Mobile Tornado Group plc (“MTG”, “we”, “us” or “our”) recognises that the privacy of the personal information that our clients provide to us is critically important. We take the privacy and security of personal information very seriously. We are committed to complying with our legal obligations under the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“UK Data Protection Laws”) and other data protection laws around the world.
Mobile Tornado Group plc is a company, registered in England and Wales under No. 05136300, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. MTG’s shares are traded on the Alternative Investment Market (AIM) of the London Stock Exchange. Substantial shareholders in MTG currently include Intechnology plc. MTG has been trading since 2005.
The business of MTG is the development and supply to our clients of Push To Talk over Cellular and Wi-Fi products and services. Our technology enables our clients to offer Push To Talk, Push To Message, Push To Alert and Push To Locate services to their userbases, (altogether “PTT Services”). These technologies facilitate two-way communication between users. Push To Talk, for example, allows users to exchange real time voice messages between mobile phones and/or personal computers. Push To Message, for example, allows users to message individuals in their contact list one-on-one, or broadcast to a larger group of contacts (one-to-many).
Our PTT Services are delivered via an internet protocol radio service (IPRS) platform (“IPRS Platform”). The key elements of the IPRS Platform include a PTToC server (which controls the delivery of our PTToC Services), load balancers and firewalls, together with various layers of software and client side applications. The IPRS Platform is connected to third party cellular networks via standard Gateway GPRS Support Nodes (GGSN’s). Our clients are public and private sector organisations and service providers (such as mobile phone operators who offer PTToC Services), rather than individuals. MTG is registered with the Information Commissioner’s office under Registration No. ZA800391. MTG operates a website, which provides more information about who we are and what we do, which can be viewed at https://www.mobiletornado.com (“the Website” or “our Website”).
There are three ways to contact MTG to discuss any data protection issues you may have:
The Data Protection Officer
Mobile Tornado Group plc
Cardale House Cardale Court
Beckwith Head Road
Harrogate, HG3 1RY
+44 (0)1423511900 and ask for the data protection officer.
We have appointed Marcus Emptage as the Data Protection Officer for MTG. The Data Protection Officer is responsible for managing data protection at MTG and ensuring that we comply with our legal obligations relating to personal information. The Data Protection Officer can be contacted using the contact details given in section 3. above.
Under data protection laws, personal data is any information relating to an individual from which that person can be identified. It does not include data from which the identity of an individual cannot be identified (which is anonymous data).
How our clients use our PTToC Services determines what types of personal data MTG itself processes. Some of our clients procure their own PTT server and manage it themselves, via a private or public network, whilst other of our clients access, over the internet, a PTToC server owned and operated by MTG on a Software as a Service (SaaS) model.
Where our clients use an MTG server on an SaaS model then certain types of personal data about end users of our PTToC Services may be stored in a database that sits on the MTG server. End users (“Subscribers”) are mobile users, who either use a client app on their smart phones or use a rugged/dedicated device or a computer. Such personal data may for the push-to-talk over cellular product typically include the following:
The types of personal data, listed above, are relevant to the provision of the PTToC Services and are used by organisations or Subscribers to better manage their operations. For any particular MTG client, the types of personal data processed and stored on our IPRS Platform are determined by that client and not by MTG. Our clients have full control over how much personal data will be kept on the IPRS Platform and have the option not to provide any data that personally identifies any particular Subscriber. For example, the full name and display name of a Subscriber is a field that can be filled with any data and is not verified or checked by MTG. Similarly, the phone number of a Subscriber can be replaced with an artificial identifier which is defined by the client. Location tracking can be turned off by the client or generally by an individual Subscriber: where that is the case the location coordinates are not transmitted from the PTToC application to the PTToC server. Similarly, the client can disable the ability to raise alarms for particular Subscribers. MTG can generally access call initiator and call participants data.
Under UK Data Protection Laws sensitive personal data is information relating to someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. None of the types of personal data listed above (and which are typically collected by our clients) will constitute sensitive personal data, with the possible exception of certain Subscriber names and addresses. However, as noted above, Subscriber personal identifiers, such as names and addresses, are optional and their collection is solely dictated by the client.
