Privacy Policy
As part of its services Patchwork has to handle information, this includes personal data.
This policy explains what personal data we handle, why we do so, and how to contact us in order to exercise your rights relating to data use & protection.
Policy
This policy is issued by LocumTap Ltd, trading as Patchwork Health (“Patchwork”, “we, “us”, “our”). This privacy policy explains how we use any personal information we collect about you when you use this website, and/or engage with us on behalf of a customer organisation, in order to use our products or services. We are both a controller and a processor of your personal data and are responsible for ensuring that it is properly protected. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR). This policy lists occasions when we are the controller, and when we are the processor of your personal data
This policy contains information about who we are and how and why we collect, store, use, and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
Our website and other services are not intended for use by children and we do not knowingly collect or use personal data relating to children.
Please see the “How to contact us” section below if you have any questions about this privacy policy or the data we hold on you.
What information do we collect about you?
The personal data we collect about you depends on how and why you engage with us. Different scenarios are listed below
Website User
We may collect and use the following Data about you:
- Identity Data – Full name, title, date of birth
- Contact Data – Address, email address, and telephone number(s).
- Technical Data – Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data – Your username and password, your interests and preferences.
- Usage Data – Data about how you use our website, products and services, including feedback and survey responses.
- Marketing and Communications Data – Your preferences in receiving marketing from us and your communication preferences.
We need this personal data to provide you with products and services. If you do not provide the personal data we ask for, it may delay or prevent us from providing products and services to you.
We do not routinely collect and process special categories of personal data (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences through our website
Where we do need to process special category data, we will make sure we are allowed to do so under data protection laws, for example:
- We have your explicit consent;
- The processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- The processing is necessary to establish, exercise, or defend legal claims.
We may also collect, use, and share Aggregated Data for example to analyse customer usage. Aggregated Data may be derived from you personal data but is not considered personal data in law as it does not include information that can be directly or indirectly identify you. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
No automated decision-making, including profiling, takes place when you use our website.
Application & product services user
- Identity Data – Full name, title, date of birth, Gender, CV, Training certifications & documents,
- Right to work, Managers name, Job title, shift start and end times, Shift Grade, Date of shifts completed, Department name.
- Contact Data – Address, Email address, Work email address, Phone number, Work phone number.
- Financial Data – Shift rate.
- Transaction Data – Details about shifts worked, Time booked, Application usage.
- Technical Data – Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system types and platform technologies.
- Profile Data – Your username and password, Your interests and preferences, Department cost centre.
- Usage Data – Data about how you use our applications, products and services, including feedback and survey responses.
- Marketing and communications Data – Your preferences in receiving marketing from us and your communication preferences.
We need this personal data to provide you with products and services. If you do not provide the personal data we ask for, it may delay or prevent us from providing products and services to you. You may also be under a contractual or statutory obligation to provide this data to us. Where this is relevant it is used as a legal basis for processing within the section entitled “How will we use information about you?”.
Where we need to process special category data, we will make sure we are allowed to do so under data protection laws, for example:
- We have your explicit consent;
- The processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- The processing is necessary to establish, exercise, or defend legal claims.
We may also collect, use, and share Aggregated Data for example to analyse customer usage. Aggregated Data may be derived from you personal data but is not considered personal data in law as it does not include information that can be directly or indirectly identify you. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
No automated decision-making, including profiling, takes place when you use our applications or other product services.
How do we collect information about you?
We collect information about you directly, such as when you access our website, register on services, use our services, or contact us (including via website and in-service forms). This may include asking you to provide training certificates, identity confirmation, right to work etc. so that we can register you to your selected organisation
We also collect information when you voluntarily complete customer surveys, submit enquires, or provide feedback.
We also collect website and services usage information automatically using cookies and other similar technologies when you interact with our website. This may include technical data about your equipment, browsing actions and patterns. Please see the cookie section below for additional information.
We will receive personal data about you from various third parties and public sources as set out below.
