Privacy Policy

Last updated: 12 February 2026

Your privacy is critically important to us. This Privacy Policy explains how Statixs collects, uses, shares, and protects personal information in compliance with UK GDPR and the Data Protection Act 2018.

1. Introduction

1.1 Who We Are

Statixs ("we", "us", "our") provides HR management software specifically designed for healthcare employers in the United Kingdom. We are committed to protecting your privacy and handling your personal data with care and in compliance with applicable data protection laws.

1.2 Data Controller and Processor Roles

Statixs acts as:

  • Data Controller for personal information collected directly from website visitors and during account registration
  • Data Processor for customer data (including employee, applicant, and reference information) that our customers upload and process through our platform

1.3 Contact Information

Statixs
Data Protection Officer: [email protected]
Privacy Enquiries: [email protected]
General Contact: [email protected]
Website: www.statixs.com

1.4 Legal Framework

This Privacy Policy is designed to comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018 (DPA 2018)
  • Privacy and Electronic Communications Regulations (PECR)
  • Healthcare-specific data protection requirements where applicable

2. Personal Data We Collect

2.1 Information You Provide Directly

Account Registration Information

  • Full name
  • Email address
  • Job title and role
  • Organisation name and details
  • Phone number (optional)
  • Password (stored only as a cryptographic hash, never in plain or reversible form)

Customer Data (When You Use Our Service)

  • Employee personal details (name, address, contact information, date of birth, NI number)
  • Right to work documentation and evidence
  • DBS check information and disclosure certificates
  • Professional qualifications and certifications
  • Training records and course completion data
  • Employment history and references
  • Health information (where relevant for occupational health requirements)
  • Applicant information and recruitment data
  • Scheduling and rota information
  • Documents uploaded to the platform
  • Notes and comments entered by users

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, click patterns
  • Device Information: IP address, browser type, device type, operating system
  • Log Data: Access times, error logs, performance data
  • Cookies and Similar Technologies: See Section 10 for detailed information

2.3 Information from Third Parties

  • DBS Service: Disclosure certificate information when you use our DBS checking service
  • Payment Processors: Transaction confirmation and billing information
  • References: Information provided by referees when conducting reference checks

2.4 Special Category Personal Data

In the course of providing our service, we may process special category data including:

  • Health information (for occupational health and fitness to work assessments)
  • Criminal conviction data (through DBS checks)
  • Racial or ethnic origin (for equality monitoring, where consented)

We process special category data only where we have an appropriate legal basis and safeguards in place, as detailed in Section 3.

3. Legal Basis for Processing

3.1 Contract Performance

We process your personal data to perform our contract with you, including:

  • Providing access to the Statixs platform
  • Processing payments and managing subscriptions
  • Delivering customer support
  • Managing your account

3.2 Legal Obligations

We process personal data to comply with legal obligations, such as:

  • Tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

3.3 Legitimate Interests

We process personal data based on our legitimate interests in:

  • Improving and developing our services
  • Ensuring security and preventing fraud
  • Marketing our services to potential customers
  • Analysing usage to enhance user experience

We carefully balance these interests against your rights and do not process data in ways you would not reasonably expect.

3.4 Consent

Where consent is the appropriate legal basis, we obtain your consent (explicit consent in the case of special category data) before processing, including for:

  • Marketing communications (you can withdraw consent at any time)
  • Non-essential cookies
  • Special category data where no other legal basis applies

3.5 Special Category Data - Additional Legal Bases

For special category personal data, we rely on additional legal bases under Article 9 UK GDPR and Schedule 1 DPA 2018:

  • Employment and Social Security: Processing necessary for employment law obligations and social security purposes
  • Health or Social Care: Processing necessary for occupational medicine, assessing an employee's working capacity, or the provision of health or social care
  • Explicit Consent: Where data subjects provide explicit, informed consent
  • Substantial Public Interest: Processing necessary for safeguarding vulnerable individuals

4. How We Use Your Personal Data

4.1 Core Service Delivery

  • Providing access to the Statixs platform and its features
  • Processing and storing customer data as instructed
  • Coordinating DBS checks through the Disclosure and Barring Service
  • Facilitating reference checks and communication with referees
  • Generating CQC compliance reports and documentation
  • Managing staff schedules and rotas
  • Tracking training certifications and expiry dates

4.2 Account and Relationship Management

  • Creating and managing your user account
  • Authenticating users and maintaining security
  • Providing customer support and responding to enquiries
  • Sending service notifications and important updates
  • Processing payments and managing billing

4.3 Service Improvement and Development

  • Analysing usage patterns to improve functionality
  • Conducting research and development
  • Testing new features and enhancements
  • Gathering feedback to enhance user experience

4.4 Security and Fraud Prevention

  • Detecting and preventing security threats
  • Investigating suspicious activity
  • Maintaining system integrity and availability
  • Enforcing our Terms of Service

4.5 Legal and Compliance

  • Complying with legal obligations and court orders
  • Establishing, exercising, or defending legal claims
  • Cooperating with regulatory authorities

4.6 Marketing and Communications (With Consent)

  • Sending newsletters and product updates
  • Informing you about new features and services
  • Conducting customer satisfaction surveys
  • Inviting you to webinars and events

You can opt out of marketing communications at any time using the unsubscribe link in emails or by contacting us.

