1. Overview

This Privacy Protection Policy outlines the principles and guidelines that Creatio Limited and Creatio Consulting Limited ("Creatio") are committed to following when handling personal data, in compliance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

The policy applies to all employees, contractors, partners, and third parties who process personal data on behalf of Creatio Limited and Creatio Consulting Limited ("Creatio").

Looking after the personal information you share with us is very important to us, and we want you to be:

  • Aware of the data we collect on behalf of Creatio and/or our clients.
  • Confident that your personal data is kept safely and securely.
  • Aware of how we use the data we hold.
  • Aware of the options you have in relation to opting out of having your data stored.
  • Confident that Creatio considers compliance with GDPR legislation and requirements at the design stage when developing new services and/or features.

If we make changes to this policy, we will publish the latest version on our company website and our client facing helpdesk service (called Transform) and in the footer of each version of the creatiogreen solution we provide to clients.

2. Information we collect for clients and why and how it may be used

Creatio offers a software solution, primarily to various education companies, which we call creatiogreen (each client calls their version of the software solution by a specific/different name). We are considered the data "processor" and the client is the data "controller".

The creatiogreen software solution is delivered under a contractual agreement with each client and the client is responsible and leads on the configuration of the software to meet their business operations and needs and therefore decides the data they collect and which we then hold on their behalf. The data collected by each client is done so in accordance with their data needs and they process it in accordance with their own specific data processing policies and arrangements.

Therefore, if you have any queries about the data collected on a version of the creatiogreen software then please contact the client direct or contact Creatio (contact details are at the end of this policy) and we will provide you with their contact details where relevant. We are not responsible for their data usage, privacy, or security practices, which may be different to the arrangements outlined in this policy.

The law states organisations must have one or more of these reasons for collecting personal data and these are:

  • Consent - the individual has given clear consent to process their personal data for a specific purpose. As outlined below each client using the creatiogreen software can configure the consent features to reflect their own wording and approach including outlining how consent can be withdrawn.
  • Contract - personal information is processed to fulfil a contractual arrangement. Creatio has a contractual agreement with each client, and we hold and process data in line with their configuration decisions.
  • Legal obligation - the processing is necessary for some of our clients to comply with various legislation requirements that apply to their business and operations – in the main a lot of our clients are subject to clear regulatory requirements that apply to their sector(s).
  • Vital interests - the processing is necessary to protect someone's life. This reason is unlikely to apply to our clients.
  • Public task - the processing is necessary for our clients to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law. This reason may apply to some of our clients.
  • Legitimate interests - the processing is necessary for our client's legitimate interests or the legitimate interests of a third party they may use unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. Also, this is the main reason Creatio holds personal data such as in relation to our staff and/or client's staff and contacts (e.g., name and contact details).

The following table provides an indication of the typical data sets we hold for clients, staff and contractors and which are likely to contain personal data.

Main data sets we collect | Our reason for collecting this information (legal basis) | Client's possible use of the data – note this is a high-level summary of typical reasons we see/are aware of and you should contact each client for specific details on the way they may use the data they collect via the creatiogreen software

Main data set: User details entered as part of setting up or maintaining a User Account. As a minimum this contains first name, last name, and email address per User.

Some clients may configure their version of the creatiogreen software to hold photos, CVs, certificate details and other personal details per User type such as home address.

Legal basis: Fulfilling a contract requirement with our clients and a legitimate interest in delivering the creatiogreen software in accordance with the client's configuration requirements and needs.

Creatio does not use the data collected by our clients other than as part of the service we provide under the contract agreement with each client.

Client's possible use of the data: As with most software solutions a User must be registered before they can use and access the system.

Each client can configure the fields and therefore the data they collect per User type and for assigning the relevant access rights in accordance with their business arrangements.

Also, each client can add a clear 'consent' related statement/field which Users should accept and agree to upon creating a User account – again the inclusion or not of this field and its wording is decided by each client.

Main data set: Customer/organisation details – including contacts, staff, and other business premises (e.g., sites).

Some clients may configure their version of the creatiogreen software to hold photos, CVs, certificate details and other personal details per record type.

