Privacy - Storm

Storm Intelligent Communication Limited’s Privacy Policy

1. Introduction and Scope

Storm Intelligent Communication Limited (“Storm”, “we”, “us” or “our”) recognises that the privacy of the personal information that our clients provide to us is critically important. We take the privacy and security of personal information very seriously. We are committed to complying with our legal obligations under the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“UK Data Protection Laws”) and other data protection laws around the world.

This Privacy Policy explains what types of personal information we collect, what we do with that personal information, the legal basis for our processing of it, what rights individuals have in relation to any personal information we process about them and how they can exercise those rights. It also explains how we keep personal information safe and secure.

This privacy policy doesn’t apply to personal information about our employees or shareholders. It also doesn’t fully explain how our clients may use and deal with personal information which they collect whilst using certain of our products and services to supply services to end users. If you are a user of a Push To Talk system operated by one of our clients, then you should check that client’s privacy policy (usually located on an intranet or website operated by the client) or contact their data protection personnel to find out more about how that client uses and manages personal information which they collect whilst using our Push To Talk system

2. Who are Storm Intelligent Communication Limited?

Storm Intelligent Communication Limited is a company, registered in England and Wales under No. 07455436, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. Storm has been trading since early 2011. The business of Storm is that of a reseller of Push To Talk over Cellular and Wi-Fi products and services, developed by Mobile Tornado Group plc (“MTG”), which is a company, registered in England and Wales under No. 05136300, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. MTG’s technology enables our clients to offer Push To Talk, Push To Message, Push To Alert and Push To Locate services to their userbases, (altogether “PTT Services”). These technologies facilitate two way communication between users. Push To Talk, for example, allows users to exchange real time voice messages between mobile phones and/or personal computers. Push To Message, for example, allows users to message individuals in their contact list one-on-one, or broadcast to a larger group of contacts (one-to-many).

The PTT Services we sell are delivered via an internet protocol radio service (IPRS) platform (“IPRS Platform”). The key elements of the IPRS Platform include a PTT server (which controls the delivery of our PTT Services), load balancers and firewalls, together with various layers of software and client side applications. The IPRS Platform is connected to third party cellular networks via standard Gateway GPRS Support Nodes (GGSN’s). Much of the hardware that comprises the IPRS Platform is owned and/or operated by MTG, but for simplicity we refer to that hardware in this policy as if it were owned and/or operated by us. Because of this, some references in this privacy policy below to Storm should be understood as referring to either Storm and/or MTG.

Storm is registered with the Information Commissioner’s office under Registration No. A8789201. MTG is also registered with the Information Commissioner’s office under Registration No. ZA800391.

Storm operates a website, which provides more information about who we are and what we do, which can be viewed at https://www.storm.co.uk/ (“the Website” or “our Website”). MTG also operates its own website at https://www.mobiletornado.com, which provides further information about its business and operations. MTG’s privacy policy can be viewed at https://www.mobiletornado.com/privacy.

Our clients are public and private sector organisations and service providers (such as mobile phone operators who offer PTT Services), rather than individuals.

3. Contacting Storm

There are three ways to contact Storm to discuss any data protection issues you may have:-

In writing

The Data Protection Officer
Storm Intelligent Communications Limited
Cardale House Cardale Court
Beckwith Head Road
Harrogate, HG3 1RY

By email: gdpr@storm.co.uk

By phone: +44 (0)1423 513335 and ask for the data protection officer.

4. Who is responsible for the management of data protection at Storm

We have appointed Marcus Emptage as the Data Protection Officer for Storm. The Data Protection Officer is responsible for managing data protection at Storm and ensuring that we comply with our legal obligations relating to personal information. The Data Protection Officer can be contacted using the contact details given in section 3 above.

5. What types of personal data does Storm process?

Under data protection laws, personal data is any information relating to an individual from which that person can be identified. It does not include data from which the identity of an individual cannot be identified (which is anonymous data).

Storm processes two main categories of personal data: personal data relating to the users of our PTT Services and personal data relating to people who work for or represent our current and prospective clients or who are, work for or represent suppliers to Storm. In this privacy policy we deal with the former category of personal data in sections 6 – 10 below and the latter category of personal data in sections 11 – 17 below.

6. The Personal data Storm processes relating to users of our PTT Services

How our clients use our PTT Services determines what types of personal data Storm itself processes. Some of our clients procure their own PTT server and manage it themselves, via a private or public network, whilst other of our clients access, over the internet, a PTT server owned and operated by Storm on a Software as a Service (SaaS) model.