MTG does not record the voice traffic processed by the IPRS Platform. MTG personnel has no way to retrieve the content of Subscriber discussions conducted over the IPRS Platform. Our clients typically appoint a controller/dispatcher to manage the Subscribers in their organization. They do this via a despatch console installed in a Windows environment on a PC typically located at the client’s premises. The despatch console communicates with the IPRS Platform over the Internet. Voice recording is a feature that can be enabled on the despatch console and is automatically enabled during a push-to-alert event (see further below). Through the despatch console, a controller/dispatcher can record, retrieve and playback audio communications made by Subscribers. The recordings are stored only locally on the computer on which the despatch console is running. The despatch console is capable of:
An important feature of MTG’s IPRS Platform is the Push To Alert functionality. This allows Subscribers at risk to send a notification from their devices to control rooms, despatchers and dedicated groups, by pressing an SOS button. Whenever the dedicated SOS button is clicked, a notification is sent to the relevant PTToC server (which notification MTG can access) and from there it is forwarded to the control rooms or emergency groups of the relevant client. All steps in delivery, approval, and treatment are monitored and recorded for later debriefing. Once the emergency alert notification is received by the IPRS Platform then a number of processes are automatically triggered:
A further important feature of our IPRS Platform is the push-to-locate functionality. This allows for the tracking of individual Subscribers who carry a GPS-enabled device. MTG software installed on the GPS-enabled device automatically attempts to derive its location at predefined update intervals. Controllers/despatchers can also request a location update, set and track geo-fencing events, and initiate location based group calls. The precise details of how the push-to-alert function operates for any of our clients are determined by the relevant client. In many instances MTG personnel will be able to ascertain where a given Subscriber is.
Where our clients use their own PTToC server (and in effect only license software from MTG) then MTG will generally not itself process any Subscriber personal data during the ordinary operation of the IPRS Platform. When such clients require us to access their own PTToC server to inspect its operation, maintain it, rectify faults, deal with reported user issues or to update or alter the software on it, then such clients are responsible for providing us with a secure connection to their server, which restricts our service engineer access to client Subscriber personal data. When a client uses their own PTT server they are responsible for backing up any Subscriber personal data stored on it.
Our clients are for the purposes of UK Data Protection Laws, data controllers in relation to Subscriber personal data handled by our IPRS Platform because they determine the purposes for which and the means by which such Subscriber personal data is processed. Further information about how our clients manage such Subscriber personal data and their policies in relation to it will typically be available on our client’s websites, intranet sites or from their own data protection personnel.
MTG is the data processor in relation to Subscriber personal data processed on our IPRS Platform as we process that Subscriber personal data on behalf of our clients. Our obligations in relation to such personal data are set out in section 8 below.
As noted in section 7 above, MTG are a data processor in relation to Subscriber personal data that we process on the IPRS Platform. In relation to Subscriber personal data MTG has a number of legal obligations, which are set out below together with brief details of how we comply with them:
Our clients, as data controllers in relation to the personal data of their Subscribers, are responsible for, amongst other things, the following:
On the client side, there are potentially two types of person who may have access to Subscriber personal data: controllers (dispatchers) and organisation managers. Controllers/dispatchers – their role is to manage the Subscribers in their organisation via a despatch console installed on Windows/PC station. The access they have to Subscriber personal data is determined by the client and not by MTG.
Organisation managers – Their role is to manage the Controllers/Despatchers and/or Subscribers in their organisation. They control access to the IPRS Platform for Subscribers in their organisation. The access they have to Subscriber personal data is determined by the client and not by MTG.
In addition MTG’s customer care engineers may have access to Subscriber personal data. MTG’s customer care engineers typically access the IPRS Platform remotely using a secure connection. They maintain the IPRS Platform and ensure that it is working properly and provide assistance to Subscribers with problems. There are two levels of engineers: lower level engineers only have access to run time logs, while senior level engineers may access the Subscriber database but only for troubleshooting purposes.
MTG holds and processes personal data relating to individuals who work for or represent our current and prospective clients or who are, work for or represent suppliers to MTG (altogether “MTG Contacts”). MTG Contacts tend to be our principal or historic points of contact with an organisation, client administrative & technical personnel, organisation managers and controllers/despatchers and those involved in the supervision and/or provision of our PTT Services and the software and hardware that are used to run them.
