Aptiq Works Ltd. is a Data Processor, acting on behalf of our customers in both public and private sector organisations who are the Data Controllers. The individuals whose data we process are their employees, not customers, service users or the public.
Trickle is a communication and continuous improvement platform that supports open dialogue, staff engagement, and real-time feedback. We process data solely for providing and maintaining this service, under contract and instruction from our customers.
Purpose & Lawful Basis
Our processing is lawful under UK GDPR Article 6(1)(b): Performance of a Contract. The lawful basis is set out in our subscription agreements. Trickle acts as a data processor - it is our customer's responsibility to ensure they have the right lawful basis for processing users' data.
Categories of Data Processed
We only collect the minimum data required to operate the platform:
- Mandatory: Full name, work email, department, and work location (selected via dropdown)
- Optional: Job title, phone number, profile photo, user preferences, and feedback posts ("Trickles")
- Technical: IP address
Users can choose to post feedback anonymously.
No Special Category Data
We do not process special category data as defined by UK GDPR (e.g. health information, racial or ethnic origin), sensitive personal data relating to individuals in public or private sector roles, or home addresses, personal records, or other personally identifiable information beyond those listed above.
Data Collection, Retention & Storage
- Data is provided either by the employer or directly by employees during account setup.
- Data is stored for the duration of the contract and retained up to 2 years post-termination, unless deletion is requested earlier.
- Customers can delete data at any time via admin tools.
- Data is hosted in the UK, Ireland, and the Netherlands, with no transfers outside the EEA.
- Hosted on Microsoft Azure and Amazon Web Services using geo-redundant, secure infrastructure.
Security & Compliance
We implement robust organisational and technical controls across the platform.
- Independent annual penetration testing
- API-level authorisation and logging
- NCSC principles followed
Staff Awareness & Controls
- All staff receive GDPR and security awareness training.
- Trickle is a fully remote company with strict device encryption and home workspace security protocols.
- Administrative access to production systems is tightly restricted to senior personnel based on role and operational necessity.
- Comprehensive audit logs and incident response plans are in place.
Supporting Data Subject Rights
As a Data Processor, we assist customers in fulfilling their responsibilities under GDPR. This includes:
- Right of access, rectification, erasure
- Support with subject access requests
- Tools for users to manage and update their own data
- Clear privacy notices and opt-in model
Transparency and User Control
- Employees choose whether to use Trickle and how their data is shared.
- Posts can be made anonymously.
- Privacy notices are clearly provided at onboarding and in-platform.
Contact
If you're a Trickle user with questions about how your data is processed, please contact your employer (the Data Controller). We also support data-related enquiries at [email protected].
The different ways we store personal data
When we work with our customers
What personal data do we collect, why do we collect it, and what legal basis do we rely on?
Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.
When you sign as a customer, we collect your company name, details of your primary contact and any other relevant key contacts, payment details, and a signature. The legal basis we rely on for this processing is Article 6(1)(b) of the GDPR - Contract.
To keep in touch with you and manage your account we use your key contact name, email address, phone number and company name. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.
To collect payments for our service we require your company name and address, key contact name, and VAT number. The legal basis we rely on for this processing is Article 6(1)(b) of the GDPR - Contract.
We may use call recording and note-taking software during our meetings, which we sometimes use for preparation and training purposes, and to gain insights so we can identify new business prospects and improve our services. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.
Where do we store it?
We use applications that store data in the UK or EEA GDPR zone, or countries deemed 'adequate' under GDPR. When we use an application that stores data outside of the UK (or EEA), we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.
How long do we keep it?
We will retain your personal data while you are a customer of ours and for up to 12 months after you leave, in line with our business needs. We keep financial data for a minimum of 6 years, in line with UK law.
When you book a demo or use our contact us form
What personal data do we collect, why do we collect it, and what legal basis do we rely on?
When you get in touch to book a demo, we ask for your name, email address, phone number, company name, company headcount, and we ask how you heard about us. We use this information to book a demo call with you and provide you with further information about our services. We record demo calls for training and reference purposes. The legal basis we rely on for this processing is Article 6(1)(f) of the GDPR - Legitimate Interest or Article 6(1)(a) of the GDPR - Consent.
Where do we store it?
We use a US-based Customer Relationship Management (CRM) and a US-based pop-up tool on our website to host our 'book a demo' form, collect your personal details, manage communications with you, and schedule calls. We use calendar, video call, recording and transcribing tools for meeting bookings. When we use an application that stores data outside of these zones, we will use appropriate measures to secure the transfer such as Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.
