Privacy Policy
SupplyWell Ltd
Company Number 11034617
Cotton Exchange, Liverpool, L3 9LQ
GDPR Privacy Notice for Users
- Introduction:
At SupplyWell, we are committed to protecting the privacy and security of our users' data in accordance with GDPR law (GDPR - The UK General Data Protection Regulation). We want our users to know that their private information is as safe as possible in our hands and that we will always be open and honest about how it will be used.
This Privacy Notice for Users of our services is displayed on our website and contains all the information users need to know about how and why we collect, use, process, store, and transfer Personal Data about them and how we keep their data safe when they use our platform. This includes any data they may provide when they register with us, OR purchase a product or service, OR register with our online platform, OR register with us to find work placements. It also explains users' privacy rights and obligations concerning their data and how the law protects them.
This privacy notice is provided in a layered format so users can click through to the specific bookmark areas set out in the contents above. Alternatively, users can view the full version of the privacy notice below.
Users of SupplyWell must be aged 16 or older. If any user is under 16 and they access SupplyWell Ltd or use the SupplyWell app by lying about their age, they must immediately stop using SupplyWell Ltd/the SupplyWell app. Our platform and our goods and services are not intended for children and we do not knowingly collect data relating to children.
- Important information about who we are
Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing questions about this Privacy Notice, including any requests to exercise users’ legal rights surrounding their Personal Data. Users can contact the DPO using the information set out in the ‘Who to contact’ section.
Data Controller
SupplyWell Ltd is the data controller and responsible for the user’s Personal Data (collectively referred to as "SupplyWell", "we", "us" or "our" in this privacy notice).
In discharging our responsibilities as a Data Controller, we have employees who will deal with user data on our behalf (known as “Processors”). Therefore, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole.
The Data Controller’s and Processors’ responsibilities:
- Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR;
- Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data;
- Obtain the prior specific or general authorisation of the Controller before engaging another Processor;
- Assist the Controller in the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
- Maintain a record of all categories of processing activities carried out on behalf of a Controller;
- Cooperate, on request, with the supervisory authority in the performance of its tasks;
- Ensure that any person acting under the authority of the Processor who has access to Personal Data does not process Personal Data except on instructions from the Controller;
- Notify the Controller without undue delay after becoming aware of a Personal Data Breach;
- Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority; and
- Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to Personal Data and processing operations, and to maintain their expert knowledge.
- Data Subjects:
The individuals from whom we may gather and use data can include:
- Users of our services;
- Users of our website;
- Users of our app;
- Business and client contacts;
- Customers;
- Regulators;
- Prospective candidates;
- Candidates;
- Third parties connected to our customers; and
- Any other people that the organisation has a relationship with or may need to contact.
This Privacy Notice applies to all our Users and all Personal Data processed at any time by us.
- The types of data we collect about users:
Personal Data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of Personal Data about users which we have grouped together below. Not all of the following types of data will necessarily be collected from all users, but this is the full scope of data that we collect and may be held by SupplyWell as controller, in user documents (e.g. contractual), file notes, on our software or elsewhere, including electronic or on paper. We will hold data that users have provided to us and also data collected by our website or app when they use it.
We currently collect and process the following data from users:
- Identity data is data relating to first name, last name, any previous names, job title, gender, and date of birth. If the user is a supply educator, their identity data will include details of their subject areas and application and background data, including past experience, education, qualifications, employment history, referee details, references, immigration and right-to-work status. If users represent a school, Multi Academy Trust or other educational institution, identity data includes their specific details.
- Contact data is data relating to phone numbers, postal addresses and email addresses.
- Financial data is data relating to National Insurance number, statutory payroll and banking details e.g. bank account number and sort code and payment card details.
- Transaction data includes details about payments to and from users and other details of products and services they have purchased from us or in the case of supply educators, details of placements they have accepted and carried out.
- Technical data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices used to access this platform.
