Agilio General Privacy Notice 

Purpose of this notice

This privacy notice sets out how Agilio Software (referred to as “Agilio”, “we”, and “us”, in this notice) handle the information we receive from customers, potential customers and everyone who interacts with our products and services. 

Agilio Software is a group of companies and trades as Clarity Informatics, CODEplan, Isopharm, Myhrtoolkit, or MyLocumManager, depending on the products and services being provided.

We have appointed a Data Protection Officer, who is responsible for assisting with enquiries in relation to this privacy notice and our treatment of personal data. Our nominated Data Protection Officer can be contacted at Agilio Software, Elm Tree House, Bodmin Street, Holsworthy, Devon, EX22 6BB or by emailing [email protected].

Personal data we collect

We collect personal information from different sources. This includes personal information you give to us directly; personal data we collect from third parties; and personal information we collect automatically when you use our products and services.

When we have a direct contract with you for our products and services, or where you provide your personal data to us outside of any business relationship we have with your employer (or other similar organisation), or where we collect your information ourselves, we are the “Data Controller”. This means that we are responsible for deciding how we hold and use personal information about you.

Where we have a contract with your employer or other similar organisation for our products and services (instead of directly with you), we are a “Data Processor”.  In these circumstances, your employer (or other similar organisation) will be the “Data Controller” and it is responsible for deciding how we hold and use personal data about you.  Our use of your personal data is governed by the terms of that contract.

When acting as a Data Controller

We may collect and process information that you provide by filling in forms on our website. This may include when you sign up for a service, or to marketing communication, or complete a survey.

We also collect and process information through any interactive service which includes information that you input into our products and services. This also includes any information provided by your employer or other similar organisation.

The types of information we collect will depend on your dealings with our company and may include:

• Contact details, including name, address, telephone number and email address, professional information such as your GDC number or CPD Cycle start and end dates
• Further information about you to help us confirm your identity and ensure security of your account. This may include your information such as you date of birth, or the answers to security questions
• Financial information to process payments. Agilio process bank account details to pay invoices and arrange standing orders and direct debits, however, we do not process payment card information. All card payments taken, and refunds made are administered via third party systems
• Communication you have with us, which may include emails you send us and records and recordings of telephone calls
• Information about how you will be using the product or service—for example, whether you are using the product or service for business use or for your own personal use
• Cookie and tracking data (please see our cookie notice)
• Information about enquiries or complaints you make to us

We also collect information ourselves, for example from publicly available data such as CQC or GDC databases and from social networking sites. Occasionally we will also receive information about a potential customer from a current customer, for example, as part of a referral scheme or promotion. We rely on our legitimate business interest to contact the potential customer.

We may combine the information we collect directly from you and information we collect automatically to offer and market tailored products, services, and features.

We do not provide services directly to children or proactively collect their personal information. However, we may sometimes be given information about children in the course of dealings with customers. The information in this notice applies to children as well as adults.

When acting as a Data Processor

When we are acting as a Data Processor, the information we process may include:

• business contact details and your users’ personal details, such as name, address, email address, phone numbers
• details of contact we have had with you (for example, when providing you with a quote for our products or services)
• details of any products or services you have received from us, as well as any associated payment-related information
• information about any complaints and enquiries made to us
• tracking cookie data (please see our cookies policy)
• any other information that you and your users input into our products and services

Please note that when inputting personal data relating to a third party (such as a patient’s contact details for electronic Patient Satisfaction Questionnaires) it is your responsibility as the Data Controller to always ensure that you have obtained the necessary prior legal basis to enable you to do so.  You must not input any other patient-related information.

The legal basis which your employer (or other similar organisation) is entitled to process your personal data is determined by them not us. We process that personal data in accordance with their instructions and for the purposes of enabling us to perform our obligations under our contract with them and to comply with our legal obligations.   If we receive inquiries about processing personal data from your customers or contacts, we will direct such inquiries to you as the Data Controller of such personal data.

Purposes and lawful basis for processing your information

The reasons Agilio collect and use your information depend on the situation. Under the headings below we have explained this in more detail, as well as the lawful basis we rely on.

When we obtain your consent
Where appropriate, Agilio may collect and use your personal information with your consent. Where you have given your consent for the processing of your personal data, you have the right to withdraw it at any time. We may seek your consent to provide you with email, post or telephone marketing about our products and services. This lawful basis is set out in Article 6(1)(a) of the UK GDPR.

When we are required to by law
There may be situations where we are required to comply with a legal obligation to process your information. For example, this could be to comply with a court order or when lawfully required to by law enforcement or when retaining personal identifiable information in financial records for tax purposes. This lawful basis is set out in Article 6(1)(c) of the UK GDPR.

When we have a legitimate business interest
There may be some situations where we have legitimate interest to process your personal information. We will always consider your interests and fundamental rights when using this basis for processing your information. This lawful basis is set out in Article 6(1)(f) of the UK GDPR.

