Privacy Policy EU/ UK

Learn how Cecil treats personal data in line with the GDPR when we provide our products and services to you.

Updated over a week ago

This is our Privacy Policy for users located in the European Economic Area (“EEA”) or the United Kingdom (“UK).

For other users, please find our standard privacy policy here.
Find archived policies here.

1. Overview

Welcome to Cecil. We value the trust you place in us when providing us with your Personal Data, and we aim to protect your data to the highest of standards as we provide our products and services to you.

This Privacy Policy was last updated on 23 May 2023.

By accessing and using our Sites and Services, you freely and expressly consent to the collection, use, processing, storage, and disclosure of Personal Data by Cecil as set out in this Privacy Policy.

2. Scope of this policy

This Privacy Policy applies to Cecil corporate customers or prospective corporate customers, or as users of our Services that are located in the European Economic Area (“EEA”) or the United Kingdom (“UK).

Cecil processes your Personal Data in accordance with the applicable UK and EU data protection laws, such as the General Data Protection Regulation of the United Kingdom (“UK GDPR”) and the General Data Protection Regulation (EU 2016/679) (“EU GDPR”).

This Privacy Policy describes how we process the Personal Data of our customers and end-users (“you” or “your”) when you use our Services or engage with us in any way. It also describes your data protection rights, including your right to object to some of the processing activities which we carry out.

This policy applies to all Personal Data that we collect, use, or disclose when providing our websites, platforms, apps, products, and services owned or operated by us, including in relation to the following:

(together, the “Services”).

We may also provide you with additional information when we collect Personal Data where we feel it would be helpful to provide relevant and timely information.

3. Who are we?

In this policy, “Cecil”, “we”, “us” or “our” means Cecil Earth Pty Ltd ACN 647 150 972 and its affiliates.

For the purposes of the EU GDPR and the UK GDPR, Cecil is a data controller of your Personal Data. This Privacy Policy describes our independent privacy and data processing practices as a data controller.

4. What is Personal Data?

The EU GDPR and UK GDPR defines Personal Data as any information relating to an identified or identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”).

Special Categories of Personal Data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation (“Special Categories of Personal Data”).

5. What information do we collect?

The Personal Data we collect, and process will vary depending on your dealings with us and the Services we provide to you.

We may also collect, and process Special Categories of Personal Data with your explicit consent when providing our Services to you, which includes Special Categories of Personal Data submitted by you, or on your behalf, through our platforms and apps.

(a) Information we collect when you use our Services

We collect the information you provide to us when you do things such as sign up for, and use our Services, or update your user profile, which may include:

  • individual or business account information including name, date of birth and age, details regarding gender, profile photo, organisation details including company or business name, and other related information regarding your business and/or employees that can be used to identify an individual;

  • site tools such as cookies;

  • any information that you upload to the Sites and/or input into your account; and

  • any other information you may provide to us voluntarily through your use of our Sites; and

  • contact information including residential and/or postal address, email address, telephone number, and social media handles.

(b) Information we collect from your other interactions with us

We collect information when you interact with us, such as when you use our websites, communicate with us via email, telephone, social media or chatbots, make enquiries regarding demos, or when we collect feedback from you on the Services we provide. The information we may collect in these circumstances include individual or business name, address, email, phone number, company/employer, job function, team size, the date, time, and reason for contacting us, survey and research responses, social media information, and call recordings.

(c) Information that we automatically collect from you

We automatically collect usage information when you browse our websites or use our Services to improve our Services and enhance your user experience. This information includes:

  • user names, member names, email addresses and other contact details;

  • your actions on our Sites (including any selections or inputs into items);

  • digital interactions data, i.e., how you use our digital properties (including our websites);

  • transactional details;

  • support queries and forum comments (if applicable);

  • third-party websites;

  • social media sites;

  • apps and electronic communications;

  • metadata (collected on an anonymous basis);

  • consumer analytic data (collected on an anonymous basis but which can be attributed to you based on other information we have about you);

  • log file information;

  • information about the type of device and operating system used by you;

  • location information;

  • computer IP addresses; and

  • marketing and cookie preferences, including any consent you have given us.

6. How and why do we use this information?

Where the EEA GDPR or the UK GDPR applies, we must have a legal basis to collect, use and disclose your Personal Data and we explain these legal bases below. We also explain the purposes for which we process your Personal Data, the processing operations that we carry out, and the categories of data that we use for each purpose.

(a) Legal Basis

  • Contractual performance – we have obligations to perform and fulfil under our contract with you. To fulfil those obligations, we will have to use, process and store your data. For example, this includes creating and maintaining your account, resolving issues you may experience with the Services.

  • Consent – in certain cases, you consent to us or have reasonable expectations of us using your Personal Data in a certain way. Whenever we ask for your consent, we will explain the situations where we use your data, and the purposes for which the data will be used.