- Profile data includes username (or similar identifier) and password, purchases or orders made by users, details of any placements where users have been shortlisted, or applied, placements they have accepted, feedback on those placements from educators and from the educational institutions, user interests, preferences, feedback, and survey responses.
- Usage data includes information about how users interact with and use our platform, products and services.
- Marketing and Communications data includes user preferences in receiving marketing from us and our third parties and communication preferences.
We also collect, use, and share aggregated data such as statistical or demographic data which is not Personal Data as it does not directly (or indirectly) reveal the user's identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific platform feature in order to analyse general trends in how users are interacting with our platform to help improve the platform and our service offering.
We do not collect any Special Categories of Personal Data about users (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership and genetic and biometric data). We do collect information about your health, to establish your physical and mental fitness to be an educator, and criminal convictions and offences, as part of our educator background checks (DBS), however, we do not store this information.
- How we collect personal information:
We use different methods to collect data from and about users including through:
Interactions with us
Users may give us their Personal Data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes Personal Data provided when users:
- apply for our products or services on behalf of an educational establishment;
- create an account on our platform or online platform;
- register as a supply educator looking for placements;
- subscribe to our services or publications;
- request marketing to be sent to them;
- register with our Teachers Matter community;
- complete payroll information required by HMRC;
- sign up to Yoti, or a similar ID checking platform, as part of the completion of background employment checks;
- give us feedback or contact us.
Automated technologies or interactions
As users interact with our platform, we will automatically collect Technical Data about their equipment, browsing actions, and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies. For further details, please see our cookie policy.
Third parties or publicly available sources
We will receive Personal Data about users from various third parties and public sources. As everything from IP addresses to cookie data constitutes Personal Data, our website might process Personal Data from people who will never even contact our company.
- Meta, LinkedIn, and X allow these apps (where users have provided their permission to them) to track the fact that they have used our website.
- Technical data is collected from analytics providers (such as Google, based outside the UK) and search information providers (such as Bing, based outside the UK).
- Contact, Financial and Transaction data is collected from providers of technical, payment and delivery services (such as Hubspot based outside the UK).
- Reference data is sought from relevant third parties (e.g. previous employers) as part of the pre-employment checks, as it is necessary to establish the suitability of working with children.
- How we will use the data
Legal basis for holding user data
Under the UK GDPR, we need to have a legal basis for collecting and processing user data. We will only use Personal Data when the law allows us to. We will never process data unless we have a legal basis for doing so and it is for a related purpose. There are different types of lawful bases for processing that data (detailed below). The lawful bases SupplyWell relies on for processing user information are:
- Contractual obligations - We may use Personal Data where we need it to perform our contractual obligations. We may require certain information from users in order to perform the contract we are about to enter into or have entered into with them and provide them with the promised service. This can include contact details, DOB, PAYE, salary and pension details, medical information, and data related to background employment checks such as criminal records.
- Legitimate interests - We may use Personal Data where it is necessary for our legitimate interests (or those of a third party) as part of running our business, and where user interests and fundamental rights do not override those interests. We make sure we consider and balance any potential impact on users and their rights (both positive and negative) before we process Personal Data for our legitimate interests. We do not use Personal Data for activities where our interests are overridden by the impact on users (unless we have user consent or are otherwise required or permitted to by law).
- Legal obligations - We may use Personal Data where we need it to comply with a legal obligation or satisfy legal compliance. We may be required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions. We will identify the relevant legal obligation when we rely on this legal basis.
- Consent - We may use Personal Data where consent has been provided. We rely on consent only where we have obtained a user’s active agreement to use their Personal Data for a specified purpose, for example, if they subscribe to an email newsletter or if they have contacted us directly seeking information. Users are able to remove their consent at any time. They can do this by contacting data@supplywell.co.uk.
The other legal bases are where it is needed in the public interest or to protect users’ vital interests or someone else's.
