Privacy Policy

Last updated: February 12, 2025

Introduction

Movement ("we", "our", "us") is a software-as-a-service (SaaS) platform operated by Movement Industries Ltd, a company registered in England and Wales (Company No. 14266681). We are registered as a data controller with the Information Commissioner's Office (Registration No. ZB509853).

Our Two Distinct Roles

1. As a Data Processor (For Supporter Data)

When organisations use Movement to contact their supporters and members, we act purely as a data processor. This means:

  • We process supporter data solely on behalf of our clients

  • Our clients (the organisations) are the data controllers

  • Supporters should contact the organisation they engaged with for any data-related requests

  • We have no direct relationship with supporters

  • We cannot action supporter requests directly

  • All data protection responsibilities towards supporters rest with our clients

For information about how these organisations handle personal data, supporters should refer to their organisation's privacy policy.

2. As a Data Controller (For Platform Users)

We are the data controller only for:

  • Movement platform users (staff at client organisations)

  • Our website visitors

  • Prospective clients

  • Client representatives

What This Means in Practice

For Supporters/Members of Client Organisations

  • Your relationship is with the organisation you support, not with Movement

  • Contact your organisation directly for:

    • Data access requests

    • Updates to your information

    • Communication preferences

    • Any questions about how your data is used

    • Complaints or concerns

  • Movement cannot directly action any requests from supporters

For Our Clients (Organisations)

  • You are the data controller for your supporter data

  • You are responsible for:

    • Legal basis for processing

    • Responding to supporter requests

    • Privacy notices to supporters

    • Consent management

    • Record keeping

    • Risk assessments

  • Movement will assist you as required under our Data Processing Agreement

For Movement Platform Users

  • We are your data controller

  • Contact us directly for:

    • Account management

    • Access control

    • Security concerns

    • Platform-related privacy questions

Compliance Framework

We operate in compliance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • EU General Data Protection Regulation (where applicable)

  • Additional relevant data protection laws and regulations

Data We Process

As a Data Processor (Client Supporter Data)

We process the following types of data on behalf of our clients:

  • Contact information

  • Campaign interaction data

  • Communication preferences

  • Custom fields as defined by clients

We process this data strictly according to our clients' instructions and our Data Processing Agreement.

As a Data Controller (Platform Users)

We collect and process:

  • Account credentials and authentication data

  • Two-factor authentication verification data

  • IP addresses for security monitoring

  • Platform usage analytics and logs

  • User preferences and settings

  • Access logs and security audit trails

Technical Data

For platform users, we collect:

  • Browser type and version

  • Operating system information

  • Device information

  • Connection type and speed

  • IP address

  • Time zone setting

  • Location data (country/region level only)

Data Storage and Security

Infrastructure Security

  • Primary data center location: Frankfurt, Germany (AWS)

  • Regular infrastructure security audits

  • Network segmentation and firewall protection

  • DDoS protection

  • Real-time security monitoring

  • Intrusion detection and prevention systems

  • Regular vulnerability assessments

Data Encryption

  • TLS 1.2+ for all data in transit

  • AES-256 encryption for data at rest

  • Secure key management system

  • Regular rotation of encryption keys

  • SSL/TLS certificates with strong cipher suites

  • Perfect forward secrecy for data in transit

Access Control

  • Role-based access control (RBAC)

  • Mandatory two-factor authentication

  • Strong password requirements

  • Regular access review and audit

  • Automated account lockout after failed attempts

  • Session timeout controls

  • IP-based access restrictions where appropriate

Security Monitoring and Response

  • 24/7 security monitoring

  • Automated threat detection

  • Security incident response team

  • Regular security awareness training

  • Vulnerability management program

  • Penetration testing program

  • Regular security assessments

Backup and Recovery

  • Daily encrypted backups

  • 4-week backup retention

  • Regular backup testing

  • Disaster recovery procedures

  • Business continuity planning

  • Geographic redundancy

  • Point-in-time recovery capabilities

Development Security

  • Secure development lifecycle

  • Regular code reviews

  • Automated security testing

  • Dependency vulnerability scanning

  • Change management procedures

  • Development/staging/production environment separation

Third-Party Processors

Core Infrastructure

  • Amazon Web Services (Frankfurt, Germany)

    • Primary data storage and processing

    • Encrypted backup storage

    • Network security services

  • Twilio (European data centers)

    • Communication services

    • SMS and voice capabilities

    • Real-time notifications

  • Aiven (Frankfurt, Germany)

    • Database management

    • Data processing

    • Analytics services

Security Controls for Third-Party Processors

  • Regular security assessments

  • Data processing agreements

  • Compliance certifications review

  • Security incident notification requirements

  • Data residency requirements

  • Processing restrictions

  • Audit rights

Data Retention

Client Supporter Data

  • Retention periods are set by our clients

  • We follow client instructions for data deletion

  • Backups are retained for 4 weeks after deletion

  • Clients can request immediate deletion

Platform User Data

  • Retained while accounts are active

  • Deleted within 30 days of account closure

  • Backup retention for 4 weeks

  • Analytics data is anonymised

Individual Rights

For Supporters

All rights requests should be directed to the organisation you engaged with (our client). This includes:

  • Right to access

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to data portability

  • Right to object

For Platform Clients

Contact privacy@movement.industries for:

  • Account information access

  • Account updates

  • Account deletion

  • Processing restrictions

  • Data export

Security Incident Response

In case of a security incident:

  • We immediately investigate and contain

  • We notify affected clients without undue delay

  • Clients are responsible for notifying their supporters if required

  • We support clients with required information

  • We implement preventive measures

Updates to This Policy

We review this policy regularly. Significant changes will be:

  • Communicated to platform users

  • Notified to clients

  • Posted on our website

  • Dated and version-controlled

Contact Us

For Platform Users and Clients

Email: privacy@movement.industries

For Supporters

Please contact the organisation you engaged with directly.

Regulatory Authority

Information Commissioner's Office (www.ico.org.uk)