PRIVACY NOTICE
ORCA VALUE YOUR PRIVACY
AS MUCH AS YOU DO
[Last Updated July 2023]
1. Introduction
Your privacy is important to ORCA Computing, and we are committed to safeguarding the privacy and security of the personal information in our care. This policy explains how we collect your personal information, what we do with it, and your rights in respect of it. We have a separate Cookies Policy which sets out similar information relating to the cookies that we use, which can be found here.
When we say “we”, “our”, “us”, “ORCA”, or “ORCA Computing” in this policy, we are referring to all or any of the entities which make up the international ORCA Group, as the context requires. An explanation of some of the other terminology that we use in this policy is set out in Section 10, “Terminology”.
Please take a moment to familiarize yourself with our privacy practices and let us know if you have any questions by emailing privacy@orcacomputing.com.
ORCA may update its Privacy Notice from time to time. Any changes we make will become effective when we post a modified version of this policy on our website, and we agree the changes will not be retroactive. The legend at the top of the policy indicates when it was last changed/updated.
2. Who and where we are
ORCA Computing Limited is a company incorporated and registered in England and Wales with company number 12285629 whose registered office is at 30 Eastbourne Terrace, London, UK, W2 6LA. ORCA Computing Limited also has subsidiaries and branch offices outside of the UK.
ORCA develops full-stack quantum computing systems and related technologies and provides consultancy services. Our global reach means that we are subject to differing data protection regimes of the jurisdictions in which we operate. We aim to achieve uniformity of data protection practices across all jurisdictions in which we operate, whilst also complying with all relevant data protection laws. This policy reflects the EU’s GDPR standard of protection of personal information and references the relevant Articles of the EU GDPR where appropriate. In those jurisdictions where data protection regimes differ significantly to the EU GDPR, elements of this policy may not apply, for example individuals’ rights in relation to their personal information, and this policy does not establish any rights or obligations which are additional to those prescribed in the applicable local data protection law.
2.1 Data Controller
We are the data controller of the information that we process. That is, ORCA is the organisation that determines, alone or jointly with one or more other parties, how your personal information is processed and for what purposes. This means that we are legally responsible for ensuring our systems, processes, suppliers, and people comply with data protection laws in relation to the personal information that we handle.
The majority of ORCA’s internal business operations are centralised in the UK, operating out of ORCA Computing Limited to support the business globally. ORCA Computing Limited is the data controller for these centralised services. However, depending on the jurisdiction from which our services are provided to you, or in which your personal information is otherwise processed by us, ORCA Computing Limited or another entity of the ORCA Group may be the data controller in respect of your personal information.
Where we transfer your personal data to third parties, in certain circumstances those third parties may also be data controllers. More information about this is provided in the “Disclosure” sections of Section 5, “How do we process your personal information?”
2.2 Contacting us
If you have any questions or concerns as to how your personal information is handled by ORCA, please email privacy@orcacomputing.com.
You are, of course, welcome to write to us at our office directly at the address mentioned in Section 11.
3. Transfers of personal information across our business and to our suppliers
Our global presence means that your personal information may be transferred across the business worldwide due, for example, to our shared IT systems and datacentres, and cross-border working practices. Personal data transfers are facilitated across the ORCA Group by way of an intra-group data transfer agreement which applies contractual protections and other appropriate safeguards required under applicable data protection law to all such transfers of personal data within the ORCA Group. Such contractual protections include obligations on ORCA entities outside the EU and UK to resist and challenge demands for data made by local government agencies, to the extent possible.
We also use a number of suppliers and service providers in connection with the operation of our business who may have access to the personal information that we process. For example, IT suppliers providing us with software support, web hosting services, or cloud services may have access to personal data. In all cases, your personal information is handled in accordance with the relevant data protection laws. Where we use cloud services, our data will generally be hosted within the UK or EU, those being the locations which offer the highest level of data protection regulation of all the regions in which we operate. In the event that any personal data is to be processed by suppliers outside the EEA in countries that the UK and/or EU have not assessed as providing an adequate level of protection, we will ensure that personal data is adequately protected in accordance with applicable data protection law by ensuring information security and other appropriate safeguards are in place, and by ensuring that the contractual clauses govern how the data is to be processed or by ensuring that the supplier has binding corporate rules in place.
