We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using the website, you can be assured that it will only be used in accordance with this privacy statement and in line with the guidance of the Data Protection Act. All such information will remain strictly confidential and will be used only for the purpose described at the time of the submission.
What we collect
We may collect, store and use the following kinds of personal data:
Information about your visits to and use of this website:
We may also collect information about your computer and your visits to this website such as your IP address, geographical location, browser type, referral source, length of visit and number of page views. This information may be used in the administration of the website, to tailor the services and information we provide on the website, for marketing purposes, as well as to improve the quality of the website overall.
We use website traffic analytic cookies to help us identify which pages are being used and how the users navigated to them. This allows us to improve the website’s usability and content.
We also use a single cookie to help us speed up your page load times. We do this by sending different (compressed) versions of each webpage after a cookie has been set, to maximise performance and usability.
Cookies help us to provide you with an improved website experience, both by allowing us to identify which pages are helpful to you and which aren’t, and to identify issues with individual pages.
Cookies don’t provide any access to your computer or your information, nor do they provide any more information about you than what you choose to share if you use a contact form to get in touch with us.
We may also use web beacons/clear gifs/iframes in some of our emails to tell us when an email has been opened, and to track the progress of our marketing campaigns. We may also include customised links to allow us to see which pages of our website you visit when you click a link in one of our emails. Web beacons don’t store any additional information on your computer but they can tell us when you have opened one of our emails, as well as the IP address.
Information that you provide to us (by telephone, email or using this website) for the purpose of your enquiry and/or when subscribing to our website services and/or email newsletters/notifications:
When you use the contact forms on our website to submit a message or make an enquiry, we ask you to enter personal details such as your name, address, email address and telephone number, amongst other details. Before submitting the form, you might also be asked whether you agree for us to use your data, and which data usage purposes you consent to. Sthetix will only use your data in fulfilling your request or if you consent to your data being used for other purposes. Your data is treated with the strictest confidentiality and will only be disclosed to individuals or organisations involved in your treatment or care. When you submit a form on our website, your IP address and page visit information may also be collected alongside it. This can enable us to understand which pages you found most useful and which features would benefit from improvement.
In addition to the information you enter on the form, we also receive the unique cookie ID associated with your browsing session. This means we are able to connect your contact details to the data we collect on how you used our website and how you continue to use it (using Google Analytics). Google Analytics do not receive any of your contact information or personally identifiable details. The cookie does not give any information about your browsing outside of our website. We collect this information to help us better understand how our users interact with the website based on their enquiry.
What we do with the information collected
The information we collect helps us to better understand your needs and is necessary to provide you with more information about the treatment or procedure you enquired about. Information about the pages you visit may also be used to tailor our communications with you. Additionally, your information may be stored in a CRM system (database) for internal record keeping. We may use the information to improve our products and services. Where we have your consent, we may periodically send newsletters and promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided. From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, telephone, fax or mail. We may use the information to customise the website according to your interests.
Controlling your personal information
You may choose to restrict the collection or use of your personal information for direct marketing purposes at any time by writing to or emailing us.
We will not sell, distribute or lease your personal information to third parties unless we have your prior permission or are required by law to do so. You may request details of personal information which we hold about you under the Data Protection Act 1998. If you would like a copy of the information held on you please write to or email us.
In addition to the aforementioned circumstances, we may disclose information about you:
(a) to the extent that we are required to do so by law;
(b) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk); and
(c) to the purchaser (or prospective purchaser) of any business which we are (or are contemplating) selling.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
Technical Security Details
If you've made it this far, we're impressed.
Unencrypted data transmission using the internet is inherently insecure, whether by email or otherwise, so nobody can guarantee the security of data transmitted unencrypted over the internet. However, all connections made to this website are encrypted using HTTPS wherever your browser allows it.
We do take website and information security very seriously so here's what we've done to try to maximise our data security (you can safely ignore the rest unless you're curious about the technical stuff):
Our webserver will try to establish a TLS 1.2 connection where the client permits, falling back to TLS 1.1 and TLS 1.0 for backwards-compatibility where necessary.
In Chrome and Android browsers, where the browser permits, the cipher chosen is CHACHA20_POLY1305 with Elliptic Curve Diffie-Hellman (ECDH) key exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) authentication. This provides a 384-bit elliptic curve key length (equivalent to a 7680-bit RSA key length) along with mobile-friendly, very fast 256-bit symmetric encryption using the CHACHA20 algorithm.
The server is able to provide ECC, RSA and DSA certificates with lengths of 256 bits, 4096 bits and 4096 bits respectively, and requires a 256-bit symmetric key algorithm (either CHACHA20, AES256-GCM or AES256-CBC) as a minimum.
All key exchanges are either Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or Diffie-Hellman Ephemeral (DHE). These ensure ongoing forward secrecy alongside the high bit lengths.
Overall, this means our server achieves a perfect security score and a grade of A+ under Qualys's SSL Labs security test, which is a great deal more than most online banking websites achieve!
The measures above establish a secure connection from your browser to our webserver, but how do we receive your enquiry forms securely?
When you submit a form, after the server receives it, all of the data is packaged into JSON format, compressed, and encrypted using ECIES (Elliptic Curve Integrated Encryption Scheme). In this scheme, using a 521-bit elliptic curve, a 256-bit AES key is derived and used to encrypt the data (using AES256-CBC). The encrypted data and the necessary elliptic curve parameters are then emailed (using regular ol' email) to our CRM system, where the decryption can then take place. As a result, no unencrypted information ever travels over the internet, or even leaves the server!
A note about contact forms on other websites:
The vast majority of data security breaches occur from data being stored in a database that is accessed through a public webserver. Usually, when you send a contact form on another website, one or both of the following happens:
- Your data is saved (either encrypted or unencrypted, though usually unencrypted) in a database that can be accessed by the webserver
- Your data is sent unencrypted over email to a mailbox.
These are pretty standard approaches across the web, but both of these are potential vulnerabilities which are regularly exploited to disastrous effect.
In our view, no unencrypted customer data should ever reside on (or be accessible to) a public facing webserver, and there should preferably be no data at all, encrypted or otherwise (hackers can't steal data that isn't there).
Mailboxes carry the same vulnerability, as a single compromised email account would mean a massive data breach.
Our website and security measures avoid both vulnerabilities, by not storing any enquiries in an online database, but instead sending each enquiry over email in maximally encrypted form, and not decrypting it until it has safely landed in our internal network.