|1.0||01-Mar-21||Initial version||J Knight, CEO|
Company registered address:
71-75 Shelton Street, London, WC2H 9JQ, United Kingdom
If you need to contact our Data Protection Officer for any reason, please email email@example.com, or write to the company at the address above, for the attention of the Data Protection Officer.
The purpose of Tefogo’s systems (primarily the Compassly app) are to allow:
Article 6 of UK GDPR (the law governing UK data protection) lays out six different lawful purposes for the processing of personal data. We have reviewed the purposes of our processing of personal data, including that it is necessary for the relevant purposes, and we are satisfied that there is no other reasonable and less-intrusive way to achieve that purpose.
On that basis, our lawful basis for processing personal data is under “Consent”, that is the individual has given clear consent for us to process their personal data for a specific purpose. The ICO provide further information on this at:
Due to the nature of our service (as a competency passport) we require your personal data to be able to use the app – you need to be identified within the app and have your records stored against you as an individual. Therefore use of the app is not possible without this consent.
You have the right to withdraw this consent, but this is likely to result in you no longer being able to use our services; see Information Rights below for further details on this and your other rights.
There are a range of ways we collect and use personal information. Please note that these do not necessarily act independently – for example we may associate your information from the app with information you have provided when you communicate with us. We have included examples of how we use each type of information, but further details can be found under “How we and your organisation use your information”
This includes data you directly provide through a range of channels, including through the app, email or other communication methods, forms or surveys you complete.
The app will ask you for information in order to register and be identified to other users in the app. Data we collect include: Full name, phone number, email address, profile picture. We may also record data about the use of our services, such as marketing preferences and consent.
In order to effectively support you, we may record contact information outside of the app when we communicate with you. For example, if you contact us for support, we may record you name and any contact details you provide, details of our interaction
Similarly, if you contact us as part of doing business with us then we may record the contact details and other relevant information you provide. Such occasions could include job applications, sales discussions, conferences and other events, press enquiries, social media and surveys.
We collect data on your technical use of the app to help us provide the service and support you in using it. For example, we may use the information automatically collected about your mobile device and operating system to help you with a technical support request.
Data we collect include: log information about your use of the service such as device and operating / browser version, network information (such as IP addresses), language and other localisation information, the mobile app version number you are using, unique device and app identifiers, specific interactions within the app. Most interactions with the app are date and time stamped (the exact time is taken from the system clock).
Like most services, our websites automatically collect information about you, commonly known as “cookies”. These cookies contain information on your device, operating system, browser type and version, network information (e.g. IP address and proxy servers), location and time zone and interaction with our services. This information may be collected both with and without authentication to our services (that is, whether you are logged in or not), as it is primarily collected to identify unique users to the website rather than any particular individual. Cookies may also be placed on your machine by third-party providers we work with. You are able to configure your cookie options in your browser, including deleting any persistent cookies.
In addition to the data you provide to us, any organisation you join in the app may record information against your personal record. For example, an organisation will record you Job Description against your personal record. Your organisation may also provide us with personal information about you directly.
Important: in these circumstances we are providing our services to your organisation as your employer or equivalent, and this organisation will be acting as the data controller for your personal data – which we will process on their behalf. You should therefore contact your employer for information on how they process your personal data.
Data these organisations collect include: your job title and job description, your place of work, time periods of employment or other working relationships, competencies obtained / inductions completed, relationships with other members of the organisation (such as management and supervisory relationships), training completed.
Note that this information can only be collected by organisations you have chosen to join.
We may use data about you available in the public domain. For example, information on social media, public-facing websites, news and search results.
We may acquire data from third parties, for example for marketing and communications purposes.
Where relevant we may combine this type of third-party data with data provided by you.
It is not our intention to collect, and you should not provide:
Your use of the service is dependent on agreement to these terms. If you believe you have entered any of these types of data, please contact our DPO.
We do not sell your data to third parties. We do not share your data with third parties, except where this is necessary to carry out our purposes stated and with sub-processors noted within this privacy notice.
We use your personal information in the following ways:
In order to undertake these activities, your information may be shared across our teams. Information is shared at the minimum level required for each individual to be able to successfully carry out their role, on a least-privileged basis.
There are cases where your personal information will also be used in aggregated form
Although your information may be used for this purpose, it will be in an anonymised form and you will not be identifiable from this data. Examples of this usage include:
All application data is stored with Amazon Web Services, with servers located in the UK. All data transferred (through the app or our websites) is protected through Transport Layer Security (TLS) and encrypted at rest.
All email and associated communications (for example, Microsoft Teams) is stored with Microsoft 365, in UK data centres.
You can find out more about how long we retain your information in the section on “Retention Period” below.
Our own operations are subject to information governance policies and system controls to help protect your information and our business.
Nobody can ever 100% ensure the protection of your data, and although we take reasonable steps to protect it, we offer no guarantees above those offered under the law.
We will share your personal information with any organisation you choose to be added to within the app. They will use this information to identify you and allow you to be associated with their organisation profile, to record your induction and competency progress and other associate professional development information. You information will only be shared with organisations you choose, and you need to initiate joining these organisations within the app.
