Privacy Policy

The important stuff

1. Who are CACI?
2. What personal data do we hold about you and where does it come from?
3. What do we do with your personal data – why do we process it?
4. The legal stuff – what is known as “our lawful basis for processing?”
5. Who do we share your personal data with and why?
6. Is your personal data stored in the UK or do we transfer it overseas?
7. How long do we keep your data?
8. What are your rights relating to the personal data we might hold about you?
9. How do you contact CACI and our Data Protection Officer (the person who safeguards your data)
10. How can you make a complaint? Contact the government body who regulates the use of personal data

If you want to find out more, you can also visit our Consumer Hub.

1. Who are CACI?

CACI are based in London, and the part of our business primarily concerned with personal data is a Marketing Services business. We provide software, data products and consultancy services such as data analytics to help companies (for example, brands, retailers, leisure operators) and public service bodies (for example, government and charities), send more relevant marketing messages to you. Or, to provide the right services in the locality where you live or work.

You can also get in touch with our Compliance Team to discuss any data concerns via letter, telephone or email at :
Compliance Team
CACI Limited
CACI House
Kensington Village
Avonmore Road
London, W14 8TS

Email: [email protected]
Tel: 020 7605 7077

Our compliance team are responsible for making sure we comply with all regulations, and they handle any requests about our processing of personal data.

2. What personal data might we hold about you and where does it come from?

2.1 What personal data do we use in our data products and services?
The personal data that we might hold about you could include:
a) Name and address data
b) Date of birth
c) Presence of children in your household
d) Email address
We do not use any data that is highly sensitive. This is known as Special Category data. For example, ethnicity or health data. If we do hold this data, it is in aggregate across geographic regions to show averages.

2.2 Where does this personal data come from?
a) Publicly available personal data: This publicly available data refers to your name and address and is sourced from the Open Electoral Register. This is an edited version of the register of voters and only includes voters who have not opted out. The Open Electoral Register is commercially available from local authorities for uses that are permitted by the Representation of the People Act, 1983.

b) Marketing Data Providers who capture name, address, and date of birth. This data is collected through competitions that you enter, interest clubs like wine or gardening clubs you have signed up to or through offer websites. You will have given permission for your data to be used by the Provider for marketing applications. CACI will have been referenced as a user of this data in the Provider’s privacy policy, which you will have been shown.

c) Research Data: This is data captured in customer insight surveys by our clients or directly by CACI, for example where you have provided answers in-person to a survey about your experience at a shopping mall, or via email from a service provider asking about your purchasing habits. The personal data we collect from this research includes Age, Gender and Postcode only (not your name or full address), and we have partitions in place to prevent any CACI staff from reverse engineering the data to identify an individual. You will have been provided a separate privacy document explaining what CACI do with the data, in surveys we have conducted.

d) Suppression data where you have asked to be held on a suppression list such as the Mailing Preference Service (MPS) we will use that data to withhold your data being used for marketing purposes. Data held in a suppressions file means it is not made available for processing.

We may also receive personal data from our clients to carry out services for them including matching their data with our data products. We only do this on our clients’ instructions, handle it securely and return it to them promptly. This may include suppression data that is licenced on behalf of the client such as Mortascreen, The Bereavement Register or National Change of Address.

More information on who these data providers are can be found in our Consumer Hub.
You can find out what personal data we hold about you and where we got it by clicking here.

3. What do we do with your personal data and why do we process it?

We provide data products and services to help companies and public service bodies send relevant marketing messages to you. Or, to provide the right services in the location where you live or work. By companies we mean businesses like retailers, leisure operators, and insurance companies, etc. By public service bodies we mean government departments, local authorities, or charities, etc.

We use personal data for the following purposes:
3.1 Segments, Predictive models, and inferred data.
We provide our clients with information that describes local areas, postcodes, households, and individuals.
We do that in 3 ways

Demographic or Lifestyle segments
We group together postcodes and households that share similar demographic and lifestyle characteristics into recognisable groups (or segments as we call them).

These segments, or groups, are an increasing part of society. For example, technology firms may target ‘Early Adopters’ of technology. Or Social Media companies may create a segment for ‘Onlookers’. These are those that only read, but don’t post to, social media sites.

ACORN is our primary segmentation product and that describes postcode areas. Our clients match their customer personal data to ACORN segments to better understand who their customers are.

Find out more about which ACORN segment your postcode is HERE.

