Last Updated: May 6, 2025
1. INTRODUCTION
Innovation Consulting & Solutions ("ICS", "we", "our", or "us") is committed to protecting and respecting your privacy and the privacy of the data subjects whose information we process. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use our website (https://innovationsln.com/), products, and services (collectively, the "Services").
We recognize the sensitive nature of data processing in humanitarian contexts and are committed to upholding the highest standards of data protection while enabling effective humanitarian response.
2. ABOUT ICS
ICS was founded in Syria, Lebanon, and Turkey in 2019 and the UK in 2020. We are a leading provider of information and communication technology solutions focused on delivering cutting-edge tools to the humanitarian community. Our extensive field experience and people-first approach enable us to support humanitarian and development requirements, particularly in the MENA region.
3. DEFINITIONS
For the purposes of this Privacy Policy:
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject").
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the Data Controller.
- Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or otherwise making available.
- Beneficiary: An individual who receives humanitarian assistance or services from our NGO clients.
- Cyber Essentials: A UK government-backed scheme that helps organizations protect against a range of the most common cyber attacks.
4. DATA PROTECTION PRINCIPLES
ICS adheres to the following principles when processing personal data:
- Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data minimization: We ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
- Storage limitation: We keep personal data in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
- Integrity and confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: We are responsible for and can demonstrate compliance with these principles.
5. CATEGORIES OF PERSONAL DATA WE COLLECT
Depending on your interaction with our Services, we may collect the following categories of personal data:
5.1 Data You Provide Directly
- Account information: Name, email address, phone number, organization name, job title
- Profile information: Profile photo, biographical information, location
- Communication data: Information provided in emails, forms, or other communications with us
- Payment information: Payment card details, billing address, transaction history
5.2 Data We Collect Automatically
- Technical data: IP address, browser type and version, operating system, device information
- Usage data: Pages visited, features used, time spent on the Services, clickstream data
- Location data: General location information based on IP address or more precise location if you permit
5.3 Sensitive Personal Data
We recognize that our NGO clients may collect sensitive personal data from beneficiaries. While we generally do not directly collect sensitive personal data from beneficiaries, we act as a data processor for such information when it is processed through our systems. This may include:
- Health data
- Biometric data
- Ethnic origin
- Religious beliefs
- Political opinions
Such data is always handled with additional safeguards as described in this Policy.
6. HOW WE COLLECT PERSONAL DATA
We collect personal data through various channels, including:
- Direct interactions when you create an account, subscribe to our services, or contact us
- Automated technologies such as cookies and similar tracking technologies
- Third parties, such as our NGO clients who use our platforms to collect and process beneficiary data
7. LAWFUL BASES FOR PROCESSING
We process personal data on the following legal bases:
7.1 For Our Website Users and Clients
- Contract: Processing necessary for the performance of a contract to which the data subject is party
- Legitimate Interests: Processing necessary for our legitimate interests, such as to improve our Services, prevent fraud, and for direct marketing
- Consent: Processing based on the data subject's specific, informed, and unambiguous consent
- Legal Obligation: Processing necessary for compliance with a legal obligation to which we are subject
7.2 For Beneficiary Data (When Acting as a Processor)
When we process beneficiary data on behalf of our NGO clients, the legal basis for processing is determined by the NGO client (the data controller). In humanitarian contexts, this may include:
- Vital Interests: Processing necessary to protect the vital interests of the data subject or of another natural person
- Public Interest: Processing necessary for the performance of a task carried out in the public interest
- Consent: Where appropriate and feasible in the humanitarian context
8. HOW WE USE PERSONAL DATA
8.1 Primary Purposes
We use the personal data we collect for the following primary purposes:
- To provide and maintain our Services
- To authenticate users and manage accounts
- To process transactions and send related information
- To provide customer support and respond to inquiries
- To send service-related notifications
- To ensure the security and integrity of our Services
8.2 Secondary Purposes
We may also use personal data for the following secondary purposes:
- To improve and personalize our Services
- To conduct research and analysis
- To communicate about new features, offers, and promotions
- To develop new products and services
- To comply with legal obligations
8.3 Processing of Beneficiary Data
When processing beneficiary data on behalf of our NGO clients, we:
- Only process such data in accordance with the documented instructions from the NGO client
- Implement appropriate technical and organizational measures to ensure the security of processing
- Assist the NGO client in responding to data subject requests
- Assist the NGO client in ensuring compliance with security obligations
9. DATA SHARING AND DISCLOSURE
9.1 Categories of Recipients
We may share personal data with the following categories of recipients:
- Service Providers: Third-party vendors who perform services on our behalf, such as hosting, data analysis, payment processing, and customer service
- NGO Clients: When providing services to NGO clients, we may share data as necessary to provide those services
- Professional Advisors: Including lawyers, auditors, and insurers who provide consultancy, legal, insurance, and accounting services
- Authorities: We may disclose personal data to regulatory authorities, law enforcement agencies, or other third parties where we believe in good faith that disclosure is legally required
9.2 International Data Transfers
We may transfer personal data to countries outside the UK and European Economic Area (EEA). When we do so, we ensure that appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules
- Adequacy decisions by the European Commission
- Specific derogations for humanitarian action where applicable
9.3 Organizational Safeguards
We maintain detailed data sharing agreements with all third parties that process personal data on our behalf, requiring them to:
- Process personal data only on our documented instructions
- Implement appropriate technical and organizational security measures
- Assist us in fulfilling our obligations to data subjects
- Delete or return all personal data at the end of the service provision
- Submit to audits and inspections
10. DATA SECURITY
We have implemented appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, alteration, or disclosure. These measures include:
10.1 Technical Measures
- Encryption of personal data at rest and in transit
- Firewalls and intrusion detection and prevention systems
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Regular data backups and disaster recovery procedures
10.2 Organizational Measures
- Staff training on data protection and security
- Confidentiality obligations for staff and contractors
- Data protection impact assessments for high-risk processing
- Incident response procedures
- Regular audits and compliance reviews
10.3 Cyber Essentials Certification
We have achieved Cyber Essentials certification, demonstrating our commitment to cybersecurity and protecting the data we process. This certification verifies that we have implemented key technical controls to mitigate common cyber threats.