There are other rarer scenarios where we may need to share your data, and we may not be able to discuss this with you. This includes where it is necessary to in order to apply our terms of service, protect our rights, property or safety. This also includes where we are required to under the law (for example when requested by the police, tax authorities or the courts), or for public safety purposes.
There may also changes to our company that may result in us sharing your data. For example, a change of ownership (merger or acquisition), bankruptcy or receivership, sale or other transfer of assets. In all cases we will act within the requirements of the law, and we will notify you of such changes where possible. Please note that in some cases (for example bankruptcy) it may not be possible to notify you.
We may also share aggregated data (as outlined in “How we use your information – Aggregated form”) with third parties, for example:
Where we use sub-processors to provide our services, we ensure that we do so in line with the requirements of GDPR. We may also work with other parties and systems in the day-to-day running of our business, and may use these systems for lower risk personal data (for example, survey tools). In all cases, we have contractual arrangements that protect your information rights, and we carry out due diligence on those companies data protection and information standards.
We currently work with the following sub-processors:
We periodically need to provide access to third parties to help improve our services, for example external information security experts.
In addition to our best efforts to help you with any queries, you have a number of rights under data protection law. These have formal names under data protection law, but we have also tried to explain what these mean for you.
Please note that, in the event that any of these requests lead to us being unable to continue to process your data, we may no longer be able to provide a service to you. This may lead to your account may be removed and your data deleted.
For help with any of these rights, please contact our DPO. Under normal circumstances we will not charge a fee for any of the below, although there are exceptional scenarios where we can charge a “reasonable fee”. We will normally reply within one calendar month, although we can in some cases extend this by up to two calendar months.
This means that we have to tell you about how we use your data, and there are requirements under the law that determine what “privacy information” we have to tell you. Part of the purposes of this Privacy Notice is to address all these requirements
This is also referred to as a “Subject Access Request” or SAR. It means that you can ask us for copies of your personal information that we hold.
If you believe we hold information about you that is incorrect or incomplete, we have to change it. There are some circumstances where we can refuse to comply (for example if we are satisfied that the data is accurate). You have the right to complain to the ICO if you disagree with our decision.
Please note that much of the information we hold on you can be corrected yourself by editing your profile within the app.
This is also known as “The right to be forgotten”. You can ask us to remove your information from our systems. Exercising this right will result in you no longer being able to use our apps or services
Note that any information we store on backup systems will not be erased as a result of such a request, but we will put it “beyond use” in line with ICO guidance.
Under these circumstances, we would still store your personal data but not use it. This will normally be as part of a wider action (for example associated with the Right to erasure or the Right to rectification) and generally on a temporary basis.
This gives you the right to receive any personal data you have provided to us. This does not include any additional data we have created based on the data you have provided us (although this is still covered by the SAR above). We will not include any data that is personal data for other individuals.
Please note that this right applies to your data controller. For data on your user profile (or otherwise associated with your direct interaction with us) that will be us. For data about your interactions with your employer, we will act as the processor and your employer as the controller.
You have the right to stop our use of your personal data. A very good example of this would be your right to ask us to stop using your personal data for direct marketing purposes. You don’t have to object to us processing all of your personal data; for example, you may consent to us continuing to process your data for the purposes of using the app, but not to us using it for direct marketing.
In addition to your rights above, as our lawful basis for processing your data is “Consent”, you have the right to withdraw that consent. As we need your consent to provide access to the app in line with our purpose above, withdrawing consent would lead to you no longer being able to use our app or services.
“Automated individual decision-making” refers to algorithms, including artificial learning (AI) or machine learning (ML), that make decisions about you without any human involvement. We do not have any automated decision-making in our system. There are additional legal rights that would apply if we did (“Rights related to automated decision making including profiling”), that are therefore not applicable.
We will retain your data whilst you continue to use the service and until you withdraw consent. If you do so, we will remove your data within 30 days. Note that, as with your right to erasure, any information we store on backup systems will not be erased as a result of such a request, but we will put it “beyond use”.
Note that for audit purposes a history of your activity will remain in the system, but it will not be personally identifiable as you. If you wish to re-join the system at a later date, we will not be able to re-associate that information with your new account
There are specific types of data that we will retain indefinitely in order to comply with our legal obligations. For example, if you request not to receive any direct marketing from us then we need to record this preference indefinitely.
Where we act as data processor for your employer, you will need to request the data controller for their terms of retention.
We take complaints extremely seriously and will always endeavour to quickly resolve any complaints you have. Although you have the right to formally raise complaints (see below), we would appreciate the opportunity to discuss complaints and hopefully resolve them with you directly first.
Please raise any complaints to the DPO (see contact details above). If you do not feel that this has addressed your complaints sufficiently, please put them in writing to the CEO at our address above.
If we are not able to resolve your complaints, or you wish to raise them directly with the supervisory authority, in the UK this is the Information Commissioner’s Office (ICO).
The ICO’s address is:
And further details can be found on their website, https://ico.org.uk/. The section on how to “Make a complaint” can be found at https://ico.org.uk/concerns/.