Privacy Policy
Supplywell Ltd
Company Number 11034617
Cotton Exchange, Liverpool, L3 9LQ
GDPR Privacy Notice for Users
- Introduction:
Welcome to SupplyWell Ltd.’s Privacy Notice for Users. A Privacy Notice refers to a publicly accessible, externally facing statement to data subjects, in this case, ‘users of our services’, letting them know how we, as an organisation, handle their personal data. A privacy notice differs from a privacy policy, which is an internally facing document which seeks to explain to an organisation’s employees how their company manages data and their responsibilities for ensuring data compliance while working there.
At SupplyWell Ltd, we are committed to protecting and respecting your privacy and Personal data in compliance with the United Kingdom General Data Protection Regulation (“GDPR”) and all other mandatory laws and regulations of the United Kingdom.
This Privacy Notice for Users of our services is displayed on our website and contains all the information you need to know about how and why we collect, use, process, store, transfer personal data about you and how we keep your data safe. It also explains your privacy rights and obligations, in relation to your data, and how the law protects you.
There is also a separate SupplyWell Privacy Notice for our employees. In addition, we also have a SupplyWell Privacy Policy which informs our employees of all their obligations and protocols when processing your data.
- What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals by organisations, businesses or the government. The GDPR aims to allow individuals more control over their personal data and make clear to organisations that they have a responsibility to protect the data that they have access to.
In this case, the term ‘data subjects’ refers to users of SupplyWell services, and ‘personal data’ is any information that can be used to identify the data subject. For example, a name, email or a phone number.
The ‘Data Controller’ is the entity that decides how and what personal data is processed. In this case, SupplyWell is a data controller.
‘Data Processing’ refers to any action that can be performed on the personal data, such as collecting, recording, organising, storing, using, and erasing.
- Data Subjects:
The individuals from whom we may gather and use data can include:
- Users of our services;
- Users of our website;
- Users of our app;
- Business and client contacts;
- Customers;
- Regulators;
- Prospective candidates;
- Candidates;
- Third parties connected to our customers; and
- Any other people that the organisation has a relationship with or may need to contact.
This Privacy Notice applies to all our Users and all Personal data processed at any time by us.
You must not use SupplyWell Ltd unless you are aged 16 or older. If you are under 16 and you access SupplyWell Ltd by lying about your age, you must immediately stop using SupplyWell Ltd. Our services, including our website and app, are not intended for children, and we do not knowingly collect data relating to children.
- SupplyWell responsibilities as Data Controller:
SupplyWell Ltd is your Data Controller and responsible for your Personal Data.
At SupplyWell, we are committed to protecting the privacy and security of your data in accordance with the General Data Protection Regulation (GDPR) and relevant UK law. We want our users to know that their private information is as safe as possible in our hands, and that we will always be open and honest about how it will be used.
In discharging our responsibilities as a data Controller, we have employees who will deal with your data on our behalf (known as “Processors”). Therefore, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole.
The Data Controller and our Processors have the following responsibilities:
- Ensure that all processing of personal data is governed by one of the legal bases laid out in the GDPR;
- Ensure that Processors authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data;
- Obtain the prior specific or general authorisation of the Controller before engaging another Processor;
- Assist the Controller in the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
- Maintain a record of all categories of processing activities carried out on behalf of a Controller;
- Cooperate, on request, with the supervisory authority in the performance of its tasks;
- Ensure that any person acting under the authority of the Processor who has access to personal data does not process personal data except on instructions from the Controller;
- Notify the Controller without undue delay after becoming aware of a personal data Breach;
- Designate a data protection officer where required by the GDPR, publish their details
- and communicate them to the supervisory authority; and
- Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge.
In addition, to comply with GDPR, SupplyWell will ensure that users are provided with the following information:
- The name and contact details of our company/ company representative for GDPR;
- The purpose of processing their data;
- The recipients of their data;
- How long we will store their data;
- How they can request access, correct, or erase their data;
- How they can withdraw their consent to the processing of their data;
- Who they can contact in case they want to file a complaint regarding the processing of their data;
- Why we need the data provided by the users; and
- If we intend to use the user data for other purposes than that originally detailed.
These principles apply to data about you, from which you can be identified. It does not include data where your identity has been removed (anonymous data).
- Your data protection rights:
GDPR aims to give control to data subjects over their data, by bringing strict guidelines to data controllers and providing subjects with the following rights:
- Your right of access – Users can access information associated with their account by logging into their account they created with us. This provides direct access to the majority of the current data we hold on our software, through their profile, which they can access at any time.
