Get in touch
Person typing on a keyboard - to illustrate a privacy notice

Privacy Notice

Last Updated: November 2024

Privacy Notice

Contents

  1. INTRODUCTION
  2. PERSONAL DATA WE COLLECT
  3. PURPOSES & BASIS FOR PROCESSING
  4. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS
  5. SHARING YOUR DATA
  6. HOW LONG WE KEEP YOUR DATA
  7. YOUR RIGHTS
  8. CONTROLAR SERVICE
  9. HOW TO CONTACT US
  10. INDIVIDUALS IN BRAZIL
  11. ACHILLES COMPANIES

1. INTRODUCTION

Achilles Information Limited and its affiliates (“Achilles” and “we”) provide supply chain assurance services to buyer and supplier organisations globally. When providing our services, we collect and process personal data about individuals (“you” and “your”). We do this for our own business purposes as a data controller. We also do it on behalf of our customers, acting on their instructions, as their data processor.

This privacy notice explains what personal data we collect about you as a data controller, including the source of your data, how we use it and what rights you have. A full list of the Achilles entities covered by this privacy notice can be found at section 11. You can contact us about any aspect of this privacy notice, or to exercise your rights using the contact details provided below.

If we have collected your personal data for a customer as part of our Controlar service, we will be a data processor acting on instructions from the customer. You can learn more about the personal data we process when providing our Controlar service at section 8 of this privacy notice.

If you have applied for a job with Achilles, we process your personal data as set out in our Recruitment Privacy Notice.

As an information led business, we place great importance in ensuring the quality, confidentiality, integrity and availability of the data we hold, and in meeting our data protection obligations where we process personal data. Achilles is committed to protecting the security of your personal data. We use a variety of technical and organisational measures to help protect your personal data from unauthorised access, use or disclosure.

The terms of this notice cover Achilles operations worldwide. Additional information for individuals located in Brazil is set out at section 10 of this privacy notice.

We update this privacy notice from time to time in response to changes in applicable laws and regulations, to our processing practices and to products and services we offer. When changes are made, we will update the ‘Last Updated’ date at the top of this page. Please review this privacy notice periodically to check for updates.

2. PERSONAL DATA WE COLLECT

The personal data we collect about you depends on our relationship with you or the organisation you work. In most cases we will process your personal data because you work for one of our buyer or supplier customers, including organisations that our buyer customers ask us to invite to become a supplier customer.

We may also process your personal data if you work for an organisation that is a sales prospect or target of ours; if you have subscribed for our insight emails or other marketing communications; if you register for our webinars or events; or if you otherwise contact us and when you visit our website.

Individuals at Supplier Organisations

If you work for one of our supplier customers and you are a key contact or senior business stakeholder, your organisation may provide us with your personal data in connection with the services provided to them by Achilles. The information is provided to us using our supplier onboarding questionnaires and will include your name, job title, business email, business telephone and office address.

We may also collect your personal data from one of our buyer customers if they want us to contact you to invite your organisation to become one of our supplier customers for the purpose of supplying or continuing to supply the buyer organisation. Where this applies, we will typically be provided with your name, business email address and business telephone number.

Where your organisation has provided your information to us when signing up to become an Achilles supplier customer, we may also collect information about you from risk screening and financial screening service providers and combine this with the information provided to us by your organisation. We use Refinitiv World-Check service to gather risk screening information. Their privacy notice can be viewed here. We use CreditSafe to gather financial screening information. Their privacy notice can be viewed here.

If you pay for services on behalf of your supplier organisation using a payment card in your name, we will collect your payment card information when you provide it to us for payment.

Individuals at Buyer Organisations

If you work for one of our buyer customers and you are a key relationship contact, we will collect your personal data in connection with the services provided to them by Achilles. The personal data we collect will be your name, job title, business email address, business telephone number and office address.

We will also collect your name and email address and process the password you set if we are asked by a buyer customer to provide you with user access to our online supply chain management platform.

We may also process your personal data if you work for a buyer organisation that is a sales target or prospect, and we wish to contact you to build a sales relationship or provide you with information and marketing communication that you may find interesting.

