Who We Are and Scope of this Policy
This Privacy Notice is issued on behalf of Datatonic Holdings Limited and all entities owned or controlled by it, including Datatonic Ltd (London, UK), Montréal Analytics Inc. (Montreal, Canada), Datatonic Sarl (Switzerland), and Datatonic Nordics AB (Sweden), collectively referred to as the “Datatonic Group,” “we,” “us,” or “our.” As a global organisation, the specific entity responsible for processing your personal data (the “Data Controller” or “Enterprise”) will be the group member with whom you directly engage for services or whose website you are visiting. In this Notice, any website visitor, user of our services, or individual interacting with our business is referred to as “you.”
Datatonic Ltd, registered in London, United Kingdom, is the primary Data Controller and responsible entity for personal data collected through this website (https://www.datatonic.com). For engagements involving our international offices, the relevant local Group entity acts as the Controller for those specific services.
If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our privacy team:
- Attn: Angelene Chester – Legal Counsel & Data Protection Lead
- Privacy Officer (Quebec): Angelene Chester
- Email: legal@datatonic.com
- Postal Address: Level 45, One Canada Square, Canary Wharf, London, E14 5AB, United Kingdom
- Web Form: https://datatonic.com/security-contact/
Datatonic takes your privacy and the security of your personal data very seriously. We have provided and will continue to provide a secure environment for the information that you share with us. This Privacy Notice describes the ways your information is used and protected by us and the limited access third parties have to such information. It also explains the rights you have in connection with your personal data, including how to contact us or to make a complaint. We ask that you read it carefully.
This Notice applies to website visitors and customers. Our Employee Privacy Notice, which governs how we handle the personal data of our staff, is available to all employees via the Intranet.
If you apply for a position with Datatonic, our Candidate Privacy Notice applies to the processing of your application. A copy of this notice is provided to all applicants at the time of application through our recruitment platform, or it can be requested by contacting legal@datatonic.com.
Please note that our website and services are not intended for children and we do not knowingly collect data relating to children. If we learn we have inadvertently collected such data, we will take steps to delete it immediately.
Legal Status and Applicable Laws
Depending on your location, different data protection laws apply to our processing of your personal data. Under these laws, the relevant entity in the Datatonic Group acts as the primary decision-maker regarding your information:
- UK and EEA: under the UK GDPR and the EU General Data Protection Regulation (GDPR), we operate as a “Data Controller.” This means we determine the purposes and means of processing your personal data.
- Switzerland: under the Swiss Federal Act on Data Protection (nFADP), we are the “Controller” responsible for your data.
- Quebec, Canada: under the Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Privacy Act” or Law 25), Datatonic is considered an “Enterprise.”
- Canada (Federal): under the Personal Information Protection and Electronic Documents Act (PIPEDA), Datatonic is an “Organization.”
What is “Processing”? Regardless of the specific terminology used in your jurisdiction, when we refer to “processing” in this Notice, we mean any operation or set of operations performed on your personal data (or “personal information”), including its collection, use, storage, disclosure, transfer, or destruction.
The Personal Data We Collect
Personal data (or “personal information”) means any information about an individual from which that person can be identified.
We collect, use, and store different categories of data depending on how you interact with our website:
1. Data You Provide Directly
- Identity & Professional Data: includes your first name, last name, job title, and company name. We collect this primarily when you register for an event, download a whitepaper, or submit an inquiry.
- Contact Data: includes your business email address and telephone number.
- Marketing & Communications Data: includes your preferences in receiving insights from the Datatonic Group and our third-party partners (such as Google Cloud), and your preferred methods of communication.
2. Data Collected Automatically
As you navigate our website, we automatically collect data regarding your device and browsing patterns:
- Technical Data: includes your Internet Protocol (IP) address, location and whether you are accessing via desktop or mobile.
- Usage Data: includes information about how you use our website, products, and services, such as the specific blogs or case studies you view or the duration of your visit.
- Attribution Data: we may collect data regarding the source that referred you to our website (e.g., a LinkedIn advertisement or a search engine query) to measure the effectiveness of our outreach.
3. Aggregated & Anonymised Data
We also collect, use, and share Aggregated Data, such as statistical or demographic information.