They also have the right to ask us, through a Subject Access Request, that we provide them with a copy of the data we hold about them and to check that we are lawfully processing it. If a user requests it, we will send them a copy of their data.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. If a user informs us that their data is incorrect or incomplete, we will verify and update that data in our database right away. We can then resume processing the data after verifying its accuracy with the user. Users’ profiles in our software system, gives users who have signed up, access to be able to correct much of their own data, and we rely on users to do so to ensure that they have provided us with details of any changes in their personal circumstances
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances (the ‘right to be forgotten’) such as:
- The user withdraws their consent to the processing of their data (users may withdraw their consent at any time and if they do so, SupplyWell is obliged to comply with their request and will stop processing their data and remove it upon their request);
- The user objects to the processing of their data; or
- SupplyWell obtained the user’s data unlawfully.
Users may delete their SupplyWell account at any time which will remove their account page from our systems and our related software. We do not guarantee the ability to delete all stored data. If you would like us to delete/correct personally identifiable data, let us know and we will action your request as soon as practicable.
- Your right to restriction of processing – You have the right to ask us to suspend processing your data whilst its accuracy or reason for processing is established. However, there may be certain circumstances where we cannot suspend processing if it prevents us complying with a legal obligation. If this situation occurs, we will advise you at the time the reason why we cannot suspend processing.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances. Once we have received your objection, we will no longer process your information for the purposes you originally agreed to, unless we have another legal basis for doing so which we will advise you of at the time.
Users can opt out of marketing promotions and ask us to stop sending them marketing messages at any time by amending their profile settings. Where users specifically opt out of receiving these marketing messages, we will continue to retain other personal data provided to us as a result of interactions with us not related to your marketing preferences.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. However, if your request is clearly unfounded, we could refuse to comply with your request. If you make a request, we have one month to respond to you. Please contact us at data@supplywell.co.uk if you wish to make a request.
We may need to request specific information from you to help us confirm your identity and ensure you have the right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- Reasons for holding your data
Under the GDPR, we need to have a legal basis for processing your data. We will only use your personal data when the law allows us to. We will never process your data without a legal basis for doing so and it is for a related purpose. There are different types of lawful basis for processing that data (detailed below):
- Where we need it to perform our contractual obligations. We may require certain information from you in order to fulfil our contractual obligations and provide you with the promised service. This can include your contact details, DOB, PAYE, salary and pensions details, medical information and criminal records.
- Where we need it to comply with a legal obligation or satisfy legal compliance. We may be required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions;
- Where it is necessary for our legitimate interests (or those of a third party) as part of running our business, and where your interests and fundamental rights do not override those interests. Examples could be your address, so that we know where to deliver something to, or your name, so that we have a record of who to contact moving forwards.
- Where we need it to protect your vital interests or someone else’s;
- Where it is needed in the public interest; and
- Where consent has been provided. If none of the above reasons apply, users can be asked for their consent for their data to be collected. This means that there are certain situations which allow us to collect your personal data by your consent, such as when you tick a box that confirms you are happy to receive email newsletters from us, or ‘opt in’ to a service. You are able to remove your consent at any time. You can do this by contacting data@supplywell.co.uk.
SupplyWell requires your data in order to carry out background checks required in order to work as an educator, find you assignments as a supply educator, continue our relationship with you once we have found you an assignment and to source ongoing assignments, providing other services to you as part of our commitment to our educator community, paying you for work carried out and in order for you to access services through our website/platform. SupplyWell may ask users for a second approval if they have consented to have their data processed when they applied for a job with SupplyWell, but their data will be stored for future hiring as well.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases SupplyWell rely on for processing your information are:
- Contractual Obligations;
- Legal obligation;
- Legitimate interests; and
- Your consent.
- The types of data we hold
These are the types of data that may be held by SupplyWell as controller, in user documents (e.g. contractual), file notes, on our software or elsewhere, including electronic or on paper. We will hold data you have provided to us and also data collected by our website or app when you use it.
We currently collect and process the following data information from users:
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together below. Not all of the following types of data will necessarily be collected from you, but this is the full scope of data that we collect and when we collect it from you:
- Profile/Identity data: This is data relating to your first name, last name, gender, date of birth.
- Contact data: This is data relating to your phone number, addresses, email addresses, phone numbers.
- Application and background data: Education, employment history, referee details, immigration and right to work status.
- Marketing and Communications data: This is your preferences in receiving marketing information and other information from us.
