This website is owned and operated by Open Blend Method Limited.
Who we are
We are a private limited company incorporated in England and Wales (registered company number 09283273). Our registered office is at Camburgh House, 27 New Dover Rd, Canterbury, CT1 3DN.
In this notice, "we", "us", "our" and "OBM" refer to Open Blend Method Limited.
We are the controller in respect of the processing of personal data described in this notice.
Data protection officer
Our data protection officer is Anna Rasmussen. She can be contacted at email@example.com.
Scope of this notice
This notice describes our processing of personal data relating to our website visitors and staff and representatives of our clients in connection with our business activities. We are the controller in respect of this processing, meaning that we determine why and how to carry out this processing.
[This notice does not describe our processing of personal data relating to people who apply for jobs with us. Our processing for recruitment purposes is set out in a separate notice addressed specifically to job applicants, and can be viewed on our ‘We’re hiring’ webpage. Neither does this notice describe our processing of personal data relating to our employees. Our processing for employment-related purposes is set out in a separate notice addressed and made available to our employees.
This notice does not describe our processing activities in connection with our OBM app which we provide to our clients as a service. Our processing in connection with our OBM app is set out in a separate notice available on the OBM app, addressed specifically to users of the app. If your personal data is processed using our OBM app, please refer to the OBM app privacy notice which you can find via a link on the OBM app login page and within your account settings.
Types of personal data we collect
• Business contact data: information relating to our clients’ or prospects staff and representatives that we obtain in connection with entering into and performing contracts for the provision of our products and services to clients, such as names, business email addresses, postal addresses, telephone numbers and job titles. This may be provided by the individuals themselves, by colleagues or resellers. We may also collect similar categories of data of staff or representatives from potential clients or prospects indirectly from publicly available sources such as Linked-in, industry bodies and licence data sets from reputable third parties such as Cognism (personal data acquired from Cognim includes name, job title, business phone and business email, linkedIn page, employment history and company name).
• Client Hub account data: information relating to our clients’ staff that we obtain in connection with setting up accounts to enable client’s staff members to access and use the Client Hub, including their business email addresses and access permissions. These details are provided to us by our clients.
• Enquiry data: information relating to website visitors who complete and submit forms on our website (such as our ‘Get in touch’, ‘Book a demo’ and ‘Request a call back’ forms), including name, email address, phone number, company name and any personal data included in the subject or message content and any metadata associated with the communication (such as time and date of submission). This information is provided to us by people who complete and submit forms on our website, and our website generates the communication metadata associated with the forms.
• Comment submission data: information relating to website visitors who submit comments on our ‘We’re hiring’ webpage, including any commenter’s name, email address and phone number and any personal data included in the comment, metadata about the submission such as the date and time of submission (generated by our website) and data about the submitter’s device such as its IP address, geographical location, browser type and version and operating system.
• Webinar registration data: information relating to people who register to join one of our webinars, including name, email address, company name, job title, country, discussion points in/leave times and technical data about the registering person’s device such as IP address, geographical location, browser type and version and operating system. We obtain this information when people complete and submit a registration form and our website automatically collects the technical data.
Social media plugin data: technical data about our website visitors’ devices such as its IP address, browser type and version and operating system. This is collected by the plugin buttons embedded in our website.
Correspondence data: information contained in or relating to any communications we receive, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication such as the date and time of sending. We obtain this data when people contact us by email, phone, or via social media.
Why we use personal data
The purposes for which we normally use personal data, the types of personal data we use for those purposes and the legal bases for doing so are set out below. An explanation of what the different legal bases mean can be viewed below.
Purposes of processing: Providing our services to clients and communicating with clients in connection with providing those services
Types of personal data used: Business contact data
Legal bias: Our legitimate interests in keeping our Client Hub secure and limiting access and use to authorised users
Purposes of processing: Recognising and authenticating client users accessing our Client Hub.
Types of personal data used: Client Hub account data
Legal bias: Our legitimate interests in providing our services to clients.
Purposes of processing: Enabling people to comment on jobs we post and see updates to comment threads.
Types of personal data used: Comment submission data
Legal bias: Our legitimate interests in encouraging suitable people to apply for jobs with us.
Purposes of processing: Enabling people to participate in our webinars.
Types of personal data used: Webinar registration data
Legal bias: Our legitimate interests in demonstrating and promoting our expertise and engaging with clients and potential clients.
Purposes of processing: Enabling people to share content from our website via social media.
Types of personal data used: Social media plugin data
Legal bias: Our legitimate interests in promoting our business, services and expertise.