- Status: Aggregated Data is not considered personal data in law as it does not directly or indirectly reveal your identity.
- Example: we may aggregate your Usage Data to calculate the percentage of users accessing a specific Generative AI insight page. However, if we combine Aggregated Data with your personal data so that it can identify you, we treat the combined data as personal data in accordance with this Notice.
Special Category Data: We do not knowingly collect any “Special Categories of Personal Data” about you (this includes details about your race, ethnicity, religious beliefs, or health data).
While our services are provided to businesses, we necessarily process the personal data of the individuals who represent those businesses (such as employees, contractors, or authorised signatories).
We collect, use, and store the following “Business Contact Information” to facilitate our professional relationship in the provision of our services:
- Identity Data: includes your first name, last name, and job title.
- Contact Data: includes your business email address, office or business mobile phone number, and your employer’s registered or operating address.
- Account & Transaction Data: includes your professional username or similar identifier used to access our service portals, and details about services your organisation has engaged us for.
How is Your Personal Data Collected?
We use different methods to collect data from and about you, including through:
1. Direct Interactions
You may provide us with your Identity, Contact, and Professional Data by completing online forms or corresponding with us by post, phone, email, or in person. This includes personal data you provide when you:
- inquire about or purchase our services;
- register for or attend an event or webinar;
- download whitepapers or access “gated” insights via The Hub;
- subscribe to our newsletters or request marketing materials;
- submit a job application via our recruitment platform; or
- provide feedback or contact us via our Security/Contact Form.
2. Automated Technologies or Interactions
As you interact with our website, we automatically collect Technical and Usage Data about your equipment and browsing patterns. We collect this through:
- Cookies and Pixels: small data files placed on your device. For full details on how to manage these, please see our Cookie Policy.
- Server Logs & Server-Side Tagging: our servers automatically record certain information (such as IP addresses) to ensure the security and performance of our website.
- Identification & Profiling: in accordance with your preferences, we may use technologies that help us identify the organisation you represent or your professional interests to provide more relevant content.
3. Third Parties or Publicly Available Sources
We may receive personal data about you from various third parties and public sources:
- Analytics Providers: such as Google Analytics (operating within the EEA or UK).
- Lead Generation Partners: such as LinkedIn or specialised B2B data providers who help us identify professional leads.
- Public Sources: we may verify professional information using publicly available records such as Companies House (UK) or professional networks like LinkedIn.
4. Physical Security & Media
- CCTV: if you visit our physical offices (e.g., in London or Toronto), your image may be captured by CCTV systems for the purposes of safety and crime prevention.
- Event Photography/Recording: if you attend a Datatonic event, we may record the session or take photographs for promotional purposes, provided we have notified you or obtained your consent where required.
How We Use Your Personal Data
Lawful Bases
The law requires us to have a valid lawful basis for every processing activity involving your personal data. We rely on the following:
- Performance of a Contract: to fulfill our obligations under a contract we have with you (or your employer), or to take steps at your request before entering into such a contract.
- Legitimate Interests: where it is necessary for our legitimate interests (or those of a third party), provided your interests and fundamental rights do not override those interests. We specifically use this for business development, network security, and service improvements.
- Legal Obligation: where we must process data to comply with a legal or regulatory requirement (e.g., tax reporting or anti-fraud laws).
- Consent: where you have given us clear, affirmative agreement for a specific purpose (e.g., subscribing to a newsletter).
We primarily engage in business-to-business (B2B) marketing. Where we contact you at your corporate business address, we rely on our Legitimate Interests to promote our professional services.
Important for Canada (including Quebec): By interacting with us and providing your personal data, you provide implied or express consent for its collection, use, and disclosure as described in this Notice.
