Privacy and Cookies
Privacy Notice
The following Notice is effective from 29th July 2025 and it applies across all SDF services (including SDF website and subdomains).
Who we are
“We” are ‘Smart Data Foundry’, a not-for-profit private limited company by guarantee, registered in Scotland and a wholly owned subsidiary of the University of Edinburgh, with company number SC709914 and VAT Registration Number GB 592 9507 00. We are based in Ward 2C, Edinburgh Futures Institute, 1 Lauriston Place, Edinburgh, EH3 9EF. We are registered with the Information Commissioner’s Office (ICO) with registration number ZB326175, and we have a Data Protection Officer.
The University of Edinburgh is a charitable body registered in Scotland, with registration number SC005336, VAT Registration Number GB 592 9507.
“EPCC” is part of the University of Edinburgh and provides the data infrastructure that Smart Data Foundry uses to host data used for research purposes.
What personal data do we collect and how do we use it?
We use the data shared with us to perform our functions – enable research on deidentified financial data and create data insights.
Our role | Source | Type of data | How we use it | Legal basis | Onward processing or sharing | Retention |
|---|---|---|---|---|---|---|
Controller | Direct from individual | Name and job title; Company or organization; Contact information, including email address and telephone number(s); Demographic information such as postcode | To communicate with you during business operations or reply to your enquiry. Also, to prospect for new leads and to drive our marketing campaign initiatives. | Legitimate interest | We use Microsoft Office 365, HubSpot, as assured processors, to communicate with business contacts | 1 year with records routinely cleansed and aligned to data subject rights |
Controller | Direct from individual | Name and job title; Company or organization; Contact information, including email address and telephone number(s); Demographic information such as postcode or preferences | While running our organization and fulfilling contractual obligations, or on an ad hoc basis to fulfil Research and Innovation functions described above. There will also be a contractual agreement as part of this. | Contract | We use Microsoft Office 365 as assured processors to operate our business. We also utilise AWS – with associated software – to operate our front-end and back-end to deliver data. We also process personal data received from users of myFoundry (platform to showcase SDF products) to verify the users and to deliver the service.
| 1 year with records routinely cleansed and aligned to data subject rights |
Controller | Direct from individual | Rich media: identifiable images or video content | On our external communication platforms, such as our websites | Legitimate interests | We utilise social media platforms and our own website | 1 year with records routinely cleansed and aligned to data subject rights
|
Controller | Direct from individual | Name, contact and professional information (within CVs) | We limit processing to relevant vacancies, we do no hold CVs on file speculatively | Legitimate interests | We use Microsoft Office 365 to securely store files and communicate with prospective employees and contractors | 2 years after vacancy closing date
|
Controller | Indirectly from Data providers | De-identified financial data which has been effectively anonymized by data providers and validated by our data operations team | We use effectively anonymized data for research and creating data insights | Legitimate interests | The EPCC are our Processor; the EPCC are an accredited Data Processor under the Digital Economy Act 2017. The EPCC’s secure infrastructure is securely hosted in the UK. | In alignment with the Data Sharing Agreement termination period, and no longer than 3 months following this period |
Our legitimate interests in processing personal data include:
- To manage our business and financial affairs
- To ensure that we provide the most appropriate products and services and that we continually develop and improve as an organisation
- To fulfil our goal of enabling research and creating data insights that help reduce poverty and inequality and improve economic wellbeing.
Cookies
Cookies are small pieces of computer code placed onto your computer, laptop, tablet, or phone by the websites that you visit. They are used widely to make websites work, or work more efficiently, as well as providing information to the owners of the site. You can disable basic ‘functional’ cookies by changing your browser settings, but this might affect your access to the website.
When you first visited SDF’s website or other SDF services, we asked if we could place a cookie on your device to help us improve our website by collecting and reporting information on how you use it. We would like to set HubSpot cookies to help us to improve our services by collecting and reporting information on how you use it.
More information on the cookies we use is below.
Global cookies
Some cookies we use are shared across our website and services (smartdatafoundry.com domain and its subdomains). We use optional HubSpot cookies to collect information about how visitors use our website and services. The information is used to compile insight reports and monitor usage to help us improve the website and services. Learn more at https://knowledge.hubspot.com/privacy-and-consent/what-cookies-does-hubspot-set-in-a-visitor-s-browser.
consent
This necessary cookie is used to remember visitor preferences on optional cookies across Smart Data Foundry website and services.
It expires in 1 year.
__cfruid
This is a necessary cookie set by HubSpot’s CDN (content delivery network) provider because of their rate limiting policies.
It expires at the end of the session.
_cfuvid
This necessary cookie is set by HubSpot’s CDN (content delivery network) provider because of their rate limiting policies.
It expires at the end of the session.
__cf_bm
This necessary cookie is set by HubSpot's CDN (content delivery network) provider and is a necessary cookie for bot protection.
It expires in 30 minutes.
__hstc
This optional cookie is used for tracking visitors. It contains the domain, hubspotutk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number.
It expires in 6 months.
hubspotutk
This optional cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
It contains a unique identifier to represent the current visitor.
It expires in 6 months.
__hssc
This optional cookie keeps track of sessions.
It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
It expires in 30 minutes.
__hssrc
Whenever HubSpot changes the session cookie, this optional cookie is also set to determine if the visitor has restarted their browser.
It contains the value "1" when present.