4. Whose personal information do we process?
We collect and process the personal information:
- of visitors to our website at www.orcacomputing.com (see Section 5.1 “Visitors to our website” for more information), including those that optionally engage with the contact form or subscribe to the mailing list as provided therein;
- of our non-customer/collaborator contacts, such as those who attend our seminars and events, engage with us via social media, and subscribe to our newsletters, email services and other promotional services other than via our website (see Section 5.2, “Non-customer/collaborator contacts”, for more information);
- obtained or created in relation to the services we provide, including the personal information of:
- our customers and collaborators, our customer and collaborator contacts, their people and third parties engaged by our customers and collaborators (see Section 5.3, “Customers and Collaborators”);
- of those who apply for a job or work placement with us (see Section 5.4, “Applicants”);
- of contractors, suppliers, funding bodies, and other third parties connected to the operation of our business (see Section 5.5, “Suppliers”); and
- of our employees.
5. How do we process your personal information?
We will only process your personal information where we are permitted to do so by law, meaning when we have one or more legal basis to do so. The following subsections explain how we process your personal information depending on the context of how personal information typically comes into our care, and include further information about the legal basis or bases that we rely on in those circumstances.
Please note, some people may come under multiple headings. For example, an applicant who submits a CV via our website will qualify as a website visitor and an applicant for the purposes of the subsections below.
In certain circumstances, we rely on the legal ground known as ‘legitimate interests’ to process your personal information. This is where the processing of your personal information is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, but which is not detrimental to you and would have minimal impact on your privacy.
Insofar as we wish to use your personal information for purposes other than those mentioned above, we will check whether these additional purposes are compatible with the original purposes. Depending on the circumstances, we will inform you about the change of purpose and obtain your consent for the further processing of your personal information.
If you would like more details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been set out in the relevant subsection below, please email us at privacy@orcacomputing.com.
5.1 Visitors to our website
5.1.1 What information is collected when you use our website?
ORCA’s website, www.orcacomputing.com, is hosted by a UK-based web hosting provider that processes data in compliance with UK GDPR and EU GDPR.
Our website uses cookies (please see our Cookies Policy for more information), which with your consent collect personal information to enable us to conduct site analytics. Accordingly, the personal information collected by our website may also include details about your use of this website, including clicks, internal links, pages visited, scrolling, searches, and timestamps.
Our website also includes a contact form, which you can optionally use to contact us. This form collects any personal information that you may provide, including your first name, your last name, your email address, and any other personal information that you may provide through the contact form.
Our website also includes a facility to optionally sign up to our mailing list, which collects your email address.
Our website also contains several email addresses, including careers@orcacomputing.com, to which you may send us an email containing your personal data.
5.1.2 Legal bases for processing
One or more of the following legal bases for processing your data apply:
- You have provided us with your consent to use your personal information, e.g. in the course of subscribing to our mailing list, contacting us through our website’s contact form, and/or accepting the use of cookies (Article 6(1)(a) EU GDPR).
- It is necessary to pursue our legitimate interests for the purpose set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
5.1.3 Use
We may use your information:
- To facilitate your use of our website;
- To process any information submitted through the contact form on our website, including completing any requests you may make through that form;
- To provide and improve our services and products, e.g. by monitoring and recording information relating to web-based services such as how and when systems are accessed and how data is uploaded, to analyse performance, subject always to our obligations under applicable law;
- To promote our services and to contact you with communications including breaking news, newsletters, and events;
- Subject always to our obligations under applicable law, to improve your experience of our website, newsletters, and other services.