Purposes for Processing
The following table outlines our specific uses of personal data and the legal grounds we rely on.
| Purpose / Use | Type of Data | Legal Basis |
| --- | --- | --- |
| B2B Onboarding: To register you as a new customer representative or supplier. | Identity, Contact, Professional | Performance of a contract |
| Service Delivery: Providing consultancy services, managing payments, and debt recovery. | Identity, Contact, Financial, Transaction | Performance of a contract; Legitimate Interests (debt recovery) |
| Relationship Management: Notifying you about terms changes or responding to inquiries. | Identity, Contact, Profile, Marketing | Performance of a contract; Legal Obligation; Legitimate Interests (record keeping) |
| Website Security: Troubleshooting, data analysis, testing, and system hosting. | Identity, Contact, Technical | Legitimate Interests (provision of IT services, network security, fraud prevention) |
| Content Optimisation: Delivering relevant website content/ads and measuring effectiveness. | Identity, Contact, Technical, Usage | Consent (via Cookie Banner); Legitimate Interests (to grow our business) |
| Product Improvement: Using analytics to improve our website, services, and customer experiences. | Technical, Usage | Legitimate Interests (to keep our website updated and relevant) |
| Direct Marketing: Making suggestions about goods or services that may interest your business. | Identity, Contact, Usage, Profile | Consent (Opt-in) |
| Recruitment: Managing your application for a role at Datatonic. | Identity, Contact, Candidate Data | Legitimate Interests (hiring); Legal Obligation; Performance of a contract |
Marketing and Your Choices
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.
Third-Party Marketing
We will obtain your express opt-in consent before we share your personal data with any third party for their own direct marketing purposes. Please note that while we work closely with partners like Google Cloud, we do not sell your personal data to them for their independent use.
Opting Out of Marketing
You can ask us to stop sending you marketing communications at any time through the following methods:
- One-Click Unsubscribe: follow the “unsubscribe” or “opt-out” links at the bottom of any marketing email we send you.
- Direct Request: email us at hello@datatonic.com with the subject line “Marketing Opt-Out.”
- Web Form: use our Security & Contact Form to submit a preference change.
What happens when you opt out? Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service purchase, service experience, or other essential transactions (such as project updates or security notices). These are “Service Communications” and are necessary for the performance of our contract with you.
Cookies and Tracking Technologies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
- Consent by Default: in accordance with Quebec’s Law 25, all non-essential tracking (including analytical and marketing cookies) is disabled by default until you provide express consent via our cookie banner.
- Managing Preferences: if you wish to change your settings or learn more about the specific pixels we use (such as LinkedIn Insight tags or Google Analytics), please see our Cookies Policy, available on the website.
Disclosures of Your Personal Data
We share your personal data with the specific categories of third parties listed below. We do not sell or rent your personal data to any third party for their own marketing purposes. We require all third parties to respect the security of your data and to treat it in accordance with the law; they are only permitted to process your data for specified purposes and in accordance with our strict instructions.
| Personal Data Category | Recipient | Purpose of Processing |
| --- | --- | --- |
| Identity, Contact | Vercel & Google Cloud | Hosting and technical infrastructure to ensure website performance and security. |
| Identity, Contact | Google Workspace | Professional email and communication services to facilitate our response to your inquiries. |
| Identity, Contact, Professional | Salesforce | CRM services to manage our relationship with you and store your professional preferences. |
| Identity, Contact, Technical | Google Cloud & Stripe | Management of event registrations and secure processing of service payments. |
| Identity, Contact, Candidate Data | Ashby & Zinc | Management of the recruitment lifecycle, including application storage and background verification. |
| Technical, Usage | Google Analytics | Provision of website analytics and user behavior insights via alphanumeric identifiers. |
Internal and Group Sharing
As a global organisation, we may share your personal data within the Datatonic Group (including subsidiaries and our parent company) for internal administration, reporting, and to provide the services you have requested from a specific local office.
Legal and Strategic Disclosures
We may also disclose your personal data to third parties in the following limited circumstances:
- Legal Compliance: to law enforcement, regulators, or public authorities where we are legally required to do so (e.g., in response to a court order or to meet national security requirements).
- Business Protection: to investigate, prevent, or take action regarding illegal activities, suspected fraud, or potential threats to the safety of any person or our infrastructure (such as DDoS attacks).
- Corporate Transactions: to third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change happens to our business, the new owners must use your personal data in the same way as set out in this Privacy Notice.
International and Interprovincial Transfers
As a global organisation, we may transfer, store, and process your personal data in countries other than your own (including the United Kingdom, the EEA, Switzerland, and Canada). Some of these jurisdictions may have data protection laws that differ from those in your home country.