Purposes of processing: Communicating with people, e.g. in response to an enquiry made using contact details or a web contact form on this website.
Types of personal data used: Enquiry Data. Correspondence data.
Legal bias: Our legitimate interests in communicating with individuals that contact us.
Purposes of processing: Sending marketing communications to staff representatives of our clients and potential clients (see ‘Processing personal data for marketing purposes’ section below for further detail).
Types of personal data used: Business contact data. Enquiry data. Correspondence data.
Legal bias: Our legitimate interests in promoting our business and services, maintaining relationships with our clients, driving sales and sustaining and growing our business.
Purposes of processing: Client relationship management, including dealing with complaints, keeping records of our interactions with clients and other people and keeping in contact with clients and other people with whom we have interacted.
Types of personal data used: Correspondence data.
Legal bias: Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints and maintaining relationships with clients.
Purposes of processing: Analysing use of our website, e.g. finding out how many people visit various parts of the site, so that we can assess how successful our website is and how it could be improved or developed.
Types of personal data used: Usage data
Legal bias: Our legitimate interests in monitoring, maintaining and improving our website.
Purposes of processing: Keeping our website secure and functional
Types of personal data used: Usage data
Legal bias: Our legitimate interests in protecting our website and ensuring it works effectively.
Processing personal data for marketing purposes
We send occasional emails containing information about our business and services. We only send these to individuals who are staff representatives of our clients and potential clients or who have previously enquired or corresponded with us about our services, for example by requesting to download promotional material on our website or receive our newsletter.
If you do not wish to receive such communications from us, you can tell us by using the unsubscribe link in any email we send to you
In addition to the purposes set out above, we may also process the personal data if and to the extent necessary for the following purposes:
Purpose: Establishing, exercising or defending legal claims
Legal bias: Our legitimate interests in defending legal claims
Purpose: Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice
Legal bias: Our legitimate interests in protecting our business against risks
Purpose: Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator
Legal bias: Compliance with a legal obligation
Purpose: Protecting a person’s vital interests
Legal bias: Protection of vital interests
Explanation of legal bases
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law
Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual
Consent: the data subject has given consent to their personal data being processed for one or more specific purposes (a ‘data subject’ is an individual who can be identified from the data being processed).
Recipients of personal data
The personal data described in this notice may be shared with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:
We use a number of service providers in connection with our website, services, communications and IT infrastructure, which involves those service providers processing some of the personal data described in this notice to the extent necessary to provide the relevant services. We currently use the following providers:
Nature of services: . Azure cloud data storage and back-up and hosting of the website Office 365 business software services
Type of personal data processed: All categories of personal data described in this notice except usage data
Salesforce UK Limited
Nature of services: . Provision of web forms on our website and processing of data submitted via web forms
Enquiry data Provision/hosting of Client Hub
Client Hub account data
Provision of comments submission and subscription functionality
Comment submission data Website analytics to analyse how our website is used
Usage data Marketing platform
Type of personal data processed: All categories of personal data described in this notice except usage data
Squarespace Ireland Ltd
Nature of services: Various marketing related software services:
Provision of web forms on our website and processing of data submitted via web forms
Provision/hosting of Client Hub
Provision of comments submission and subscription functionality
Website analytics to analyse how our website is used
Type of personal data processed:
Client Hub account data
Comment submission data
All types of data described in this notice except usage data
Zoom Video Communications, Inc.
Nature of services: . Registration and delivery of our webinars
Type of personal data processed: Webinar registration data
Nature of services: Google calendar function for our webinars
Website analytics to analyse how our website is used (Google Analytics)
Type of personal data processed: Usage data
Nature of services: Website analytics to analyse how our website is used (Hotjar tracking cookies)
Type of personal data processed: Usage data
Nature of services: Playback of videos on our website
Type of personal data processed: Usage data
Nature of services: . Email marketing
Type of personal data processed: Business contact data, Enquiry data, Correspondence data, Email tracking data
We have contracts with all our service providers to ensure that they treat the personal data they receive in compliance with applicable data protection laws, including that they only process the personal data described in this notice to the extent necessary to provide the services.
Insurers and professional advisers: such as lawyers, accountants and business and marketing consultants, but only if and to the extent necessary for them to carry out the work we engage them to assist us with, for example in relation to a legal claim made against us or obtaining insurance coverage.