Predictive Models
This is where we use algorithms to build a likelihood that you will display a certain behaviour or preference. This is based on the characteristics of people who live in similar areas to you. Or it may be based on other people who share similar preferences to you.
For example, we may predict that you are more interested in gardening, that you prefer shopping for groceries online, or that there are multiple adults in your home. These models are not actual data but help our clients understand the likelihood of their customers to be interested in a product or service. We also insist that any algorithms are built and overseen by expert, human, staff.
See our product documentation HERE.

Inferred data
We process personal data to infer characteristics about a local area, postcode, or household. For example, married couples living together. This is inferred based on two adults, living at the same address, with the same surname and in the same age range. In this case we would infer that they are more likely to be married. We don’t know this fact for sure, but it is a reasonable assumption.
See our product documentation HERE.

CACI create products, but we do not make any decisions on what marketing offers you receive. Our clients use these products to make better decisions about where they provide services or their marketing campaigns.
You can obtain a full list of the actual, modelled and inferred personal data about you. This can be done by contacting CACI at the details in Section 1 of this policy.

3.2 Tracking population movement between shopping locations.
Location data
Apps that are downloaded to mobile phones or tablets sometimes track your general location, with your permission. If you have given your permission, the app owner might send CACI this data in a ‘hashed’ form. Hashing involves applying a conversion of the device ID into a set of meaningless characters, this is ‘the hash’. It means that you cannot be identified using this code.

This general location is normally generated when you open an app, for example to check train times. When you do this your phone sends a ‘ping’ to the provider of the App. That provider then collates the location data and strips out the data that could identify you.

We do not receive a specific location. We only see whether a mobile phone appeared within a 630m2 area. This data is tagged with the ACORN code we talked about earlier so that clients can have a view of the type of people who pass through a particular area. CACI is looking at moving to a different system in the near future, whereby a phone ‘ping’ will only show whether a mobile phone appeared within a 13,498m2 area.

We use this data to track general population movement between shopping locations which helps retailers to understand consumer demand.

Location planning services
Our clients might ask us to match our segments to their customer postcodes. We can then understand the larger scale movement of their customers by segment type, between towns and their home locations. This is based on where the customers live and which of the clients’ shops they visit. This helps our clients decide where to locate new stores or restaurants. It also helps with what brands or offer might best appeal to customers.

If you would prefer your app providers not to track your movement in this way, visit the Consumer Hub to find out how to opt out. This varies whether you use an Apple or Android device.

3.3 Postal, email and digital marketing
Companies and public service bodies want to communicate with their existing customers, donors, or prospects. We help our clients to better target this communication so what you receive is more likely to be relevant to you, accurately addressed, and avoids wasteful spend by our clients.

Marketing by post
We sometimes help our clients send addressed letters to people who are not currently using their products or services but are likely to be interested. We provide accurate names and address contact details to our clients taken from the Open Electoral Register.
You can find out what personal data we have access to about you and whether you have given permission for it to be used for postal marketing by contacting our Compliance Team.

Marketing by email
We do not provide consumer email addresses to our clients to use for email marketing. Many people refer to this sort of marketing as ‘spam’. Our clients might use our predictive models, inferred data, or segments to tailor their email communications with you if you are a customer of theirs.

Digital advertising
When we, as consumers, visit some websites, social media sites, TV platforms or apps we are shown advertising. CACI help these media organisations to better target adverts at people who are more likely to be interested in particular products or services. You get to see adverts that are more relevant to you based on our segments, inferred data, or models. We don’t decide what advertising or offers you see. That is down to the media owner or brand advertiser and the decisions they make using our data.

3.4 Linking data for identity resolution
Companies and public bodies can be complex organisations with different divisions and brands. As consumers it can be annoying if an organisation does not recognise us when we are already a customer. For the organisation, not recognising you as a customer can lead to poor customer service, inappropriate or wasted marketing, and increased costs. We help organisations join up their customer interactions using personal data. This might involve matching your customer details (with your permission) across different divisions based on your address details or email address. This helps our client recognise you across their entire organisation and sometimes recognise you in digital channels, for example when you log into a website. We only do this under our clients’ instructions and with the data they hold on you.

3.5. Linking data to support our clients’ use of our data products
Many clients collect emails from prospects who sign up for newsletters and marketing communications, but they do not collect names and addresses. As CACI only holds data products at a postcode or name and address level, clients are experiencing an increasing proportion of records that they cannot apply our data to, thereby reducing insight on customers. For this reason, we purchase email addresses to enable clients to match our data insight products to their customers. We do not use the email addresses for any other purpose than to create a bridge between our products and our clients’ customers.