11. DATA RETENTION
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
11.1 Retention Criteria
To determine the appropriate retention period, we consider:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process the data
- Whether we can achieve those purposes through other means
- Applicable legal, regulatory, or contractual requirements
11.2 Retention Periods
Typical retention periods include:
- Account information: For the duration of your account plus up to 24 months after account closure
- Transaction information: Up to 7 years for tax and accounting purposes
- Communication records: Up to 3 years from the date of the communication
- Technical and usage data: Up to 13 months
11.3 Data Deletion
When personal data is no longer needed, we securely delete or anonymize it. For beneficiary data processed on behalf of NGO clients, we follow the retention instructions provided by the client.
12. YOUR RIGHTS AS A DATA SUBJECT
Depending on your location and applicable law, you may have the following rights regarding your personal data:
12.1 Access Rights
- The right to know whether we process your personal data
- The right to access your personal data
- The right to receive information about how we process your personal data
12.2 Rectification Rights
- The right to have inaccurate personal data rectified
- The right to have incomplete personal data completed
12.3 Erasure Rights
- The right to have your personal data erased in certain circumstances
12.4 Restriction Rights
- The right to restrict the processing of your personal data in certain circumstances
12.5 Data Portability Rights
- The right to receive your personal data in a structured, commonly used, and machine-readable format
- The right to transmit that data to another controller
12.6 Objection Rights
- The right to object to processing based on legitimate interests
- The right to object to direct marketing
- The right to object to processing for scientific or historical research or statistical purposes
12.7 Automated Decision-Making Rights
- The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
12.8 Withdrawal of Consent
- The right to withdraw consent at any time where processing is based on consent
13. EXERCISING YOUR RIGHTS
To exercise any of these rights, please contact us using the details provided in the "Contact Us" section. We will respond to your request within one month, which may be extended by up to two additional months if necessary, taking into account the complexity and number of requests.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
14. COOKIES AND SIMILAR TECHNOLOGIES
14.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work or work more efficiently, as well as to provide information to the website owners.
14.2 How We Use Cookies
We use cookies for the following purposes:
- Essential cookies: Required for the operation of our website
- Analytical cookies: Allow us to recognize and count the number of visitors and see how visitors move around our website
- Functionality cookies: Enable us to personalize our content for you
- Targeting cookies: Record your visit to our website, the pages you have visited, and the links you have followed
14.3 Cookie Management
You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.
15. CHILDREN'S PRIVACY
Our Services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.
For beneficiary data processed on behalf of our NGO clients, special protections apply to children's data, and we work with our clients to ensure appropriate safeguards are in place.
16. DATA PROTECTION IN HUMANITARIAN CONTEXTS
We recognize the unique challenges of data protection in humanitarian contexts and adhere to the following additional principles:
16.1 Do No Harm
We ensure that our data processing activities do not expose individuals to additional risks or harms, particularly vulnerable populations in crisis-affected areas.
16.2 Purpose Limitation and Data Minimization
We are particularly stringent in applying purpose limitation and data minimization principles in humanitarian contexts, collecting only data that is directly relevant and necessary for specified humanitarian purposes.
16.3 Balancing Data Protection with Humanitarian Imperatives
While maintaining high standards of data protection, we recognize that in certain humanitarian contexts, some data protection requirements may need to be balanced against the imperative to save lives and alleviate suffering.
16.4 Special Protection for Vulnerable Groups
We implement enhanced safeguards for data relating to vulnerable individuals and groups, including children, refugees, internally displaced persons, and victims of conflict or disaster.
17. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
We encourage you to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
18. CONTACT US
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Data Protection Officer
Innovation Consulting & Solutions
Email: info@innovationsln.com
For data subjects in the European Union, please note that you have the right to lodge a complaint with your local data protection authority if you are concerned about how your personal data is being processed.