Purposes for which we will use Personal Data
We have set out below, in a table format, a description of all the ways we plan to use the various categories of Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
In view of the fact that we serve both educational establishments and staff in them for supplying supply educators, and we also serve supply educators finding them placements, we have categorised this to make it easier to understand what we do with user-particular data.
Direct marketing
Users will receive marketing communications from us if they have requested information from us or purchased goods or services from us and have not opted out of receiving the marketing.
Opting out of marketing
Users can ask us to stop sending them marketing communications at any time by logging into the platform and amending their profile settings by checking or unchecking relevant boxes to adjust their marketing preferences.
If users opt out of receiving marketing communications, we will continue to retain other Personal Data provided to us as a result of interactions with us not related to marketing preferences and users will still receive service-related communications that are essential for administrative or customer service purposes.
Cookies
For more information about the cookies we use and how to change their cookie preferences, please see our Cookie Policy.
For full details on how we will use your data as 'People representing schools and other educational institutions' or 'Supply Educators' please click here.
- Disclosures of users’ Personal Data
We may share users’ Personal Data where necessary with the external third parties set out below, for the purposes set out in the tables above:
- Service providers who carry out some or all of the technical functions supporting our platform;
- Educational establishments who are looking to fill placements (for example details of supply educator qualifications, employment history or references);
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners may use users’ Personal Data in the same way as set out in this privacy notice;
- Third parties where, required by law, it is necessary to carry out our working relationship with the user, or where we have another legitimate interest in doing so. For example, we may share the data with schools with whom we have a booking or with HMRC for the purposes of payroll;
- Third parties who process information on our behalf, for example, for CRM systems, compliance and onboarding systems or marketing delivery systems. We require that these parties agree to process this information based on our instructions and requirements consistent with this privacy notice;
- Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about users. We do not control these third-party websites and are not responsible for their privacy statements. When users leave our site, we encourage them to read the privacy notice of every website they visit.
Third parties will only process user data on our instructions and where they have agreed to treat the data confidentially and to keep it secure. All our third-party service providers are required to take appropriate security measures to protect our user data in line with our policies.
We do not allow our third-party service providers to use user Personal Data for their own purposes. We only permit them to process user Personal Data for specified purposes and in accordance with our instructions.
We may also share user data at any time if required for legal reasons or in order to enforce our terms or this privacy notice.
International transfers
We may transfer users’ Personal Data to service providers that carry out certain functions on our behalf. We might do this electronically, for instance using an API service. This may involve transferring Personal Data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.
Whenever we transfer a user’s Personal Data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the contract we have with the service providers provides an appropriate level of protection.
- Data Retention & Data Security:
Data Security
User information is securely stored. We have put in place appropriate security measures to prevent user Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to user Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process user Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify users and any applicable regulator of a breach where we are legally required to do so.
The security measures we implement to ensure the security of users’ Personal Data on our systems include:
- Specialist web servers, adopting a secure protocol, and encrypting our databases;
- Measures to limit access to user data through our software system. Any Personal Data collected by us is only accessible by a limited number of employees who have special access rights to such systems and are bound by obligations of confidentiality;
- User account information will be protected by a password for privacy and security. Users need to prevent unauthorised access to their accounts and personal information by selecting and protecting their password appropriately, limiting access to their computer or device and by signing off after they have finished accessing their account.
- If and when we use third parties to store user data, we will not relinquish control of user data or expose it to security risks that would not have arisen had the data remained in our possession. Unfortunately, no transmission of data over the internet is guaranteed to be completely secure. It may be possible for third parties not under the control of SupplyWell Ltd to intercept or access transmissions or private communications unlawfully. While we strive to protect users’ Personal Data, we cannot ensure or warrant the security of any Personal Data users transmit to us. Any such transmission is done at the user’s own risk. If the user believes that their interaction with us is no longer secure, please contact us.
- Whenever we transfer user Personal Data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the contract we have with the service providers provides an appropriate level of protection. We may transfer user Personal Data to service providers that carry out certain functions on our behalf. This may involve transferring Personal Data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.