Whenever we transfer your personal data across borders, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- Adequacy Decisions: we transfer your personal data to countries that have been deemed to provide an adequate level of protection by the relevant regulatory bodies (e.g., the UK Government, the European Commission, or the Swiss Federal Council).
- Standard Contractual Clauses (SCCs): where we use service providers outside of “adequate” jurisdictions (such as certain US-based cloud providers), we use specific contractual clauses approved for use in the UK and EEA which ensure your data receives the same protection it has in Europe.
- Quebec Privacy Impact Assessments (PIA): in compliance with Law 25, before any personal data leaves the province of Quebec, we conduct an “Assessment of Privacy-Related Factors.” This assessment ensures that the information will receive adequate protection in the destination jurisdiction, considering the sensitivity of the data and the legal framework of the recipient country.
Data Security and Governance
We have put in place robust security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.
- Access Control: we limit access to your personal data to those employees, agents, contractors, and other third parties who have a strictly defined “business need to know.” They process your data only on our instructions and are bound by strict duties of confidentiality.
- Internal Governance: in accordance with our global data strategy and Quebec’s statutory requirements, we maintain:
  - Retention & Destruction Framework: Policies governing the secure storage and eventual destruction or anonymisation of data.
  - Roles and Responsibilities: A clear internal hierarchy defining who is accountable for data at every stage of its lifecycle.
  - Incident Response: Procedures to manage any suspected personal data breach, including notifying you and the relevant regulator where we are legally required to do so.
Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, or reporting requirements.
To determine the appropriate retention period, we consider:
- the volume, nature, and sensitivity of the data;
- the potential risk of harm from unauthorised use;
- the purposes for which we process the data and whether those can be achieved through other means (such as Anonymisation); and
- applicable statutory limitation periods.
Where data is no longer required, we securely delete it or anonymise it (so that it can no longer be associated with you) for statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your Legal Rights
Depending on where you are located, you have specific rights regarding your personal data. At Datatonic, we extend these high standards of transparency to all our users.
Summary of Rights
- Access: request a copy of the personal data we hold about you (a “Subject Access Request”).
- Correction: ask us to rectify any inaccurate or incomplete data.
- Erasure (“Right to be Forgotten”): request that we delete your data where there is no compelling reason for its continued processing.
- De-indexation (Quebec): if you are in Quebec, you have the right to request that we cease disseminating your personal data or de-index any hyperlink attached to your name that provides access to your data.
- Object to Processing: challenge our processing where we rely on “Legitimate Interests.” You have an absolute right to object to direct marketing.
- Restriction: ask us to “freeze” the processing of your data while you contest its accuracy or our legal grounds for using it.
- Data Portability: request the transfer of your data to you or another service provider in a structured, machine-readable format.
- Withdraw Consent: where we rely on your consent (e.g., for newsletters), you may withdraw it at any time.
How to Exercise Your Rights
If you wish to exercise any of these rights, please contact our privacy team at legal@datatonic.com.
- No Fee: you will not usually have to pay a fee. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
- Identity Verification: for your security, we may request specific information to help us confirm your identity before acting on a request.
- Response Time: we aim to respond to all legitimate requests within 30 days (or sooner where required by local law). If your request is complex, we may extend this and will keep you updated.
Complaints and Oversight
We value the opportunity to resolve any concerns you have directly. However, you have the right to lodge a complaint with your local supervisory authority at any time:
- United Kingdom: Information Commissioner’s Office (ICO) | www.ico.org.uk
- European Economic Area: your local national Data Protection Authority.
- Quebec, Canada: Commission d’accès à l’information | www.cai.gouv.qc.ca
- Canada (Federal): Office of the Privacy Commissioner | www.priv.gc.ca
Additional Information
Third-Party Links
Our website may include links to third-party websites or plug-ins (such as LinkedIn or Google Cloud). Clicking those links may allow third parties to collect or share data about you. We do not control these websites and encourage you to read their specific privacy notices when you leave our site.
Changes to this Notice
We update this Privacy Notice periodically to reflect changes in our practices or the law. Significant changes will be highlighted via a prominent notice on our website. It is important that the data we hold about you is accurate; please keep us informed of any changes to your professional contact details.
Version: March 2026