Legal basis: Fulfilling a contract requirement with our clients and a legitimate interest in delivering the creatiogreen software in accordance with the client's configuration requirements and needs.

Creatio does not use the data collected by our clients other than as part of the service we provide under the contract agreement with each client.

Client's possible use of the data: The creatiogreen software can be configured to capture details for our clients in relation to their customers and their associated organisations and companies – including their key contacts, staff details and other venues. All these record types have the potential to contain personal details.

Each client can configure the fields and therefore the data they collect per record type, and can add a clear 'consent' statement/field which Users should accept and agree to upon creating a User account – again the inclusion or not of this field and its wording is decided by each client.

You would need to contact the relevant client to obtain the reason they collect the information they do, what they may do with the data once collected, and how it is used with third-party systems they have asked us to interface/exchange data with under their agreement with us.

Main data set: Learner details – including name, age, gender and possibly home and contact details and national learner number identifier details. Also details of the qualifications they have achieved/been registered against and details of the grades/outcomes of their education activities.

Some clients may configure their version of the creatiogreen software to hold photos and other personal details.

Legal basis: Fulfilling a contract requirement with our clients and a legitimate interest in delivering the creatiogreen software in accordance with the client's configuration requirements and needs.

Creatio does not use the data collected by our clients other than as part of the service we provide under the contract agreement with each client.

Client's possible use of the data: The creatiogreen software supports various education bodies and depending on the modules they use within the software it can capture details of learners registered with our clients in relation to the qualifications and products they offer.

Each client can configure the fields associated with learners and can add a clear 'consent' statement/field in relation to the learner records – again the inclusion or not of this field and its wording is decided by each client.

You would need to contact the relevant client to obtain the reason they collect the information they do, what they may do with the data once collected, and how it is used with third-party systems they have asked us to interface/exchange data with under their agreement with us.

Main data set: Information that may be provided when completing a business process outlined by our clients and which is supported by the creatiogreen software – such as giving information or details when completing a client's online form or log in the software solution.

This may also include additional files you may upload when addressing requirements outlined by the client in the Form(s), or comments Users may make in the Form(s) or pass in relation to information exchanged with the client organisation. This may include information or comments provided in relation to other staff, colleagues, Users or learners at your organisation – such as comments in relation to grading information or performance.

Legal basis: Fulfilling a contract requirement with our clients and a legitimate interest in delivering the creatiogreen software in accordance with the client's configuration requirements and needs.

Creatio does not use the data collected by our clients other than as part of the service we provide under the contract agreement with each client.

Client's possible use of the data: The creatiogreen software is a very flexible and configurable software solution which can be configured differently by different clients to support their operations and business processes, with clients specifying the scope of the system and the content and configuration of each form, log and product and other record templates in the system.

In relation to information entered in the creatiogreen software via forms or onscreen fields there are various reports in the system that will extract this data for the client – for Users they have authorised with such access rights.

Equally clients can configure forms to automatically update a customer's profile at the end of a transaction (e.g., automated processing).

You would need to contact the relevant client to obtain the reason they collect the information they do, what they may do with the data once collected, and how it is used with third-party systems they have asked us to interface/exchange data with under their agreement with us, as well as to understand any automated decision processes they make with the data held in the system.

3. Information we collect and why and how it may be used

In relation to Creatio and the data we collect and hold for our business purposes, it is important to note we are not interested in collecting every piece of personal information and we do not make any automated decisions with the data we hold. Our main reason for collecting personal information is to provide and improve the service, products, and experiences that our staff and customers expect from us.

We hold personal details in relation to our staff for our legitimate business interests and activities and to comply with various legislation.

We collect personal information that you share with us when you contact us or interact with us through our website, email, phone, in person at meetings, stands and events, or other similar interactions. For example, you will provide information to us when you contact us and/or our staff, invite us to tender for a contract, place an order, complete a survey, competition, or questionnaire, update your preferences and account information, or connect with us through our websites.