Buyers/prospective buyers: if we propose to sell or do sell any of our business or assets, we may make personal data available to a prospective buyer for the purposes of pre-sale due diligence or to a buyer as information assets transferred as part of the sale – for example a prospective buyer may request details of any outstanding legal claim against us, or a buyer may acquire ownership of our business contacts/client databases.
There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, including complying with legal obligations to disclose information.
In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.
International transfers of personal data
The personal data we process is hosted and stored on servers situated in the United Kingdom (UK. We transfer some personal data to the service providers described in the ‘Recipients of personal data’ section above that are based in countries outside the UK and European Economic Area (EEA). Below we describe these transfers and the safeguards in place to protect personal data once it has been transferred.
Our use of Microsoft services involves a transfer of all types of personal data described in this notice to the U.S.A. or any other country in which Microsoft or its sub-processors operate. These transfers are governed by Microsoft’s Standard Contractual Clauses which can be viewed here
Microsoft Corporation also participates in the EU-U.S. Privacy Shield and its registration can be viewed here
Our use of Salesforce CRM services may involve a transfer of all types of personal data described in this notice except usage data outside the EEA to Salesforce affiliates and sub-processors in various countries around the world (see Salesforce Infrastructure and Sub-processors documentation for further detail: click here.
Any such transfers are governed by Salesforce’s Processor Binding Corporate Rules, available here
Our use of Squarespace services involves a transfer of enquiry data, client hub account data, comment submission data, usage data, business contact data, enquiry data, correspondence data and email tracking data to the U.S.A. and elsewhere outside the EEA. These transfers are governed by Squarespace, Inc.’s participation in the Privacy Shield – its registration can be viewed here
Our use of Zoom services involves a transfer of webinar registration data to the U.S.A. Zoom Video Communications, Inc. participates in the Privacy Shield and its registration can be viewed here
Our use of Google Analytics and calendar services involves a transfer of usage data outside the EEA–to Google LLC in the U.S.A. and to its sub-processors in the U.S.A. and elsewhere. Google LLC participates in the Privacy Shield and its registration can be viewed here
Our use of Vimeo services involves a transfer of usage data outside the EEA toVimeo, Inc. in the U.S.A and elsewhere.Vimeo, Inc.participates in the EU-U.S. Privacy Shield and its registration can be viewed here
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the European Economic Area in connection with the purposes described in the ‘Other processing purposes’ section above, such as to comply with a legal obligation or defend or bring a legal claim. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
Explanation of international transfer terms referred to in this section:
Privacy Shield: this is an adequacy decision of the European Commission in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the Privacy Shield Framework Principles contained in Annex II to the European Commission Implementing Decision (EU) 2016/1250 of 12 July 2016. Further information can be found on the Privacy Shield website: and in the ICO guidance.
Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.
Standard contractual clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses.
See the Europa website for more information on, and links to, the standard contractual clauses: Binding corporate rules: these are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises, which must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers, be legally binding and enforced by every member of the group. See the Europa website for more information on, and links to, the standard contractual clauses here.
Binding corporate rules: these are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises, which must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers, be legally binding and enforced by every member of the group. See the Europa website for more information on, and links to, the standard contractual clauses.
Security of personal data
We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.
The personal data described in this notice is hosted in Microsoft Azure data centres, providing a high level of security. Each data centre is designed to run 24x7 and employs various measures to protect operations from power failure, physical intrusion and network outages and industry standards for physical security and reliability.
Information submitted via our website is encrypted in transit using industry standard Secure Sockets Layer (SSL) with 256-bit AES encryption.
Data is stored in a Microsoft Azure SQL database. The data is backed up every 5 minutes and stored for 30 days. A geo-replicated copy of the database is also stored for disaster recovery purposes. We apply strict permission control over OBM staff access to the personal data described in this notice so that only those staff members who need to have access for specific purposes can gain access.
It is important that you keep your password for accessing the Client Hub secret at all times.
Unfortunately the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.
Retention and deletion of personal data
We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.
Our retention periods and criteria
We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:
• Business contact data: We keep this for the duration of the relevant client contract and for a period of 6 years after termination or expiry of the contract. However, we may keep some of this data for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
• Client Hub account data: We keep this for 6 months after the client’s contract with OBM has ended or upon the client’s request if earlier.
• Enquiry data: The submitted web forms are stored for one year. We receive the data in the form of emails, which we store in accordance with our usual email archiving processes. However, we may keep some of this data for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
• Comment submission data: Comments are stored for 6 months and email addresses given for the purpose of subscribing to the comment thread will be stored in accordance with our standard archiving processes in place from time to time. However, we may keep email addresses for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
• Webinar registration data: Registration forms are stored for one year. However, we may keep names and email addresses for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
• Social media plugin data: we do not store this data.