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

5.2 Service Providers and Processors

We share personal data with trusted third-party service providers who help us deliver our service:

Category             Purpose                               Safeguards
Cloud Hosting        Infrastructure and data storage       DPA, encryption, UK/EU data centres
Payment Processing   Subscription billing and payments     PCI DSS compliant, DPA
Email Services       Transactional and marketing emails    DPA, encryption in transit
Analytics            Usage analysis and improvement        Anonymisation, DPA
Customer Support     Help desk and ticketing               Access controls, DPA

All service providers are bound by data processing agreements and are required to:

  • Process data only as instructed
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist with data subject rights requests
  • Delete or return data upon termination

5.3 DBS Service

When you use our DBS checking service, we share necessary information with the Disclosure and Barring Service to process applications. This is done in accordance with DBS requirements and data protection law.

5.4 Referees and Third Parties

When conducting reference checks through our platform, we share relevant applicant information with nominated referees. Referees are informed of their data protection obligations.

5.5 Legal Requirements

We may disclose personal data when required to:

  • Comply with court orders or legal processes
  • Respond to lawful requests from public authorities
  • Enforce our Terms of Service
  • Protect our rights, property, or safety, or that of others
  • Prevent fraud or illegal activity

5.6 Business Transfers

If Statixs is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice and ensure the new entity honours this Privacy Policy.

5.7 With Your Consent

We may share your data with third parties where you have given explicit consent to do so.

6. International Data Transfers

6.1 UK and EEA Data Storage

We primarily store and process personal data within the United Kingdom and European Economic Area (EEA).

6.2 Transfers Outside the UK/EEA

Where we use service providers located outside the UK/EEA, we ensure appropriate safeguards are in place:

  • Adequacy Regulations: Transfers to countries covered by UK adequacy regulations
  • Standard Contractual Clauses: The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • Binding Corporate Rules: For organisations with approved BCRs
  • Additional Safeguards: Technical measures such as encryption and access controls

6.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments to ensure that transferred data receives protection essentially equivalent to UK standards, even when transferred to third countries.

7. Data Security

7.1 Security Measures

We implement comprehensive technical and organisational measures to protect personal data:

Technical Security

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Regular security audits and penetration testing
  • Intrusion detection systems
  • Automated vulnerability scanning

Organisational Security

  • Role-based access controls
  • Staff security training
  • Confidentiality agreements
  • Background checks for employees
  • Incident response procedures
  • Regular policy reviews

7.2 Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where we act as controller and the breach is likely to result in a risk to individuals' rights and freedoms
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • Where we act as processor, notify the affected customer organisation (the controller) without undue delay after becoming aware of the breach, so that it can meet its own notification obligations
  • Document all breaches, their effects, and our response measures

7.3 Your Security Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your login credentials
  • Using strong, unique passwords
  • Enabling multi-factor authentication where available
  • Logging out of shared devices
  • Promptly reporting any suspected unauthorised access

8. Data Retention

8.1 Retention Principles

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and resolve disputes.

8.2 Retention Periods

Data Type             Retention Period                      Reason
Account Information   Duration of account + 6 years         Contract, tax, legal requirements
Customer Data         As instructed by customer             Data processor obligations
Billing Records       6 years after last transaction        Tax and accounting requirements
Marketing Consent     Until consent withdrawn + 6 months    Evidence of consent
Support Tickets       3 years after closure                 Service improvement, legal claims
System Logs           90 days                               Security, troubleshooting

8.3 Secure Deletion

When personal data is no longer required, we securely delete or anonymise it using industry-standard methods so that it cannot reasonably be recovered.

8.4 Customer Data Deletion

Upon termination of your subscription, we provide 30 days for you to export your customer data. After this period, we securely delete all customer data unless legally required to retain it.

9. Your Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

9.1 Right of Access

Access Your Data

You have the right to request a copy of the personal data we hold about you. We provide this free of charge in most cases and respond within one month.

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data where:

  • It is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

This right is not absolute and may be limited by legal retention requirements or other lawful grounds.

9.4 Right to Restriction of Processing

You can request that we limit how we use your data while we:

  • Verify the accuracy of disputed data
  • Assess whether our legitimate interests override your objection to processing

You may also request restriction where processing is unlawful but you prefer restriction to deletion, or where you need the data to establish, exercise, or defend legal claims.