Through these interactions you may share with us: your name, address, e-mail address, contact number and company payment information. In some circumstances, we will need that information to be able to provide you with a product or service that you have asked us to deliver. For example, we need payment information when your organisation buys the creatiogreen software or consultancy service, and your address to meet you and your staff/colleagues to deliver the service. Or we need your details and/or those of your colleagues/staff to manage our relationship with you or your business or to develop new ways to meet our customers' needs and to grow our business and yours.

If you share details of other people with us (for example, your staff/colleagues), then you will need to check with that person that they are happy for you to share their personal information with us, and for us to use it in accordance with this privacy policy.

As well as the personal information you share with us about yourself via the creatiogreen software or our websites, we will collect and handle personal information related to you. For example, some named (e.g., User details) and anonymous, aggregate statistics from all visitors to our sites whether you actively provide us with that information or merely browse our websites or use our apps. The information we collect may include (how much of this information we collect depends on the type and settings of the device you use to access the creatiogreen software or our websites):

  • The internet protocol (IP) address of the device you are using.
  • The browser software you use.
  • The device you use (e.g., computer, phone, tablet).
  • Your operating system.
  • The date and time of access.
  • The internet address of the website from which you link through to our creatiogreen software/website(s).
  • Information on how you use our creatiogreen software and website(s) and the activities you undertook.
  • Crash data if an error occurred.

We collect and review data in relation to:

  • Our company websites so we can see how well our websites are working, how they are used and what users look at and importantly to respond to enquiries.
  • The creatiogreen software to better understand the conditions in which our creatiogreen software is used/accessed to:
    • Help us deliver on our contract obligations with our clients (e.g., they need your details to support their business activities).
    • Help us to optimise the performance of the system and services we offer.
    • Maintain network and data security.
    • Deal with and fix bugs or to contact Users direct if a bug/issue has been reported and we need to understand the task they tried to undertake.
    • Review the usage of various parts of the software to inform future enhancements and upgrades to the software and service.
    • Prevent, detect, or investigate fraudulent activity or inappropriate and offensive use or behaviour and to identify violations of service policies.
    • Support – where required by law or where we believe it is necessary to protect our legal rights, interests, and the interests of others - use information about you in connection with legal claims, compliance, regulatory, and audit functions, and appropriate and legal disclosure requests. We reserve the right to disclose your personal information in such circumstances to protect our rights.

We collect Users' first name, surname, and contact details via our client helpdesk to:

  • Support the delivery of our services.
  • Respond to queries/requests.
  • Notify clients about enhancements to our services, such as via our regular software updates.
  • Contact Users to undertake customer satisfaction surveys or invite them to provide product reviews or to inform market research activities.

We have CCTV installed at our offices and have signs to inform guests of these arrangements.

We may interact with you on social media. You may use social media to contact us about our creatiogreen software and services. We review publicly available social media and online sites to get a better understanding of what people are saying about us, and our products, technology, and services and to assist people who contact us through social media. The information we collect from social media and online sites sometimes includes personal information that has been put online and is publicly available. We make sure any information we use is done so in accordance with the arrangements in this policy and either properly credited to its source or is made anonymous. These online and social media sites typically have their own privacy policies explaining how they use and share personal information.

We hold details of non-client personnel if they have provided us with their details to discuss possible future work together or have indicated they wish to be kept up to date with developments at Creatio and the services we offer.

We like to keep Users, clients and prospects and sector stakeholders updated on our latest product announcements, opportunities or upcoming events and would do this in various ways, including e-mail, post, SMS, social media platforms or by phone, but only if they are happy for us to do so. We therefore promise to:

  • Only send you marketing communications when you have told us it is ok to do so.
  • Never pass your personal information to anyone outside Creatio for them to use for their own marketing purposes unless you have given us your consent to do so.
  • Give you the option to stop receiving support or marketing communications at any time.

In relation to the data we hold for Creatio for our own business purposes and activities, you can contact us direct if you wish to remove your consent and no longer want us to hold your personal contact data (our contact details are at the end of this policy).

