We care about your data! The privacy policy for our systems, platforms, website and all data

We are very proud to be UKAS ISO 27001 and ISO 9001 certified. Please call us if you would like to review our documentation.

To protect your privacy:
We do not share your data with anybody outside your company.
We keep your data encrypted on UK servers, unless directed otherwise by your company.
The ONLY sensitive personal data we use for our 360° Feedback and Opinion surveys are your name and your company email address.
Your company may wish to include other data.

We are proud to be GDPR compliant and all our staff are trained to treat your personal data with care and confidentiality. Please feel free to download our GDPR Summary statement.

Click here for our GDPR Summary Statement

… or read more on our blog post “We care about your data!

CR Systems are registered on the UK Data Protection register ZA066642.

At CR Systems, we respect your privacy. We want to maintain your confidence in our handling of any data and information that is collected during your visit to our web site. We have developed and provided this Privacy Policy to inform you of our practices and policies regarding the collection, use, maintenance, and disclosure of your personal data and information.

We are committed to providing you with adequate information so you can make an informed decision whether to visit our web site and whether you wish to voluntarily provide any personal data or information, e.g., your name, e-mail address, telephone number, etc. Our Privacy Policy is described in the following sections.


“Cookies” are small data files that are written to and stored on your hard drive when you visit a web site. They do not read files on your hard drive.

Like most web sites, we use cookies to personalize a user’s experience of our web site and to make it easier for users to complete forms. Our cookies do not track user movement once you leave our web site, except for noting your destination address.

Most web browsers allow the user to be notified upon the proposed installation of a cookie and the user can then decline the cookie. Even if you decline the cookie, you may continue to use our entire web site.

We use data and information received from our cookies for marketing purposes and to improve our on-line offering of services and products. We may also do so to evaluate our site’s technical capacity and to review the navigational structure of our site, e.g., to revise or restructure our web site for easier and more intuitive movement throughout.

Currently, the data and information we collect with cookies is only reviewed in an aggregated form, which is not personally identifiable. In the future, however, we may correlate the data and information received from cookies with personally identifiable information, to identify specific users and track their web site usage. This personally identifiable information will be limited to contact information, such as the user’s name, address, phone number, fax number, and e-mail address. Our use of this combined information will continue to be solely for the purposes stated above with respect to information collected through cookies.

Whether or not the data and information received from cookies is correlated to any specific user, we do not, and will not, disclose, sell, rent or share any data or information derived from cookies with any third parties other than to CR360′s affiliated companies (“Affiliates”), except for personally identifiable information saved in cookies when you register for or enroll in a program or service as we disclose in accordance with our policy for Voluntarily Provided Information set forth below, or as otherwise stated in this Privacy Policy.

Log Files

We also review data and information contained in log files located on our web server, which record the date and time of each visit to our web site, the user’s IP (internet protocol) address, the referring IP address or domain (the prior web site visited), and the files viewed on our web site (including HTML pages, graphics, etc.). We use log file information to analyze data in the aggregate to determine the trends and usage of our site. We can not correlate the log data to identify specific users.

We do not, and will not, disclose, sell, rent or share any information derived from log files with any third parties.

Voluntarily Provided Information

If you register for or enroll in a program or service through our web site, make purchases from our on-line offerings, respond to a request for information or make any other on-line request of us, you will be voluntarily providing personally identifiable information. If you do not agree with this Privacy Policy, we ask that you please do not provide the requested information. You may nevertheless continue to use most of our web site, subject, however, to the collection of information through cookies and log files as discussed above. If you have previously provided personally identifiable information by registration through our web site, you may request to be removed from our active database of mailing lists (see the discussion below).

Voluntarily provided information is used to send you announcements of new products, updates, and promotional information, as well as to provide the services or goods that you request and give you better customer service. We share personally identifiable information with our Affiliates, as well as with our third-party business partners, sales representatives and distributors (collectively, “Partners”) who may provide the requested goods or services to you directly or otherwise contact you directly. Moreover, we rely on various third-party service companies (“Service Companies”) to provide certain services (e.g., shipping, credit card billing) for which it is necessary to provide users’ personally identifiable information.

We do not, and will not, disclose, sell, rent or share any personally identifiable information received as a result of enrollment, registrations or e-commerce transactions on our web site with any third parties, other than our Affiliates, Partners, Service Companies, or as otherwise stated in this Privacy Policy.

Please note that although we may seek to require that Affiliates, Partners, and Service Companies use information regarding our users only in the ways permitted by this Privacy Policy, we do not control and are not responsible for their privacy practices, or those of any other party.

Collection of Data & Information by Our ISP

Our Internet Service Provider (ISP) also collects certain information about your visit. It is the same information contained in a log file that we collect and analyze, i.e., the date and time of the visit, the user’s IP (internet protocol) address, the referring IP address or domain, and the files viewed on our web site (including HTML pages, graphics, etc.). In addition, our ISP has access to back-up files containing the personally identifiable information that you voluntarily provide (even if your input fails). The ISP does not disclose, share, release, publish, disseminate, rent, or sell any personally identifiable information to any third parties, but does use the log files to analyze data in an aggregate form, which is not personally identifiable information.

Links to Third-Party Web Sites

Through our web pages, you may connect to third parties’ web sites via hyperlinks, and the connections may or may not be obvious. We are not responsible for the collection, use, maintenance, sharing, or disclosure of data and information by such third parties. We encourage our users to be aware of the varied privacy policies of web sites that they visit.


