Privacy Policy

Last updated: February 21, 2025

Introduction

Movement ("we", "our", "us") is a software-as-a-service (SaaS) platform operated by Movement Industries Ltd, a company registered in England and Wales (Company No. 14266681). We are registered as a data controller with the Information Commissioner's Office (Registration No. ZB509853).

Our Two Distinct Roles

1. As a Data Processor (For Supporter Data)

When organisations use Movement to contact their supporters and members, we act purely as a data processor. This means:

  • We process supporter data solely on behalf of our clients
  • Our clients (the organisations) are the data controllers
  • Supporters should contact the organisation they engaged with for any data-related requests
  • We have no direct relationship with supporters
  • We cannot action supporter requests directly
  • All data protection responsibilities towards supporters rest with our clients

For information about how these organisations handle personal data, supporters should refer to their organisation's privacy policy.

2. As a Data Controller (For Platform Users)

We are the data controller only for:

  • Movement platform users (staff at client organisations)
  • Our website visitors
  • Prospective clients
  • Client representatives

What This Means in Practice

For Supporters/Members of Client Organisations

  • Your relationship is with the organisation you support, not with Movement
  • Contact your organisation directly for:
    • Data access requests
    • Updates to your information
    • Communication preferences
    • Any questions about how your data is used
    • Complaints or concerns
  • Movement cannot directly action any requests from supporters

For Our Clients (Organisations)

  • You are the data controller for your supporter data
  • You are responsible for:
    • Legal basis for processing
    • Responding to supporter requests
    • Privacy notices to supporters
    • Consent management
    • Record keeping
    • Risk assessments
  • Movement will assist you as required under our Data Processing Agreement

For Movement Platform Users

  • We are your data controller
  • Contact us directly for:
    • Account management
    • Access control
    • Security concerns
    • Platform-related privacy questions

Compliance Framework

We operate in compliance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • EU General Data Protection Regulation (where applicable)
  • Additional relevant data protection laws and regulations

Data We Process

As a Data Processor (Client Supporter Data)

We process the following types of data on behalf of our clients:

  • Contact information
  • Campaign interaction data
  • Communication preferences
  • Custom fields as defined by clients

We process this data strictly according to our clients' instructions and our Data Processing Agreement.

As a Data Controller (Platform Users)

We collect and process:

  • Account credentials and authentication data
  • Two-factor authentication verification data
  • IP addresses for security monitoring
  • Platform usage analytics and logs
  • User preferences and settings
  • Access logs and security audit trails

Technical Data

For platform users, we collect:

  • Browser type and version
  • Operating system information
  • Device information
  • Connection type and speed
  • IP address
  • Time zone setting
  • Location data (country/region level only)

Data Storage and Security

Infrastructure Security

  • Primary data center location: Frankfurt, Germany (AWS)
  • Regular infrastructure security audits
  • Network segmentation and firewall protection
  • DDoS protection
  • Real-time security monitoring
  • Intrusion detection and prevention systems
  • Regular vulnerability assessments

Data Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Secure key management system
  • Regular rotation of encryption keys
  • SSL/TLS certificates with strong cipher suites
  • Perfect forward secrecy for data in transit

Access Control

  • Role-based access control (RBAC)
  • Mandatory two-factor authentication
  • Strong password requirements
  • Regular access review and audit
  • Automated account lockout after failed attempts
  • Session timeout controls
  • IP-based access restrictions where appropriate

Security Monitoring and Response

  • 24/7 security monitoring
  • Automated threat detection
  • Security incident response team
  • Regular security awareness training
  • Vulnerability management program
  • Penetration testing program
  • Regular security assessments

Backup and Recovery

  • Daily encrypted backups
  • 4-week backup retention
  • Regular backup testing
  • Disaster recovery procedures
  • Business continuity planning
  • Geographic redundancy
  • Point-in-time recovery capabilities

Development Security

  • Secure development lifecycle
  • Regular code reviews
  • Automated security testing
  • Dependency vulnerability scanning
  • Change management procedures
  • Development/staging/production environment separation

Third-Party Processors

Core Infrastructure

  • Amazon Web Services (Frankfurt, Germany)
    • Primary data storage and processing
    • Encrypted backup storage
    • Network security services
  • Twilio (European data centers)
    • Communication services
    • SMS and voice capabilities
    • Real-time notifications
  • Aiven (Frankfurt, Germany)
    • Database management
    • Data processing
    • Analytics services

Security Controls for Third-Party Processors

  • Regular security assessments
  • Data processing agreements
  • Compliance certifications review
  • Security incident notification requirements
  • Data residency requirements
  • Processing restrictions
  • Audit rights

Data Retention

Client Supporter Data

  • Retention periods are set by our clients
  • We follow client instructions for data deletion
  • Backups are retained for 4 weeks after deletion
  • Clients can request immediate deletion

Platform User Data

  • Retained while accounts are active
  • Deleted within 30 days of account closure
  • Backup retention for 4 weeks
  • Analytics data is anonymised

Individual Rights

For Supporters

All rights requests should be directed to the organisation you engaged with (our client). This includes:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

For Platform Clients

Contact privacy@movement.industries for:

  • Account information access
  • Account updates
  • Account deletion
  • Processing restrictions
  • Data export

Security Incident Response

In case of a security incident:

  • We immediately investigate and contain
  • We notify affected clients without undue delay
  • Clients are responsible for notifying their supporters if required
  • We support clients with required information
  • We implement preventive measures

Updates to This Policy

We review this policy regularly. Significant changes will be:

  • Communicated to platform users
  • Notified to clients
  • Posted on our website
  • Dated with version control

Contact Us

For Platform Users and Clients

Email: privacy@movement.industries

For Supporters

Please contact the organisation you engaged with directly.

Regulatory Authority

Information Commissioner's Office (www.ico.org.uk)