5.1.4 Disclosure
Your personal information may be transferred worldwide:
- Across the ORCA Group;
- To service providers who support the operation of our business, for example Hubspot (which stores contact details for our mailing list);
- To law enforcement, judicial, governmental and regulatory agencies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations; and
- To other third parties in limited circumstances.
5.2 Non-customer/collaborator contacts
5.2.1 Collection
We may collect personal information:
- directly from you, e.g. when you email us or our employees, engage with one of our social media accounts or those of our employees, register for in-person events, seminars, or webinars, or otherwise provide your details to us to receive communications from us.
- from other publicly available sources, subject always to our obligations under applicable law.
5.2.2 Types of personal data
The types of personal data that may be collected include:
- identification information, e.g. title, name, the company you work for, and your job title or position;
- contact information, e.g. your address, email address, phone number, and marketing preferences;
- personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you;
- technical information, e.g. details of visits made to our premises such as swipe card access logs, and details of visits made to our online services;
- diversity, health, religious beliefs or other special category personal information;
- images, e.g. CCTV footage taken at our premises and photos taken at our seminars or events;
- any other information relating to you which you may provide to us.
5.2.3 Legal bases for processing
One or more of the following legal bases for processing your data apply:
- You have provided us with your consent to use your personal information, e.g. in the course of subscribing to our newsletters (Article 6(1)(a) EU GDPR).
- It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section below (Section 5.2.4, “Use”) (Article 6(1)(f) EU GDPR).
- We process special category personal data, as necessary, with your consent (Article 9(2)(a) EU GDPR).
5.2.4 Use
We may use your information:
- to complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you;
- to provide and improve our services and products;
- to promote our services and to contact you with communications about commercial updates, breaking news, newsletters, and events;
- for health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies;
- to facilitate our internal business operations, e.g. internal record keeping and accounting;
- subject always to our obligations under applicable law to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business;
- for information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity, and scanning communications for appropriate content, attachments and viruses.
5.2.5 Disclosure
Your personal information may be transferred worldwide:
- across the ORCA group;
- to service providers who support the operation of our business;
- to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations; and
- to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).
5.3 Customers/Collaborators
5.3.1 Collection
We may collect personal information:
- directly from you, the customer or collaborator, e.g. to inform our work, and to enable us to carry out the relevant project or supply the relevant services;
- from third parties e.g. further information to verify your identity or inform our work for our client may be collected from other professional advisers and third parties connected to a matter,
- from publicly available resources, for example, company registers, press releases published by customers or collaborators, information published by media outlets including social media;
- directly from you, e.g. when you register for our online or in-person events, seminars, or webinars, or to receive communications from us.
5.3.2 Types of personal data
The types of personal data that may be collected include:
- identification information, e.g. title, name, date of birth, the company you work for, your job title or position;
- contact information, e.g. your address, email address, phone number, and marketing preferences;
- financial information, e.g. bank details and identifiers, and fees information;
- technical information, e.g. records of your visits to our premises (e.g. turnstile/ swipe access logs);
- personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you;
- special category personal data, e.g. diversity, health and religious/philosophical beliefs;
- images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events;
- other personal information provided to us by you, by our customer/collaborator, or by third parties on our customer/collaborator’s behalf to inform our work for our customer/collaborator, or generated or sourced by us in the course or providing our services to our customer or collaborator;
- any other information relating to you which you or our customer/collaborator may provide to us.
5.3.3 Legal bases for processing
One or more of the following legal bases for processing your data apply:
- It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section below (Section 5.3.4, “Use”) in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
- It is necessary for the performance of a contract with our customer, e.g. in connection with the provision of hardware, software or consultancy services to our customer (Article 1(6)(b) EU GDPR).
- It is necessary for the performance of a contract with our collaborator (Article 1(6)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information, e.g. in the course of completing a survey or signing-up to an event (Article 6(1)(a) EU GDPR).
