Tefogo Ltd
Privacy Notice

1. Introduction

Tefogo fully appreciates the trust that our users are placing in us. We respect your privacy and take our responsibilities very seriously.
This privacy notice explains:

• Who we are
• The personal data we collect and our basis for doing so
• How we store, protect and share your data
• Your information rights and how to exercise them, including how you can make complaints

Please read this information carefully; it is important to understand it before using any of our services. Privacy policies can appear complicated, legalistic and lengthy, but we have tried to speak plainly and clearly. If anything is not clear or you require further information, please contact our Data Protection Officer (details below) who will endeavour to help you.

This notice applies to all interactions you may have with Tefogo Ltd. If you see the term “Tefogo”, the “Company”, “we” or “us” in this notice, it refers to Tefogo Ltd as a company. When we say “you” or the “user”, this refers to any individual interacting with us or our services. In some sections we also talk about your “employer” or “organisation” that you work for – note that this refers to any organisation that you have connected your account to in the app, it does not have to be your legal employer.

This notice applies to all your interactions with us. This includes the software applications we provide (as either mobile or web applications), the use of our websites (Tefogo.com and Compassly.com) and any other interactions you may have with us. We will also refer to software applications as “apps” or just the “service”.

This privacy notice has been written in line with guidance from the Information Commissioner's Office and industry best practice. It will be revised in line with changes to that guidance.

2. Changes To This Policy And Latest Version

This privacy notice is reviewed annually by the Tefogo management team. Changes may also be made outside of this annual review cycle to reflect changes in the provision of our services. We reserve the right to change this privacy notice at any time without prior consultation or notice. If you are a registered user of our apps, we will notify you by email of any significant changes to this policy.

The latest version of this policy will always be available on our website or upon request from our DPO.

This is the first published version of this policy, effective 1st March 2021. The update log will be maintained as below.


3. Our Company Details

Company registered name:
Tefogo Ltd

Company registered address:
71-75 Shelton Street, London, WC2H 9JQ, United Kingdom

Company registration:
We are a UK limited company formed under the Companies Act 2006 and registered with Companies House under the registration number 12843582.

ICO registration:
We are registered with the Information Commissioner's Office, with the registration number ZB012625.
You can check our registration details at: https://ico.org.uk/ESDWebPages/Entry/ZB012625

3.1. Contacting Our Data Protection Officer

If you need to contact our Data Protection Officer for any reason, please email dpo@tefogo.com, or write to the company at the address above, for the attention of the Data Protection Officer.

4. Basis For Lawful Processing

The purpose of Tefogo’s systems (primarily the Compassly app) is to allow:
• You to record your own personal development as a professional clinician, and present these credentials to healthcare providers
• Organisations to record and track your professional development as an employee of their organisation, including
• Professional bodies to share their clinical standards with clinicians

Article 6 of UK GDPR (the law governing UK data protection) lays out six different lawful purposes for the processing of personal data. We have reviewed the purposes of our processing of personal data, including that it is necessary for the relevant purposes, and we are satisfied that there is no other reasonable and less-intrusive way to achieve that purpose.

On that basis, our lawful basis for processing personal data is “Consent”; that is, the individual has given clear consent for us to process their personal data for a specific purpose. The ICO provide further information on this at:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Due to the nature of our service (as a competency passport) we require your personal data to be able to use the app – you need to be identified within the app and have your records stored against you as an individual. Therefore use of the app is not possible without this consent.

You have the right to withdraw this consent, but this is likely to result in you no longer being able to use our services; see Information Rights below for further details on this and your other rights.

5. The Personal Information We Collect And How We Collect It

There are a range of ways we collect and use personal information. Please note that these do not necessarily act independently – for example, we may associate your information from the app with information you have provided when you communicate with us. We have included examples of how we use each type of information, but further details can be found under “How we and your organisation use your information”.

5.1. Data You Provide To Us

This includes data you directly provide through a range of channels, including through the app, email or other communication methods, forms or surveys you complete.

The app will ask you for information in order to register and be identified to other users in the app. Data we collect include: Full name, phone number, email address, profile picture. We may also record data about the use of our services, such as marketing preferences and consent.

In order to effectively support you, we may record contact information outside of the app when we communicate with you. For example, if you contact us for support, we may record your name, any contact details you provide and details of our interaction.

Similarly, if you contact us as part of doing business with us then we may record the contact details and other relevant information you provide. Such occasions could include job applications, sales discussions, conferences and other events, press enquiries, social media and surveys.

5.2. Data We Automatically Collect

We collect data on your technical use of the app to help us provide the service and support you in using it. For example, we may use the information automatically collected about your mobile device and operating system to help you with a technical support request.

Data we collect include: log information about your use of the service such as device and operating system / browser version, network information (such as IP addresses), language and other localisation information, the mobile app version number you are using, unique device and app identifiers, and specific interactions within the app. Most interactions with the app are date and time stamped (the exact time is taken from the system clock).

