Privacy Policy

1.0 What this policy covers

Your privacy is important to us - Changefirst (referred to in this policy as we, us or our), and so is being transparent about how we collect, use and share information about you. This Policy details our commitment to protecting the privacy of individuals who visit our Websites (as herein defined) (“Website Visitors”), who use our Products and Services, or who attend or register to attend a workshop. This policy is intended to help you understand:

  • What information we collect about you
  • How we use information we collect
  • How we share information we collect
  • How we store and secure information we collect
  • How to access and control your information
  • How we transfer information we collect internationally
  • Other important privacy information

This Policy covers the information we collect about you when you use our products or services, or otherwise interact with us (for example, by completing a form on our website, attending our events), unless a different policy is displayed.

In this Policy, personal information means information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

Our Website may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices.

Clients of our Services are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, as well as any and all privacy policies, agreements or other obligations, relating to the collection of personal information in connection with the use of our Services by individuals with whom our Clients interact.
We may transfer personal information to companies that help us provide our Services. Transfers to subsequent third parties for these purposes are governed by the Service Agreements with our Clients. A list of sub-processors that Changefirst engage with to provide the Roadmap Pro service can be viewed at: info.changefirst.com/sub-processors

2.0 What information we collect about you

2.1 Information we collect automatically when you use the Services

Account and Registration Information:
We ask for and collect personal information about you such as your name and email address when you register for an account to access one or more of our Services (an “Account”).
We refer to any information described above as “Account Information” for the purposes of this Policy. By voluntarily providing us with Account Information, you represent that you are the owner of such personal data or are otherwise authorized to provide it to us.

Other Submissions:
We ask for and collect personal information from you when you submit web forms on our Websites or as you use interactive features of the Websites, including, participation in surveys, contests, promotions, requesting customer support, or communicating with us.

Event Information:
We ask for and collect personal information such as your name, email address and country when you register for/to attend a sponsored event or other events at which any member of the Changefirst participates/facilitates as part of our Services.

Your use of the Services:
We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use; the links you click on; the type, size and filenames of attachments you upload to the Services; frequently used search terms; and how you interact with others on the Services. We also collect information about the teams and people you work with and how you work with them, for example - when a user of Roadmap Pro collaborates by sharing their plan with other users.

Device and Connection Information:
We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you visit, access, update, or use our Website and Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.

Cookies and Other Tracking Technologies:
We and our authorized partners use cookies and other information gathering technologies for a variety of purposes. These technologies may provide us with personal information, information about devices and networks you utilize to access our Website and Services; other information regarding your interactions with our Services. For detailed information about the use of cookies in our website and applications, our Cookie Policy can be viewed at: info.changefirst.com/cookie-policy.

Logs:
As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when you interact with our Website and Services. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, and system configuration information. Occasionally, we connect personal information to information gathered in our log files as necessary to improve our Website and Services. In such a case, we would treat the combined information in accordance with this Policy.

Analytics:
We collect analytics information when you use our Website and Services to help us improve them. We may also share anonymous data about your actions on our Websites with third-party service providers of analytics services.

2.2 Information we receive from other sources

Other users of the Services:
Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned in a Roadmap Pro task created by someone else. We also receive your email address from other Service users when they provide it to invite you to the Services. Similarly, an administrator may provide your contact information when they designate you as the billing or technical contact on your company's account.

Other services you link to your account:
We receive information about you when you or your administrator integrate or link a third-party service with our Services. For example, if you create an account or log into the Services using your organization’s federated logon, we receive your name and email address as permitted by your organization’s profile settings to authenticate you. You or your administrator may also integrate our Services with other services you use, such as to allow you to access, store, share and edit certain content from a third-party through our Services. For example, you may authorize our Services to access, display and store files from a third-party document-sharing service within the Services interface. Or you may authorize our Services to connect with a third-party calendaring service so that your meetings and connections are available to you through the Services. You may authorize our Services to sync a contact list or address book so that you can easily connect with those contacts within the Services or invite them to collaborate with you on our Services. The information we receive when you link or integrate our Services with a third-party service depends on the settings, permissions and privacy policy controlled by that third-party service. You should always check the privacy settings and notices in these third-party services to understand what data may be disclosed to us or shared with our Services.