- Billing data: This is information relating to your debit and credit card information such as the name attached to your payment details and your billing address.
- Financial data: These are your National Insurance number, statutory payroll and banking details e.g. your account number and sort code.
- Transactional data: This is information of details and records of all payments you have made for our services or products.
- Online identifiers: These include IP addresses and cookie identifiers which may be personal data.
- Location data
We do not collect any Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).
We do collect information about criminal convictions and offences as part of our educator background checks (DBS), however we do not store this information.
Aggregated data – We also collect, use and share aggregated data such as volumes of bookings, types of teachers booked, kinds of schools using the service (EG 20% of schools booked M1 level teachers). Aggregated data could be derived from your Personal data but is not considered Personal data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated data with your Personal data so that it can directly or indirectly identify you, we treat the combined data as Personal data which will be used in accordance with this Privacy Notice.
We may also aggregate data to enable research or analysis so that we can better understand and serve you and others. For example, we may conduct research on your demographics and usage. Although this aggregated data may be based in part on Personal data, it does not identify you personally. We may share this type of anonymous data with others, including service providers, our affiliates, agents and current and prospective business partners.
- How we get the personal information:
Data you provide to us – you will provide SupplyWell with personal data when you correspond with us via the website or app, either on your own behalf or on behalf of an organisation. You will also provide us with personal data when you subscribe to receive our marketing.
Most of the personal information we process is provided to us directly by you when you:
- Sign up to our website or app;
- Enter information to your profile on our website or app;
- Respond to a job advertisement from us;
- Submit your information to us via social media or networking platforms;
- Sign up to marketing materials;
- Email correspondence to us;
- Complete payroll information required by HMRC;
- Accept recruitment services from us;
- Accept our service being carried out for you;
Data collected by our website and app automatically – as you use the website and app, we will collect technical data including your browser type, the Internet Protocol (IP) address used to connect your computer to the internet, and your usage habits. Website usage stats are anonymised. Location data is used in the app to provide directions to schools. SupplyWell collects this data using cookies. As everything from IP addresses to cookie data constitutes personal data, our website might process personal data from people who will never even contact our company. Facebook and Twitter pixels – these allow these apps (where you have provided your permission to them) to track the fact that you have used our website. We have a cookie statement on our website.
- How we will use your data:
We use the information that you have given us in order to:
- Contact you;
- Start work finding services for you;
- To provide you with ongoing work finding services;
- To notify you about changes to our services and/or products;
- To provide customer support;
- To gather analysis or valuable information so that we can improve our services;
- To detect, prevent and address technical issues;
- To provide marketing and content updates if you opt to receive such content. From time to time we may make suggestions and recommendations to you about goods or services that may be of interest to you.
Change of Purpose – We will only use your Personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Officer. If we need to use your Personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
- Storing your personal information & data Security
Your information is securely stored. We are concerned with keeping your data secure and protecting it from inappropriate disclosure. We implement a variety of security measures to ensure the security of your Personal data on our systems, including:
We have put in place measures to limit access to your data through our software system.
Any Personal data collected by us is only accessible by a limited number of employees who have special access rights to such systems and are bound by obligations of confidentiality.
Your account information will be protected by a password for your privacy and security. You need to prevent unauthorised access to your account and personal information by selecting and protecting your password appropriately and limiting access to your computer or device and by signing off after you have finished accessing your account.
We have put in place appropriate security measures to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We implement certain security measures to ensure the security of your Personal data on our systems, including specialist web servers and adopting a secure protocol and encrypting our databases.
If and when we use third parties to store your data, we will not relinquish control of your Personal data or expose it to security risks that would not have arisen had the data remained in our possession. However, unfortunately no transmission of data over the internet is guaranteed to be completely secure. It may be possible for third parties not under the control of SupplyWell Ltd to intercept or access transmissions or private communications unlawfully. While we strive to protect your Personal data, we cannot ensure or warrant the security of any Personal data you transmit to us. Any such transmission is done at your own risk. If you believe that your interaction with us is no longer secure, please contact us.
- Data Sharing
We will only share your data with third parties where required by law, where it is necessary to carry out our working relationship with you, or where we have another legitimate interest in doing so. For example, we may share your data with schools with whom we have a booking or with the HMRC for the purposes of payroll.
We may provide your data to third parties to process the information on our behalf, for example, for CRM systems or marketing delivery systems. We require that these parties agree to process this information based on our instructions and requirements consistent with this privacy notice.
