IMP Software Ltd (“we” or “us”) is committed to protecting and respecting your personal data and privacy.

We provide a suite of software products for schools and Multi Academy Trusts, including IMP Planner, IMP ICFP, and IMP Finance (together, “our services”). We act as a data processor under contracts with our customers, who are the data controllers in respect of the personal data they input into our services.

This privacy notice explains how we collect and use personal data when you use our services, enquire about or purchase our services, apply to work for us, or otherwise interact with us. It applies across all IMP Software Ltd products and services, including those to be launched in the future.

Our services are not intended for children under the age of 18 and we do not knowingly collect data relating to children.

Whenever you provide personal data, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal data in force from time to time in the UK, including the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Data Protection Act 2018, and the UK GDPR, each as applied or varied by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations (together, “Data Protection Laws”).

This privacy notice forms part of our terms of business and is not intended to override them. This notice may be amended or updated from time to time and any revisions will be posted to our website, so please check back regularly.

1. For the purposes of the Data Protection Laws, the data controller is IMP Software Ltd. We are a private limited company registered in England and Wales under company number 11843421. Our registered office is at c/o Bishops Fleming, Brook House, Manor Drive, Clyst St. Mary, Exeter, United Kingdom, EX5 1GD.
2. If you want to request more information about our privacy practices or exercise any of your data protection rights, please contact our Data Protection Officer:
   
   

   FAO:	Zanna Patchett, Data Protection Officer
   Organisation:	IMP Software Ltd
   Address:	c/o Bishops Fleming, Brook House, Manor Drive, Clyst St. Mary, Exeter, EX5 1GD
   Email:	zanna.patchett@impsoftware.co.uk
   Telephone:	01392 573620

3. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

1. We collect and process personal data. Depending on your relationship with us, the personal data we collect and process may include:
   1. Identity Data: first name, last name, title, job title, date of birth, gender, and images.
   2. Contact Data: billing address, email addresses, and telephone numbers.
   3. Technical Data: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our services.
   4. Profile Data: username and password, feedback and survey responses.
   5. Usage Data: information about how you use our website, products and services.
   6. Marketing and Communications Data: your preferences in receiving marketing from us and your communication preferences.
   7. Recruitment Data: CV and application information, employment history, qualifications, references, and outputs from third-party assessment processes used as part of our recruitment process.
   8. Service Interaction Data: the content of support tickets, service correspondence, feedback, survey responses, and records of your interactions with our support and customer service teams.

   We may collect and/or process other personal data from time to time as reasonably necessary.

2. We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as it will not directly or indirectly reveal your identity. However, if we combine aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used solely in accordance with this notice.
3. We do not collect Special Categories of Personal Data (including data about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, genetic data, biometric data, or detailed health data) for our own purposes as data controller, nor do we collect information about criminal convictions and offences.
4. As a data processor acting on behalf of our customers, we may process limited workforce data entered into our systems by our customers, including data relating to staff absence (such as whether a member of staff is on sick leave, maternity leave, or paternity leave) for the purposes of budget setting. Our customers, as data controllers, are responsible for ensuring they have appropriate lawful bases to process this data.
5. We only collect data from you directly or via third parties (see Section 8 below).

1. We collect data from and about you through the following methods:
   1. Direct interactions: you may provide your personal data to us directly by filling in forms, corresponding with us by post, phone, email, or messaging services, or by applying for a role with us.
   2. Automated technologies or interactions: as you interact with our website or services, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookie policy, available on the relevant product platform, for further details.
   3. Third parties or publicly available sources, including:
      1. Technical Data from analytics providers, advertising networks, and search information providers.
      2. Identity and Contact Data from data brokers or aggregators, including trade organisations or event organisers.
      3. Identity and Contact Data from publicly available sources such as Companies House.

Where we need to collect personal data by law or under the terms of a contract we have with you or your organisation, and you fail to provide that data when requested, we may not be able to provide all or part of the service. We will notify you if this is the case at the time.

1. We use information held about you to:
   1. carry out and provide our services, including any third-party services we make available to you;
   2. manage our relationship with prospective customers, including responding to enquiries and managing our sales pipeline;
   3. carry out feedback and research on our services;
   4. notify you about changes to our services; and
   5. improve our products, services, and internal operations, including through the use of AI-powered tools to analyse trends, service quality, product performance, and the effectiveness of our sales and marketing activity. We do not use AI to make automated decisions that produce legal or similarly significant effects on individuals.
2. We never sell your data to third parties.
3. We share your data with third parties only where there is a legal obligation for us to do so, or where we have identified a valid lawful basis as set out in Section 7 below. We may process your personal data without your knowledge or consent where this is required or permitted by law.
4. The table below sets out all the ways we plan to use your personal data and the lawful bases we rely on to do so. We may process your personal data on more than one lawful basis depending on the specific purpose.
   