5.3.4 Use
We may use your information:
- to deliver our services to you or our customer;
- to facilitate the performance of projects with our collaborator;
- to manage and administer our relationship with you or our customer/collaborator e.g., communicating with you;
- to facilitate our internal business operations, e.g. internal record keeping, procurement and accounting practices;
- to establish, exercise or defend legal claims;
- as required by law and to comply with our statutory and regulatory obligations;
- to complete any request that you may make in relation to your marketing preferences, or other preferences relating to our communications with you;
- subject always to our obligations under applicable law, to improve our services and products;
- to promote our services and to contact you with communications about updates, newsletters and events;
- for health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies;
- subject always to our obligations under applicable law, to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business;
- for information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses;
- so that you may provide a reference for us, in connection with a bid or tender, where we have agreed that you are happy to do so.
5.3.5 Disclosure
Your personal information may be transferred worldwide:
- across the ORCA Group;
- to service providers who support the operation of our business, e.g., postal, courier and telecommunication service providers, financial institutions and other payment services providers, and providers of debt management services;
- to other third parties connected to, involved in or engaged by us to support our work for our customer;
- to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations; and
- to other third parties in appropriate circumstances, e.g. to our customers/collaborators during the course of our work with them, and where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).
5.4 Applicants
5.4.1 Collection
We may collect personal information:
- directly from you, e.g. via your application, submission of your CV, completing our diversity questionnaires, in interviews, and at recruitment events and networking occasions;
- from third parties, including recruitment agencies, our own staff, providers of background checking services, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media such as LinkedIn.
5.4.2 Types of personal data
The types of personal data that may be collected include:
- personal information, including name, date of birth, address, contact details, qualifications, and education and employment history;
- pre-employment vetting information including the results of criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status;
- personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you, including notes from interviews;
- records of your visits to our premises (e.g. turnstile/ swipe access logs);
- any other information relating to you that you may provide to us.
5.4.3 Legal bases for processing
One or more of the following legal bases for processing your data apply:
- It is necessary to pursue our legitimate interests for the purposes set out in Section 5.4.4, “Use” (Article 6(1)(f) EU GDPR).
- It is necessary in order for us to take steps, at your request, to enter into a contract with you (Article 1(6)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
We may process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:
- with your consent.
- in relation to legal claims.
- to prevent or detect unlawful acts.
- to comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
- to protect the public against dishonesty.
- to prevent fraud.
5.4.4 Use
We may use your information:
- for our recruitment processes, including vetting and background checks where appropriate, and to assess suitability, eligibility and fitness to work;
- for human resources administration, in respect of your application and our onboarding process (if applicable);
- for health and safety reasons, e.g. to inform access, adjustment and dietary requirements and the application, audit and enforcement of our policies in respect of in-person meetings/interviews and, if applicable, for your future role at ORCA;
- for information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses;
- for reporting purposes when required to do so by law or regulation.
5.4.5 Disclosure
Your personal information may be transferred worldwide:
- across the ORCA Group;
- to service providers who support the operation of our business;
- to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
- to other third parties in limited circumstances.
5.5 Suppliers
5.5.1 Collection
We may collect personal information:
- directly from you;
- from the organisation that you work for;
- from third parties, such as other professional advisers and third parties connected to a matter, and through publicly available sources.
5.5.2 Types of personal data
The types of personal data that may be collected include:
- personal identifiers e.g. title, name, date of birth, address, email address and phone number;
- professional contact information, e.g. the organisation you work for, your job title or position, address, email address and phone number;
- professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us;
- financial information, e.g. bank details and identifiers, and fees information;
- personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you;
- images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events;
- technical information, e.g. details of visits made to our premises such as turnstile/ swipe card access logs;
- any other information relating to you which you may provide to us.
5.5.3 Legal bases for processing
One or more of the following legal bases for processing your data apply:
- It is necessary to pursue our legitimate interests for the purposes set out in Section 5.5.4, “Use” (Article 6(1)(f) EU GDPR).