It expires at the end of the session.
myFoundry
session-token.0
This cookie stores the session token and identity for the authenticated user. It is used to maintain the user's session across different requests.
It expires in 30 days.
session-token.1
This cookie stores the session token and identity for the authenticated user. It is used to maintain the user's session across different requests.
It expires in 30 days.
callback-url
This cookie stores the URL to which the user should be redirected after signing in. It ensures that the user is redirected to the correct page after authentication.
It expires at the end of the session.
csrf-token
Cross-Site Request Forgery Token (CSRF Token) is required to make requests that changes state. (e.g. when signing in or out or updating the session).
It expires at the end of the session.
pkce.code_verifier
This cookie is a security mechanism used during the PKCE (Proof Key for Code Exchange) authentication flow.
It expires in 15 minutes.
state
This cookie serves as a security mechanism for OAuth flows to prevent CSRF (Cross-Site Request Forgery) attacks during the authentication process.
It expires in 15 minutes.
nonce
This cookie serves as a security mechanism for OpenID Connect (OIDC) flows to prevent token replay attacks and ensure the integrity of ID tokens.
It expires at the end of the session.
Auth service
AUTH_SESSION_ID
This cookie is used for managing the user's authentication flow. Set during login flows and cleared after a successful login.
It expires at the end of the session.
AWSALB
This cookie is created by AWS Application Load Balancer. It ensures session stickiness, directing subsequent requests from a client to the same target.
It expires in 1 week.
AWSALBCORS
This cookie is created by AWS Application Load Balancer. It ensures session stickiness, directing subsequent requests from a client to the same target in the target group.
It expires in 1 week.
KC_RESTART
This cookie helps auth service recover the state of an interrupted login session. Stores some temporary state for session recovery.
It expires at the end of the session.
KEYCLOAK_IDENTITY
This cookie is used for authenticating the user to the auth service. Stores the user’s identity token (ID token).
It expires at the end of the session.
KEYCLOAK_SESSION
This cookie tracks the full SSO (single sign-on) session across applications. Helps auth service know which session a user is in.
It expires in 1 month.
KC_AUTH_SESSION_HASH
This cookie is used to verify the integrity of the AUTH_SESSION_ID cookie. Part of auth service's mechanism for securely handling the authentication session.
It expires in 1 minute.
Dashboards
JSESSIONID
This cookie tracks the HTTP session for the user on the ShinyProxy application. Set when browser connects to ShinyProxy (e.g., user loads the dashboard).
It expires at the end of the session.
AWSALB
This cookie is created by AWS Application Load Balancer. It ensures session stickiness, directing subsequent requests from a client to the same target.
It expires in 1 week.
AWSALBCORS
This cookie is created by AWS Application Load Balancer. It ensures session stickiness, directing subsequent requests from a client to the same target in the target group.
It expires in 1 week.
Do you share my data?
We share aggregated data – such as tables and graphs - with our partners for research, such as government bodies and financial services companies, like banks and insurers.
We do not sell personal data and if we ever share insights about your data with third parties, such as with government bodies for the purposes of research, we will anonymize data.
If we ever share your de-identified data with third parties, such as with government bodies for the purposes of research, this data will be statistically aggregated and effectively anonymised.
When we refer to ‘de-identified data’, we mean data shared with us that has had personal data (sometimes referred to as ‘personal identifiable information’ or ‘PII’) removed before we receive it, so we are unable to identify an individual from that data. This type of data is also referred to as ‘effectively anonymised’.
How do you store data about me and for how long do you keep it?
We will only store your data for as long as we need it, and the maximum times are set out in the table above.
Your rights
You have rights in relation to personal information we hold about you as established by the UK GDPR and the Data Protection Act within the UK. Here are some details as to how you will be able to enact these rights:
Right of access: You can ask us at any time for a copy of the information that we hold about you, and for details about how this information is used.
Right of correction or completion: If the information we hold about you is inaccurate, incomplete, or out of date then you can tell us to correct it, complete it, or update it.
Right of erasure: In certain circumstances, you can ask us to delete the data we hold about you; for example, if it’s no longer necessary for us to hold the information or if there are no legal grounds for us to hold the information.
Right to restrict or object to processing: In certain circumstances, you can tell us to stop using your information, including for direct marketing.
Right of data portability: In certain circumstances, you can tell us to send you any information that we hold about you in a structured, commonly-used format that can be read by a computer or other digital device.
Right to complain: If you want to complain about the way we handle your data then please contact us using the contact details below. If you remain unhappy once we have responded, you have the right to complain to the UK’s data regulator, the Information Commissioner’s Office (ICO), by calling 0303 123 1113, visiting www.ico.org.uk, or writing to: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
Most of the rights given to you by the UK GDPR have limits and exceptions, so if we can’t handle your request then we’ll explain our reasons to you. A common one may be on de-identified data used for research - we likely cannot act on this request as we receive the data in an effectively anonymised form where we cannot identify individuals within the data already.
We will need you to prove your identity before we can handle your request, and we cannot handle requests that relate to other people without their consent.
You can exercise any of the above rights by contacting us at the address or email address set out below.
How to get in touch
If you want to find out what information we collect and hold about you, contact our Data Protection Officer, or exercise any of your rights set out in the section above – then please email ig@smartdatafoundry.com with “FAO: Privacy team” in your subject line, or please write to us at: Privacy team, Ward 2C, Edinburgh Futures Institute, 1 Lauriston Place, Edinburgh, EH3 9EF