4. AI Chatbot – Privacy Notice

We've added an AI-powered chatbot to help you work faster inside our application. You can use it to:

  • Summarise information already in the system
  • Help complete forms with suggested text
  • Get quick answers about using the platform

How it works

The chatbot runs on Microsoft's Azure OpenAI Service, hosted in secure UK/EEA data centres. When you use the chatbot, your question and any necessary context are sent securely to Azure OpenAI. The AI model processes your request and sends the answer back to you.

Your data

  • What we send: Only the text you type and the relevant information needed for your request. We've designed the chatbot so sensitive personal information (e.g. health, financial, or identifying data) is not sent.
  • Security: All data is encrypted in transit.
  • Storage: We don't keep a permanent copy of your conversation. Azure OpenAI does not use your data to train its models.
  • Accuracy: The chatbot may occasionally be wrong or incomplete. Please double-check important information before using it.

Your choice

Using the chatbot is optional. You can still complete all tasks in the application without it.

5. Use of Cookies

The creatiogreen system and company website(s) use cookies to collect and store certain information. These typically involve pieces of information or code that a website transfers to or accesses from your computer hard drive or mobile device to store and sometimes track information about you. Cookies allow us to create a unique device ID to enable you to be remembered when using that computer or device to interact with websites and online services and can be used to distinguish Users and manage a range of features and content, including storing searches and presenting personalised content to improve your experience.

It is important to note that most cookies we use expire when you close your browser or log out of the system. Others are used to remember you when you return to our system and will last for longer. We use these cookies on the basis that they are necessary for the performance of a contract with our clients, or because using them is in our legitimate interests (where we have considered that these are not overridden by your rights), and, in some cases, where required by law, where you have consented to their use.

We use the following types of cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our creatiogreen system and website(s). They include, for example, cookies that enable you to log into secure areas of our website.
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our creatiogreen system and website(s) when they are using it. This helps us for our legitimate interests of improving the way they work, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies. These are used to recognise you when you return to our creatiogreen system. This enables us to personalise content relevant to your User permissions.

Most web browsers automatically accept cookies, but if you prefer, you can change your browser to prevent that as outlined below. The effect of disabling cookies depends on which cookies you disable but, in general, our creatiogreen system will not operate properly if all cookies are switched off.

If you want to disable cookies, you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:

For Google Chrome:

  • Choose Settings > Advanced
  • Under "Privacy and security," click "Content settings".
  • Click "Cookies"

For Safari:

  • Choose Preferences > Privacy
  • Click on "Remove all Website Data"

For Mozilla Firefox:

  • Choose the menu "tools" then "Options"
  • Click on the icon "privacy"
  • Find the menu "cookie" and select the relevant options

For Opera 6.0 and further:

  • Choose the menu "Files" > "Preferences"
  • Privacy

6. Who do we share your personal info with?

We may share your personal information with companies that support our clients if the clients require us to interface or exchange data with them in accordance with the scope of the contractual agreement with Creatio to meet their business needs or data portability arrangements. You should therefore contact the client direct to understand the data they have requested to be shared and what they may do with this data (also note it is our client's responsibility to make it clear in their consent text and/or privacy policies how data you provide is used across different systems they use for their business purposes). Examples of other organisations/systems with whom such data may be shared:

  • Companies that provide financial software to our clients.
  • Companies that provide examination or e-portfolio systems to our clients.
  • Companies that provide certification, print and marketing materials to our clients.
  • Government bodies that require information from our clients (e.g., for regulatory reasons).
  • Clients' in-house systems to hold or process data they extract from the creatiogreen software and system.
  • Police and/or regulatory bodies to support a client involved in significant malpractice investigations.

Please note, the above type of organisations and systems have their own privacy policies explaining how they use and share your personal information. You should review those privacy policies to understand how your personal information is being used.

In relation to data Creatio holds for its own business purposes we do not share this with external parties with the exception of:

  • Government or pension bodies in relation to details we hold on our staff such as HM Revenue & Customs.
  • Other companies where you have given us permission to share the data/make an introduction (e.g., to another company/IT supplier in the sector who may be able to help you or your organisation).

