Privacy Notice

Joined-up Solutions Ltd trading as Kids Club HQ (KCHQ) is aware of its obligations under the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 - DPA2018. We are committed to processing your data securely and transparently. This privacy notice sets out, in line with the Privacy Regulations, the types of personal data that we collect and process about our staff, customers and web-site visitors. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

Contents

Who we are

KCHQ is a Software as a Service (SaaS) provider of booking and scheduling capabilities for clubs and organisations. We act as both a Data Processor and a Data Controller: For our staff and associates we are a Data Controller, meaning that we determine the ‘means and purpose’ of processing personal data that we collect, for the purposes of conducting our business. This includes being a Controller for the personal details of our customers. However, we are a Data Processor for their customers – the children, parents, and members whose data they collect and use. This notice covers our responsibilities as a Data Controller - please see the individual Privacy Notices of the clubs and organisations for the handling of data for which they are the Controller.

Our contact details are:

hello@kidsclubhq.co.uk

Registered no: 05335754

ICO (Information Controllers Office) registration no: ZA159194

Data protection principles

In relation to your personal data, we will:

  • process it fairly, lawfully and in a clear, transparent way
  • collect your data only for specified and specific purposes
  • Only collect the minimum information we need to meet the purpose
  • only use it in the way that we have told you about
  • ensure it is correct and up to date
  • keep your data for only as long as we need it
  • process it securely, reducing the risk of it being lost or stolen

When acting as a Data Processor we have a contractual relationship with the Data Controller, and abide by their instructions at all times. You should refer to their Privacy Notice for details on the data processed, and the purposes for which it is processed

What data we collect about you

Personal data means any information capable of identifying an individual. It does not include anonymized data. We may process certain types of personal data about you as follows:

When you access our website:

  • Technical Data may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access the Site.
  • Usage Data may include information about how you use our website, products and services.

When you complete a ‘contact us’ form:

  • Identity Data will include your Name & title.
  • Contact Data may include your work or home address, email address and telephone numbers.

When you choose to engage with a ‘free trial’ of our software:

  • Identity Data may include your Name, title, company and role.
  • Contact Data may include your work or home address, email address and telephone numbers.
  • Profile Data may include your username and password, preferences, feedback and survey responses.

When you choose to buy our services:

  • Identity Data will include your Name, title, company and role.
  • Contact Data may include your work or home address, email address and telephone numbers.
  • Profile Data may include your username and password, purchases or orders, your interests, preferences, feedback and survey responses.
  • Financial Data may include your bank account and payment card details.
  • Transaction Data may include details about payments between us and other details of purchases made by you.

When you choose to work for us, either as contractor or employee:

  • Identity Data will include your Name, title, and role.
  • Employment Data may include qualifications, ‘Right to Work’ checks, employment/ contract periods, absence (leave and sickness) and performance records.
  • Contact Data may include your home address, email address and telephone numbers, Emergency contacts.
  • Profile Data may include your username and password, system accesses granted etc.
  • Financial Data may include your bank account and payment details, pension rights, tax codes, NI identifier, etc.

We may also process Aggregated Data from your personal data, but this data does not reveal your identity and as such in itself is not personal data. If we link the Aggregated Data with your personal data so that you can be identified, then it is treated as personal data. Where we are required to collect personal data by law, or under the terms of the contract between us and you, if you do not provide us with that data when requested, we may not be able to perform the contract (for example, to deliver the Services to you). If you don’t provide us with the requested data, we may have to cancel your order of the Services. If we do, we will notify you at that time.

Why we process your data

There are 6 lawful reasons for processing personal data, which are:

  • You give consent for us to process your data
  • It is necessary to fulfil a contractual obligation with you
  • There is a regulatory obligation on us to do so
  • It is in the legitimate interest of the company to do so
  • It is in the public interest to do so
  • It is in your vital interest to do so.

You can see all the personal data types we may hold listed below.

  • Full Name
  • Address
  • Email address
  • Telephone Number
  • Organisation/company name
  • Twitter ID
  • IP address
  • Bank Account Name
  • Bank Account Number
  • Bank Account Sort Code
  • Payment records

How we collect your data

We collect personal data about you through a variety of different methods including:

  • Direct Interactions: You may provide data when filling in forms on the Site (or otherwise) or by communicating with us by post, phone, email, or otherwise, including when you:
    • subscribe to our Service;
    • create an account on the Site;
    • request resources or marketing be sent to you;
    • request a demonstration of the Service;
    • watch a demo video;
    • give us feedback.

