Privacy Policy

This privacy policy provides information about our use of personal data that we collect from you when you visit any of our websites or portals.

This privacy policy provides information about our use of personal data that we collect from you when you visit (our Website), when you use our contract management and procurement solutions portal (our Portal) and when you contact us. Our Website and our Portal are referred to collectively in this privacy policy as our Platforms. It also sets out information about your rights in respect of your personal data and how to contact us. We last updated this privacy policy on 18 May 2018.

We, Curtis Fitch Limited, are committed to protecting your privacy and personal data. We provide contract management and procurement solutions known as the CF Suite (Software Products) which are accessible via our Portal.

Our legal status under UK data protection law is that of a controller for personal data we collect from you when you browse our Website, contact us, or create an account with us. A controller is a legal term used in data protection legislation to signify the person who controls what to do with any given personal data. As data controller we have registered with the Information Commissioner’s Office and our registration number is ZA087042.

However, we do not always act as a controller. If a person or company becomes a customer of ours by signing up for or purchasing one or more of our Software Products and uses our Software Products (via our Portal) to input or process personal data or material containing personal data (or asks its employees and business contacts to input personal data via our Portal), we simply use that personal data in accordance with that customers’ instructions and as is necessary to provide our Software Products to them. For personal data processed by us via our Portal, our status under UK data protection law is that of a processor. We are processing personal data on behalf of the customer of our Software Products.

If you are invited to use our Software Products by a company or person that is a customer of ours (for example, if you are a supplier or bidder or an employee of one of our Software Product customers and your are invited to sign into a Portal hosted or ‘powered by’ us), that company or person is the controller of any personal data you submit or input to our Portal. They will be responsible for giving you information about how they will use that personal data and if you have any questions about their use of your personal data (or personal data you submit) you should contact them directly. Their own privacy policies will apply to any personal data you input via our Portal and if you wish to exercise your rights under data protection law, you should contact them directly.

To contact us about our use of your personal data please use the details set out below.

Changes To This Privacy Policy

We may occasionally update this privacy policy. When we do, we will revise the “last updated” date at the top of this privacy policy and we will take reasonable steps to make you aware of any material changes to it. We also recommended that you revisit this page regularly to keep informed of our current privacy practices.

Collection of Information

The personal data we collect from you includes personal data you provide to us directly (for example by submitting an enquiry via our ‘Contact’ page) which may include your:

  • full name;
  • email address;
  • phone number;
  • address;

Not all of this information is mandatory, but if you do not provide information which we request from you, this may prevent us being able to provide our service to you.

We may also observe your use of our Platforms and derive certain information from this, for example through our use of cookies. Please see our cookie policy for more information.We might also collect details of your interactions with us through online or by using one of our apps.

For example, we collect notes from our conversations with you, details of any complaints or comments you make, details of purchases you made, web pages you visit and how and when you contact us.
• Details of your visits to our websites or apps, and which site you came from to ours.
• Information gathered by the use of cookies in your web browser.
• To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered.
• Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.

How Is Your Personal Data Used?

Under data protection legislation we must have at least one lawful basis for each use of personal data. The reasons we use your personal data and the lawful bases we rely on to do so are as follows and as set out in the table below.

Where we have to collect personal data from you and/or use it in order to provide services under the performance of the contract we have with you, or which you have with our customers, our lawful basis is processing necessary for the performance of a contract with you (necessary for a contract).
Where our use of your personal data is a benefit to us or a third party and it does not cause you unjustified harm, our lawful basis is processing necessary for our (or a third party’s) legitimate interests (legitimate interests). You can learn about your right to object, in certain circumstances, to us continuing to use your personal data for this purpose
Where we ask for your permission to use your personal data in a certain way or you make clear by a positive action that you are agreeing to the use of your personal data for a particular purpose our lawful basis is consent (consent). If we request your consent and you do not give it, we will not use your personal data in that way. You have the right to withdraw any consent that you have given at any time. You can do that by contacting us, or by any other method we inform you of in this privacy policy or when we seek your consent.

