the phone numbers visible on our website. If you call anyone, anywhere, the call recipient’s phone company will make a record of your phone number and when you made the call. This might appear on their itemised phone bill. If the call recipient is running a business, their phone bill will be a business expense document, must be retained as such for 7 years, and will be sent along with all of their other business documents to their accountants for auditing. Copies might be retained by Companies House or HMRC. Also, don’t forget, the phone company must retain this metadata for anti-terrorism purposes, amongst others, and may be required to make it available to a wide variety of governmental agencies. This is beyond our control.

Unless you use a No Caller ID service, all mobile phones and many landline phones will display your number and retain it in a Calls Received log which may be backed up, along with the rest of the phone’s data, to a Cloud service hosted outside the UK or EU. If you want your phone number and call record to be deleted from this log at the end of your call to us, please say so. We do not remove phone numbers captured in this way as a matter of course.

By text: Please send texts to the mobile phone numbers visible on our website. The comments above apply equally to text messages. Text messages are not encrypted. Phone companies and others can read them in transit and capture your personal information from them. If your personal information is captured in this way by 3rd parties whilst you are communicating with us, this is beyond our control and cannot be our responsibility. Text messages may be backed up, along with the rest of the phone’s data, to a Cloud service hosted outside the UK or EU. If you want your text message to us to be deleted after it has been read, please say so. We do not necessarily delete text messages as a matter of course.

By Apple iMessage: Please send iMessages to the mobile phone numbers visible on our website. These messages are end-to-end encrypted and their contents cannot be read by anyone except for the recipient. That said, Apple retains the metadata of who sent which message to whom, when, and there are circumstances under which they might reveal it. iMessages may be backed up, along with the rest of the phone’s data, to a Cloud service hosted outside the UK or EU. If you want your iMessage to us to be deleted after it has been read, please say so. We do not necessarily delete iMessages as a matter of course.

By social media including Instagram, WhatsApp and Facebook: If you contact us via one of these media we assume that you have made contact voluntarily and pro-actively; understand that your data and metadata will be captured by the social media app; and that its logs will automatically be uploaded to servers not necessarily located in the UK or EU, owned by a corporation ultimately controlled by Mark Zuckerberg. There is nothing we can do about this. We assume that you know this, and by contacting us in this way you have given your consent for this process to take place. If you don’t want this to happen, don’t use these media.

We do not capture data from our website, which makes no use of cookies or analytics. We have no interest in and do not read our web access logs. However, for various technical and legal reasons these logs are retained by our hosting services, who may be required to make them available to a wide variety of governmental agencies. If you don’t want your device’s IP address captured in our hosting provider’s weblogs we suggest you use a VPN or Tor to access our website.

How we use your data

We use your data on the basis of Contract and Legitimate Interest.

Once you have made contact with us, if we agree to do business then as a matter of Contract we will retain your name, phone number, email address, postal address, and if you are located in the EU but outside the UK and have one, your VAT number. This is so that we can easily find your phone number or email address should we need to make contact with you as part of our business relationship; to let us know who you are if you contact us so that we can give you a personal greeting; to remind us of the work we have done and are doing for you so that we can be prepared for our conversation; to send you invoices and deliverables; to find our way to you should we agree to visit you; and if you’re in the EU but outside the UK, to enable us to fill in HMRC’s EC Sales List.

This data will be stored in our accounting software and in various spreadsheets and PDF files on our devices. It will also be stored in the Apple Contacts application. Some of it may also be stored in the Apple Calendar application, and might end up in the search logs of Apple Maps, Waze, or other satnav or public transit applications. All of this data is uploaded by those apps to their service providers who store, aggregate, and back it up. We have no control over what they do with this data and no practical way to ensure that they delete it if you ask us to.

If we do not proceed to a business relationship we will not store your data in any of these applications, although as we have said above, traces of your personal data will remain in call logs, email server logs, phone bills, etc., many of which are beyond our control, not in our power to edit, and some of which we must retain by law for 7 years.

All of these applications’ data are synchronised amongst our business devices by Apple’s iCloud service; encrypted copies are retained by Apple and stored on servers not necessarily located in the UK or EU; Apple makes its own backups of these servers, over which we have no control. Google and Microsoft cloud services operate in the same way. We use Apple services because we believe Apple has the least commercial reason to aggregate and resell this data.

Please be aware that we manage some social media channels for some of our clients, and for this reason some of our devices have Instagram, WhatsApp and Facebook apps installed. These apps all automatically upload the device’s complete Contacts database to a corporation ultimately controlled by Mark Zuckerberg. If we have a business relationship and of necessity add your personal information to our Contacts database, Mark Zuckerberg will also be in possession of it in short order. There is nothing we can do to stop this, and anyway you’re likely to find that Mark Zuckerberg already has all of this information, and more besides. He’ll do with it as he sees fit.