Where our clients use a Storm server on a SaaS model then certain types of personal data about end users of our PTT Services may be stored in a database that sits on the Storm server. End users (“Subscribers”) are mobile users, who either use a client app on their smart phones or use a rugged/dedicated device or a computer. Such personal data may for the Push To Talk product typically include the following:-

Usernames and passwords for organization managers that subscribe to our PTT Services
Contact details of the organisation managers (email, phone, address)
Names, phone numbers, user names, passwords and nicknames of Subscribers
Call logs of Subscribers (time & duration of PTT call, call initiator, call participants list, clients’ IP address)
The type of device that Subscribers are using
The time of the last sign-in of a Subscriber

The types of personal data, listed above, are relevant to the provision of the PTT Services and are used by organisations or Subscribers to better manage their operations.

For any particular Storm client the types of personal data processed and stored on our IPRS Platform are determined by that client and not by Storm. Our clients have full control over how much personal data will be kept on the IPRS Platform and have the option not to provide any data that personally identifies any particular Subscriber. For example, the full name and display name of a Subscriber is a field that can be filled with any data and is not verified or checked by Storm. Similarly, the phone number of a Subscriber can be replaced with an artificial identifier which is defined by the client. Location tracking can be turned off by the client or generally by an individual Subscriber: where that is the case the location coordinates are not transmitted from the PTT application to the PTT server. Similarly, the client can disable the ability to raise alarms for particular Subscribers. Storm can generally access call initiator and call participants data.

Under UK Data Protection Laws sensitive personal data is information relating to someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

None of the types of personal data listed above (and which are typically collected by our clients) will constitute sensitive personal data, with the possible exception of certain Subscriber names and addresses. However, as noted above, Subscriber personal identifiers, such as names and addresses, are optional and their collection is solely dictated by the client.

Storm does not record the voice traffic processed by the IPRS Platform. Storm personnel have no way to retrieve the content of Subscriber discussions conducted over the IPRS Platform. Our clients typically appoint a controller/dispatcher to manage the Subscribers in their organization. They do this via a despatch console installed in a Windows environment on a PC typically located at the client’s premises. The despatch console communicates with the IPRS Platform over the Internet. Voice recording is a feature that can be enabled on the despatch console and is automatically enabled during a Push To Alert event (see further below). Through the despatch console, a controller/dispatcher can record, retrieve and playback audio communications made by Subscribers. The recordings are stored only locally on the computer on which the despatch console is running. The despatch console is capable of:

searching and retrieving recorded sessions based on users groups, dates and time of calls
displaying call details (session name, call type, start/end time)
locating specific voice-bursts or listening to entire session in sequential mode
saving recorded PTT comms to the client’s local storage in .wav format.

An important feature of Storm’s IPRS Platform is the Push To Alert functionality. This allows Subscribers at risk to send a notification from their devices to control rooms, dispatchers and dedicated groups, by pressing an SOS button. Whenever the dedicated SOS button is clicked, a notification is sent to the relevant PTT server (which notification Storm can access) and from there it is forwarded to the control rooms or emergency groups of the relevant client. All steps in delivery, approval, and treatment are monitored and recorded for later debriefing. Once the emergency alert notification is received by the IPRS Platform then a number of processes are automatically triggered:

The despatch consoles receive up-to-date location information
Ambient listening is turned on upon dispatchers request
The voice recording system turns on automatically
The system logs the entire emergency session
The dispatcher traces the event until closure
All interested parties are alerted in real-time

A further important feature of our IPRS Platform is the Push To Locate functionality. This allows for the tracking of individual Subscribers who carry a GPS-enabled device. Storm software installed on the GPS-enabled device automatically attempts to derive its location at pre-defined update intervals. Controllers/dispatchers can also request a location update, set and track geo-fencing events, and initiate location based group calls. The precise details of how the Push To Alert function operates for any of our clients are determined by the relevant client. In many instances Storm personnel will be able to ascertain where a given Subscriber is.

Where our clients use their own PTT server (and in effect only license software from Storm) then Storm will generally not itself process any Subscriber personal data during the ordinary operation of the IPRS Platform. When such clients require us to access their own PTT server to inspect its operation, maintain it, rectify faults, deal with reported user issues or to update or alter the software on it, then such clients are responsible for providing us with a secure connection to their server, which restricts our service engineer access to client Subscriber personal data. When a client uses their own PTT server they are responsible for backing up any Subscriber personal data stored on it.