• Correspondence data: We store emails in accordance with our usual email archiving processes. Messages via social media are stored in accordance with the social media providers’ data storage policies. However, we may keep names and email addresses for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
• Usage data: The statistical reports provided to us by Google are retained by us for 90 days; the reports provided to us by Hotjar are retained by us for 365 days and the reports provided to us by Squarespace are retained by us for 2 years. However, these contain only aggregated data that do not enable us to identify individual users.
• Email tracking data: this is stored in our Cognism account for 30 days after the tracked event
Retention and deletion of personal data for marketing purposes
We keep data relating to our clients’ staff representatives that is useful for marketing purposes (such as names, business email addresses, job titles and company details) for the purposes of sending marketing emails unless/until we receive an ‘unsubscribe’ request (in which case we will retain the details on a suppression list to ensure no further emails are sent) or until we receive an ‘undeliverable’ response (in which case we will delete the details from our records).
Retention and deletion of personal data for other purposes
These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, protecting a person’s vital interests or the establishment, exercise or defence of legal claims
What is a cookie?
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.
Cookies are either "persistent" cookies or "session" cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.
Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies. We also use other similar storage technologies such as web beacons (also known as "tracking pixels" or "clear gifs"), from our email services provider Cognism, to collect or receive information about recipients’ interactions with our marketing emails. These are tiny graphics files that contain a unique identifier that allow us to measure the effectiveness of these emails by understanding the actions that people take in response to receiving them.
Third party analytics service providers
We use Google Analytics, Squarespace and Hotjar to analyse the use of our website. These services gather information about use of our website, such as the number of unique interactions that take place on our website and overall patterns of usage. This information is gathered using cookies and used to create aggregate statistics about the use of our website.
Hotjar is contractually forbidden to sell any of the data collected on our behalf. Further information about Hotjar’s cookies is available here.
Squarespace records website visitor activity using cookies. Further information about the Squarespace cookies used on this website is available here .
We also use Cognism to analyse recipients’ interactions with our marketing emails. Cognism gathers information about email openings and clicks using various industry standard technologies including tracking pixels. The information gathered is used to create reports about recipients’ interactions with these emails and provide us with metrics on the deliverability of these emails.
Most computers and mobile devices automatically accept cookies by default, but you can change your browser settings to refuse to accept cookies, delete cookies or notify you when cookies are set. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
• Chrome: https://support.google.com/chrome/answer/95647?hl=en
• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
• Opera: http://www.opera.com/help/tutorials/security/cookies/
• Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-deletemanage-cookies
• Safari: https://support.apple.com/en-gb/HT201265
• Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
You can learn more about cookies by visiting www.allaboutcookies.org which includes useful information on cookies and how to block them using different types of browser.
You can block Google Analytics by downloading and installing the Google opt-out browser add-on available here or by blocking third party cookies in your browser options. Hotjar provide information on blocking Hotjar cookies here: https://www.hotjar.com/privacy/donot-track/.
Please note that if you block all cookies including those necessary to enable you to use and navigate the website, you may not be able to take full advantage of the functionality of the website.
You have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:
• access your personal data
• obtain rectification or erasure of your personal data
• restrict and/or object to processing of your personal data • have your personal data ‘ported’ to you or another organisation
• complain to a supervisory authority about our processing of your personal data
• withdraw consent to our processing of your personal data (where you have given consent) The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.
Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.
Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.
Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.
Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).
Data portability: where processing of your personal data is based on performance of a contract or your consent and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
Withdraw consent: where any processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to firstname.lastname@example.org, in addition to any other contact methods specified in this notice. Please be aware that if your request relates to any processing that we carry out as a processor on behalf of your employer, we will inform you this and advise you to make the request to your employer, because they will be the controller in relation to that processing who is responsible under data protection laws for responding to your request.
How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Relevant contact details for the UK supervisory authority, the ICO, can be found here: https://ico.org.uk/concerns/.
Open Blend Method Limited is a private limited company incorporated in England and Wales (registered company number 09283273). Our registered office is at 90a High Street, Berkhamsted, Hertfordshire, England, HP4 2BL. We are registered as a fee payer with the UK Information Commissioner's Office. Our data protection registration number is ZA244609.
For enquiries relating to this notice or our processing of personal data, please contact our data protection officer at email@example.com. You can also contact us using the web contact form or any of the contact details published on the ‘Contact’ page of our website from time to time.
Changes to this notice
We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.