All the data captured on:

  • creatiogreen software and system is hosted and stored in the UK through our hosting supplier.
  • Our company websites are hosted and stored on our website provider's servers in the European Economic Area ('EEA').
  • We use Gmail to support our corporate email arrangements.
  • The creatiogreen system sends system alert emails via UK servers only. Email servers retain only message header information, and the message information is not retained for more than 7 days.

7. How long do we keep your personal information?

For Users of the creatiogreen software and system we only keep your personal information for as long as we need to honour our contract obligations with the client and use it for the reasons given in this privacy policy, and for as long as we are required to keep it by law. At the end of the agreement, we remove all personal details when we close the client's version of creatiogreen. However, there may be times where we hold the data for slightly longer if we need this information to establish, bring or defend legal claims (note in such circumstances we anticipate not using personal data but simply the details around the total number of Users, customers, transactions, and types of transactions undertaken in creatiogreen software and system).

For Creatio staff members we hold personal details for our business purposes for 5 years after a staff member has left our organisation.

For Users of our website(s) we only keep the details you provided to respond to your online enquiry and if this does not lead to a new contract, we delete the details within 5 years or earlier if you contact us to remove the personal data we hold.

8. Your rights

In addition to the right to be informed (in a transparent manner that your data is being collected and used - and which we have outlined in this policy), under the new GDPR legislation you have certain other rights:

  • Subject Access Request (SAR) – to request access to your personal information and information about how it is processed/used.
  • Right to data portability - this gives individuals the right to the personal data they have provided to a data controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller if relevant.

In relation to data we process on behalf of a client in the creatiogreen software and system, you will need to contact the client to understand the data they collect and how they use and process it (as each client can configure the software to meet their own specific needs as outlined earlier in this policy) and how it is shared with other organisations or systems. They are also able to provide you a copy of the personal data they hold on you (e.g., should you request details of your account information and any other relevant records they may hold on you).

In relation to personal data we may hold on you, you can contact us and we will inform you of the personal data we hold and how we have processed/used this data. If you are a User of our helpdesk service, you can see and modify the personal data we would hold. If you submit a request via our website(s) you decide on the amount of information you provide us, but again we can provide you with details of this if required.

  • Right to rectification – to have your personal information corrected if it is inaccurate and to have incomplete personal information completed.

In relation to data a client may process in the creatiogreen software and system you will need to contact the client to correct inaccurate or incomplete personal information concerning you in our software and in other systems they use, and which may have your data.

In relation to personal data we may hold on you, you can contact us to amend our records if you believe it is incorrect. If you are a User of our helpdesk service, you can see and modify the personal data we would hold.

  • Right to erasure (also known as the Right to be Forgotten) – to have your personal information erased.

In relation to data a client may process in the creatiogreen software and system you will need to contact the client to request your data is deleted or forgotten. If the request should be actioned, they can do this themselves in various parts of the system, but if the data is locked as part of an audit trail feature, they can contact Creatio and request us to remove your personal data direct in our databases. The client is also responsible for informing other organisations which they have shared the information with (e.g., through an interface or data feed from our system) and for ensuring the request is acted upon in the other systems where relevant.

In relation to personal data we may hold on you, you can contact us to delete personal information we may hold on you and we will act upon this request where the request is relevant. This may not be possible in all circumstances as outlined in the legislation, such as where we need to hold it to comply with a legal obligation or to establish or defend legal claims.

  • Right to restriction of processing – to restrict processing of your personal information in certain circumstances, such as: you contest the accuracy of your personal data or the accuracy of the data needs to be verified; the data has been unlawfully processed (i.e., in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead; the personal data is no longer needed for an immediate purpose but needs to be kept in order to establish, exercise or defend a legal claim; or you object to the processing of your data under Article 21(1), and this request is under consideration. Note organisations have the right to charge a reasonable fee to act upon such requests if relevant (e.g., the request is manifestly unfounded or excessive).

In relation to data a client may process in the creatiogreen software and system you will need to contact the client if you want to restrict how they use your data. They have the ability in the system to edit your profile or configure the solution to alter the way information is collected and used. They will need to consider your request and decide how to action or reject it in accordance with their business needs and purposes and in line with their data privacy arrangements. The client is also responsible for informing other organisations which they have shared the information with (e.g., through an interface or data feed from our system) and for ensuring the request is acted upon in the other systems where relevant.