Technical, Identity, and Contact Data from the following third parties:
- Web analytics providers (such as Heap, Google, and Hotjar)
- Advertising networks (such as LinkedIn and Twitter)
- Identity and Contact Data from publicly available sources (such as Companies House, the UK Electoral Register)
How will we use the information about you?
Under data protection law, we can only use your personal data if we have a lawful basis for doing so, this includes:
- Contract: Where the processing is necessary for a contract we have with the individual, or because you have asked us to take specific steps before entering into a contract.Legal
- obligation: Where we need to use your personal data to comply with the law (but not including contractual obligations).
- Consent: Where you have freely given us clear consent for us to process your personal data for a specific purpose.
- Legitimate interests: Where we need to use your personal data for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal data which overrides our legitimate interest).
- Public Task: Where the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
- Vital Interest: Where the processing is necessary to protect someone’s life.
| Purpose/Activity | Type of Data | Lawful basis for processing |
|---|---|---|
| To register you on a service | (a) Identity
(b) Contact |
To enter into and perform a contract with the organisation you are engaging with us, as a processor, on behalf of. |
| To provide products and services to you, including: (a) to process work bookings
(b) to manage your account |
(a) Identity
(b) Contact |
To enter into and perform a contract with the organisation you are engaging with us, as a processor, on behalf of. |
| To manage our relationship with you which will include: (a) Notifying you about changes to our products and services, terms, or privacy policy
(b) Asking you to leave a review, take a survey or for other market research purposes |
(a) Identity
(b) Contact (c) Profile (d) Marketing and Communications |
(a) Necessary to comply with a legal obligation (b) To enter into and perform a contract with the organisation you are engaging with us, as a processor, on behalf of.(c) Legitimate interest: To keep our records updated and study how customers use our products and services. |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity
(b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity
(b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). |
| To deliver relevant website content and marketing materials to you and measure, run advertising campaigns or understand the effectiveness of the marketing we send to you | (a) Identity
(b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical |
(a) Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business, and inform our marketing strategy)
(b) Consent, where this involves electronic marketing communication which require recipient consent. |
| To use data analytics to improve our website, marketing, customer relationships, and experiences | (a) Technical
(b) Usage |
(a) Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) OR
(b) Consent, where this involves us using non-essential website cookies and similar technologies. |
| To make suggestions and recommendations to you about products and services that may be of interest to you | (a) Identity
(b) Contact (c) Technical (d) Usage (e) Profile |
(a) Necessary for our legitimate interests (to develop our products and services to grow our business)
(b) Consent, where this involves electronic marketing communication which require recipient consent. |
| To respond to regulatory and enforcement requests, including shift and FOI requests | (a) Identity
(b) Profile |
Necessary to comply with a legal obligation. |
Who we share your personal data with
We routinely share personal data with:
Third parties we use to help provide our products and services to your organisation. For example
- Our partner organisations (E.G. NHS Trusts)
- Intercom and Vonage for customer support requests and calls
- Amazon Quicksights for data visualisation
Other third parties we use to help us run our business. For example
- Hubspot as providers of our CRM system
Egnyte as providers of our Document Management System
We only allow our service providers to handle your personal data if we are satisfied, following a due diligence & risk assessment process, that they take appropriate measure to protect your personal data. We also impose contractual obligations and data sharing agreements on service providers to ensure they can only use your personal data to provide services to us and to you
We may disclose your personal data to law enforcement agencies and regulatory bodies where we need to do so according to the law or regulations.
We may also need to share some personal data with other parties, such as potential buyers of some or all of our business or during a restructuring. Usually, data will be anonymised, but this may not always be possible. The recipient of the data will be bound by confidentially obligations
For more information about the third parties that we may share your personal data with please contact us using the contact details set out below.