Data Retention & Disposal
We don't want to keep user data for any longer than is necessary. Information held for longer than is necessary carries additional risk and cost. We will only retain user Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
We may have legal obligations to keep user data even after users have stopped using our service, for example, under legal requirements from HMRC. By law, we must keep basic information (including Contact, Identity, Financial, and Transaction Data) for six years after users cease being our customers for tax purposes. We may also need to retain user Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with them.
In some circumstances, users can ask us to delete their data (see ‘Users’ legal data protection rights’ section below for further information). In some circumstances, we will anonymise user Personal Data (so that it can no longer be associated with them) for research or statistical purposes, in which case we may use this information indefinitely without further notice to the user.
A data retention period refers to the amount of time that an organisation holds onto information. Different data have different retention periods. Best practice dictates that data should be kept only as long as it’s useful, as long as there is an administrative need to keep it to carry out its business or support functions or for as long as it is required to demonstrate compliance for audit purposes or for legislative requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of their Personal Data, the purposes for which we process their Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
We adhere to the ICO’s recommended retention periods which are:
- HMRC records e.g.: income tax and NI returns, income tax records, and correspondence with HMRC - 6 years from the end of the tax year to which they relate;
- Pension records - 12 years after the benefit ceases;
- Personnel files and training records (including formal disciplinary records and working time records) - 6 years after employment ceases;
- References - At least one year after the reference is given to meet the limitation period for defamation claims;
- Right to work in the UK checks - Home Office recommended practice is 2 years after employment ends;
- Statutory Sick Pay (SSP) records - It is advised to keep records for at least 6 months after the end of the period of sick leave in case of a disability discrimination claim;
- Terms and conditions including offers, written particulars, and variations - It is advised to review 6 years after employment ceases or the terms are superseded.
- Working time records including overtime, annual holiday, jury service, time off for dependents, etc - 2 years from the date on which they were made.
- Users’ legal data protection rights:
GDPR aims to give control to data subjects over their data, by bringing strict guidelines to data controllers and providing users with the following rights:
- Right of access – Users can access information associated with their account by logging into the account they created with us. This provides direct access to the majority of the current data we hold on our software, through their profile, which they can access at any time.
Users also have the right to ask us, through a Subject Access Request, that we provide a copy of the data we hold about them and to check that we are lawfully processing it. To do this, users can write a letter or email stating that they are making a Subject Access Request, being specific about the data they wish to access within any time periods, and they must include their name, address, email address and contact telephone number.
- Right to rectification - Users have the right to ask us to rectify personal information they think is inaccurate. They also have the right to ask us to complete information which they think is incomplete. If a user informs us that their data is incorrect or incomplete, we will verify and update that data in our database. We can then resume processing the data after verifying its accuracy with the user. Users’ profiles in our software system give users who have signed up access to correct much of their own data, and we rely on users to do so to ensure that they have provided us with details of any changes in their personal circumstances.
- Right to erasure - Users have the right to ask us to erase their personal information in certain circumstances (the ‘right to be forgotten’) such as:
- The user withdraws their consent to the processing of their data (users may withdraw their consent at any time and if they do so, SupplyWell is obliged to comply with their request and will stop processing their data and remove it upon their request);
- The user objects to the processing of their data; or
- SupplyWell obtained the user’s data unlawfully.
Users may delete their SupplyWell account at any time which will remove their account page from our systems and our related software. We do not guarantee the ability to delete all stored data. If users would like us to delete/correct personally identifiable data, they are required to let us know and we will action their request as soon as practicable.
- Right to restriction of processing - Users have the right to ask us to suspend processing their data whilst its accuracy or reason for processing is established. This right also enables users to ask us to suspend the processing of their Personal Data in one of the following scenarios:
- Where our use of the data is unlawful but they do not want us to erase it;
- Where they need us to hold the data even if we no longer require it as they need it to establish, exercise or defend legal claims; or
- Where they have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
There may be certain circumstances, however, where we cannot suspend processing if it prevents us from complying with a legal obligation. If this situation occurs, we will advise the user at the time of the reason why we cannot suspend processing.