We collect prospecting information from publicly available sources, from referrals and from providers of business decision maker contact information.

Marketing Subscribers & Event Registrants

If you subscribe for our insight emails or other marketing communications, we will collect your name, email address and, if you use a corporate email address, the name of the organisation you work for.

If you register for one of our webinars or another event, we will collect the registration information you provide to us, including your name, email address, job title and the name of the organisation you work for.

You can unsubscribe from our marketing emails at any time using the link provided in the messages we send. Alternatively, you can withdraw your consent or object to our marketing communications by emailing us at dataprivacy@achilles.com.

Individuals Contacting Us

If you contact us using the forms on our website, by email or through our social channels (such as Twitter or LinkedIn) we collect the information you provide to us. This typically includes your name, job title, employer business address, business email and any additional information you include in your message.

Website Visitors

When you visit our website, we may automatically collect limited personal data by the use of cookies and similar technologies on our website. For more information, please refer to the Cookie Notice

We may also automatically collect information including your IP address, details about the device and software you are using to visit the site, your country and continent and your web page viewing path including page response times and download times. This information will not include directly identifiable personal data.

3. PURPOSES & BASIS FOR PROCESSING

The purposes and lawful bases for which we process your personal data, depends on our relationship with you, as follows:

Individuals at Supplier Organisations

Purpose Lawful Basis for Processing
Contacting you at the request of buyer organisations: Including contacting you to invite you to register your organisation with Achilles as a supplier organisation. -Our legitimate interest to invite your organisation to sign up for our services at the request of a buyer organisation.
-Your organisation’s legitimate interest to remain or become a supplier to the buyer organisation which has provided Achilles with your contact information.
-The buyer organisation’s legitimate interest to procure services from your organisation based on pre-qualification services provided to it by Achilles.
Onboarding your organisation as a supplier customer: Including collecting your details and other organisational information using our supplier onboarding questionnaires and setting your organisation up as a customer on our systems. Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

 

Adding supplier information to our online supply chain management platform: Including adding personal data provided to us by suppliers during registration. Once on the platform, your personal data will be visible to:
(i) buyer organisations in the Achilles community your organisation has agreed to join; and/or
(ii) where your organisation has agreed to allow access of your information to a specific buyer organisation only, that specific buyer organisation.
Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

 

Providing our services to your organisation: Including setting up your user access to our online supply chain management platform, authenticating your ongoing access, providing you with user support and arranging and carrying out supply chain audits of your organisation. Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Developing our business relationship with your organisation: Including sharing information about using our services, providing training and support, sending you insight emails and other marketing communication and inviting you to our webinars and other events. – Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.
– You consent when you sign up for our insight emails, for information about our events or our other marketing communications.
Seeking customer feedback and monitoring customer satisfaction: Including sending you customer satisfaction surveys and requesting input on services. Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.
Account management and contract renewals: Including contacting you to ensure we hold up to date information about your organisation, advising you when your contract with Achilles is due to expire and providing renewals quotes. Our legitimate interest to update the information we hold about you and your organisation as an Achilles supplier customer, to advise you when your organisation’s contract with Achilles is expiring and to seek to retain your organization as a customer.
Taking payment for the services provided to your organisation: Including processing details of payments cards in your name used to pay on behalf of your organisation. Our legitimate interest to process payment card information you provide to us to pay for services we provide to your organisation.

 

Individuals at Buyer Organisations

Purpose Lawful Basis for Processing
Building a sales relationship with your organisation: Including contacting you by telephone or email or sending marketing communications to promote our services. Our legitimate interest to contact you to introduce our business, promote our services and to build a sales relationship with your organisation.
Providing our services to your organisation: Including setting up your user access to our online supply chain management platform, authenticating your ongoing access and providing you with user support. Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Managing and developing our business relationship with your organisation: Including account management, sharing information about our services, providing training and support, sending you insights emails and other marketing communications, and inviting you to our webinars and other events. -Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.
-Your consent when you sign up for our insight emails, for information about our events or our other marketing communications.
Seeking customer feedback and monitoring customer satisfaction: Including sending you customer satisfaction surveys and requesting input on our products and services. Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.