9.5 Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible. This applies to data you provided under consent or contract, and that we process by automated means.

9.6 Right to Object

You can object to processing of your personal data where:

  • We process data based on legitimate interests
  • Processing is for direct marketing purposes (we will stop immediately)
  • Processing is for research or statistical purposes (unless in the public interest)

9.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. We do not currently use automated decision-making in this way.

9.8 Right to Withdraw Consent

Where we process data based on consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

9.9 How to Exercise Your Rights

To exercise any of these rights, use the data subject request form on our website or email [email protected] with "Data Subject Request" in the subject line (see Section 15.2).

We will respond within one month, extendable by a further two months where requests are complex or numerous. We may request proof of identity to protect your data from unauthorised access.

9.10 Right to Complain

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first so we can try to resolve your concerns directly.

10. Cookies and Tracking Technologies

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide and improve our service.

10.2 Types of Cookies We Use

Essential Cookies (Always On)

These cookies are necessary for the website to function and cannot be disabled:

  • Authentication: Keep you logged in securely
  • Security: Protect against cross-site request forgery
  • Load Balancing: Distribute traffic across servers

Functional Cookies (Optional)

These cookies enhance functionality and personalisation:

  • Preferences: Remember your settings and choices
  • Language: Display content in your preferred language

Analytics Cookies (Optional)

These help us understand how visitors use our website:

  • Usage Analytics: Pages visited, time spent, user flows
  • Performance Monitoring: Loading times, errors
  • A/B Testing: Compare different versions of features

We use analytics data in aggregated and anonymised form.

Marketing Cookies (Optional, Consent Required)

These cookies are used for targeted advertising:

  • Remarketing: Show relevant ads on other websites
  • Conversion Tracking: Measure advertising effectiveness
  • Social Media: Enable sharing and social features

10.3 Managing Cookies

You can control cookies through:

  • Cookie Consent Manager: Use our cookie banner to manage preferences
  • Browser Settings: Configure your browser to block or delete cookies
  • Opt-Out Links: Use industry opt-out tools like Your Online Choices (www.youronlinechoices.com)

Note: Blocking essential cookies may prevent proper functioning of our website.

10.4 Third-Party Cookies

We use trusted third parties that may set cookies for:

  • Google Analytics (analytics)
  • Payment processors (secure transactions)
  • Customer support chat (help functionality)

These third parties have their own privacy policies governing their use of cookies.

11. Children's Privacy

Our service is not directed to individuals under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately so we can delete it.

12. Changes to This Privacy Policy

12.1 Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Sending email notification to your registered email address
  • Displaying a prominent notice on our website
  • Requiring acknowledgment of changes upon next login for significant changes

12.2 Review and Acceptance

We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

12.3 Previous Versions

You can request previous versions of this Privacy Policy by contacting [email protected].

13. Healthcare-Specific Considerations

13.1 NHS and CQC Context

When our service is used by NHS trusts, care homes, and other CQC-regulated providers, we recognise the additional sensitivity and requirements around healthcare data.

13.2 Health Information Processing

Where we process health information (such as occupational health records or fitness-to-work assessments), we:

  • Apply additional security measures beyond standard personal data
  • Limit access to authorised personnel only
  • Maintain comprehensive audit logs
  • Ensure compliance with Schedule 1 conditions of DPA 2018
  • Implement appropriate policy documents as required

13.3 Criminal Conviction Data

DBS check information (criminal conviction data) is processed under:

  • Article 10 of UK GDPR (processing of criminal conviction data)
  • Schedule 1, Part 1, paragraph 1 of DPA 2018 (employment, social security and social protection purposes)
  • DBS Code of Practice requirements

We maintain strict access controls and retention limits for disclosure information in accordance with DBS requirements.

14. International Users

While Statixs primarily serves UK-based healthcare organisations, if you access our service from outside the UK:

  • Your data may be transferred to and processed in the UK
  • You consent to such transfer and processing
  • UK data protection laws will apply
  • You acknowledge that UK laws may differ from those in your jurisdiction

15. Contact Us

15.1 Data Protection Enquiries

For any questions about this Privacy Policy or our data practices:

Get in Touch

Data Protection Officer: [email protected]

Privacy Enquiries: [email protected]

General Support: [email protected]

Website: www.statixs.com

15.2 Data Subject Requests

To exercise your data protection rights, please use our dedicated data subject request form on our website or email [email protected] with "Data Subject Request" in the subject line.

15.3 Security Concerns

If you have security concerns or suspect a data breach, immediately contact [email protected].

Your Privacy Matters

We are committed to protecting your privacy and handling your personal data with the utmost care. This Privacy Policy reflects our dedication to transparency and compliance with UK data protection law. If you have any questions or concerns, please don't hesitate to contact us.