  • Automated technologies or interactions: As you use our site, we may automatically collect Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies. We may also receive technical data about you if you visit other websites that use our cookies. Please see our cookie policy for further details.

  • Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:
    • Analytics providers such as Google based outside the UK;
    • Identity and Contact Data from publicly available sources such as LinkedIn.

Sensitive / Special categories of data

We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:

  • you have given explicit consent to the processing
  • we must process the data in order to carry out our legal obligations
  • we must process data for reasons of substantial public interest
  • you have already made the data public.

As a Data Controller, KCHQ do not collect or Process any sensitive data.

Child Data

In our role as a Data Controller, it is not KCHQ’s intent to process data from anyone under the age of 16. If you are aware of anyone having submitted data to us relating to an individual under the age of 16, please let us know at dpo@jem-gdpr.co.uk and we will immediately stop processing and delete any personal data relating to that individual. If we become aware of having been provided data relating to an individual under the age of 16 (without parental consent) we will immediately stop processing and delete any personal data relating to that individual.

As a Data Processor we process child data on behalf of Controllers who have contracted for our services. Our contractual agreement with each Controller on the handling of such data - secured access, sharing, destruction etc. - is detailed in our Service Agreements with each Controller, and their instructions to us are to be found in their individual Privacy Notices.

Sharing your data

Your data will be shared within the Company where it is necessary for staff to undertake their duties in provision of the Services to you.

We also share some of your data with the following third parties:

  • Freshdesk who provide the KCHQ support system
  • QuickBooks who we use for accounting
  • Mailchimp who we use for bulk email
  • ActiveCampaign who we use for customer relationship management

We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us.

Protecting your data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented appropriate technical and organisational measures to ensure the security of your data:

  • TLS is used to encrypt all communications between you and our servers.
  • Access to production servers by KCHQ staff is limited to just those who need access to perform their responsibilities. Strong passwords are required for all accounts.
  • All coding is done with security in mind and tested for known threats.
  • The Operating Systems and installed services are hardened and patched to keep the systems defences up to date.

Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with UK-GDPR and DPA2018 requirements. Third parties must also implement appropriate technical and organisational measures to ensure the security of your data. You can link to their specific Data Privacy Polices here:

As a Data Controller KCHQ stores personal data on Google servers based in the UK and Ireland. As signatories to the EU / EEA data privacy legislative framework (GDPR), Ireland is deemed to have ‘adequate’ data privacy policies as defined by DPA2018 and UK-GDPR.

As a Data Processor, KCHQ processes data on behalf of our Controllers on Amazon Web Services (AWS) servers, based in Ireland, which is deemed to have ‘adequate’ data privacy policies as defined by DPA2018 and UK-GDPR.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as necessary. Retention periods can vary depending on why we need your data, and are listed here

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold on you. These are:

  • the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
  • the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request. You can read more about this in our Subject Access Request policy which is available from hello@kidsclubhq.co.uk
  • the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you can require us to correct it
  • the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it. There may be circumstances where we cannot delete your data – regulatory retention for example. We will clearly explain if it cannot be deleted when a request is made.
  • the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
  • the right to portability. You may transfer the data that we hold on you for your own purposes
  • the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests
  • the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects you.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact our Data Manager on 07876 041 552 or at E-mail: dpo@jem-gdpr.co.uk

How to complain

We strive to meet the highest standards when collecting and using personal information. Complaints are taken very seriously, and data subjects are encouraged to bring any issues to our attention.

To do this either e-mail or write to: The Data Manager KCHQ JEM – GDPR Ltd 2 Gravel Hill Nayland Suffolk CO6 4JB

Tel: 07876 041 552 E-mail: dpo@jem-gdpr.co.uk

We welcome the opportunity to resolve any queries in the first instance. However if you think your data protection rights have been abused or breached in any way by us, or we have not dealt adequately with your concern, the supervisory authority in the UK for data protection matters is the Information Commissioner’s Office (ICO).
You are able to make a complaint to the ICO at https://ico.org.uk/concerns/.

Or by post, telephone or email: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Telephone: 0303 123 1113 Email: casework@ico.org.uk.



Version number: 8
Issue date: 13th December 2022