Like most services, our websites automatically collect information about you, commonly known as “cookies”. These cookies contain information on your device, operating system, browser type and version, network information (e.g. IP address and proxy servers), location and time zone and interaction with our services. This information may be collected both with and without authentication to our services (that is, whether you are logged in or not), as it is primarily collected to identify unique users to the website rather than any particular individual. Cookies may also be placed on your machine by third-party providers we work with. You are able to configure your cookie options in your browser, including deleting any persistent cookies.

5.3. Data Your Organisation May Provide And Collect About You

In addition to the data you provide to us, any organisation you join in the app may record information against your personal record. For example, an organisation will record your job description against your personal record. Your organisation may also provide us with personal information about you directly.

Important: in these circumstances we are providing our services to your organisation as your employer or equivalent, and this organisation will be acting as the data controller for your personal data – which we will process on their behalf. You should therefore contact your employer for information on how they process your personal data.

Data these organisations collect include: your job title and job description, your place of work, time periods of employment or other working relationships, competencies obtained / inductions completed, relationships with other members of the organisation (such as management and supervisory relationships), training completed.

Note that this information can only be collected by organisations you have chosen to join.

5.4. Data We Acquire From Third Parties

We may use data about you available in the public domain. For example, information on social media, public-facing websites, news and search results.

We may acquire data from third parties, for example for marketing and communications purposes.

Where relevant we may combine this type of third-party data with data provided by you.

5.5. Excluded Types Of Data

It is not our intention to collect, and you should not provide:
• Any patient information
• Any information about children
• Any confidential information about your organisation
• Any information relating to other individuals who are not users of the system or have not consented to you providing their information

Your use of the service is dependent on agreement to these terms. If you believe you have entered any of these types of data, please contact our DPO.

5.6. Other Uses

We do not sell your data to third parties. We do not share your data with third parties, except where this is necessary to carry out our stated purposes, and with the sub-processors noted within this privacy notice.

6. How We Use Your Information

We use your personal information in the following ways:

• To identify you as a unique user, allowing you to login and use the app and tailor the experience to you (including adapting to your device and time zone)
• To provide you with service information, such as new features, planned maintenance or updates
• For reporting purposes within the app itself, for example showing organisation managers the users who are identified by specific reporting queries
• To respond to your communication, including through our own channels (such as the application and emails) and third party (such as app stores or review sites)
• To help support your use of the app, for example by identifying the version of your mobile device operating system and version of our app to help diagnose issues you may be having with the app

In order to undertake these activities, your information may be shared across our teams. Information is shared at the minimum level required for each individual to be able to successfully carry out their role, on a least-privileged basis.

6.1. Aggregated Form

There are cases where your personal information will also be used in aggregated form.

Although your information may be used for this purpose, it will be in an anonymised form and you will not be identifiable from this data. Examples of this usage include:

• Service reporting purposes, for example total number of users logging in each month
• App performance and usage monitoring, for internal metrics and improvement, for example understanding any delays in responses from the server
• Feature assessment, development and broader understanding of how our users are using our services
• We believe in the value of academic research, and we may therefore use data from the app for research purposes. This will always be in aggregate, non-identifiable form unless we have specifically obtained your consent to participate in academic research.

7. How We Store And Protect Your Information

All application data is stored with Amazon Web Services, with servers located in the UK. All data transferred (through the app or our websites) is protected through Transport Layer Security (TLS) and encrypted at rest.

All email and associated communications (for example, Microsoft Teams) are stored with Microsoft 365, in UK data centres.

You can find out more about how long we retain your information in the section on “Retention Period” below.

Our own operations are subject to information governance policies and system controls to help protect your information and our business.

Nobody can ever 100% ensure the protection of your data, and although we take reasonable steps to protect it, we offer no guarantees above those offered under the law.

8. Who We Share Your Data With

We will share your personal information with any organisation you choose to be added to within the app. They will use this information to identify you and allow you to be associated with their organisation profile, to record your induction and competency progress and other associated professional development information. Your information will only be shared with organisations you choose, and you need to initiate joining these organisations within the app.

There are other rarer scenarios where we may need to share your data, and we may not be able to discuss this with you. This includes where it is necessary in order to apply our terms of service, or to protect our rights, property or safety. This also includes where we are required to under the law (for example when requested by the police, tax authorities or the courts), or for public safety purposes.

There may also be changes to our company that may result in us sharing your data. For example, a change of ownership (merger or acquisition), bankruptcy or receivership, sale or other transfer of assets. In all cases we will act within the requirements of the law, and we will notify you of such changes where possible. Please note that in some cases (for example bankruptcy) it may not be possible to notify you.