In relation to personal data we may hold on you, you can contact us to restrict how we use the personal data we may hold on you and we will act upon this request where the request is relevant.

  • Right to object - to object to processing of your personal information in certain circumstances and if you can provide a compelling reason to do so (e.g., if used for direct marketing and you no longer want to receive such information). For example, if the personal data is no longer necessary for the purpose which it was originally collected or processed for; you have withdrawn consent for the data to be held/used; there is no overriding legitimate interest to continue processing the data; or it has been processed unlawfully or needs to be deleted to comply with a legal obligation.

In relation to data a client may process in the creatiogreen software and system you will need to contact the client if you want to object to how they use your data both within their company and with other organisations they share the data with or to change the consent you originally provided.

In relation to personal data we may hold on you, you can contact us if you want us to no longer use the data for marketing purposes and we will act upon this request (e.g., you opt out of receiving future updates).

  • Rights with regard to automated individual decision making, including profiling – the right to know how automated decision making, including profiling, is carried out with your data, if it is used.

In relation to data a client may process in the creatiogreen software and system, you will need to contact the client if you want to understand whether they undertake any automated decision making or profiling based on the data you provide them.

In relation to personal data we may hold on you, we do not undertake any automated decision making or profiling.

9. Security

The security of your personal information is important to us and we implement a range of measures to protect your data as best as we can. However, as you are aware, no method of transmission over the Internet, or method of electronic storage, is 100% secure, and Users may not robustly protect their passwords or may use unsecure networks. Therefore, we cannot guarantee the absolute security of your personal information. If you have any questions about security, then please contact us (details at the end of this policy).

Some of the controls we have in place include:

  • When you enter information in the creatiogreen software and system, we encrypt the transmission of that information using Secure Sockets Layer (SSL) technology.
  • We use a very reputable hosting provider – iomart – with a range of security arrangements in place (https://www.iomart.com/about-us/) and our databases are being encrypted to provide an even stronger level of security.
  • We and our hosting provider use various software to detect and prevent suspected malicious activity.
  • We follow software development good practices to protect the personal information submitted to us, both during transmission and once we receive it. Access to the system is controlled by a robust authentication and authorisation system.
  • We have ISO27001 accreditation status (the internationally renowned IT security standard). Our auditors are BSI, and we are subject to audits throughout the year to review our approach to data security.
  • We commission an independent CREST-registered company every year to undertake a penetration test of the creatiogreen software and system to help us continually review and enhance our security arrangements.

10. How to make a complaint

You have the right to lodge a complaint with a data protection regulator - the Information Commissioner's Office (ICO), the data protection regulator in the UK (www.ico.org.uk).

However, we encourage you to contact us first before making any complaint and we will seek to resolve any issues or concerns you may have. Our contact details are below.

11. Policy review arrangements

We will review the policy annually and revise it as and when necessary, in response to feedback, changes in our practices or changes to relevant legislation.

If we make changes to this notice, we will publish the latest version on our company websites and our client facing helpdesk service (called Transform) and in the footer of each version of the creatiogreen solution we provide to clients.

12. Contact details

Should you wish to speak to us about the arrangements outlined in this policy then please email us at info@creatio.org.uk and a relevant member of our team will get back to you.

Document Information:
Title: Creatio Privacy Protection Policy
Version & Status: 11.0 Final
Date of Issue: 2nd August 2024
Author: Rose Ahmed
Confidentiality: Protected document/Internal access only

Copyright in this document remains vested in Creatio Ltd. All rights reserved. The information within this document is not intended for any public circulation nor to be referenced in full or part in any public communication without the prior consent and approval of Creatio. The contents, features and services outlined and referenced within are confidential and must not be disclosed to other competing, or potentially competing, companies and should not be reverse engineered. To do either would be a breach of Copyright and/or IPR and would result in the matter being referred to our legal representatives to take forward accordingly.