Privacy policy
Fusions PIM Limited (’Fusions’) only have customer contracts with businesses, not individuals
Privacy
We balance security, business needs, usability and legal regulations — such as the EU’s General Data Protection Regulation (GDPR) — to respect the privacy of individuals who interact with our company/software via our customers.
Our website (www.fusionspim.com) doesn’t use cookies, but our software (typically customer-id.fusionspim.com) does — in order to function and be secure.
Data Processor
We help our customers meet their legal obligations where they use Fusions software as a data processor of their user accounts, which are made up of:
- First and last name
- Email address (expected to be owned by the customer, not the individual)
- Password (securely hashed)
- IP address at login (expected to be owned by the customer, not the individual)
Customers may (at any time) use the software to:
- Correct the name and email address for a user
- Delete a user’s details (providing this would not leave audit trail data incomplete)
- Redact the name and email address for a user (if deleting is not an option)
- Opt-in/out users to receive non-marketing email alerts (sent automatically when significant errors or issues occur)
Since ‘an employer does not need consent to use your work email address’, we do not gather explicit consent for email alerts, or other system/transactional emails such as password resets.
Users (individuals) may (at any time) use the software to:
- View their name and email address (with guidance on amending)
- Amend their password
- Opt-in/out to email alert notifications
As data processors, we do not provide users with direct access to view/export data associated with their account. Our customers, as data controllers, are expected to consider any such request and instruct Fusions via standard support mechanisms.
User data (including prior to amending/deleting) will be retained in backups until automated expiry policies delete the data permanently.
Data Controller
To do business with our customers, we are a data controller for limited information relating to their employees and suppliers, including:
- Analytics — names, email addresses, web browsers, IP addresses, click history and screenshots are mandatorily and automatically captured while using our software (and our website, but without names or email addresses) and retained for one month (to aid with support queries)
- Communications — email and GitHub/Jira/Slack discussions are retained indefinitely
- Holidays and birthdays — key customer employees may be invited to share their personal holiday calendar to help manage support needs (this invite may be declined and entering a birthday is optional) and this calendar will be retained indefinitely
- Internal notes — these are necessary to ensure a record of decisions and agreements is accurately maintained (retained indefinitely)
- Invoices and billing information — to satisfy legal requirements (retained indefinitely)
- Newsletters — we do not currently send marketing emails or newsletters
- Social media — we only use X (formerly Twitter), and any individuals we follow can manage the privacy of their own account
Subprocessors
A subprocessor is a third-party data processor engaged by Fusions which has access to personal data. We provide notice of any new subprocessor by posting such updates here, so please check back frequently.
Fusions use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors. The adequacy of each subprocessor used is demonstrated in the notes beside each entity listed:
- AWS — GDPR, ISO 27001 and Privacy Shield
- Dropbox — GDPR
- Fortrabbit — GDPR and Privacy
- FreeAgent — GDPR
- GitHub — Privacy Shield
- Google — GDPR, ISO 27001 and Privacy Shield
- Hotjar — Commitment to the GDPR
- JAM — Privacy
- Jira — GDPR and Privacy Shield
- MailPace — DPA
- Mezmo — DPA
- PC2Paper — Privacy
- PingPing — Privacy
- ScaleGrid — Privacy and Subprocessors
- Slack — GDPR and Privacy Shield
- Timetastic — GDPR
Queries
Please direct any queries to privacy@fusionspim.com. Fusions is not required under GDPR to have a Data Processing Officer.