PurposeLawful basis
To provide you with personalised visits to our Platforms.Legitimate interests (of us, to provide a more a more engaging user experience).
To provide you with our services which you have signed up for.Necessary for a contract.
To recommend goods, services or promotions which may be of interest to you.Legitimate interests (sending our customers marketing is a commercial benefit to us and helps our customers keep up to date with other products they may be interested in). Our customers always have the right to opt-out of our use of their personal data for direct marketing purposes. This can be done for example by way of an unsubscribe link on marketing emails)
To develop our offers and the layout of our Platforms to ensure that they are as useful and enjoyable as possible.Legitimate interests (of us, so we can make our services as user-friendly as possible and offer products and services which match demand).
To communicate with you and answer your questions when you contact us.Necessary for a contract and legitimate interests (of us and you to ensure good customer service).
To benefit from the services and expertise of third party service providers.Legitimate interests (of us, for service efficiency and our users, so they experience a good quality of service).

In addition we will also use your information when we are required to do so by law. Where that is the case, our lawful basis is processing necessary for us to comply with a legal obligation that we are under.

For personal data inputted to our Portal, we simply act on our customers’ instructions and we process this personal data in order to provide our Software Products to them. They will have their own lawful bases for instructing us to process that personal data and you should contact them directly for more information on what lawful bases they rely on.

Here’s how we’ll use your personal data and why:

To respond to your queries or complaints. Handling the information you sent enables us to respond. We may also keep a record of these to inform any future communication with us and to demonstrate how we communicated with you throughout. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing you with the best service and understanding how we can improve our service based on your experience.

• To protect our business and your account from fraud and other illegal activities. This includes using your personal data to maintain, update and safeguard your account. We’ll also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We’ll do all of this as part of our legitimate interest.

• With your consent, we will use your personal data, preferences and details of your transactions to keep you informed by email, web, text, telephone about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on.
Of course, you are free to opt out of hearing from us by any of these channels at any time.

• To send you communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Notice, product recall notices, and legally required information relating to your orders. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.

• To display the most interesting content to you on our websites or apps, we’ll use data we hold about your favourite products, title topics and so on. We do so on the basis of your consent to receive app notifications and/or for our website to place cookies or similar technology on your device.
For example, we might offer you content recommendations based on the content you previously accessed and any other data you’ve shared with us.

• To administer any of our competitions which you enter, based on your consent given at the time of entering.

• To develop, test and improve the systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests.
For example, we’ll record your browser’s Session ID to help us understand more when you leave us online feedback about any problems you’re having.

• To comply with our contractual or legal obligations to share data with law enforcement.
For example, when a court order is submitted to share data with law enforcement agencies or a court of law

• To send you survey and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our products or services more relevant to you.
Of course, you are free to opt out of receiving these requests from us at any time by updating your preferences in your online account.

• To build a rich picture of who you are and what you like, and to inform our business decisions, we’ll combine data captured from across the third parties and data from publicly-available lists as we have described in the section ‘What Sort of Personal Data do we collect?’ We’ll do this on the basis of our legitimate business interest.
For example, by combining this data, this will help us personalise your experience and decide which content to share with you.

Combining your data for personalised direct marketing

We want to bring you products and content that are most relevant to your interests at particular times. To help us form a better, overall understanding of you as a customer, we combine your personal data gathered as described above, for example your browsing history.

With whom is your personal data shared?

We may disclose your personal data to our authorised payment provider, in order to take payment for our Software Products.

We may disclose personal data to service providers who may need to process personal data on our behalf (and in accordance with our instructions) in order to provide those services. Currently, we use third parties to provide data hosting services, data storage and customer helpdesk services. We may disclose depersonalised data (such as aggregated statistics) about the users of our Platforms in order to describe our sales, customers, traffic patterns and other site information to prospective partners, advertisers, investors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifying information.

We may occasionally be required by law, court order or governmental authority to disclose certain types of personal data. Examples of the type of situation where this would occur would be:

  • in the administration of justice; or
  • where we have to defend ourselves legally.