 

Marketing Subscribers & Event Registrants

Purpose Lawful Basis for Processing
Sending you marketing communications: Including insight emails, information about Achilles’, invites to webinars and events and other marketing information. -Our legitimate interest to send you marketing communications, including invites to webinars and events we hold or attend.
-Your consent when you sign up for our marketing communications, including invites to webinars and events we hold or attend.
Event management: Including providing you with access to the event and recording your attendance. Our legitimate interest to administer and manage events and webinars to which to you signed up to attend.

 

Individuals Contacting Us & Website Visitors

Purpose Lawful Basis for Processing
Responding to your enquiry: Including by email, telephone or using the social media channel you have used to contact us. Our legitimate interest to respond to your enquiry or communication.
Improving our website: Including your visitor experience by using cookies and similar tools to remember your preferences and display content that is more relevant to you. Your consent, when you agree to cookies and similar technologies used by our website.
Measuring website engagement: Including monitoring use of our website and measuring the success of our marketing campaigns using cookies and similar analytics technologies. Your consent, when you agree to cookies and similar technologies used by our website.

 

In all cases, we may also process your personal data for the following purposes and on the following lawful bases:

Purpose Lawful Basis for Processing
Internal management, administrative and organisational purposes: Including maintaining internal records and carrying out other business administration tasks. Our legitimate interest to process your personal data in order to manage our business processes.
Sharing data with group companies: Including Achilles employees in overseas offices for the purposes of processing set out in this privacy notice. Our legitimate interest to make your data available to Achilles employees in other locations to provide our services and meet our business objectives.
Sharing data with other third parties: Including third parties who process personal data on our behalf as data processors. Our legitimate interest to share your data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers.

 

4. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS

Achilles uses cookies, website analytics and similar technologies on our website and online supply chain management platform. Marketing emails we send may also include tracking pixels to monitor email receipt, opens and clicks.

Cookies are small text files and web beacons are small graphic images. They are downloaded to your device when you visit a website or receive certain emails unless you have set your browser or email application to stop them.

We use cookies to remember your preferences, display content that is more relevant to you and improve your overall experience on our site. Our email marketing platform uses pixels to track engagement with the emails we send and measure the success of our marketing campaigns. Website analytics are used to measure engagement and monitor issues to help us identify opportunities to improve our website and platforms.

To learn more about our use of cookies and similar technologies, please view our Cookie Notice.

Our website includes social media sharing buttons and links to enable you to share our content through your preferred social media site or by email directly from one of our web pages. These features may collect your IP address and the page you are visiting on our website and may set a cookie on your device if you use the buttons.

When you use one of these sharing buttons or links, you are sharing information to another website or service (such as Twitter, LinkedIn or Facebook) and this privacy notice will no longer apply. Please read the privacy notices provided by the particular social media website you are sharing through before posting any personal data using these links.

5. SHARING YOUR DATA

Achilles is a global business and to respond properly to your enquiry, or for the purpose of delivering our services, it is possible that we will share your data with our group companies, including those in countries outside the UK and European Economic Area (the “EEA”) where the data protection laws are not equivalent to those within the UK or EEA. We do so using Standard Contractual Clauses approved by the European Commission and/or the International Data Transfer Agreement (IDTA) approved by the UK Parliament (as applicable) which contractually oblige our group companies in those countries to the standard expected within the EEA and/or the UK.

We may also share your personal data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers. In such cases, our suppliers are data processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the contract we enter into with them.

If your details have been provided to us by a supplier customer because you are one of their key contacts or senior business stakeholders, your details will be added to our online supply chain management platform from where it will be accessible to buyers in the same Achilles community that your organisation has agreed to join. This may include buyers located outside the UK or EEA where the data protection laws are not equivalent to those within the UK or EEA.

Where a buyer organisation accesses your personal data via our online supply chain management platform as you are a key contact or senior business stakeholder at a supplier organisation, the buyer organisation will do so as an independent controller.

