Agilio General Privacy Notice 

Purpose of this notice

This privacy notice sets out how Agilio Software (referred to as “Agilio”, “we”, and “us”, in this notice) handle the information we receive from customers, potential customers and everyone who interacts with our products and services. 

Agilio Software is a group of companies and trades as Clarity Informatics, CODEplan, Isopharm, Myhrtoolkit, or MyLocumManager, depending on the products and services being provided.

We have appointed a Data Protection Officer, who is responsible for assisting with enquiries in relation to this privacy notice and our treatment of personal data. Our nominated Data Protection Officer can be contacted at Agilio Software, Elm Tree House, Bodmin Street, Holsworthy, Devon, EX22 6BB or by emailing [email protected].

Personal data we collect

We collect personal information from different sources. This includes personal information you give to us directly; personal data we collect from third parties; and personal information we collect automatically when you use our products and services.

When we have a direct contract with you for our products and services, or where you provide your personal data to us outside of any business relationship we have with your employer (or other similar organisation), or where we collect your information ourselves, we are the “Data Controller”. This means that we are responsible for deciding how we hold and use personal information about you.

Where we have a contract with your employer or other similar organisation for our products and services (instead of directly with you), we are a “Data Processor”.  In these circumstances, your employer (or other similar organisation) will be the “Data Controller” and it is responsible for deciding how we hold and use personal data about you.  Our use of your personal data is governed by the terms of that contract.

When acting as a Data Controller

We may collect and process information that you provide by filling in forms on our website. This may include when you sign up for a service, or to marketing communication, or complete a survey.

We also collect and process information through any interactive service which includes information that you input into our products and services. This also includes any information provided by your employer or other similar organisation.

The types of information we collect will depend on your dealings with our company and may include:

We also collect information ourselves, for example from publicly available data such as CQC or GDC databases and from social networking sites. Occasionally we will also receive information about a potential customer from a current customer, for example, as part of a referral scheme or promotion. We rely on our legitimate business interest to contact the potential customer.

We may combine the information we collect directly from you and information we collect automatically to offer and market tailored products, services, and features.

We do not provide services directly to children or proactively collect their personal information. However, we may sometimes be given information about children in the course of dealings with customers. The information in this notice applies to children as well as adults.

When acting as a Data Processor

When we are acting as a Data Processor, the information we process may include:

Please note that when inputting personal data relating to a third party (such as a patient’s contact details for electronic Patient Satisfaction Questionnaires) it is your responsibility as the Data Controller to always ensure that you have obtained the necessary prior legal basis to enable you to do so.  You must not input any other patient-related information.

The legal basis which your employer (or other similar organisation) is entitled to process your personal data is determined by them not us. We process that personal data in accordance with their instructions and for the purposes of enabling us to perform our obligations under our contract with them and to comply with our legal obligations.   If we receive inquiries about processing personal data from your customers or contacts, we will direct such inquiries to you as the Data Controller of such personal data.

Purposes and lawful basis for processing your information

The reasons Agilio collect and use your information depend on the situation. Under the headings below we have explained this in more detail, as well as the lawful basis we rely on.

When we obtain your consent
Where appropriate, Agilio may collect and use your personal information with your consent. Where you have given your consent for the processing of your personal data, you have the right to withdraw it at any time. We may seek your consent to provide you with email, post or telephone marketing about our products and services. This lawful basis is set out in Article 6(1)(a) of the UK GDPR.

When we are required to by law
There may be situations where we are required to comply with a legal obligation to process your information. For example, this could be to comply with a court order or when lawfully required to by law enforcement or when retaining personal identifiable information in financial records for tax purposes. This lawful basis is set out in Article 6(1)(c) of the UK GDPR.

When we have a legitimate business interest
There may be some situations where we have legitimate interest to process your personal information. We will always consider your interests and fundamental rights when using this basis for processing your information. This lawful basis is set out in Article 6(1)(f) of the UK GDPR.

We may use your personal information to:

When we ask you to take specific steps before entering a contract

Sometimes we will require a customer to undergo a credit reference check before we can offer certain services, for example, advance credit benefits. This lawful basis is set out in Article 6(1)(b) of the UK GDPR.

In some circumstances we may anonymise the personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

Automated decision-making and profiling

Agilio does not make decisions solely through automated means without human involvement.

To provide current and potential customers, with appropriate information about our products and services, we tailor our marketing activities. We do this by examining personal information, which may include all or some of the following: location, contact details, existing customer relationship, buying habits, business information (including size, date of opening, CQC inspection report), job role, interaction with our software or helpline services (including frequency of sign-on and usage of certain features).

We do not make these decisions solely by automated means without any human involvement and therefore do not undertake profiling which meets the definition under Article 4(4) of the UK GDPR.

Data sharing

Generally, we do not share your information with third parties, save as set out below:

Within the Agilio Software group
We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.

Sharing with your employer
Where we are a Data Processor, and you are using our products and services in connection with a contract that we have with your employer (or other similar organisation) we will share your personal data with that organisation and vice versa.

Agents and Vendors
We may also share personal data with agents or vendors working on behalf of Agilio. This includes third parties Agilio have appointed to protect, develop, or administer our products and services who require access to personal data. This may include for example an external IT developer or an external customer service provider. All companies engaged by Agilio who require access to personal data are required to abide by strict data processing policies and procedures which mirror the standards Agilio follow. We will always have robust agreements in place with third parties to ensure the secure processing of your data.

Agilio may also disclose personal data as part of a merger, sale of the company’s assets or other corporate transaction.

Transferring information outside the UK
Where an organisation we share information with processes personal information outside of the UK we ensure that either processing only occurs in countries that are deemed “adequate” by the UK or where there are standard contractual clauses or binding corporate rules in place.

Agilio’s customers are predominantly based in the UK, however, we do supply products and services with businesses and individuals based outside the UK (both EU and non-EU countries). In this case, transfer of data overseas is carried out to meet our contractual obligations with these customers. Transfers of this kind will only take place if the contract was entered into at the individual’s request or in their interests and was necessary.

Data security

We have put in place commercially reasonable and appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and where we are acting as a Data Controller, we will notify you and any applicable regulator of a suspected breach where we are legally required to do so.  Where there is a suspected data security breach, but we are acting as a Data Processor and not a data controller, the contract between us and your employer (or other similar organisation) will govern what each of us is required to do, in those circumstances. 

Data Retention

Where we are acting as a Data Controller, we will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.  Where we are acting as a Data Processor, we will retain your personal data for the period agreed by your employer (or other similar organisation) in our contract with them.

If we are responsible for assessing what retention period is appropriate for your personal data, we take into consideration:

Change of purpose

Where we are acting as a Data Controller and we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal information where that reason is compatible with the original purpose.

Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.

Right of access, correction, erasure, and restriction

Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Should your personal information change, please notify us, using the contact details below (or, where applicable, notify your employer or the entity that has engaged you) of any changes of which we/they need to be made aware.

Your rights in connection with personal information
Under certain circumstances, by law you have the right to:

If you want to exercise any of the above rights, please email [email protected] or, (where applicable) please contact your employer (or other similar organisation). Please note that, where we are acting as a Data Processor, we will always notify your employer (or other similar organisation) of your request and we will pass on the details of the request, to them.

You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.  

Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent for direct marketing, please use the opt-out feature provided in the marketing, or email the contact listed such emails.

To withdraw your consent for any other processing, please email [email protected].

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Changes to this notice

From time to time we may change this notice. Any changes we make will be updated on our website,

Updated 8 July 2022