Privacy policy

This is the privacy notice of CRAOI Theory 699053                                                                                                                                             


Last updated: 11/11/2023

At CRAOI we are committed to protecting the privacy and security of your personal information. We have developed this privacy notice to describe how we collect, use, share, and store your personal information when you use the CRAOI, website, mobile app and/or CRAOI devices (our “Services”).

Within this Privacy Notice we will cover the following topics in the following order:

  • About us this notice and how to contact us
  • The information collected and how it is collected
  • How the collected information is used
  • How information is shared
  • Storage and security
  • Retention of your personal data
  • How to access or delete your data
  • Data breach notification
  • What are cookies?
  • How do we use cookies?
  • Privacy policies of other websites
  • Changes to our privacy policy


CRAOI is the data controller. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

We reserve the right to update this privacy notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions or complaints about this privacy notice or how we handle your personal information, please contact us directly via [email protected]. 


Personal information means any information about an individual from which that person can be identified. When you use our Services, we collect the following types of personal information: 


  • Personal identifiers, such as your first and last names, your company name and general age profile (optional)
  • Contact information, such as your email address and  general location (optional)
  • Information required to create an account, which is the same email address as provided for contact information
  • Records of communication between us including messages sent through our Mobile App and email messages
  • Third party data collated from opt-ins such as syncing with your calendar of choice (push to calendar only)
  • Marketing preferences that tell us what types of marketing you would like to receive
  • Information received by your company for the correct  use of our Services
  • Usage Information across the App and Website 



  • Verify your identity for security purposes when you use our services
  • Serve personalised and tailored services to you
  • Automated decision-making profiling your use of the app
  • Anonymised information to provide details of top uses and values of App 
  • Provide you with our services in the best way for your specific needs
  • To improve our services
  • Provide you with suggestions and advice on products, services and how to obtain the most from using our website and services
  • To perform the contract in place with your employer
  • Where it is necessary for legitimate interests (or those of a third party)
  • When consent to use information in a particular manner, for example marketing
  • To protect client / user interests (or someone else’s interests)
  • Where it is needed in the public interest
  • To prevent fraudulent use of our services

If you fail to provide personal information then you will be unable to receive personalised insights within the App however you will still be able to utilise the App, as long as you provide your email for the sign-up/ login. 

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform that contract. In that case, we may have to stop providing a service to you. If so, we will notify you of this at the time.


  • Third-party service providers include the Google Cloud Platform. 
  • The third party platforms that we utilise prioritise the security of their solutions and offer several features to ensure the protection of customer data.  GCP offers robust security features to protect data. It provides encryption at rest and in transit, fine-grained access controls through IAM, and audit logging to track data access and changes.
  • Information is not shared outside the European Economic Area (EEA).
  • With your consent, we may communicate using software provided by a third party such as WhatsApp (Facebook), Slack (Salesforce) Workvivo and Zoom Video Communications (Zoom). Communication examples will be if we are hosting virtual workshops, creating optional challenges and sharing optional comms with you directly for an additional level of CRAOI support. If you have any concerns about using a particular software for communication, please don’t consent/ opt-in and please tell us. 
  • Anonymised findings via the app will be used to report on findings to the company you work for. These insights will be confidential and remain private and anonymised at all times. The insights will only be used to identify trends and findings across a cohort of users and individuals will remain unidentifiable at all times. We may aggregate anonymous information such as statistical or demographic data for any purpose. Anonymous information is that which does not identify you as an individual. Aggregated information may be derived from your personal data but is not considered as such in law because it does not reveal your identity. For example, we may aggregate usage information to assess whether a feature of our app is useful. However, if we combine or connect aggregated information with your personal data so that it can identify you in any way, we treat the combined information as personal data, and it will be used in accordance with this privacy notice.


We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

System perimeter security will be secured using an advanced Firewall device setup to prevent non-essential access via port access restrictions. All data is stored on secure servers provided by GCP (Google Cloud Platform). Google Cloud is a suite of Google’s public cloud computing resources & services.

  • Google Cloud offers Google Cloud Storage
  • In Google cloud services, data transmission is a fully encrypted format 
  • Google Cloud provides backup services

– please refer to 

CRAOI will have up-to-date device and server security which includes protection for the following:

(a) data controls – prevents the flow of sensitive data outbound;

(b) device controls – prevents access to ROMS, USB and Wi-Fi;

(c) anti-virus – protects the device from malicious content and files types including Malware, Phishing and Viruses; and

(d) web controls – prevents access to websites classified as potentially dangerous and/or offensive.

User access to CRAOI’s systems will be controlled with a best practice “authentication” policy, which includes email verification and password complexity and renewal period rules. Access to application software will be controlled with two factor authentication rules.

CRAOI will use G-Suite, supplied and provided by Google (please refer to Email Security’ which gives extensive email security measures. These include:

(a) targeted threat protection – sandbox for both email attachments and URLs within emails providing additional protection from Ransomware style attacks and other types of malicious threats;

(b) attachment management – this prevents the flow of dangerous file types and

(c) anti-virus, phishing, malware and spoofing emails are trapped at the gateway before reaching endpoint devices; and

(d) strong anti-spam protection following rules based policies.


CRAOI shall ensure that it has a written contract which meets the requirements of GDPR in place with each data processor to which it may pass personal data to be processed, for example GCP DPA can be found here ( In particular, CRAOI will expect each data processor to guarantee that it will meet the requirements of GDPR and will protect clients’ and other individuals’ rights.