How long do we keep it for?
We'll retain your name and email address on a marketing list for 5 years from the date you last contacted us, in line with our retention schedule, unless you unsubscribe sooner. Anyone who unsubscribes will be transferred to our 'do not contact list'.
When we are onboarding users and managing the Platform on behalf of our customers
We are a Data Processor for users' personal data; hence, we only process this data as per instructions from the Customer. We support our customers in completing the necessary assessments and we rely on our customers to have obtained the necessary notices, lawful basis for processing or any other legal requirements.
What personal data do we process on behalf of our customers?
- Employee identifiers (e.g., names, employee IDs)
- Contact information (e.g., email addresses)
- Job-related information (e.g., role, department)
- Details of feedback, ideas or comments
- Any other data our customers choose to collect through the platform
If you are a user and have questions regarding how your personal data is being processed, please contact your employer or the organisation that provided you access to our platform.
Where do we store it?
Data within our platform is stored within the European Economic Area. If this position changes, we will use appropriate measures to secure the transfer, including the new US-UK Privacy Framework, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.
How long do we keep it?
We retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected and processed on behalf of our customers, in line with their instructions and our contractual obligations. At the end of a contract, or if instructed by our customers, we will securely delete or anonymise personal data in accordance with applicable data protection laws.
When we raise awareness during events, webinars, or using our healthcheck quiz
What personal data do we collect, why do we collect it, and what legal basis do we rely on?
We may collect your name, company name, phone number, and work email address. We may use call recording and note-taking software during our meetings for preparation, training, and to improve our services. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.
We may collect your office address to send you gifts or marketing materials. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest or Article 6(1)(a) of the GDPR - Consent.
Where do we store it?
We use applications that store data in the UK or EEA GDPR zone, or countries deemed 'adequate' under GDPR, with appropriate transfer safeguards where required.
How long do we keep it?
We'll retain your name, company name, phone number, and email address on a marketing list in line with our retention schedule unless you unsubscribe. Anyone who does not wish to be contacted will be transferred to our 'do not contact list'.
When you sign up to our newsletter
When you sign up to our newsletter, we collect your name, company name and email address. The legal basis we rely on for this processing is Article 6(1)(a) of the GDPR - Consent. We'll retain your name and email address for 5 years unless you unsubscribe sooner.
When you apply for a job with us
When you apply for a job with us, we will ask you for some information about yourself to manage the recruitment process, such as your name, contact details and CV. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interests. We keep your data during your interview process and remove it after 12 months, unless you are offered a role.
When you visit our website
See our cookies policy.
What are your rights?
Your personal data is yours and you have rights in relation to it granted by the UK GDPR, which include:
The right to be informed
You have the right to be informed about the collection and use of your personal data, the purposes for processing, the retention periods, and who it will be shared with.
The right of access
You have the right to ask us for copies of the data we hold about you and to receive confirmation of whether we are processing your personal information.
The right to object
You have the right to ask us to stop processing your personal information in some circumstances, such as where we rely on legitimate interests or for direct marketing purposes.
The right to rectification
You have the right to ask us to rectify inaccurate personal information or to complete information you think is incomplete.
The right to erasure
You have the right to ask us to erase your personal information in some circumstances, such as where we no longer need it or you withdraw your consent.
The right to restrict processing
You have the right to ask us to restrict the processing of your personal information for a period of time in some circumstances.
The right to data portability
You have the right to ask that we transfer the personal information you gave us to another organisation, or to someone else, in some circumstances.
You don't have to pay anything to exercise your rights. Please contact us at [email protected] if you wish to make a request; we have a calendar month to get back to you.
Who we share your personal data with
When acting as data controller, we might transfer your personal data if Trickle Data Insight Limited or its assets are acquired by or merged with another company. We may share your personal data during the fundraising process for venture capital and when we believe disclosure is necessary to comply with applicable law and legal processes or to enforce a contract with us.
When acting as a data processor, we only share users' personal data as per customers' instructions and when legally required.
How to contact us
We are Aptiq Works Limited (company number SC871412).
Email us at [email protected]
If you are not satisfied with our response or you are unhappy with how we have used your data, you can complain to the Information Commissioner's Office (ICO).
ICO Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO Website: www.ico.org.uk
This Data Processing Statement was last reviewed in November 2024.