International Transfer
Some of our third party service providers are located outside of the United Kingdom. Patchwork will neither transfer, process, or permit personal data to be transferred or processed outside the United Kingdom without the conditions provided by all relevant data protection legislation being met. This occurs when one or more of the following conditions have been satisfied:
- The territory into which the data is to be transferred has been approved by the UK’s Information Commissioner;
- The territory into which the data is to be transferred is within the European Economic Area;
- The territory into which the data is to be transferred has an adequacy decision issued by the UK’s Information Commissioner;
- The transfer is made under the unaltered terms of the standard contractual clauses issued by the UK’s Information Commissioner’s Office and was signed prior to the 21st of September 2022;
- From 21st of September 2022 contracts use the International Data Transfer Agreement provided by the Information Commissioner’s Office;
- The transfer is made under the provision of binding corporate rules that have been approved and certified by the UK’s Information Commissioner’s Office;
- The transfer is made in accordance with one of the exceptions set out in relevant data protection legislation.
How long will your data be kept?
We will not keep your personal data for longer than we need to for the purposes set out in this policy. Different retention periods apply for different types of personal data.
When we stop needed your personal data, we will either delete or anonymise it.
As an indication, if your organisation has purchased services from us, we will keep your personal data while we are providing those services. Thereafter, we will keep your personal data for as long as is necessary:
- To respond to any questions, complaints, or claims made by you or on your behalf
- To show that we treated you fairly
- To keep records required by law.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements
You can request further details of retention periods for different aspects of your personal data by contacting us.
Your rights
You have the following rights, which you can exercise without prejudice at any time, and free of charge:
| Access | The right to receive a copy of your personal data |
| To be forgotten | The right to make us delete your personal data – in certain situations. |
| Restriction of processing | The right to make us restrict processing of you personal data – in certain circumstances, e.g. if you contest the accuracy of the data |
| Data portability | The right to receive the personal data we hold on you in a structured, commonly used and machine-readable format, and/or transmit that data to a third party – in certain situations. |
| To object | The right to object: – At any time to your personal data being processed for direct marketing (including profiling); – In certain other situations to our continued process of your personal data, e.g. processing carried out for the purpose of our legitimate interests. |
| Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. |
For further information about any of the rights set out above please contact us, see the section entitled “How to complain”, or see the guidance provided by the UK Information Commissioner’s Office (ICO) on individuals’ rights
If you would like to exercise any of your rights, please:
- Email, call, or write to us – please see the “How to contact us” section at the end of this policy;
- Let us enough information to identity you e.g. your full name, address, organisation name, GMC number;
- Let us have proof of your identity if requested
- Let us know which right you want to exercise and the data to which your request relates.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances
We have a statutory obligation to respond to all legitimate requests within one month of receipt. Occasionally it could take us longer than one month but less than three months, if your request is particularly complex, or you have made a number of requests. In this case, we will notify you of this inside of one month and keep you updated as we fulfil your request
Security
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic, managerial procedures, and security measures to safeguard and secure the information we collect against accidental loss or unlawful usage or access. We limit access to your personal data to those who have a genuine business need to access it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Marketing
We would like to send you information about services of ours which may be of interest to you
We will only send you marketing communications if you have consented to receive them or it is in our legitimate interests to send them, for example because it is business-to-business marketing. You always have the right to opt out of receiving further promotional communications and also may opt out at a later data.
You may remove your consent for processing at any time.
If you no longer wish to be contacted for marketing purposes, please:
- Contact us at help@patchwork.health.
- Or use the unsubscribe function within the footer of any marketing or sales email.
We may ask you to confirm for update your marketing preferences if there are changes in the law, regulation, or the structure of our business.
Please note that we may also send you other communications in relation to your purchase of products and services or in order to respond to queries you have raised, such communications are service communications and are not considered a form of marketing communications.
Methods of Processing
Patchwork Health takes appropriate security measures to prevent unauthorised access, disclosure, modification, or unauthorised destruction of data.
Data processing is carried out using computers and/or IT enabled tools, following organisational procedures, and modes strictly related to the purposes indicated. In addition to Patchwork, in some cases, data may be accessible to certain types of persons in charge, involved with the operation of applications (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by Patchwork. An up-to-date list of these parties may be requested from Patchwork at any time.
Place
The data is processed at Patchworks operating offices, and in any other places where the parties involved in the processing are located.
Cookies
Cookies are text files placed on your device (e.g. computer, smartphone, or other electronic device) when you use our website or applications or other services, to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity, as well as for targeted adverting purposes.