7. Storm’s role in relation to Subscriber personal data processed on our IPRS Platform

Our clients are for the purposes of UK Data Protection Laws, data controllers in relation to Subscriber personal data handled by our IPRS Platform because they determine the purposes for which and the means by which such Subscriber personal data is processed. Further information about how our clients manage such Subscriber personal data and their policies in relation to it will typically be available on our client’s websites, intranet sites or from their own data protection personnel.

Storm is the data processor in relation to Subscriber personal data processed on our IPRS Platform as we process that Subscriber personal data on behalf of our clients. Our obligations in relation to such personal data are set out in section 8 below.

8. Storm’s Responsibilities in relation to Subscriber personal data

As noted in section 7 above, Storm are a data processor in relation to Subscriber personal data that we process on the IPRS Platform. In relation to Subscriber personal data Storm has a number of legal obligations, which are set out below together with brief details of how we comply with them:

To only process personal data in accordance with instructions from the data controller, which in all cases will be our client. We comply with this as the client’s managers and controllers/despatchers set up how the IPRS System manages personal data and we merely ensure that the system performs in accordance with those instructions.
To enter into binding processor contracts with the data controllers (our clients). The GDPR sets out minimum terms which a controller must impose on its processor by contract. We either have in place such contracts or are in the process of amending relevant contracts so that they contain fully compliant provisions.
Not to engage a sub-processor without the controller’s prior specific or general written authorisation. The identity of any sub-processors we use is confirmed and agreed either specifically or in general terms with our clients prior to their appointment.
To implement appropriate technical and organisational measures to ensure the security of personal data. How we comply with this obligation is set out in section 21 below.
To notify the relevant data controller (our client) of personal data breaches without undue delay. We would do this as soon as we were aware of any data breach. We would notify our key client contact in the first instance.
To notify the relevant data controller (our client) immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws. This oversight is managed by our data protection officer, whose details are set out in sections 3 & 4 above.
To comply with GDPR/DPA accountability obligations, including maintaining records and appointing a data protection officer. Details of our data protection officer are set out in sections 3 & 4 above. Our data protection officer manages our accountability and record keeping obligations in accordance with the GDPR.
Ensure that any transfer outside the EEA is authorised by the controller and complies with the GDPR transfer provisions.

9. Our client’s responsibilities in relation to Subscriber personal data

Our clients, as data controllers in relation to the personal data of their Subscribers, are responsible for, amongst other things, the following:-

ensuring that their processing of Subscriber personal data is in compliance with the six data protection principles set out in the GDPR.
ensuring that individual Subscribers can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making.
Implementing appropriate technical and organisational security measures to ensure the security of personal data.
Notifying personal data breaches to the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Complying with certain accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer.
Ensuring compliance with the GDPR’s restrictions on transfers of personal data outside the EU.
Co-operating with supervisory authorities: they must cooperate with supervisory authorities (such as the ICO) and help them perform their duties.

In particular it is the responsibility of our clients to ensure that their Subscribers, controllers/dispatchers and organisation managers do not misuse any personal data collected during their use of our IPRS Platform.

10. Who has access to Subscriber personal data held on our IPRS Platform

On the client side, there are potentially two types of person who may have access to Subscriber personal data: controllers (dispatchers) and organisation managers.

Controllers/Dispatchers – their role is to manage the Subscribers in their organisation via a despatch console installed on Windows/PC station. The access they have to Subscriber personal data is determined by the client and not by Storm.

Organisation managers – Their role is to manage the Controllers/Dispatchers and/or Subscribers in their organisation. They control access to the IPRS Platform for Subscribers in their organisation. The access they have to Subscriber personal data is determined by the client and not by Storm.

In addition Storm’s customer care engineers may have access to Subscriber personal data. Storm’s customer care engineers typically access the IPRS Platform remotely using a secure connection. They maintain the IPRS Platform and ensure that it is working properly and provide assistance to Subscribers with problems. There are two levels of engineers: lower level engineers only have access to run time logs, while senior level engineers may access the Subscriber database but only for troubleshooting purposes.

11. What personal data does Storm itself collect?

Storm holds and processes personal data relating to individuals who work for or represent our current and prospective clients or who are, work for or represent suppliers to Storm (altogether “Storm Contacts”). Storm Contacts tend to be our principal or historic points of contact with an organisation, client administrative & technical personnel, organisation managers and controllers/dispatchers and those involved in the supervision and/or provision of our PTT Services and the software and hardware that are used to run them.