Get some advice on how to manage who uses your data and how to set permissions in our Consumer Hub.

3.5 Other uses of personal data
a) Complying with applicable laws: We might need to retain your personal data to comply with Data Protection Law.

b) Managing complaints and enquiries: We might also process your data to manage a complaint you might make or an enquiry.

c) Recruitment: If you apply for a job with us, or are employed by us, we will process your personal data to enable us to review your application, hire you or manage your employment with us.

d) Our customers: If you are a customer of ours, we will process your personal details so we can recognise you when you contact us. Or, for us to send you relevant information or manage our contractual relationship with you.

e) Our own marketing activity: If we think you, or the organisation that you work for, might be interested in our services, we will process your contact data so that we can provide you with relevant information. For more details on how we collect, store, and use personal data for our own marketing purposes to run our business, click HERE.

f) Website browsing: When you visit our website, www.caci.co.uk, we will track some basic data so that we can recognise you when you return. This data might include IP address (a unique code, which identifies the computer or device you are using), operating system and browser type (e.g., Windows and Google). We may send cookies to your device to track your progress through our website. You can find more detail on cookies HERE.

4. The legal stuff – what is known as “our lawful basis for processing?”

Data protection law helps protect you by stating that every organisation must clearly detail and explain their lawful reasons for holding and using personal information. At CACI, our lawful basis for processing your personal data under the General Data Protection Regulation (GDPR) is called “Legitimate Interest”. This means we have a business reason to process your data which has been balanced against your individual rights over your data, and there is no other means of achieving the business reason. For example, it would not be desirable to sell retirement holidays to people in their twenties, so we balance the privacy of knowing your age against the purpose of selling retirement holidays.

The GDPR interpretation is that we have a “Legitimate Interest” in processing your data to develop our products and services. Our legitimate interest is to offer value to our clients by helping them target advertising and services you are likely to find interesting.

In turn, our clients have a legitimate interest in using CACI products to offer better customer service to you and provide more relevant advertising and services, this is particularly relevant to new and emerging businesses in an economy looking for growth.

The things we take into account when looking at balancing our interests with yours are your rights under data protection law in terms of how we source, store, secure, retain and use your personal data. We also carefully consider the negative impacts of our processing. As in the above example, this could be, postal marketing sent by our clients, targeted by our data, not being wanted or relevant to you. We would never process your personal data for activities that place our interests ahead of yours.

5. Why do we share your personal data and who with?

We may share your personal data with our clients and partners for us to provide our data products and services. They use this to better understand consumers and make sense of the data, allowing them to make better marketing decisions. These organisations will mostly be brands and public service organisations that you would recognise. These organisations cover sectors such as:
• Car companies
• Care homes
• Charities
• Energy and water suppliers
• Financial services including banks, building societies, insurance companies, and credit card providers.
• Health and beauty companies
• Housing, including builders of private homes and social housing providers.
• Web based brands.
• Leisure groups, including restaurant and pub chains, cinemas, gyms.
• Local and central government
• Mail order companies
• Media companies, including newspaper and magazine publishers and TV companies.
• Packaged goods manufacturers
• Gaming
• Public and private healthcare providers
• Public sector organisations
• Retailers of all types
• Social media companies
• Telecommunications companies
• Travel and transport, including travel agents, rail and bus operators and airlines.

We also may share your personal data with advisors, consultancies and advertising agencies who use our products and services to advise their clients about targeting relevant advertising and services to you.

Finally, we might also provide your data to marketing specialists or marketing services providers who help plan and distribute advertising on behalf of their clients.

We do not supply personal data to organisations that work in sectors where we believe there may be an adverse effect on the consumer, for example debt collection, pay day loan companies or door-to-door selling.

6. Is your personal data stored in the UK, or do we transfer it overseas?

Our primary data centre where we securely store your personal data is in London, England. We do not transfer your data outside of the UK unless our clients ask us to do so, which is rarely the case.

We might also use overseas organisations for information security, hosting or back up services. For example, help in securely protecting personal data and providing a secondary store of this data in case of a technology issue. Sometimes, we might use a technology provider to provide services to us who have support and maintenance staff based overseas (for example, a support desk based in India).

If your personal data is accessed by our clients or partners overseas, we will ensure it is protected through the contracts we have, and the secure technology used. We also make sure the data is only transferred to countries in a way that has been approved by UK authorities.

7. How long do we keep your personal data?

Retaining only current and accurate personal data is in our interests for the products and services we provide to our clients. If the personal data we use is not accurate or up to date, then it is less likely that advertising or recommended services will be relevant. We might have to store personal data for an additional time for legal and audit purposes. For example, in case you want to know what personal data we have held about you in the past.