- Right to object to processing - Users have the right to object to the processing of their personal information in certain circumstances. Once we have received their objection, we will no longer process their information for the purposes they originally agreed to, unless we have another legal basis for doing so which we will advise them of at the time.
Users also have the right to object to the processing of their Personal Data for direct marketing purposes (See ‘Opting out of Marketing’ in the ‘How we will use Users' data’ section for details of how to object to receiving direct marketing communications).
- Right to data portability - Users have the right to ask that we transfer the personal information they gave us to another organisation, or to them, in certain circumstances. We will provide to the user, or a third party they have chosen, their Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which they initially provided consent for us to use or where we used the information to perform a contract with them.
If users wish to exercise any of the rights set out above, they are required to contact us.
See Contact details in the ‘Who to Contact’ section below.
No fee is usually required
Users are not required to pay any charge for exercising their rights to access their Personal Data. If we determine, however, that a request is manifestly unfounded, repetitive or excessive, we may charge a reasonable fee or refuse to comply. In such cases, we will provide clear reasons for our decision and inform data subjects of their right to complain to the ICO.
What we may need from users
We may need to request specific information from users to help us confirm their identity and ensure they have the right to access their Personal Data (or to exercise any of their other rights).
If we ask for specific information, this is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact users to ask them for further information in relation to their request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if a request is particularly complex or the user has made a number of requests. In this case, we will notify the user and keep them updated.
- Who to contact
If users have any questions about this privacy policy or about the use of their Personal Data or they want to exercise their privacy rights, they can contact the DPO using the details set out below.
Our contact details:
Name: SupplyWell Ltd
Address: SupplyWell, 122 Cotton Exchange, Liverpool, L3 9LQ
Phone Number: 0333 305 0601
E-mail: hello@supplywell.co.uk
Web address: www.supplywell.co.uk
Company Number: 11034617
The name and contact details of our Data Protection Officer (DPO) or Company Representative for GDPR: Dan Price, CPO
Contact: data@supplywell.co.uk
The purpose of processing user data:
Providing recruitment and employment and associated services
Whether we intend to use user data for other purposes than recruitment and employment:
We will not use user data for any purposes other than recruitment and employment. If there were any circumstances where we would like to, we would inform users before processing their data further.
The recipients of user data:
SupplyWell or a third party in connection with the reasons stated above.
How long we will store user data:
As long as the user is using the services of SupplyWell or the legal processes dictate.
How users can request access, correct, or erase their data:
By writing to our company representative for GDPR: Dan Price, CPO at data@supplywell.co.uk.
How users can withdraw their consent to the processing of their data:
By writing to our company representative for GDPR: Dan Price, CPO at data@supplywell.co.uk.
- Complaints
If users have any concerns about our use of their personal information, they can make a complaint to our CEO, Michael Heverin, at gdprcomplaints@supplywell.co.uk.
Users have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with any concerns before users approach the ICO so would ask that users please contact us in the first instance.
The ICO’s address
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline number: 0303 123 1113. ICO website: www.ico.org.uk
- Changes to the privacy policy and user data changes
We keep our privacy policy under regular review. This version was last updated in September 2024. It is important that the Personal Data we hold about users is accurate and current. Users are requested to please keep us informed if their Personal Data changes during their relationship with us, for example, a new address or email address.
By using the services and the website or app of SupplyWell Ltd, users consent to the collection and use of data by us as set out in this privacy notice. Continued access or use of SupplyWell Ltd will constitute their express acceptance of any modifications to this privacy notice.
- Third-party links
Our platform via our website or our app may include links to third-party platforms, plug-ins, and other applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about users. We do not control these third-party platforms and are not responsible for their privacy statements. When users leave our platform, we encourage them to read the privacy policy of every platform they visit.