That personal data includes all or at least some of the following items:

First name, surname, title, work address and post code, work email address, work and mobile contact telephone number
Information about marketing preferences
Information about our interactions with them.

This data will not generally be regarded as sensitive personal data, with the possible exception of certain names and addresses.

In order to improve the Website, we may also collect anonymous data about how users navigate through and use the Website.

We do not collect or process personal data about children.

12. Updating or changing Storm Contacts personal data

If you are or believe that you may be an Storm Contact then please do help us to keep your personal data up to date by notifying us of any changes relating to for example your name, work address or marketing preferences.

You can update any information Storm holds about you by contacting your usual contact at Storm or by contacting the data protection officer, whose details are in sections 3 & 4 above or our client services team on 01423 513335. They will be delighted to help you.

14. How does Storm collect Storm Contacts personal data?

We collect personal data about Storm Contacts when we engage with existing and prospective clients and suppliers. This can be during marketing activities, when a contract to provide PTT Services is concluded or in connection with the provision of the PTT Services. The personal data can be collected in meetings, via our Website, during phone or video calls or during the client set up/registration process to use our PTT Services.

15. How does Storm use Storm Contacts personal data?

We will use Storm Contacts personal data in the following ways:

To fulfil our contractual obligations to our clients in relation to the provision of PTT Services.
To deal with any technical or Subscriber issues that arise on our IPRS Platform.
To manage the administrative aspects of our contracts with clients and suppliers including billing, software and hardware updates and support.
To comply with any legal obligations upon us.

16. What is the legal basis on which Storm processes Storm Contacts personal data?

UK Data Protection Laws provide that a data controller can only lawfully process personal data if it satisfies at least one of up to six possible legally defined grounds or bases for doing so, which are set out in the GDPR. We set out below the bases that Storm relies on in relation to its processing of Storm Contacts personal data.

The legally defined reasons Storm relies on are as follows:-

The Storm Contact has consented to our processing his or her personal data. Storm can collect and process Storm Contact personal data with the consent of the contact. This will be the case if the contact has provided his or her personal data to us during the course of dealing with us either as a contact of a client, prospective client or supplier. Storm relies on this ground to carry out administrative, support and billing functions to our clients and suppliers.
Storm’s Contractual Obligations. Storm may process Storm Contact personal data to comply with and perform our contractual obligations under a contract or potential contract with a client or supplier. We rely on this basis to carry out administrative, support and billing functions to our clients and suppliers.
Legitimate Interests. Storm may process personal data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact on the rights, freedoms and interests of individuals. We have a legitimate interest in carrying out marketing activities in order to offer our current and prospective clients and targets new and improved PTT Services that we think might be of interest to them. We rely on this ground in relation to our marketing activities.

As Storm is not a data controller but only a data processor in relation to Subscriber personal data, Storm does not need to satisfy at least one of the six permissible grounds in relation to Subscriber personal data but its clients have to.

17. Marketing

If you are a contact of an existing client, or a prospective client who has shown an interest in our products or services, we may contact you by post and by telephone with marketing material and information about our PTT Services. We may also email such contacts to promote our PTT Services, unless, when the contact first provided their details to us or subsequently, the contact indicated that they didn’t want to receive or no longer want to receive such marketing emails messages from us. In addition, all our promotional emails contain an opt out option, which can be used to tell us to stop sending marketing emails.

We regularly check (or ensure third parties appointed by us to run certain of our business services regularly check) our Storm Contact databases against lists maintained by the Telephone Preference Service (https://www.tpsonline.org.uk/tps) and the Mail Preference Service (https://www.mpsonline.org.uk) to ensure that we don’t call or post items to Storm Contacts who have registered with these services not to receive marketing calls or mailings.

18. Changing your marketing preferences

You can tell us at any time to stop marketing to you by using any of the methods set out in section 3 above or by submitting a request via this email address: hello@storm.co.uk

Each time you receive a marketing email from Storm, you will be given the opportunity to opt-out of receiving further marketing emails or texts.

We will try to implement any change to your marketing preferences as soon as reasonably possible.

18. Who do we share personal data with?

Storm does not share Subscriber personal data with any other entity except, where lawfully requested by the relevant data controller (our client).

We do not share Storm Contact personal data with any third party.