Changefirst Partners:
We work with a global network of partners and affiliates who provide consulting, implementation, training around our products and services. Some of these partners also help us to market and promote our products, generate leads for us; resell our products and services and affiliate network. We share with and receive information from these partners, such as profile information, billing and technical contact information, company name, what Changefirst products and services you have purchased or may be interested in, evaluation information you have provided, what events you have attended; what country you are located in.

Event Information:
We receive information such as your name, email address and country location when you register for/to attend a sponsored event or other events at which any member of the Changefirst Partners participates/facilitates as part of their Services.

Other Partners:
We receive information about you and your activities on and off the Services from third-party partners, such as marketing service providers who provide us with information about your interest in and engagement with our Services and online content; promotional activity.

Social Media Widgets:
Our Websites may contain social media features, such as the Facebook Like button, and widgets, such as the Share This button or interactive mini-programs that run on our Websites. These features may collect your IP address, which page you are visiting on the Websites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on the Websites. Your interactions with these features are governed by the privacy statement of the company providing it.

3.0 How we use information we collect

3.1 General Uses:

We use the information we collect about you (including personal data, to the extent applicable) dependent on which Services you use, how you use them and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you:

  • provide, operate, maintain, improve, and promote the Services;
  • enable you to access and use the Services;
  • process and complete transactions, and send you related information, including purchase confirmations and invoices;
  • identify purchases made through shop.changefirst.com via our affiliate marketing program;
  • send transactional messages, including responses to your comments, questions, and requests; provide customer service and support; and send you technical notices, updates, security alerts, and support and administrative messages;
  • send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners. You can selectively manage your personal preferences for the type of marketing communications you would like to receive in our Marketing Preference center. Click the email preferences link at the bottom of any of our email communications and follow the instructions to make changes. There is also a link to unsubscribe from all marketing communications. Or you can also opt-out of receiving marketing communications from us by contacting us at: privacy@changefirst.com.
  • monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes;
  • investigate and prevent fraudulent transactions, unauthorized access to the Services, and other illegal activities;
  • for other purposes for which we obtain your consent.
  • to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to report and improve the services.
  • where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

3.2 Legal bases for processing (for EEA users):

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:

  • We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), details can be found under Further information on legitimate interest below;
  • You give us consent to do so for a specific purpose; or
  • We need to process your data to comply with a legal obligation.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g., your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.

Further information on legitimate interest
“Legitimate Interests” means the interests of our company in conducting and managing our business to enable us to give you the best service.
For example, we have an interest in making sure our marketing is relevant for you, so we may process your information to send you marketing that is tailored to your interests and attendance at our events.
We process personal information for certain legitimate business purposes, which include some or all of the following:

  • where the processing enables us to enhance, modify, personalize or otherwise improve our services / communications for the benefit of our customers
  • to better understand how people interact with our websites
  • to determine the effectiveness of promotional campaigns and advertising

When we process your personal information using legitimate interest as the legal basis, we make sure to consider and balance any potential impact on you (both positive and negative), as well as your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

4.0 How we share information we collect
4.1 Sharing with other Service users

When you use the Services, we share certain information about you with other Service users.

For collaboration:
You can create content, which may contain information about you, and grant permission to others to see, share, edit, copy and download that content based on settings you or your administrator (if applicable) select. Some of the collaboration features of the Services display some or all of your profile information to other Service users when you share or interact with specific content. For example, when you share a plan with another user in your organization that user will see the name and email address of the person they are collaborating with or that owns the plan.

Managed accounts and administrators:
If you register or access the Services using an email address with a domain that is owned by your employer or organization, and such organization wishes to establish an account or site, certain information about you including your name, contact info, content and past use of your account may become accessible to that organization’s administrator and other Service users sharing the same domain. If you are an administrator for a particular site or group of users within the Services, we may share your contact information with current or past Service users, for the purpose of facilitating Service-related requests.

4.2 Sharing with third parties
We share information with third parties that help us operate, provide, improve, integrate, support and market our services.

