This privacy notice tells you what to expect when Storm ID collects personal information. It applies to information we collect about:
- visitors to our websites
- job applicants
- our current and former employees
You have the right to object to us processing your data.
Visitors to our websites
When someone visits a Storm ID website, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Website tracking with Google Analytics
We use Google Analytics to measure website usage in order to inform improvements to the website. Google collects this data and provides us with access to aggregated reports of website use.
Google Analytics tracks information about:
- your location
- your device
- web pages on our website you have visited or interacted with
Google does not share any information about your identity with us.
Any data subject access requests pertaining to the information collected by Google Analytics should be made to Google.
Please refer to our cookies policy.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Job applicants and our current and former employees
During the recruitment process, it is necessary for Storm ID to collect some information about the people applying for the advertised roles.
When individuals apply to work at Storm ID, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau, we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held until the recruitment process has been completed, then it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with Storm ID, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Storm ID has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.
Applying directly to Storm ID
We do not use automated decision-making processes in our recruitment process. Every application is manually reviewed. We believe this is the best way to discover the best candidates and those with the most potential.
We collect data about candidates and ask for you to provide consent when you submit it.
Our application form creates a record in our Applicant Tracking System, People HR, and includes your:
- email address
- CVs and the information they contain as submitted by you
- covering letters and the information they contain as submitted by you
- online CV, portfolio or GitHub repository (if applicable)
- employment history with dates
- qualifications with dates
Throughout the recruitment process we will also make and keep notes about your application.
We use this information to:
- help us decide who we will and will not invite to interview
- form a basis for questioning during individual interviews
- determine who the best candidate for the role is
When you submit your CV and covering letter, we will keep this and any notes we make, throughout the recruitment process for the role you’ve applied for. If you withdraw your application at any point we will immediately delete your information.
Once the role has been filled, if you were not successful, we will delete all your information, which could include your:
- email address
- email correspondence with us
- CV and covering letter
- notes that we’ve made during the recruitment process
If you have made a speculative application, we will keep the information you have submitted for up to six months, after which time it will be destroyed.
If you were offered the role and you accepted, we will keep your data throughout your employment with us. We have a separate privacy notice for employees.
Any data subject requests pertaining to the information collected by People HR should be made to LinkedIn.
Other ways to apply
Sometimes we advertise our job openings on third party services to allow us to reach a wider audience than we can on our own. You may come across one or more of our advertised jobs in this way.
You do not have to apply using any of the services listed below. For every position advertised, you can apply by submitting your CV and covering letter directly to Storm ID via the forms on our website.
Applying via Digital Profile
Any notifications of your application we receive from this service will be deleted upon completion of the recruitment process for the role you’ve applied for.
Storm ID does not have the ability to amend or delete information held on you by Digital Profile.
Any data subject requests pertaining to the information you provided to Digital Profile should be made to Digital Profile.
Applying via LinkedIn
At times, we utilise LinkedIn audience data to target adverts to those who would find the information most relevant. LinkedIn compile this audience data on information given by a user to LinkedIn (such as date of birth, education and job title), but also indications that LinkedIn compile over time based on engagements and associations with other LinkedIn users and pages.
For those opted in to receiving communications from Storm ID, we may use personal information such as Storm ID website interactions, in order to target the relevant audience with useful content through LinkedIn Matched Audiences.
We may use cookie-based interactions with Storm ID web properties for targeted LinkedIn advertising.
Any data subject requests pertaining to the information collected by LinkedIn should be made to LinkedIn.
Applying via Facebook
We sometimes utilise Facebook audience data to target adverts to those who would find the information most relevant. Facebook compile this audience data on information given by a user to Facebook (such as date of birth and hometown) but also indications that Facebook compile over time based on page likes and engagements.
For those opted in to receiving communications from Storm ID, we may use personal information such as home city or town, in order to provide the relevant audience with useful content through Facebook ads.
We may use the following personal information for targeted Facebook advertising:
- Cookie based interactions with Storm ID web properties
- Date of birth
- Home country
- Home city or town
- Full name
To find out more, visit Facebook’s page aboutthe customer list upload process.
Facebook’s data policy also provides further information.
Any data subject requests pertaining to the information collected by Facebook should be made to Facebook.
Applying via Twitter
At times, we utilise Twitter audience data to target adverts to those who would find the information most relevant. Twitter compile this audience data on information given by a user to Twitter (such as date of birth) but also indications that Twitter compile over time based on Twitter post and page likes, and engagements with other Twitter accounts.
For those opted in to receiving communications from Storm ID, we may use personal information such as Twitter handles, in order to target the relevant audience with useful content through Twitter ads.
We may use cookie based interactions with Storm ID web properties and your location for targeted Twitter advertising.
To find out more about how we use Tailored Audiences visit Twitter’s Tailored Audiences page.
Any data subject requests pertaining to the information collected by Twitter should be made to Twitter.
Applying via Find a Job (formerly Universal Jobmatch)
We sometimes use the UK government’s Department for Work and Pensions (DWP) Find a Job service to advertise roles at Storm ID.
Storm ID only has access to the candidate data provided by Find a Job. It is our policy that this information is destroyed (for unsuccessful candidates) or compiled into an employee record (for successful candidates).
Any data subject requests pertaining to the information collected by Find a Job should be made to DWP.
Applying via a recruitment agency
We sometimes use recruitment agencies to help us recruit for our job openings. Recruitment agencies collect information on individuals in order to offer them job opportunities and to provide companies with candidates for job openings.
Storm ID only has access to the candidate data provided by recruitment agencies who are supplying candidates for our job openings. It is our policy that this information is destroyed (for unsuccessful candidates) or compiled into an employee record (for successful candidates).
Any data subject requests pertaining to the information collected by a recruitment agency should be made to the recruitment agency.
Controlling your personal information
Making a subject access request
You can make a subject access request using any method you choose. We have supplied a simple form in Word and PDF formats that you can use to make your request. Our subject access requests guidance contains information about how to make a subject access request to Storm ID.
This is not a mandatory form. Subject access requests made in other formats will also be accepted, but this form is designed to speed up the process.
We will reject your request if your request is for data held by a third party, such as a supplier or client of Storm ID. Such requests should be made directly to the third party.
We will also reject your request if we cannot verify your identity.
Please note that manifestly unfounded or excessive requests can be charged for or rejected.
There are five types of subject access request:
- Rectification (correction)
- Data portability (export)
Each of these has its own requirements and rules for dealing with that particular type of request.
Please see our subject access requests guidance for further information on making subject access requests.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 20 December 2023.
How to contact us
By email to:
Or by post to:
Data Protection Officer
Storm ID Ltd
Leith Assembly Rooms
43 Constitution Street