Among the types of Personal Data that Patchworks applications collect, by themselves or through third parties, there are: Cookies, Usage Data, First Name, Last Name, Phone Number, Company Name, Profession, Country, Email Address, Field of Activity, Device Information, Data communicated while using the service
Complete details on each type of Personal Data collected by cookies are provided in the dedicated sections of this policy or by specific explanation texts displayed prior to the data collection.
Personal data may be freely provided by the user, or, in the case of Usage Data, collected automatically when using website, applications, or other services.
Unless otherwise specified, all data requested by Patchwork applications is mandatory, and failure to provide this Data may make it impossible for Patchwork applications to provide their services. In cases where it is specifically stated that some data is not mandatory, users are free not to communicate this data without consequence for the availability or functioning of the service.
Users who are uncertain about which personal data is mandatory are welcome to contact the policy owner at: help@patchwork.health
Users are responsible for any third-party personal data obtained, published, or shared through Patchwork applications and confirm that they have the third party’s consent to provide the data to the owner.
Strictly necessary cookies
These cookies are essential for your ability to navigate an application, or use specific secure areas of an application. Without these some services cannot be provided. Because these cookies are strictly necessary, they do not require consent
Website
Cookie Script: Cookie preferences – Remembering of User Cookie preferences
Hub-spot: User visitation Distinguishing between human and automated use of website
LinkedIn: Consent & Analytics Sync Storage of guest cookie preferences and storage of sync with linkedIn analytics cookie
Applications
Rails sessions – Authentication To authenticate users on to the application
Performance Cookies
These cookies collect information about how an application is used. This includes pages that are visited most often, storing of information between visits, to indicate where a user has come from, or if an email has been opened
Additionally, some performance cookies are analytics cookies that have been set up using third-party analytics software. We use Google Analytics and HotJar to help us do this. These cookies also provide aggregated, non-personally identifiable statistical data based on certain interest categories.
Website
Hubspot: Website Analytics – Provision of website performance analytics
Intercom: Helpdesk – Provision of helpdesk services performance monitoring
Application
HotJar analytics – Provision of application analytics
Google analytics – Provision of application analytics
Functionality cookies
Functionality cookies allow an application to remember personalisation choices and provide enhanced functionality. They may also be used to provide services you have asked for such as watching a video or asking for a live chat.
Website
Hubspot: User Authentication – To provide persistent user authentication services
LinkedIn: Language preferences – To provide language preferences
Application
Remember Hub user token & session – To provide session continuation
Intercom session identification – To provide session continuation for intercom services
Targeting or advertising cookies
Targeting or adverting cookies are used to deliver targeted services, or personalisation in advertising. They are also used to measure the effectiveness of advertising campaigns and to limit how often you see any particular advert.
Website
Doubleclick: Browser cookie support & website user – Monitoring of browser cookie support & website use by visitors
LinkedIn: Content sharing – Sharing of website content via social media
Meta: Content sharing – Sharing of website content via social media
Adsense: Advertising effectiveness – Monitoring of advertising efficiency
Third-party links and social networks
If you click on a hyperlink from within any of Patchwork’s applications to any third-party websites (for example sharing content over social networks), you may be sent cookies from these third-party websites.
Third-party websites have their own privacy and cookie policies which Patchwork cannot control. Please check the third-party websites for more information about their cookies and how to manage them.
Other websites
Our websites or applications may contain links to other websites. We do not control these third-party websites and are not responsible for their privacy statements. This privacy policy only applies to Patchwork’s website and Patchwork applications.
Changes to our privacy policy
We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last updated 04/05/2022
How to complain
Please contact us if you have any queries or concerns about our use of your data. We hope we will be able to resolve any issues you may have.
You also have the right to lodge a complaint with the Information Commissioner or any relevant data protection supervisory authority. The Information Commissioner may be contacted at:https://ico.org.uk/make-a-complaintor via telephone: 03031231113
How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you using the contact details set out below: By email at: help@patchwork.health By post: Patchwork Health, Canvas Building, 35 Luke Street, London, EC2A 3LH