Service Providers:
We share information, including personal information, with our third-party service providers that we use to provide hosting for and maintenance of our Websites, application development, backup, storage, payment processing, analytics and other services for us. These third-party service providers may have access to or process your personal data for the purpose of providing these services for us. We do not permit our third-party service providers to use the personal data that we share with them for their marketing purposes or for any other purpose than in connection with the services they provide to us.

Changefirst Partners:
We work with third parties who provide consulting, sales, and technical services to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to assist with billing and collections, to provide localized support, and to provide customizations. We may also share information with these third parties where you have agreed to that sharing.

Third-Party Apps:
You, your administrator or other Service users may choose to add new functionality or change the behavior of the Services by installing third-party apps within the Services. Doing so may give third-party apps access to your account and information about you like your name and email address, and any content you choose to use in connection with those apps. If you are a technical or billing contact listed on an account, we share your details with the third-party app provider upon installation. Third-party app policies and procedures are not controlled by us, and this privacy policy does not cover how third-party apps use your information. We encourage you to review the privacy policies of third parties before connecting to or using their applications or services to learn more about their privacy and information handling practices. If you object to information about you being shared with these third parties, please uninstall the app.

Links to Third-Party Sites:
Our Websites and Services may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third-party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

Social Media Widgets:
Our Websites Services may contain links that direct you to other websites or services whose privacy practices may differ from ours. Your use of and any information you submit to any of those third-party sites is governed by their privacy policies, not this one.

Third-Party Widgets:
Our Website and some of our Services contain widgets and social media features, such as the Twitter "tweet" button. These widgets and features collect your IP address, which page you are visiting on the Services, and may set a cookie to enable the feature to function properly. Widgets and social media features are either hosted by a third-party or hosted directly on our Services. Your interactions with these features are governed by the privacy policy of the company providing it.

Compliance with Laws and Law Enforcement Requests; Protection of Our Rights:
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law.

Testimonials:
From time to time, we may post testimonials on the Websites that may contain personal information. We obtain your consent to post your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us at: privacy@changefirst.com.

Community Forums:
The Websites may offer accessible blogs, community forums, comments sections, discussion forums, or other interactive features (“Interactive Areas”). You should be aware that any information that you post in an Interactive Area might be read, collected, and used by others who access it. To request removal of your personal information from an Interactive Area, contact us at: privacy@changefirst.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

Changefirst Group Sharing:
We may share information, including personal data, with any member of the Changefirst Group.

Business Transactions
We may assign or transfer this Policy, as well as your account and related information and data, including any personal data, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.

5.0 How we store and secure information we collect

5.1 Information storage and security
The security of your personal data is important to us. We are ISO 27001 certified and follow accepted standards to protect the personal data submitted to us, both during transmission and once it is received.

We use data hosting service providers in Ireland to host the information we collect, and we use technical measures to secure your data. For more information: information security policy.

While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.

5.2 How long we keep information
How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time (as stated in our retention schedule), we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.

Account information:
We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations and to continue to develop and improve our Services. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you. We only use the information to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about you.

Information you share on the Services:
If your account is deactivated or disabled, some of your information and the content you have provided will remain to allow your team members or other users to make full use of the Services. For example, we continue to display messages you sent to the users that received them and continue to display content you provided in a plan you contributed to.

Managed accounts:
If the Services are made available to you through an organization (e.g., your employer), we retain your information if required by the administrator of your account and in accordance with the information outlined in Account information above.

Marketing information:
If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened an email from us or ceased using your Changefirst account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

6.0 How to access and control your information

6.1 Communications Preferences
You can selectively manage your personal preferences for the type of marketing communications you would like to receive in our Email Preference center. Simply click the email preferences link at the bottom of any of our email communications and follow the instructions. There is also a link to unsubscribe from all marketing communications. Or you can also opt-out of receiving marketing communications from us by contacting us at: privacy@changefirst.com.

6.2 Correcting, Updating and Removing Your Information
If you are a User or otherwise provide us with personal data in connection with your use of our Website or Services, we will destroy this information upon your request, provided that, notwithstanding such request, this information may be retained for as long as you maintain an account for our Services, or as needed to provide you with our Services, comply with our legal obligations, resolve disputes and enforce our agreements. Please also see Notice to End Users, in relation to those Users who access our Services through use by their employer.