That personal data includes all or at least some of the following items:
This data will not generally be regarded as sensitive personal data, with the possible exception of certain names and addresses. In order to improve the Website, we may also collect anonymous data about how users navigate through and use the Website. We do not collect or process personal data about children.
If you are or believe that you may be an MTG Contact then please do help us to keep your personal data up to date by notifying us of any changes relating to for example your name, work address or marketing preferences. You can update any information MTG holds about you by contacting your usual contact at MTG or by contacting the data protection officer, whose details are in sections 3 & 4 above. They will be delighted to help you.
We collect personal data about MTG Contacts when we engage with existing and prospective clients and suppliers. This can be during marketing activities, when a contract to provide PTToC Services is concluded or in connection with the provision of the PTToC Services. The personal data can be collected in meetings, via our Website, during phone or video calls or during the client set up/registration process to use our PTToC Services.
We will use MTG Contacts personal data in the following ways:
UK Data Protection Laws provide that a data controller can only lawfully process personal data if it satisfies at least one of up to six possible legally defined grounds or bases for doing so, which are set out in the GDPR. We set out below the bases that MTG relies on in relation to its processing of MTG Contacts personal data.
The legally defined reasons MTG relies on are as follows:
The MTG Contact has consented to our processing his or her personal data
MTG can collect and process MTG Contact personal data with the consent of the contact. This will be the case if the contact has provided his or her personal data to us during the course of dealing with us either as a contact of a client, prospective client or supplier. MTG relies on this ground to carry out administrative, support and billing functions to our clients and suppliers.
MTG’s Contractual Obligations
MTG may process MTG Contact personal data to comply with and perform our contractual obligations under a contract or potential contract with a client or supplier. We rely on this basis to carry out administrative, support and billing functions to our clients and suppliers.
MTG may process personal data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact on the rights, freedoms and interests of individuals. We have a legitimate interest in carrying out marketing activities in order to offer our current and prospective clients and targets new and improved PTToC Services that we think might be of interest to them. We rely on this ground in relation to our marketing activities.
As MTG is not a data controller but only a data processor in relation to Subscriber personal data, MTG does not need to satisfy at least one of the six permissible grounds in relation to Subscriber personal data but its clients have to.
If you are a contact of an existing client, or a prospective client who has shown an interest in our products or services, we may contact you by post and by telephone with marketing material and information about our PTT Services. We may also email such contacts to promote our PTT Services, unless, when the contact first provided their details to us or subsequently, the contact indicated that they didn’t want to receive or no longer want to receive such marketing emails messages from us. In addition, all our promotional emails contain an opt out option, which can be used to tell us to stop sending marketing emails. We regularly check (or ensure third parties appointed by us to run certain of our business services regularly check) our MTG Contact databases against lists maintained by the Telephone Preference Service (https://www.tpsonline.org.uk/tps) and the Mail Preference Service (https://www.mpsonline.org.uk) to ensure that we don’t call or post items to MTG Contacts who have registered with these services not to receive marketing calls or mailings.
You can tell us at any time to stop marketing to you by using any of the methods set out in section 3 above or by submitting a request to firstname.lastname@example.org Each time you receive a marketing email from MTG, you will be given the opportunity to opt-out of receiving further marketing emails or texts. We will try to implement any change to your marketing preferences as soon as reasonably possible.
MTG does not share Subscriber personal data with any other entity except, where lawfully requested by the relevant data controller (our client). We do not share MTG Contact personal data with any third party.
Individuals (“Data Subjects”) have a number of legal rights in relation to the personal data we hold about them. These include:
If you would like to exercise any of your legal rights in relation to the personal data we hold about you, you can submit a request by e-mailing email@example.com or by contacting the data protection officer whose details are set out in sections 3 & 4 above. Generally Data Subjects will not have to pay a fee to exercise any of their legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from a Data Subject to confirm their identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask a Data Subject for additional information to help us respond to their request. We will try to respond to a Data Subject’s request within one month but, if the request is very complex or if a Data Subject has made a number of requests, it could take longer. In such circumstances, we will explain to the Data Subject why it will take longer to respond and we will keep them updated.