19. What are your legal rights in relation to your personal data?

Individuals (“Data Subjects”) have a number of legal rights in relation to the personal data we hold about them. These include:

The right to be informed about how we process and manage the Data Subject’s personal data. We comply with the Data Subject’s rights in this regard by the publication of this privacy policy.
The right to obtain a copy of any personal data about the Data Subject which we hold at any time and to obtain certain information about how we process that data. This is called a Subject Access Request and Data Subjects can submit such a request by contacting the data protection officer: see sections 3 & 4 above.
The right to request that any inaccurate or incomplete personal data that we hold about the Data Subject is corrected. The Data Subject can update their personal data by contacting the data protection officer: see sections 3 & 4 above.
In certain circumstances, the right to request that we erase or restrict our processing of personal data that we hold about the Data Subject.
The right to request the transfer of their personal data to the Data Subject or to a third party nominated by them.
The right to request that we stop using their personal data for direct marketing or for purposes based on legitimate interests. A Data Subject can tell us at any time to stop marketing to them by using any of the methods set out in section 3 above or by emailing hello@storm.co.uk.
The right to require us to stop processing their personal data where the Data Subject contests the accuracy of the information we hold about them.
Where our processing of the Data Subject’s data is based on their consent, the right to withdraw their consent at any time so that we then stop processing their personal data based on that consent.
The right to have any decision, made solely on the basis of automatic processing of the Data Subject’s personal data, reviewed by a human being, express their point of view on the decision, obtain an explanation of the decision and challenge it.
The right to compensation in certain circumstances where we breach the Data Subject’s rights relating to any information in a way that causes the Data Subject damage.

If you would like to exercise any of your legal rights in relation to the personal data we hold about you, you can submit a request through our Website using this link: www.storm.co.uk or by contacting the data protection officer whose details are set out in sections 3 & 4 above.

Generally Data Subjects will not have to pay a fee to exercise any of their legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from a Data Subject to confirm their identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask a Data Subject for additional information to help us respond to their request. We will try to respond to a Data Subject’s request within one month but, if the request is very complex or if a Data Subject has made a number of requests, it could take longer. In such circumstances, we will explain to the Data Subject why it will take longer to respond and we will keep them updated.

20. How long will we keep your personal data?

We retain Storm Contact personal data for as long as reasonably necessary to fulfil the purposes it was collected for and to enable us to comply with our legal obligations. This will often be for as long as a client uses our PTT Platform or a supplier supplies us or if longer for up to six years after the last recorded transaction or interaction with the client or supplier. Six years is generally the limitation period under UK law for a client or supplier to bring a breach of contract claim against us. At the end of the relevant period, personal data will be irretrievably deleted.

Generally, Storm stores Subscriber personal data (and a back-up of it) for a limited retention period, as specified by individual clients. Call logs are typically retained for 36 days. Location history is typically retained for 1 year. After the retention period has expired then the Subscriber personal data and any back-up of it will be irretrievably deleted.

21. How do we protect personal data?

Storm takes the security of personal data very seriously. We use appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or loss.

In relation to Subscriber data, we understand the importance of secured communications when any Subscriber is communicating privately and does not want a third party to listen in. In order to achieve that, the IPRS Platform needs to eliminate the risk of interception. Storm’s IPRS Platform is built with security by design principles, meaning confidentiality, integrity, and availability.

The development of our IPRS Platform, its installation and maintenance are carried out in accordance with the rules set out by the latest security standards. Our products and services comply with the security and privacy requirements of GDPR, ISO 27000 and AES-256.

When Subscribers, organisation managers, controllers/dispatchers communicate using our IPRS Platform, either over a cellular data connection or Wi-Fi, the PTT server uses a proprietary Mobile Tornado communications protocol, which would make it very hard for an unauthorised third party to intercept the communications.

Additionally sensitive information like user credentials/passwords is encrypted using state of the art third party encryption software.

In order to increase the safety and privacy of the subscribers, Storm has further introduced the following features in the PTT service:

If the credentials of a Subscriber are used in another device, the Subscriber receives a warning message (“logged on in another device”) and the PTT application automatically signs-out from the service in favour of the second device. This ensures that the subscriber is aware of this fact and no one can listen to PTT sessions that they are not allowed to participate.
To minimize the chances of impersonation, when a subscriber talks in a PTT session, the display name associated with the Subscriber (as dictated by client) appears on screen, so other Subscribers get to know who is.
Except for very large groups, the names of the participants in a call are listed and shared among all Subscribers participating in the PTT session so they can see who has joined the call and thus protect their

Our security model can be represented by four different layers: physical, logical, data and code. Physical access to relevant hardware is restricted to authorised personnel. Access to the management portal is protected by the use of cryptographic protocols (TLS), logical protection deployed over the firewalls, switches, load-balancers, and the use of single board computers (SBCs), which allow for enhanced security.