We may also share aggregated data (as outlined in “How we use your information – Aggregated form”) with third parties, for example:

-Academic institutions for research purposes
-In broader market-facing scenarios, such as advertising, funders or sponsors
-Our business partners, for example accountants and lawyers

8.1. Third Parties And Sub-Processors

Where we use sub-processors to provide our services, we ensure that we do so in line with the requirements of GDPR. We may also work with other parties and systems in the day-to-day running of our business, and may use these systems for lower risk personal data (for example, survey tools). In all cases, we have contractual arrangements that protect your information rights, and we carry out due diligence on those companies' data protection and information standards.

We currently work with the following sub-processors:

• Amazon Web Services
• Google Firebase
• Notion Labs, Inc

We periodically need to provide access to third parties to help improve our services, for example external information security experts.

9. Information Rights

In addition to our best efforts to help you with any queries, you have a number of rights under data protection law. These have formal names under data protection law, but we have also tried to explain what these mean for you.

Please note that, in the event that any of these requests lead to us being unable to continue to process your data, we may no longer be able to provide a service to you. This may lead to your account being removed and your data deleted.

For help with any of these rights, please contact our DPO. Under normal circumstances we will not charge a fee for any of the below, although there are exceptional scenarios where we can charge a “reasonable fee”. We will normally reply within one calendar month, although we can in some cases extend this by up to two calendar months.

9.1. Right To Be Informed

This means that we have to tell you about how we use your data, and there are requirements under the law that determine what “privacy information” we have to tell you. Part of the purpose of this Privacy Notice is to address all these requirements.

9.2. Right Of Access

This is also referred to as a “Subject Access Request” or SAR. It means that you can ask us for copies of your personal information that we hold.

9.3. Right To Rectification

If you believe we hold information about you that is incorrect or incomplete, we have to change it. There are some circumstances where we can refuse to comply (for example if we are satisfied that the data is accurate). You have the right to complain to the ICO if you disagree with our decision.

Please note that much of the information we hold on you can be corrected yourself by editing your profile within the app.

9.4. Right To Erasure

This is also known as “The right to be forgotten”. You can ask us to remove your information from our systems. Exercising this right will result in you no longer being able to use our apps or services.

Note that any information we store on backup systems will not be erased as a result of such a request, but we will put it “beyond use” in line with ICO guidance.

9.5. Right To Restrict Processing

Under these circumstances, we would still store your personal data but not use it. This will normally be as part of a wider action (for example associated with the Right to erasure or the Right to rectification) and generally on a temporary basis.

9.6. Right To Portability

This gives you the right to receive any personal data you have provided to us. This does not include any additional data we have created based on the data you have provided us (although this is still covered by the SAR above). We will not include any data that is personal data for other individuals.

Please note that this right applies to your data controller. For data on your user profile (or otherwise associated with your direct interaction with us) that will be us. For data about your interactions with your employer, we will act as the processor and your employer as the controller.

9.7. Right To Object

You have the right to stop our use of your personal data. A very good example of this would be your right to ask us to stop using your personal data for direct marketing purposes. You don’t have to object to us processing all of your personal data; for example, you may consent to us continuing to process your data for the purposes of using the app, but not to us using it for direct marketing.

9.8. Withdrawing Consent

In addition to your rights above, as our lawful basis for processing your data is “Consent”, you have the right to withdraw that consent. As we need your consent to provide access to the app in line with our purpose above, withdrawing consent would lead to you no longer being able to use our app or services.

10. Automated Decision Making

“Automated individual decision-making” refers to algorithms, including artificial intelligence (AI) or machine learning (ML), that make decisions about you without any human involvement. We do not have any automated decision-making in our system. There are additional legal rights that would apply if we did (“Rights related to automated decision making including profiling”), which are therefore not applicable.

11. Retention Period

We will retain your data whilst you continue to use the service and until you withdraw consent. If you do so, we will remove your data within 30 days. Note that, as with your right to erasure, any information we store on backup systems will not be erased as a result of such a request, but we will put it “beyond use”.

Note that for audit purposes a history of your activity will remain in the system, but it will not be personally identifiable as you. If you wish to re-join the system at a later date, we will not be able to re-associate that information with your new account.

There are specific types of data that we will retain indefinitely in order to comply with our legal obligations. For example, if you request not to receive any direct marketing from us then we need to record this preference indefinitely.

Where we act as data processor for your employer, you will need to ask the data controller for their terms of retention.

12. Complaints

12.1. Directly With Us

We take complaints extremely seriously and will always endeavour to quickly resolve any complaints you have. Although you have the right to formally raise complaints (see below), we would appreciate the opportunity to discuss complaints and hopefully resolve them with you directly first.

Please raise any complaints to the DPO (see contact details above). If you do not feel that this has addressed your complaints sufficiently, please put them in writing to the CEO at our address above.

12.2. With The Information Commissioner's Office

If we are not able to resolve your complaints, or you wish to raise them directly with the supervisory authority, in the UK this is the Information Commissioner’s Office (ICO).
The ICO’s address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Their helpline number is: 0303 123 1113

And further details can be found on their website. The section on how to “Make a complaint” can be found here.