Third parties will only process your data on our instructions and where they have agreed to treat the data confidentiality and to keep it secure. All our third-party service providers are required to take appropriate security measures to protect your data in line with our policies.
We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share your data with subcontractors or affiliates, subject to confidentiality obligations to use it only for the purposes for which we disclose it to them and pursuant to our instructions.
We may also share your data with interested parties in the event that SupplyWell Ltd anticipates a change in control or the acquisition of all or part of our business or assets or with interested parties in connection with the licensing of our technology. If SupplyWell Ltd is sold or makes a sale or transfer, we may, in our sole discretion, transfer, sell or assign your data to a third party as part of, or in connection with, that transaction. Upon such transfer, the privacy notice of the acquiring entity may govern the further use of your data. In all other situations your data will still remain protected in accordance with this privacy notice.
We may also share your data at any time if required for legal reasons or in order to enforce our terms or this privacy notice.
Third-Party Links – Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our site, we encourage you to read the privacy notice of every website you visit.
- Data Retention & Disposal
A data retention period refers to the amount of time that an organisation holds onto information. Different data have different retention periods. Best practice dictates that data should only be kept only as long as it’s useful, as long as there is an administrative need to keep it to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or for legislative requirements.
We don’t want to keep your data for any longer than is necessary. Information held for longer than is necessary carries additional risk and cost. Records and information will only be retained when there is a business need to do so. We may have legal obligations to keep your data even after you have stopped using our service, for example, under legal requirements from HMRC.
We may retain your data for a longer period than usual in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
The recommended retention periods are:
- HMRC records e.g. income tax and NI returns, income tax records and correspondence with HMRC – 6 years from the end of the tax year to which they relate;
- Pension records – 12 years after the benefit ceases;
- Personnel files and training records (including formal disciplinary records and working time records) – 6 years after employment ceases;
- References – At least one year after the reference is given to meet the limitation period for defamation claims;
- Right to work in the UK checks – Home Office recommended practice is 2 years after employment ends;
- Statutory Sick Pay (SSP) records – It is advised to keep records for at least 6 months after the end of the period of sick leave in case of a disability discrimination claim;
- Terms and conditions including offers, written particulars, and variations – It is advised to review 6 years after employment ceases or the terms are superseded.
- Working time records including overtime, annual holiday, jury service, time off for dependents, etc – 2 years from date on which they were made.
- Acceptance of this notice
The effective date of issue of this notice is detailed on the final page of the document. We keep our privacy notice under review and will place any updates on our website. By using the services and the website or app of SupplyWell Ltd, you consent to the collection and use of data by us as set out in this privacy notice. Continued access or use of SupplyWell Ltd will constitute your express acceptance of any modifications to this privacy notice.
- Further information
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights surrounding your Personal data please contact the DPO using the details set out below:
Full name: Dan Price
Email address: data@supplywell.co.uk
Postal address: SupplyWell, Suite 202-204, Cotton Exchange Building, Liverpool, L3 9LQ.
- Complaints
If you have any concerns about our use of your personal information, you can make a complaint to our CEO, Michael Heverin, at gdprcomplaints@supplywell.co.uk.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
GDPR information for Users
Our contact details:
Name: SupplyWell Ltd
Address: SupplyWell, Cotton Exchange, Liverpool, L3 9LQ
Phone Number: 0333 305 0601
E-mail: hello@supplywell.co.uk
Web address: www.supplywell.co.uk
Company Number: 11034617
Effective date of Notice: June 2022
The name and contact details of our Data protection Officer (DPO) or Company Representative for GDPR: Dan Price, CPO
Contact: data@supplywell.co.uk
The purpose of processing your data:
Providing recruitment and employment and associated services
Whether we intend to use your data for other purposes than recruitment and employment:
We will not use your data for any purposes other than recruitment and employment. If there were any circumstances where we would like to, we would inform users before processing their data further.
The recipients of your data:
SupplyWell or a third party in connection with the reasons stated above.
How long we will store your data:
As long as the user is using the services of SupplyWell or the legal processes dictate.
How you can request access, correct, or erase your data:
By writing to our company representative for GDPR: Dan Price, CPO at data@supplywell.co.uk.
How you can withdraw your consent to the processing of your data:
By writing to our company representative for GDPR: Dan Price, CPO at data@supplywell.co.uk.
Who you can contact in case you want to file a complaint regarding the processing of your data:
By writing to: Mr Michael Heverin, SupplyWell CEO at gdprcomplaints@supplywell.co.uk