Upon request we will:

  • Provide access to the personal information about whether we hold, or process on behalf of a third party, any of your personal information.
  • Update or change their Account Information by editing their profile or organization record, subject to licensing terms with your organization.
  • Have personal information maintained by us returned to you or removed.

Requests to access, update, or remove your information should be sent to privacy@changefirst.com and will be handled within 28 days (or extensive requests may take longer and this will be declared as soon as possible).

An individual who seeks access to, or who seeks to correct, amend, or delete inaccuracies in personal data stored or processed by us on behalf of a User (the data subject) should direct his/her query to the User (the data controller).

We will retain personal information that we store and process on behalf of our Customers for as long as needed to provide the Services to our Customers. If you access our Services through your company/organization email address, please also review the section on other important privacy information below.

7.0 How we transfer information internationally
We store personal data about Website Visitors and Subscribers within the European Economic Area (the “EEA”), the United States and in other countries and territories. To facilitate our global operations, we may transfer and access such personal data from around the world, including from other countries in which the Changefirst has operations.

If you are visiting our Websites from the EEA or other regions with laws governing data collection and use, please note that you are agreeing to the transfer of your personal information to the United Kingdom and other jurisdictions in which we operate. By providing your personal information, you consent to any transfer and processing in accordance with this Policy.

We ensure protection for the rights of data subjects by having data processing agreements (that include Standard Contractual Clauses (SCCs)) in place with our third-party suppliers and using organizations that implement appropriate technical and organisational security measures.

8.0 Other important privacy information

8.1 Notice to End Users

Many of our products are intended for use by organizations. Where the Services are made available to you through an organization (e.g., your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to that organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different than this policy.

Administrators can:

  • require you to reset your account password;
  • restrict, suspend or terminate your access to the Services;
  • access information in and about your account;
  • access or retain information stored as part of your account;
  • install or uninstall third-party apps or other integrations.
  • In some cases, administrators can also:
  • restrict, suspend or terminate your account access;
  • change the email address associated with your account;
  • change your information, including profile information;
  • restrict your ability to edit, restrict, modify or delete information.

Even if the Services are not currently administered to you by an organization, if you use an email address provided by an organization (such as your work email address) to access the Services, then the owner of the domain associated with your email address (e.g., your employer) may assert administrative control over your account and use of the Services at a later date. You will be notified if this happens.

If you do not want an administrator to be able to assert control over your account or use of the Services, use your personal email address upon purchase, to register for or access the Services. Once an administrator asserts control over your account or use of the Services, you will no longer be able to change the email address associated with your account without administrator approval.

Please contact your organization or refer to your administrator’s organizational policies for more information.

9.0 Children’s Personal Information
We do not knowingly collect any personal information from children under the age of 13. If you are under the age of 13, please do not submit any personal data through our Website or Services. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Policy by instructing their children never to provide personal data through the Websites or Services without their permission. If you have reason to believe that a child under the age of 13 has provided personal data to us through the Websites or Services, please contact us at: privacy@changefirst.com, and we will use commercially reasonable efforts to delete that information.

10.0 Changes to This Policy
If there are any material changes to this Policy, you will be notified by our posting of a prominent notice on the Websites prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of the Websites or the Services constitutes your agreement to be bound by such changes to this Policy. Your only remedy, if you do not accept the terms of this Policy, is to discontinue use of the Websites and the Services.

11.0 Contacting Changefirst
Your information is controlled by Changefirst Limited. If you have any questions, or concerns or complaints about how your information is handled, or regarding this Policy, please direct your enquiry to privacy@changefirst.com and we will seek to respond to you within 28 days if not sooner.

If you are dissatisfied with how Changefirst have used your personal information you have a right to complain with the Information Commissioner's Office (ICO).

Changefirst Ltd
Basepoint Business Centre,
Metcalf Way,
Crawley,
RH11 7XX, U.K.

Last updated: 15 May 2022.