Your name, job title if you have one, postal address (which will be your business address; if you work from home this will also be your home address) and, if you are located in the EU but outside the UK, your VAT number, will appear on our VAT invoices to you. By law we must retain copies of these invoices for 7 years. We retain paper copies, which live in a filing cabinet, and PDF copies which live on our computers and their backups. See below on how we secure these. We send the paper copies to our accountants for auditing, along with our other business documents, and have them returned to us when the accounting process for that financial year has been completed, just like everyone else.

We don’t keep any data we don’t need, and periodically we cull old and stale data from our Contacts database. We do not resell, make available to anyone else for their use, or in any other way commercialise or exploit the client data we retain. Many of our clients know each other. If we were deliberately to leak their personal data we would destroy our business. For this reason we are probably more confidential and trustworthy than your doctor.

When we might contact you

As a matter of Contract we will contact you in the course of the normal communications required for fulfilling the task you have commissioned us to do for you.

Among the services we offer is Apple Macintosh technical support. Most of our clients rely on us to be available at short notice should they have technical problems. For this reason, as a matter of Legitimate Interest we may contact you as part of a bulk email to inform you if we will not be available for a while, such as when away on vacation. We do this as a customer service, not to harass you. Occasionally, very serious security problems or other faults are found with computer software that require immediate action to ameliorate their effects. If we judge the problem to be sufficiently severe, as a matter of Legitimate Interest we will email you with information, advice, and steps to follow. This happens rarely. We do this as a customer service, not to harass you. Most of our clients tell us they appreciate these services.

Also as a matter of Legitimate Interest we may send you an email Christmas card. We do this in the spirit of the season, not to market to you or harass you. We don’t think most people regard Christmas cards as being intrusive, but if you do, we assume you are familiar with your email application’s Delete function and recommend you use it if our or anyone else’s email Christmas cards annoy you. Alternatively, please let us know if you do not wish to receive a Christmas card.

How we secure data

  • We use iPhones, which are known to be strongly encrypted and relatively secure. We use 6-digit pass codes at minimum, and the phones are always locked when not actively being used. It is well known that a locked iPhone is extremely difficult to break into. The phones can be remote-wiped and their data rendered completely inaccessible if they are lost or stolen.
  • We synchronise data between our devices using Apple iCloud. Data is encrypted in transit and on Apple’s servers. We use strong passwords and Apple 2-Factor Authentication to secure access to our iCloud accounts.
  • Our laptops are always turned off when not actively in use. They are secured by strong user account passwords. Their storage is encrypted with Apple FileVault. They are for all practical purposes completely inaccessible when not actively being used.
  • We do not use easily-lost ‘USB sticks’ or similar for temporary data storage. We have never lost CDs containing millions of National Insurance numbers down the back of the sofa.
  • We back up our data in various ways. All backups are encrypted: some are stored on our premises; some on servers in the USA.
  • Our iPhones back up their data to our laptops. Our laptops use Apple Time Machine software to back up their data to hard disks. These backups are encrypted and protected by strong passwords. The hard disks are backed up to servers in the USA operated by a backup service called Backblaze. Those backups are themselves encrypted with strong passwords, so data backed up offsite to the USA is double-encrypted.
  • We use secure password management software to store website, account password, and other login details. This data is encrypted and stored on the laptops’ encrypted storage.
  • We use secure VPN tunnels when attached to any network we do not own and administer ourselves.
  • Our own network is secured by strong passwords and encryption.
  • None of the above systems is perfect: there is no such thing as total security. It remains possible that your data could be lost or made public as a result of a security failure in one of the systems we rely upon. Everyone everywhere is in this position, including you.

Deleting your personal data

If you want us to remove all traces of your personal information from our systems we will make our best efforts to do so from all media under our control, apart from those records we are obliged by law to retain for 7 years such as invoices we have issued to you. Be aware though that it can be extremely difficult - in practice, impossible - to ensure that all traces have been removed from incremental data backups. Apple makes backups of our iCloud data, and we cannot delete data from them. We have no control over these backups. Neither does anyone else, anywhere, who uses comparable services in a similar way to us. You are almost certainly in the same position as us regarding the personal information you store. So, before going off on one, we’d appreciate it if you would consider that first. Thank you.

We may change our privacy policy from time to time, if for example we decide to carry out pro-active marketing, or when case law clarifies vagueness in the GDPR.

Remember: we are a micro-business. The GDPR deems our business contact details to be ‘personal information’. If you have any kind of relationship with us, you also hold and control copies of our personal information. We could get stroppy too; GDPR cuts both ways. Alternatively, let’s be agreeable, civil, and practical.