We may use your personal information to:

• Manage the products and services we supply to you. Agilio will collect and use your personal information when you buy or register for a product or service from us. We will also collect and use your data when you register an online account or download and register on one of our apps.
• Tailor communications we send you. We may use personal information we have collected about you to provide you with tailored information about products and services which may be of interest to you. This may include building a profile to analyse how you are using and interacting with our products services.
• To build our business. We may also build a profile using personal information to analyse how customers are using and interacting with our products, services, and marketing communications to help improve or design new offerings. We may also send out market research or surveys to get your views and include any identifiable responses in our analysis.
• To defend our business. This may include using personal information to make or defend legal claims. For example, we may need to keep a recording of a telephone conversation beyond our stated retention period to defend ourselves against a legal claim made against us.
• To generate insights. We may use your personal information to create anonymised or aggregated data to produce research, internal reports, and test our products and services. One data is anonymised, individuals will not be identifiable. Where appropriate, we may share this data with third or publish for reporting, research, or marketing purposes.       

When we ask you to take specific steps before entering a contract

Sometimes we will require a customer to undergo a credit reference check before we can offer certain services, for example, advance credit benefits. This lawful basis is set out in Article 6(1)(b) of the UK GDPR.

In some circumstances we may anonymise the personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

Automated decision-making and profiling

Agilio does not make decisions solely through automated means without human involvement.

To provide current and potential customers, with appropriate information about our products and services, we tailor our marketing activities. We do this by examining personal information, which may include all or some of the following: location, contact details, existing customer relationship, buying habits, business information (including size, date of opening, CQC inspection report), job role, interaction with our software or helpline services (including frequency of sign-on and usage of certain features).

We do not make these decisions solely by automated means without any human involvement and therefore do not undertake profiling which meets the definition under Article 4(4) of the UK GDPR.

Data sharing

Generally, we do not share your information with third parties, save as set out below:

Within the Agilio Software group
We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.

Sharing with your employer
Where we are a Data Processor, and you are using our products and services in connection with a contract that we have with your employer (or other similar organisation) we will share your personal data with that organisation and vice versa.

Agents and Vendors
We may also share personal data with agents or vendors working on behalf of Agilio. This includes third parties Agilio have appointed to protect, develop, or administer our products and services who require access to personal data. This may include for example an external IT developer or an external customer service provider. All companies engaged by Agilio who require access to personal data are required to abide by strict data processing policies and procedures which mirror the standards Agilio follow. We will always have robust agreements in place with third parties to ensure the secure processing of your data.

Agilio may also disclose personal data as part of a merger, sale of the company’s assets or other corporate transaction.

Transferring information outside the UK
Where an organisation we share information with processes personal information outside of the UK we ensure that either processing only occurs in countries that are deemed “adequate” by the UK or where there are standard contractual clauses or binding corporate rules in place.

Agilio’s customers are predominantly based in the UK, however, we do supply products and services with businesses and individuals based outside the UK (both EU and non-EU countries). In this case, transfer of data overseas is carried out to meet our contractual obligations with these customers. Transfers of this kind will only take place if the contract was entered into at the individual’s request or in their interests and was necessary.

Data security

We have put in place commercially reasonable and appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and where we are acting as a Data Controller, we will notify you and any applicable regulator of a suspected breach where we are legally required to do so.  Where there is a suspected data security breach, but we are acting as a Data Processor and not a data controller, the contract between us and your employer (or other similar organisation) will govern what each of us is required to do, in those circumstances. 

Data Retention

Where we are acting as a Data Controller, we will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.  Where we are acting as a Data Processor, we will retain your personal data for the period agreed by your employer (or other similar organisation) in our contract with them.

If we are responsible for assessing what retention period is appropriate for your personal data, we take into consideration:

• the purposes for which we originally collected the personal data
• the lawful grounds on which we based our processing
• the types of personal data we have collected
• the amount and categories of your personal data
• whether the purpose of the processing could reasonably be fulfilled by other means

Change of purpose

Where we are acting as a Data Controller and we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal information where that reason is compatible with the original purpose.

Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.

Right of access, correction, erasure, and restriction

Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Should your personal information change, please notify us, using the contact details below (or, where applicable, notify your employer or the entity that has engaged you) of any changes of which we/they need to be made aware.

Your rights in connection with personal information
Under certain circumstances, by law you have the right to:

• Request access to your personal information. This enables you to receive details of the personal information we hold about you and to check that we are processing it lawfully.
• Request correction of the personal information that we hold about you.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to exercise any of the above rights, please email [email protected] or, (where applicable) please contact your employer (or other similar organisation). Please note that, where we are acting as a Data Processor, we will always notify your employer (or other similar organisation) of your request and we will pass on the details of the request, to them.

You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.  

Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent for direct marketing, please use the opt-out feature provided in the marketing, or email the contact listed such emails.

To withdraw your consent for any other processing, please email [email protected].

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Changes to this notice

From time to time we may change this notice. Any changes we make will be updated on our website, https://agiliosoftware.com/.

Updated 8 July 2022