It is possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order or with government or law enforcement agencies.

6. HOW LONG WE KEEP YOUR DATA

The period for which we will retain your personal data depends on the purposes for which we process it. We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims. At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.

We do not retain credit or debit card information once payment has been made.

Please note we need to hold contact details for individuals at supplier and buyer organisations for the performance of the service and the contract we have entered into with your organisation. If you no longer want us to hold your personal data and we have an ongoing contract with your organisation, we will require alternative contact details or we will be unable to continue providing your organisation with the relevant service.

7. YOUR RIGHTS

The rights you have in respect of your personal data depend on factors including the laws of the country in which you are located. Where you are in scope of application of the data protection laws of the United Kingdom or the European Union/European Economic Area you have the following rights:

  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • Where we are using your personal data with your consent, you can withdraw your consent at any time.
  • Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way because you feel it impacts on your interests, rights and freedoms.
  • Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
  • You can ask us to restrict the use of your personal data if:
    • It is not accurate.
    • It has been used unlawfully but you do not want us to delete it.
    • We do not need it any-more, but you want us to keep it for use in legal claims; or
    • You have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
  • In some circumstances you can compel us to erase your personal data.
  • In some circumstances you can request a machine-readable copy of your personal data to transfer to another service provider.
  • You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, we may need to request specific information from you to help us confirm your identity, especially if you are exercising your right of access.

If you wish to exercise your rights, please contact us at dataprivacy@achilles.com

You can also lodge a complaint with your local data protection supervisory authority. In the UK, this is the ICO (https://ico.org.uk/make-a-complaint/). In the EEA, there are national and regional data protection authorities (a list is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

8. CONTROLAR SERVICE

When providing our Controlar service, we are a data processor, acting under the instructions of our buyer customers. If we have collected your personal data when providing this service, your rights will be facilitated by the buyer organisation (that has engaged the supplier organisation you work for) because they are the controller of your personal information.

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

9. HOW TO CONTACT US

You can contact Achilles in relation to data protection and this privacy notice by writing to:

General Counsel
Achilles
30 Western Avenue
Milton
Abingdon
OX14 4SH
United Kingdom

Alternatively, you can email us at dataprivacy@achilles.com

10. INDIVIDUALS IN BRAZIL

If you are located in Brazil, this section 10 provides you with additional information which we are required to share with you in accordance with the Lei Geral de Proteção de Dados No. 13,709/2018 (“LGPD”).

When we refer to ‘data processor’ we are referring to ‘operator of personal data’ under LGPD.

If the LGPD applies, you have the following rights in respect of your personal data:

  • You have a right to confirm if Achilles processes your personal data.
  • If we do have your personal data, you have the right to have access to the data and request a copy of it.
  • You have the right to ask us to correct incomplete, inaccurate or outdated data.
  • You have the right to ask us to anonymise, block or delete any unnecessary or excessive personal data, or any personal data processed in non-compliance with LGPD.
  • In some circumstances, you can request us to transfer a copy of your personal data to another service provider, in accordance with the ANPD regulations, as long as commercial and industrial secrecy are respected, and except for data that has been anonymised by us.
  • You have the right to receive information about the public and private entities with which we have shared your personal data.
  • If we are processing your personal data on the basis of your consent, you also have the right to (i) be informed about the possibility of denying consent and the consequences of the denial, (ii) revoke your consent, and (iii) ask us to delete your personal data, subject to our rights to retain data as provided by LGPD.

 

You can also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) (https://www.gov.br/anpd/pt-br).

You can also file a lawsuit regarding your individual data protection rights or that of a group of people in accordance with applicable Brazilian legislation, before the competent court.

To exercise your rights regarding your personal data, you can contact us at dataprivacy@achilles.com, free of charge. We will respond to your request within the legal period of 15 days from receipt of your request.

11. ACHILLES COMPANIES

The Achilles companies covered by this privacy notice are Achilles Information Limited, Achilles Procurement Services Limited, Achilles Information AS, Achilles Information AB, Achilles Information Aps, Achilles Information GmbH, and Achilles South Europe S.L