How long we keep personal data is detailed below.

• Our name and address database: We receive an annual refresh of the Open Electoral Register as well as monthly updates. This data is retained for up to six years. Parliamentary elections are every five years and so it is reasonable to retain this source of personal data for that period. However, the data is regularly refreshed and updated. Personal data sourced from marketing data providers is stored for up to two years.

• Predictive models, inferred data, lifestyle segments: Our models inferred data and segmentations are linked to our name and address database. The combined name and address database with the models, characteristics and segments is rebuilt annually and refreshed quarterly. The combined database is retained for a year in case of consumer queries.

• Suppression data: It is in our interest to only retain and use accurate personal data. We use industry recognised lists of people who have requested their data not be used for marketing. Likewise, consumers may have directly told us they do not want their data to be used for marketing. We retain these suppression lists for 50 years.

• Client consumer data: If we access personal data that is supplied by a client for us to undertake our services, we retain that data only for the period required to fulfil those services under the contract we have.

• Personal data in relation to our recruitment activities: For personal data related to CV’s, cover letters and other information associated with our recruitment activities, we keep this data for up to six months. This is unless the job advert makes clear that we are retaining the personal data for longer. Successful applicants when they join CACI will have access to our staff data retention policy.

• Personal data in relation to our own marketing activities: We keep personal data that is used for our own marketing purposes to the terms of our supplier contracts and a maximum of 2 years from the last engagement.

• Research data: Personal data received as part of a customer insight survey is retained for a maximum of two years post survey date.

8. What are your rights relating to the personal data we might hold about you?

You have several important rights regarding the personal data we hold about you which are covered by data protection law.
All these rights are important but not all of them are relevant to the personal data we hold or the services we provide.

The rights are:
• Right to be informed: This is where you can understand what data we hold about you and the use case applications we use the data for, as contained throughout this policy. You can read about the ways we use data HERE.

• Right of access: This is about you understanding what personal data we hold about you. You can make a request to understand what data we hold about you HERE.

• Right to rectification: This is about your rights to expect us to correct anything that is wrong about the personal data we collect about you. For example, if you think the name and address data is wrong you have the right to challenge this and ask us to amend the data. Remember, this personal data comes from our data partners after you have given permission for them to share it with us. We will record your request and amend this data as appropriate. Your right to challenge does not apply to our predictive models, inferred variables, or lifestyle segments. These data sets are modelled and predicted and are therefore subjective. They are not a statement of fact but a statistical indicator of whether you are more likely to have a characteristic than not. You can contact us HERE to find out what information we hold about you and to request an amendment.

• Right to Erasure (Right to be forgotten): This is where you can request for us to delete your data from our name and address database. We will retain your data still on a suppression list so that we know not to use your data again going forwards. For example, if your name and address appear on a future Open Electoral Register marketing data file. You can request to opt out HERE. If you wish to be completely deleted, this is also possible.

• Right to restrict processing: This is really about the usage of your data and the purpose for which it is used. You may ask us to stop using your data and delete it. We may in some limited circumstances still have the right to continue using your data. For example, to defend a legal claim. You can request to opt out HERE.

• Right to portability: This is about your right to move your personal data elsewhere. We believe this is not relevant to our processing of personal data.

• Right to object to processing (usage or storage): For example, you have the right to object to us using your data in postal marketing. You can request to opt out HERE.

• Rights in relation to automated decision making and profiling: We do not make decisions about what adverts you see or what services you are offered. It is our clients who make that decision using a combination of different sources of information.

For further information on these rights, please visit the ‘Your Rights’ section provided by the data protection regulator, the Information Commissioner’s Office ICO.

9. How do you contact CACI and our Data Protection Officer (the person who safeguards your data)

We have a Data Protection Officer (DPO) who has responsibility for safeguarding your data. They can be contacted at:
Data Protection Officer
CACI Limited
CACI House
Kensington Village
Avonmore Road
London, W14 8TS

Tel: 020 7605 7077
Email: [email protected]

10. How can you make a complaint? Contact the government body who regulates the use of personal data

If you are unhappy about the way your data is being processed by CACI or how we have handled your enquiry, you have the right to take your complaint to the Information Commissioner’s Office (ICO). You can contact the ICO on 0303 123 1113. See www.ico.org.uk/make-a-complaint

If you would like to know more about what personal data we collect and how we use it, please have a look at our Big Table of Information Here.