Finally, in the event of a reorganisation, sale or takeover we may need to disclose personal information to new entities within the group or potential acquirers and their advisers.To help personalise your journey through our website we currently use the following companies, who will process your personal data as part of their contracts with us:

  • LinkedIn
  • Twitter
  • Facebook
  • Google
  • HubSpot
  • Pingdom
  • Intercom
  • MailChimp
  • Rackspace
  • Mailgun
  • Fullstory
  • Zendesk
  • Referral Hero

The Requirements of Data Protection Laws

We regard the lawful and correct treatment of your personal data by us as very important to our successful operation, and to maintaining confidence between us and our users. We ensure that our organisation treats personal data lawfully and correctly. To this end we fully endorse and adhere to our obligations under data protection legislation. In particular:

  • we will not use your personal data for any purpose that is incompatible with this privacy policy;
  • we will only collect sufficient personal data for the uses set out above;
  • we will endeavour to keep your personal data up-to-date;
  • we will not retain your personal data longer than necessary unless required to do so by law;
  • we will operate appropriate technical and organisational processes to protect your personal data against unauthorised or unlawful access or processing and against accidental loss or destruction. The measures we take are described elsewhere in this privacy policy; and
  • we will not transfer your personal data to a country outside the European Economic Area (EEA) unless safeguards are in place to protect your personal data to the standards that apply within the EEA, as explained below.

Transferring your personal data outside the EEA

Some service providers acting our behalf (such as data storage providers and our helpdesk services providers operate outside the EEA, currently in the USA. We may need to transfer personal data to them in connection with the provision of their services.

If personal data is transferred outside the EEA there is a risk that it will not be protected to an equivalent standard as in this country. So, before transferring your personal data we will put in place measures to ensure your personal data is protected to an equivalent standard. We will usually do this by standard contractual clauses or by a scheme approved by our data protection regulator as providing adequate protection (such as a scheme known as Privacy Shield, for transfers to US companies).

Use of Cookies

We use cookies on our Platforms in accordance with our cookie policy.


We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use, or disclosure.

For example, we store the personal data you provide on computer systems with limited access that are located in facilities to which access is limited.

It is your responsibility to ensure the security of your password and not to reveal this information to others.

Access to your personal data is password-protected.

Your Rights

Under certain circumstances, by law, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground and where we do not have compelling legitimate interests to override such objection. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you are a user of our Portal, if you wish to exercise your rights, in the first instance you should contact the business which invited you use our Portal.

If you are user of our Website and wish to exercise your rights, please use our contact details below.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. We (or our customers) may take steps to verify your identity before providing you access to your personal data or may ask that you clarify your request.

Please be aware that the rights above are not absolute and there may be circumstances where we (or our customers) are unable to comply with your request, or only able to comply with it in part.

How long we keep your personal data

We will retain your personal data for the period necessary to fulfil the purposes outlined in this privacy policy unless a longer retention period is required or permitted by law. Accordingly, your personal data shall be maintained for up to seven years following the end of the services we provide to you / your last contact with us. This retention period may be extended if any applicable statutory or regulatory obligation requires us to hold information for a longer period. We will endeavour to delete any personal data sooner where it is not necessary for us to hold this.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

For personal data submitted via our Portal that we process on behalf of a customer, we will hold that personal data for the period our customer instruct us to and return or delete it at the end of our agreement with them.

Help us keep your details up to date

You can help us to maintain the accuracy of your information by notifying us of any change.

Children’s Information

We do not knowingly collect information from children and we do not target or direct our Platforms to children.

Links To Other Services

Our Platforms may contain links to other services. While we try to link only to services that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by operators of those other services. We encourage you to carefully review those services’ own privacy policies so that you know how they will collect, use, and share your information.

How To Contact Us

If you have questions regarding this privacy policy or our handling of your personal data, please contact us by emailing Alternatively you can write to Data Protection, Curtis Fitch Ltd, Formal House, 60 St Georges Place, Cheltenham, Gloucestershire, GL50 3PN. We will promptly address your concern and strive to reach a satisfactory resolution.

If you have any concerns about how we use your personal data, we ask that you contact us in the first instance using the contact details above. We’ll do our best to resolve the matter. However, you do also have the right to