Where a client uses a Storm server, there is a state of the art firewall between that server and the internet. The firewall is a network security device, which monitors incoming and outgoing network traffic and permits or blocks data packets passing through it based on a set of security rules, which are continually updated so as to target current threats such as malicious viruses and hackers.

Further Storm’s security methodology utilises several mechanisms in connection with the encryption of data sent between us and our clients’ IT systems, the main ones being as follows:

Deep packet inspection and rate limits enforcement by SBC
Segmentation and segregation of networks and functions
Limitation of unnecessary lateral communications
Multiple factor subscriber authentication
IP, users ID, and packet authentication
Voice stream encryption by AES-256
Continuous validation of the integrity
Strict hardening of network devices
Personal address book protection
Protocol compliance validation
Remote control of user device
Private keys support in KMS
Voice recording encryption
IM manipulation protection
Constant security audits

All Storm Contact personal data, which we store electronically, is stored on our private, secure network of computers. Access to our IT systems is password protected. Our IT provider regularly monitors our computer and network systems for possible vulnerabilities and attacks and use state of the art firewalls and anti-virus software, which is regularly updated.

22. Where is your personal data processed?

We only process personal data in the UK or the EEA.

23. Personal data of international Subscribers and Storm Contacts

Storm is based in the UK and is committed to complying with UK Data Protection Laws. UK Data Protection Laws are amongst the strictest in the World and we generally take the view that if we comply with UK Data Protection Laws that such compliance will help us ensure compliance with local data protection laws that apply outside the UK. However where we contract with a client based outside the UK we endeavour to ensure that we also comply with any particular local data protection law requirements.

24. Changes to our privacy policy

As we continue to develop our business and to take advantage of advances in technology, our privacy policy may change. This version was last updated on 12.01.2021. Any changes we may make to our privacy policy will be posted on this page and, if appropriate, we will notify any significant changes to relevant individuals by email or in some other manner. Please refer to this page frequently for updates and changes to our privacy policy.

25. How do you make a complaint to the regulator?

You also have the right to make a complaint to the Information Commissioner’s Office (ICO), which is the UK data protection supervisory authority, if you feel that your personal data has not been handled properly or if you are not happy with the way that we have responded to any request you have made relating to the personal data we hold about you. The ICO can be contacted by telephone on 0303 123 1113 or online at www.ico.org.uk/concerns. We would appreciate the opportunity to resolve any data protections issues with you, so please contact us in any of the ways set out in section 3 above, in the first instance.

Cookie Policy

Cookies and How We Use Them
What are cookies?

Computer cookies are small text files that a website transfers to your computer. Cookies cannot harm your computer and are anonymous. They do not contain any information that could be used to identify you, nor do they contain any confidential information such as your email address or credit card details.

Using cookies helps us to make our Website easier for you to use and helps us to give you a more personalised web experience, such as enabling us to present information about our products, which we believe will be of more interest to you. Examples of our use of cookies include:

Are cookies safe?
Yes. The information stored in cookies is anonymous and secure. It cannot be used to identify you personally and cannot harm your computer.

Can I switch cookies off?
Storm uses these cookies to make our Website easier to use and to allow us to provide the best possible standard of service. Cookies are an essential part of how our Website works. However we require your consent to use them. To withdraw your consent, or if you want to be notified each time a cookie is about to be used, you should use the settings provided in your Website browser to prevent us from storing cookies on your computer. However if you choose not to consent to the use of cookies your experience of our Website could be impaired and it’s possible many important aspects of the site will not work at all.

FORCE24 cookies & tracking

Our organisation utilises Force24’s marketing automation platform.

Force24 cookies are first party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:-

F24_autoID
F24_personID

They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.

f24_autoId – This is a temporary identifier on a local machine or phone browser that helps us track anonymous information to be later married up with f24_personid. If this is left anonymous it will be deleted after 6 months . Non-essential, first party, 10 years, persistent.

f24_personId – This is an ID generated per individual contact in the Force24 system to be able to track behaviour and form submissions into the Force24 system from outside sources per user. This is used for personalisation and ability to segment decisions for further communications. Non-essential, first party, 10 years, persistent.

The information stored by Force24 cookies remains anonymous until:

Our website is visited via clicking from an email or SMS message, sent via the Force24 platform and cookies are accepted on the website.
A user of the website completes a form containing email address from either your website or your Force24 landing pages.

The Force24 cookies will remain on a device for 10 years unless they are deleted.