Before engaging a new data processor, CRAOI will check that:

(a) the geography and location of the data processor and where the personal data will be processed;

(b) the data processor has appropriate technical and organisational measures in place to keep personal data secure; and

(c) the data processor’s staff who will be engaged in processing personal data in relation to the Scheme are subject to a duty of confidentiality and are aware of data protection matters and their obligations.

CRAOI will seek appropriate assurances from each data processor as to the security arrangements it has in place. This may take the form of:

(a) for an existing data processor, a short summary of its key data security measures;

(b) for a new data processor, before entering into a new contract, a short statement of its key data security measures; and

(c) subsequent confirmation from each continuing data processor every 36 months of what, if any, changes there have been to its security arrangements.

CRAOI recognises that its data processors may wish to sub-contract some services, which may include subcontractors processing data on behalf of the data processor. CRAOI will ensure that its contract with a data processor wishing to do this will contain provisions concerning sub-contracting which meet the requirements of GDPR.


The employees all have responsibility to ensure that in performing their duties they do not endanger the safety and security of personal data CRAOI holds and processes and at all times act in an appropriate manner concerning the Data Protection Legislation generally and their individual obligations.

CRAOI gives all employees a Privacy Notice which covers not only the Privacy Notice required by GDPR Article 14 as regards CRAOI’s use of their own personal data, but also the obligations of CRAOI which they must uphold and adhere to. A ‘Do’s and Don’ts’ list is also given to employees. All employees must be aware and cognisant of personal data security and confidence and this will be reinforced by training.

All CRAOI employees will undertake mandatory formal training on data protection (and other issues) at suitable intervals and other training as CRAOI considers appropriate.

CRAOI will undertake Data Protection Impact Assessments (as defined in GDPR) (“DPIA”) as and when appropriate.


CRAOI recognises that personal data should not be held longer than is necessary. In general terms, very little physical hard copy personal data is held at all, and if so it is for a variety of periods of time depending upon the nature and type of the matter concerned. Such physical information – and thus the hard copy personal data within it – will be kept by CRAOI for 6 years and then destroyed as such minimum period of time is required from tax and regulatory rules, guidance, codes and good industry practice, in addition to the fact that six years is often the limitation period in relation to claims.

As regards personal data in electronic digital form, the same principles apply. Digital personal data is securely encrypted and password-protected.


Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.
  • If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact… 
  • It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.


CRAOI takes seriously the need to deal with any data breach swiftly and appropriately to minimise or eliminate risk of detrimental impact on any data subjects. For this purpose, a data breach may include (but is not limited to) unauthorised disclosure of or access to personal data; or accidental or unlawful destruction of personal data; or loss or alteration of personal data.

CRAOI shall require its employees and its data processors to report data breaches or complaints to CRAOI’s Data Protection Officer promptly and to assist CRAOI in ensuring compliance with the requirements of GDPR.

On being notified of a data breach or complaint, the CRAOI Data Protection Officer will as soon possible notify CRAOI’s senior management and CRAOI shall initially deal with it through the process outlined in CRAOI’s GPDR Complaints Policy.

Notwithstanding the initialisation of the procedure outlined in CRAOI’s GDPR Complaints Policy, in any event where a data breach has occurred, CRAOI shall consider whether it is necessary or appropriate to notify the Information Commissioner’s Office (“ICO”) or the affected individual in the event of a data breach, and will take professional advice as a matter of urgency where required.

CRAOI will maintain a record of any data breaches and complaints and action taken in relation to each breach and complaint in inventory form.

CRAOI will act reasonably in assisting data controllers of information it holds and its appointed sub-processors in investigating and resolving any breaches of this Policy or GDPR generally and will review, update and amend this Policy (and others) in the light and context of any breaches or issues arising.


Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit a website that uses them. They allow information gathered on one web page to be stored until it is needed for use at a later date.

They are commonly used to provide you with a personalised experience while you browse a website, for example, allowing your preferences to be remembered.

They can also provide core functionality such as security, network management, and accessibility; record how you interact with the website so that the owner can understand how to improve the experience of other visitors; and serve you advertisements that are relevant to your browsing history.

Some cookies may last for a defined period of time, such as one visit (known as a session), one day or until you close your browser. Others last indefinitely until you delete them.

Your web browser should allow you to delete any cookie you choose. It should also allow you to prevent or limit their use. Your web browser may support a plug-in or add-on that helps you manage which cookies you wish to allow to operate.

The law requires you to give explicit consent for use of any cookies that are not strictly necessary for the operation of a website.

When you first visit our website, we ask you whether you wish us to use cookies. If you choose not to accept them, we shall not use them for your visit except to record that you have not consented to their use for any other purpose.

If you choose not to use cookies or you prevent their use through your browser settings, you may not be able to use all the functionality of our website.


We use cookies in a range of ways to improve your experience of our website, including:

  • Understanding how you use our website
  • To track how you use our website
  • To record whether you have seen specific messages we display on our website
  • To keep you signed in to our website (where applicable)
  • To record your answers to surveys and questionnaires on our site while you complete them (where applicable)


  • Functionality – recognise you
  • Advertising – collect information about your visit, the content you viewed etc. We sometimes share some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.


You can set your browser not to accept cookies, and the website provides information on how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.


The CRAOI website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.


CRAOI keeps its privacy policy under regular review and places any updates on this web page. If we make any changes to our privacy policy you will be notified directly through your app via our in-app notifications and you will have to consent to these changes and confirm that you have received these updates via the app before continuing to use it. 

If you have any questions or complaints about this privacy notice or how we handle your personal information, please contact us directly via [email protected]. You have the right to make a complaint at any time to the Data Protection Commission (DPC). This can be done at We would, however, appreciate the opportunity to talk to you about your concern before you approach the DPC.