- It is necessary for the performance of a contract with you (Article 6(1)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
5.5.4 Use
We may use your information:
- to deliver our services to our customers / to enable our projects with collaborators;
- to manage and administer our relationship with you e.g. communicating with you, and instruction and billing procedures;
- to facilitate our internal business operations, e.g. internal record keeping, and procurement and accounting practices (in respect of suppliers and other service providers);
- to establish, exercise or defend legal claims;
- as required by law and to comply with our statutory and regulatory obligations;
- for information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses;
- so that you may provide a reference for us, in connection with a bid or tender, where we have agreed that you are happy to do so;
5.5.5 Disclosure
Your personal information may be transferred worldwide:
- across the ORCA Group;
- to service providers who support the operation of our business;
- to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations;
- to other third parties in appropriate circumstances, e.g. to our clients during the course of our work with them and where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).
6. Your rights
6.1 In this Section 6, we have listed the rights that data subjects have under the EU GDPR and UK GDPR data protection laws.
6.2 A data subject’s principal rights under data protection law are:
- the right to access – you can ask for copies of your personal data;
- the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data;
- the right to erasure – you can ask us to erase your personal data;
- the right to restrict processing – you can ask us to restrict the processing of your personal data;
- the right to object to processing – you can object to the processing of your personal data;
- the right to data portability – you can ask that we transfer your personal data to another organisation or to you;
- the right to complain to a supervisory authority – you can complain about our processing of your personal data; and
- the right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.
6.3 These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
6.4 You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.
7. Data Storage and Data Retention
7.1 Your personal information will be stored in:
- ORCA’s information systems; and
- third party software applications and service providers which have been procured to support the management of the information in our care.
In all cases, personal information of yours that is shared or stored outside of the ORCA Group will be limited to the minimum required for the relevant purpose and subject to the appropriate provisions and safeguards regarding data subjects’ rights, information security, disclosure, confidentiality and data protection. For more information about personal data transfers, please see Section 3 of this policy.
7.2 We may occasionally store data (documents) in our offices, which may include some of your data.
7.3 Your personal information is retained by us in accordance with applicable law and regulation. Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care. Generally speaking, we delete personal information when the purpose for its processing has been fulfilled or the contractual relationship with our customer, contractor or you has ended, and there are no other legal obligations to retain the personal information nor legal bases for further processing.
In accordance with established policies and procedures, ORCA will periodically destroy or erase any personal information that is no longer needed.
8. Links to other websites
We sometimes provide you with links to other websites, but these websites are not under our control. We are not liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by those websites.
We recommend that you check the privacy policy and terms and conditions on each website to see how each third party will process your information.
9. Amendments
9.1 We may update this policy from time to time by publishing a new version on our website.
9.2 You should check this page occasionally to ensure you are happy with any changes to this policy.
9.3 We may notify you of significant changes to this policy by email.
10. Terminology
“data controller” means a person who, or organisation which, alone or jointly with others, determines how Personal Information is processed and for what purposes;
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1. 4.5.2016
“individual” or “you” means the person whose Personal Information is being collected, held, or processed.
“ORCA Group” means ORCA Computing Limited, its branch office(s) and subsidiaries.
“personal information” or “personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“process”/ “processing” means any activity that involves Personal Information. It includes obtaining, recording or holding the personal information, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Information to third parties as a result of those third parties having access to it.
“special category personal information” means information revealing someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic information, biometric information, information concerning health of concerning sex life or sexual orientation.
“UK GDPR” means the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU exit) Regulations 2019).
11. Our details
11.1 This website is owned and operated by ORCA Computing Ltd.
11.2 We are registered in England and Wales under registration number 12285629, and our registered office is at 30 Eastbourne Terrace, London, UK, W2 6LA.
11.3 You can contact us:
(a) by post, to the postal address given above;
(b) using our website contact form;
(c) by telephone, on the contact number published on our website; or
(d) by email, using the email address published on our website.