   

   Purpose / Activity	Type of Data	Lawful Basis for Processing
   To provide our services and process related transactions and engagement.	Identity Contact Usage Marketing & Comms	Contractual obligation (processing carried out as a data processor on instruction from the relevant data controller).
   To administer and protect our business, services and website (troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting).	Identity Contact Technical	Legitimate interests (running our business, IT services, network security, fraud prevention). Legal obligation.
   To use data analytics to improve our website, services, marketing and customer relationships.	Technical Usage Profile	Consent.
   To manage sales enquiries, prospective customer relationships and marketing communications.	Identity Contact Marketing & Comms	Legitimate interests (to grow our business and manage prospective customer relationships). Consent (for direct marketing).
   To process and respond to support requests and customer service enquiries.	Identity Contact Usage	Contractual obligation. Legitimate interests (to maintain service quality and resolve issues).
   To analyse data (including support tickets, service correspondence, feedback, usage data, sales pipeline and prospect engagement data, and marketing performance data) using AI-powered tools to identify trends and issues, improve our products, services and customer support, prioritise sales and account management activity, assess marketing effectiveness, and optimise and automate our internal business processes.	Identity Contact Usage Profile Marketing & Comms Service Interaction	Legitimate interests (to improve our products, services and operational efficiency, and to grow our business). Contractual obligation.
   To manage job applications and recruitment processes.	Identity Contact Recruitment Data	Legitimate interests (to assess suitability for employment). Consent.

1. We only process your data where we have identified a valid lawful basis to do so:
   1. Contractual obligation: processing necessary to comply with our obligations under a contract with a data controller or, where we are the controller, under a contract with you directly.
   2. Legitimate interests: processing that is in the legitimate interest of our business in conducting and managing our operations to enable us to deliver the best service and most secure experience. We consider and balance any potential impact on you and your rights and freedoms before relying on this basis. We will only rely on legitimate interests where our processing is necessary and proportionate and is not overridden by your rights and freedoms.
   3. Legal obligation: processing necessary to comply with our legal obligations.
   4. Consent: we will seek your consent to process your data in circumstances outside our contractual obligations where we have not identified a legitimate interest basis, and for any special category data. You may withdraw consent at any time — see clause 13.1.9 below.

1. We will keep your information within the organisation except where disclosure is required or permitted by law, or where we use third-party service providers (data processors) to supply and support our services. We have data processing agreements in place with all our processors. This means they cannot do anything with your personal data unless we have instructed them to do so, they will not share your personal data with any other organisation without our authorisation, and they will hold it securely for the period we instruct.
2. The categories of third-party service providers who may receive your personal data are set out below.

   Categories of Service Providers Who May Receive Your Personal Data
   IT support and infrastructure services
   Cloud hosting and storage providers
   Backup and disaster recovery providers
   CRM and customer support platform providers
   AI-powered productivity and service delivery tools
   Survey and feedback providers
   Secure document disposal services
   Legal advisers and solicitors
   Software and platform providers
   Feedback aggregators and collectors
   Marketing agencies and communication platforms

1. We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
2. You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.
3. We will always obtain your express opt-in consent before we share your personal data with any third party for marketing purposes.
4. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.

1. Personal data we hold is primarily stored within the UK or the European Economic Area (EEA). Our main CRM, customer support, and productivity platforms are configured to host data in the EEA. Limited transfers outside the UK and EEA may occur where we use service providers headquartered in other jurisdictions.
2. We only transfer personal data outside the UK where appropriate safeguards are in place under the UK GDPR and the Data Protection Act 2018. These include:
   1. transfers to recipients in countries the UK has formally recognised as providing an adequate level of protection;
   2. transfers to recipients certified under the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), where applicable;
   3. transfers made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses, together with any supplementary measures identified through a transfer risk assessment.
3. You may request a copy of the safeguards in place for any specific transfer by contacting our Data Protection Officer using the details in Section 2.

1. We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know, and they are subject to a duty of confidentiality.
2. We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

1. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, including to satisfy any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.
2. In determining the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and applicable legal or regulatory requirements.
3. We retain basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being clients, in line with statutory record-keeping and limitation periods.
4. We may anonymise your personal data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

1. Under the Data Protection Laws, you have the following rights:
   1. To be informed: we must make this privacy notice available to you and be transparent about how we process your data.
   2. Access: you are entitled to know what personal data we hold about you and why. You can find out by making a formal request under the Data Protection Laws using the contact details in Section 2. We will confirm whether we hold data about you and, if so, provide a copy.
   3. Rectification: you have the right to require us to correct or update your personal data without undue delay. Requests should be made in writing using the contact details in Section 2.
   4. Erasure: you have the right to request that we erase your personal data in certain circumstances (the right to be forgotten). Requests will be considered on a case-by-case basis and should be submitted in writing.
   5. Restriction of processing: you have the right to request that we restrict or suspend the processing of your personal data in certain circumstances.
   6. Portability: you have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to reuse it with a different provider.
   7. Object: you have the right to object to our processing of your personal data in certain circumstances. You have an absolute right to object to your data being used for direct marketing purposes. In other circumstances, we may continue to process your data if we can demonstrate compelling legitimate grounds.
   8. Automated decision-making and profiling: we do not use automated decision-making.
   9. Withdraw consent: where you have given consent to our processing of your personal data, you may withdraw that consent at any time through the opt-out links in electronic communications or by updating the relevant preferences where available. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
2. You may need to provide proof of identity when exercising any of the above rights.
3. Where possible, we will try to deal with requests informally. Please contact us in the first instance using the details in Section 2.

1. If you apply to work for us (directly or indirectly) in any role, we will collect and process personal data about you for the purposes of assessing your suitability for the position. This may include: identity and contact data provided in your application; employment history, qualifications, and references; and data generated during the interview and assessment process.
2. We rely on legitimate interests as our lawful basis for processing recruitment data, where that processing is necessary to assess suitability for employment.
3. At the end of the recruitment process, you may give permission for us to retain your details on our applicant tracking system so that we can consider you for future opportunities. This permission lasts for 12 months, after which you will be asked whether you wish to extend it. If you choose not to extend your permission, or if you request removal of your details at any time, your data will be automatically deleted from our records.