  • Legitimate interest – we can process your data when this is necessary for us to achieve a business purpose, or where this is necessary for someone else to achieve their purpose. This includes obtaining payment for our Services, sending users relevant marketing communications, using Personal Data to make more informed predictions, decisions and offers for our users, enhancing our Service via research and development, data labelling, machine learning and predictive analytics.

  • We explain below what interests we, or others, are trying to achieve when we process your data. Where we process Personal Data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals, and to determine whether individuals’ interests outweigh our interests in the processing activity taking place.

  • Legal obligations – it is necessary to comply with the relevant legal, regulatory, and other requirements under EU, EU Member State or UK laws. In certain cases, we will have to use your data to meet these obligations, for example, to disclose your information in response to a request made by a law enforcement authority.

(b) Purposes

We may process your data for different purposes. We may also provide you with notices that further specify the purposes for some of the processing described below, and on the rare occasions when we need to ask for your consent, we will only do so at the time we collect your Personal Data.

(c) Provision of Services and administration of our contract with you (Contractual Performance or Consent)

We use your Personal Data to administer aspects of our relationship with you so we can fulfil the obligations we have in the contract between you and us or based on your explicit consent. We process your information:

  • to fulfil a contract, or take steps linked to contractual obligations;

  • to provide our Services, including ancillary Services such as customer support;

  • to take payment for Services (where applicable); or

  • to send you service, technical and other administrative emails, messages, and other types of communications relating to our Services, among other things.

To do this, we use your information related to our contract, such as your individual or business account information, billing information such as bank details, and information about your use of our Services.

To the extent we process Special Categories of Personal Data as a part of our Services, we will rely on your explicit consent where required by law.

(d) Marketing communication and preferences (Consent)

We send you marketing communications via email or SMS when you provide us with consent by using your contact details and information provided through your use of the Services.

You can opt out of receiving direct marketing communications from us at any time by following the unsubscribe instructions included in the relevant marketing communication, or by emailing us at

7. How we share your Personal Data

(a) Sharing of information when providing our Services

We may share your Personal Data with our affiliates and with other third parties from time to time for the purposes and means described in this Privacy Policy. In delivering our Services, we may disclose your information to:

  • members and personnel of the Cecil group – we may share your information between our departments or business functions, including with our employees, affiliates, and contractors for the purposes of the delivery and operation of our Services, and fulfilling requests by you, and we may share your information with our affiliates for the purposes of the delivery of their services to you where you have subscribed to their services, or where they integrate with us to provide our Services;

  • legal and regulatory authorities – we may share your information with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws;

  • parties involved in a business sale – in the event that we undergo any reorganisation, restructuring, merger, sale, or other transfer of assets your information will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to any new owners of the business;

  • business partners – we may share your data with our existing or potential agents, business partners or joint venture entities or partners to enable us to perform our business activities in relation to your services; and

  • your organisation – we may share your information with your employer and other personnel (where it is necessary and reasonable) in your organisation, if you use our Services in connection with your employment and your employer has established an account on your behalf.

(b) Sharing your information with third parties

We may disclose your Personal Data to specific third-party service providers who facilitate the delivery of our Services and operation of our business activities. We disclose your Personal Data to such third parties as doing so may be necessary to adequately provide our Services to you, or to assist us in analysing how our Services are used and ensure they are provided to you at the highest quality. These third parties are given access to your Personal Data only to perform these tasks on our behalf or for our benefit and are required not to disclose or use it for any other purpose.

Such third parties include providers of hosting services and technical infrastructure (e.g., Amazon Web Services), maintenance services, CRM services, customer support services, and marketing services.

(c) Sharing your information with overseas recipients

In connection with the purposes identified in this Privacy Policy, and the Services described, your Personal Data may be transferred outside the EEA or the UK, including to Cecil team members and affiliates based in Australia and the US, and to third-party service providers located globally, where we have a lawful basis to make such transfer.

By signing up, you acknowledge and agree that Cecil (an entity in Australia) may transfer your Personal Data to other countries where our affiliates and service providers are located. Please note that some of these countries may have data protection laws that are different from your country (and, in some cases, may not be as protective).

If your Personal Data is transferred to a third-party provider that is not located in the EEA or the UK, we ensure that such transfer is compliant with the relevant requirements and are subject to appropriate safeguards.

8. What rights do you have?

(a) Privacy rights

The UK GDPR and EU GDPR grant enhanced privacy rights to individuals residing in the UK or EEA including to:

  • request us for a copy of your Personal Data to correct, delete or restrict processing of your Personal Data, and to obtain the Personal Data you provide to us on a contractual basis or with your consent, in a structured, machine-readable format; correct and delete some Personal Data through your account provided by our Services.

  • where your Personal Data has been added to your account by your employer, you can ask your employer to correct or delete your Personal Data on your behalf. Your employer will then request us to correct or delete the Personal Data from our systems.