We maintain and review e-mail correspondence that you send to us. We will use (and maintain in a file specific to you) the personally identifiable information disclosed in the e-mail. Because such correspondence contains information that is not transmitted through the operation of our web site, it is not subject to the terms of this Privacy Policy.

Required Disclosures of Data & Information

In addition to disclosures to our Affiliates, Partners, and Service Companies, and regardless of anything in this Privacy Policy to the contrary, we may disclose personally identifiable information, with or without prior notice to you, when we believe that the law requires it, in response to subpoenas or at the demand of governmental agencies, to protect our systems or business, to protect other visitors to the web site, or to respond to an emergency. If you partake, or we reasonably suspect you of partaking in any illegal activity we may also disclose your personally identifiable information, even without a subpoena, warrant or court order. We may also make disclosures of your personally identifiable information with your affirmative consent.

Maintenance & Transmission of Data & Information

Although we use reasonable efforts to maintain the privacy of your personally identifiable data and information, due to technological limitations, and the risk of unlawful interceptions and accessing of transmissions and/or data, we cannot completely assure you, and you should not expect, that your personally identifiable data and information, and any other electronically communicated information, will be absolutely confidential.

For all e-commerce transactions, we use industry-standard commercial encryption technology to protect the data and information that you transmit to us via our web site. Although this technology is not flawless, we believe that it provides reasonable protection for your data and information. We will endeavor to update our protective devices as encryption technology develops further.

Once received, personally identifiable information is protected from outside CR360 by “firewalls,” and access within CR360 is generally limited to the sales, marketing, and information technology departments. We also seek to require our Affiliates, Partners and Service Companies to exercise reasonable efforts to maintain the confidentiality of your information.

Your Right to Review & Modify Data & Information

You have the right, at any time, to review and/or modify any of your personally identifiable information that you provide during registration, or any other voluntarily provided information. You may also remove yourself from our active databases of e-mail lists. To do so, you should send an e-mail to [email protected] requesting that (a) we provide a copy of your profile of personally identifiable information, (b) we update or modify certain personally identifiable information, or (c) you be removed from our databases of active e-mail lists. We will endeavor to comply with your request as soon as reasonably possible. To protect your confidentiality, we can only send a requested profile to the e-mail address listed in the profile. In any event, our back-up files will maintain copies of your personally identifiable information. We reserve the right to contact former customers or users of the web site from time to time.

Users Under 13

This web site is not directed at children under the age of 13. If you are younger than 13, please do not provide any personally identifiable information in connection with your use of the web site.


We reserve the right to transfer any and all information that we collect from our visitors to a third party in the event that we sell or transfer substantially all of our assets related to the web site to such third party.

GDPR Summary Statement

Click here for our GDPR Summary Statement, read more on our blog post “We care about your data!

We process data specifically for our clients’ internal use. We do not process or share any of our clients’ data for any other purpose or with any other source unless directed by the client. We hold very little personal data, usually the minimum level in terms of sensitivity.

Data Sensitivity

The level of personal data that we need to maintain our service is generally considered to be among the lowest of categories in terms of sensitivity. To be specific we hold:

Core Data (360° Feedback only. Opinion based surveys this data is optional)

• Individual name

• Individual email address

• Working relationship to some other members of the client organisation

• Raw scores and written feedback Optional Data (depending entirely on client requirement)

• Department

• Grade

• Location

• Other demographics as defined by client need

Data Location and Security

We hold the data on secure, encrypted databases within the UK.

The data is duplicated in geographically separate locations and replicated in real time to ensure the fastest possible restoration of availability in cases of significant breakdown.

The client has the option to define and locate the data servers to wherever they wish based on their operational requirements. Raw data and processed data (360 Reports etc) are held on separate databases.

Data is exported only to those countries specifically requested by the client as part of their operating remit.

Data Retention

Processed data is deleted automatically after use. Report files (pdf files) that are generated from the processed data are either deleted immediately after delivery unless specifically requested by the client.

Raw data is held for a period of 12 months on our operational servers, and then archived for a time period agreed with the client but no longer than seven years. Our default position is to delete any reports/analysis immediately from our database upon delivery to the client. The raw data is kept for 12 months and then deleted.

Data Consent

The data collected is assumed to be authorised by the individual as part of the contract of employment between the individual and the client. It is the clients’ responsibility to inform the individual how their data will be used (different clients’ use the data in different ways).

In addition we can support this by adding an option (client decision) for each individual to be informed both online and in any correspondence of the use of their data and then given the option to actively opt in to the process before providing any data.

Data Profiling

It is a mute point as to whether 360° Feedback is a form of Data Profiling. It does not predict any future behaviours from the individual concerned, and in terms of analysis it simply reports and compares the views of others.

It should always be remembered that 360° Feedback has very limited validity and reliability beyond its Face Validity. It is therefore the responsibility of the client to manage appropriately any data profiling processes that may ensue from the collection and analysis of the data.

In opinion based surveys there is a greater degree of profiling, however all personal data is always agglomerated and minimum levels of display are agreed with the client to protect the anonymity and confidentiality of the individual personal data involved.


All our staff are trained twice a year and are aware of their responsibility in terms of individual data protection and the processes we use to protect both individual and corporate data. As from April 2018 the training will specifically include a GDPR update section so that staff are kept updated of any material changes in their obligation to the protection of our clients’ and their employees’ personal data.

Data Controllers and Processors

The Data Protection Officer (DPO) for CR Systems is the Managing Director. All Data Processors are vetted by either the DPO or appointed Data Controller who also takes responsibility for all training of Data Processors.

Cyber Essential Plus Certification

Cyber Essential Plus Certification