MTG takes the security of personal data very seriously. We use appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or loss. In relation to Subscriber data, we understand the importance of secured communications when any Subscriber is communicating privately and does not want a third party to listen in. In order to achieve that, the IPRS Platform needs to eliminate the risk of interception. MTG’s IPRS Platform is built with security by design principles, meaning confidentiality, integrity, and availability.
The development of our IPRS Platform, its installation and maintenance are carried out in accordance with the rules set out by the latest security standards. Our products and services comply with the security and privacy requirements of GDPR, ISO 27000 and AES-256. When Subscribers, organisation managers, controllers/despatchers communicate using our IPRS Platform, either over a cellular data connection or Wi-Fi, the PTT server uses a proprietary Mobile Tornado communications protocol, which would make it very hard for an unauthorised third party to intercept the communications.
Additionally sensitive information like user credentials/passwords is encrypted using state of the art third party encryption software.
In order to increase the safety and privacy of the subscribers, MTG has further introduced the following features in the PTT service:
Except for very large groups, the names of the participants in a call are listed and shared among all Subscribers participating in the PTT session so they can see who has joined the call and thus protect their privacy.
Our security model can be represented by four different layers: physical, logical, data and code. Physical access to relevant hardware is restricted to authorised personnel. Access to the management portal is protected by the use of cryptographic protocols (TLS), logical protection deployed over the firewalls, switches, load-balancers, and the use of single board computers (SBCs), which allow for enhanced security.
Where a client uses an MTG server, there is a state of the art firewall between that server and the internet. The firewall is a network security device, which monitors incoming and outgoing network traffic and permits or blocks data packets passing through it based on a set of security rules, which are continually updated so as to target current threats such as malicious viruses and hackers.
Further MTG’s security methodology utilises several mechanisms in connection with the encryption of data sent between us and our clients’ IT systems, the main ones being as follows:
All MTG Contact personal data, which we store electronically, is stored on our private, secure network of computers. Access to our IT systems is password protected. Our IT provider regularly monitors our computer and network systems for possible vulnerabilities and attacks and use state of the art firewalls and anti-virus software, which is regularly updated.
We only process personal data in the UK or the EEA.
MTG is based in the UK and is committed to complying with UK Data Protection Laws. UK Data Protection Laws are amongst the strictest in the World and we generally take the view that if we comply with UK Data Protection Laws that such compliance will help us ensure compliance with local data protection laws that apply outside the UK. However where we contract with a client based outside the UK we endeavour to ensure that we also comply with any particular local data protection law requirements.
You also have the right to make a complaint to the Information Commissioner’s Office (ICO), which is the UK data protection supervisory authority, if you feel that your personal data has not been handled properly or if you are not happy with the way that we have responded to any request you have made relating to the personal data we hold about you. The ICO can be contacted by telephone on 0303 123 1113 or online at www.ico.org.uk/concerns. We would appreciate the opportunity to resolve any data protections issues with you, so please contact us in any of the ways set out in section 3 above, in the first instance.
What are cookies?
Are cookies safe?
Yes. The information stored in cookies is anonymous and secure. It cannot be used to identify you personally and cannot harm your computer.
Can I switch cookies off?
Our organisation utilises Force24’s marketing automation platform.
Force24 cookies are first party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:
They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.
f24_autoId – This is a temporary identifier on a local machine or phone browser that helps us track anonymous information to be later married up with f24_personid. If this is left anonymous it will be deleted after 6 months . Non-essential, first party, 10 years, persistent.
f24_personId – This is an ID generated per individual contact in the Force24 system to be able to track behaviour and form submissions into the Force24 system from outside sources per user. This is used for personalisation and ability to segment decisions for further communications. Non-essential, first party, 10 years, persistent.
The information stored by Force24 cookies remains anonymous until:
• Our website is visited via clicking from an email or SMS message, sent via the Force24 platform and cookies are accepted on the website.
• A user of the website completes a form containing email address from either our website or our Force24 landing pages.
The Force24 cookies will remain on a device for 10 years unless they are deleted.
We also use similar technologies including tracking pixels and link tracking to monitor your viewing activities
Device & browser type and open statistics
All emails have a tracking pixel ( a tiny invisible image ) with a query string in the URL. Within the URL we have user details to identify who opened an email for statistical purposes.
All links within emails and SMS messages sent from the Force24 platform contain a unique tracking reference, this reference help us identify who clicked an email for statistical purposes.