  • object to our use of your Personal Data or information in some circumstances, i.e., when we process your Personal Data based on our legitimate interests or where we are using the data for marketing purposes.

In some circumstances Cecil will not be able to comply with your request regarding your Personal Data. If we are unable to remove any of your information, we will inform you of our reasons. For example, if fulfilling your request would reveal Personal Data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.

To exercise any of these rights, including obtaining a copy of your legitimate interest balancing test, you can get in touch with us at If you have unresolved concerns, you have the right to make a complaint to a data protection authority in your jurisdiction or where you believe a breach may have occurred.

For the provision of information marked as mandatory when you register to use our Service, if such information is not provided, then you will not be able to use our Services. All other provision of your information is optional. If you do not provide such information, our provision of certain Services to you may be detracted from.

Where we rely on your consent, you will always be able to withdraw that consent at any time. If you ask to withdraw your consent to our processing your data, this will not affect any processing which has already taken place.

(b) Direct marketing communications

In some cases, we may send you direct marketing based on our legitimate interests or where you have provided us with explicit consent.

You have an absolute right to opt out of direct marketing at any time. You can do this by following the instructions in the communication within the electronic message we send to you, or by contacting us via email at

We may still send you important notices relating to your account, operational activities, and technical updates, even after you have opted out of receiving marketing communications.

(c) Cookies

The Services we provide use cookies which are small text files containing a string of alphanumeric characters which are sent to your computer that uniquely identifies your browser and lets us enhance your experience when using our Services such as helping you with logging in more efficiently, enhancing your navigation through our Services, and generally improving the user experience.

Cookies also convey information to us about how you use our Services. When you use our Services, certain information may be recorded for statistical purposes. The information that may be recorded includes information regarding your:

  • IP address or server address;

  • domain name;

  • date and time of visit;

  • length of your session;

  • the pages which you have accessed;

  • the number of times you access our Sites within a period of time;

  • the file URL you look at and information relating to it;

  • the website which referred you to our Sites;

  • the operating system which your computer uses;

  • previous websites visited; and

  • browser type.

You can opt out of cookies collection, delete and refuse to accept cookies at any time by changing your privacy settings provided in your Internet browser. However, certain features of the Sites or Cecil Platform may not work if you delete or disable cookies. Some of our service providers may use their own cookies and web beacons in connection with the services they perform on our behalf.

9. Storage & Security

At Cecil, we’re serious about information security, and maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of your data. Our managed services within our AWS infrastructure supports encrypted and automated back up of data stored in our cloud platform. We also conduct an annual Well Architected Review with an accredited AWS partner to ensure compliance with best practices of the Well Architected Framework. Further details on our third-party storage provider’s location and security can be found here. We also contractually require that our Service Providers protect such information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

You should be aware that no data transmission over the Internet or other network can be guaranteed to be 100% secure. As a result, while we strive to protect information transmitted on or through the Sites, we cannot and do not guarantee the security of any information you transmit on or through the Sites. Accordingly, you disclose Personal Data to us at your own risk, and to the extent possible, we will not be liable for any unauthorised access, modification or disclosure, or misuse of your Personal Data.

You can also play an important role in keeping your Personal Data secure, by maintaining the confidentiality of any password and accounts used on the Services. Please notify us immediately if there is any unauthorised use of your account by any other Internet user, or any other breach of security relating to your account via email at

10. How long will you retain my data?

We will store your Personal Data for a commercially reasonable time, and for as long as we have a lawful basis to do so. This is a case-by-case determination that depends on things such as the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. You can delete some Personal Data at any time, some data is deleted automatically, and some data we retain for longer periods of time. For example, we will retain:

  • account information for as long as your subscription or agreement continues or for as long as it is necessary to deliver our Services;

  • a record of the fact that you have asked us not to send you direct marketing, so that we can respect your request in future. If you unsubscribe from receiving direct marketing, then we will remove your details from our direct marketing mailing list; and

  • usage information and analytics data relating to your use of the Services to understand how people use our Services. We will do this through the use of cookies and tracking technologies to provide us with user analytics data to improve our Services and enhance your user experience.

We will also retain your information for the purposes of complying with legal and audit obligations such as security, fraud prevention, financial record-keeping, troubleshooting, fee collection, ensuring the continuity of our Services, and when you have had direct communications with us.

11. How do I get in touch with you?

If you have any questions or concerns about how we process your data, please contact us via email at

12. Changes to our Privacy Policy

We reserve the right to change this Privacy Policy from time to time without notice to reflect changes in the laws or regulations, our information practices, our Services, or our operational requirements.

We advise that you periodically review this page to see any changes we have made. In the event that we make any significant changes in terms of data processing operations or any other change that may be relevant to you or may impact you or your Personal Data, we will additionally notify you via email or notifications on our Services. Non-material changes and clarifications will take effect immediately, and material changes will take effect 30 days after the posting of the amended and updated Privacy Policy on the Website.

Did this answer your question?