This is our Privacy Policy (Privacy Statement). It explains how the Koru Kids website (www.korukids.co.uk), and Koru Kids more generally, obtains, uses and keeps your information safe.

We're committed to keeping your personal information safe and confidential both online and offline.

If you would like this statement in an alternative format for accessibility reasons, please submit a request by emailing support@korukids.co.uk or by phoning us on 020 8050 5678 during working hours.

Initial signups

If you sign up as a nanny or a family on our website, you will need to enter personal details into our online form. We may use third parties such as Typeform to collect information from you, after which we transfer the information to our internal systems. We may continue to securely store the information with the third party, but they cannot use the information for any purposes other than secure storage.

If you sign up by phone, we will take notes during the call and transfer them into our systems. The call may be recorded for training and monitoring purposes, or to ensure that the data that we have captured is accurate.

Our primary database is Heroku and you can read more about their security here. Your personal data does not leave the EU except to countries which are either: (a) compliant with EU or equivalent regulations, or (b) with whom we’ve ensured adequate safeguards to meet EU standards. You can read more in our security section.

Nanny recruitment

Nanny applications are processed using a variety of data, both provided by the nanny and observed by us. Nanny data collected throughout the process includes contact details, student status, work availability, right to work details, experience information, references’ information, skills like languages, personal features like age and gender, interview notes, preferences for matches, consents, medical information where provided, DBS/first aid status, and visa information where relevant.

We’ll keep your application on file unless you ask us to delete it. We do this so we can get in touch should a vacancy become available for you, and for future screening purposes.

Aggregation of data

As you progress through your journey to find a nanny, or a job, or a nanny share match, we will aggregate data that you give us at various points. We do this in order to improve the quality of the matches that we make (in terms of nanny and family satisfaction, and duration of the match) and also to improve the efficiency of our match making. Information that we aggregate includes behavioural data like how you move through our website, things you say to us on the phone, things you say or do when attending an in-person event (notably, the nanny training sessions), as well as information that you give us regarding what you are looking for in terms of a match.

We might occasionally send you information about our services which we think would be of interest to you. If you'd prefer us not to use your contact details in this way you can tell us.

Becoming matched

In order to make a match for you, we need to share information about you with potential nannies and families. We share the minimum information necessary for a nanny or a family to make a good decision about whether they would like to proceed to an introduction with you. This minimum information might include the following data you have given us:

For nannies: contact details, student status, work availability, experience information, quotes from references, skills like languages, personal features like age and gender, our impressions, preferences for matches, medical information (if specific consent is given), and DBS/first aid status.

For families: contact details, postcode, days and times required, match preferences (including nanny experience, personality, skills such as languages/driving/cooking), lifestyle information, children’s ages, genders, allergies or other relevant medical information, special or additional needs, schools.

If you are supplying us with an emergency contact’s details, you confirm that you have that person’s permission to provide us with their details. Any emergency contact information will thereafter be treated as an extension of your personal data, and the same retention and deletion policies will apply.

Once you have confirmed that you would like to be introduced to a specific nanny or family, we will then pass on your contact details which may include a full name, email address, phone number, or other means of communication.

Using our service once matched

To use our service as a family or nanny once matched, you need to give us details enabling us to set up payroll with HMRC including things like national insurance number and (for nannies, but only rarely for families) bank account details. By law, we are required to collect and keep certain details including right to work checks and your contract.

We also pass some of your data along to subcontractors who help us process payroll and payments. These subcontractors include, but are not limited to, PAYEforNannies, Payroll Services UK, GoCardless and Telleroo. Our bank account is with Barclays. All of these receive some personal information from you as part of their role in providing subcontracted services. Where appropriate we also share your details with government agencies, specifically HMRC and the Pension Regulator. This is as part of performing our duties on behalf of families.

The information we ask for will depend on the exact nature of the service we are performing for you.

In order to help our matches become as successful as possible, we regularly check in with both families and nannies. This may be via email, text, phone, or another mode of communication. We can become aware of issues in a match, which we can then pass on to the nanny or family involved. We use our judgement in doing this, and our staff receive specific training on how this can be best done in order to achieve maximum success of the match for both families and nannies. Doing this is part of our service.

In order for our nannies to continue to develop in their roles and to make our matches as successful as possible, we have created communities of nannies. These operate via platforms including Facebook, Instagram, Whatsapp, and in person. Some of these platforms can be joined by the Koru Kids nannies if they would like to. For others, for reasons of speed, we proactively add Koru Kids nannies to these groups as part of our service. This has the result of sharing some individually identifiable data (e.g. a phone number in Whatsapp, and a full name in Facebook) with other nannies. We do this in order to support the nannies and perform our ongoing training duties on behalf of the families. If you have been added to a group and would like to be removed, you can remove yourself or ask us to do so.

Nannies are encouraged to share ideas, advice and requests for help in the Koru Kids nanny communities. Nannies should never share families’ identifying information, including full names of parents or children, or images that include the child’s face (whether photos or videos), unless they have explicit and specific approval from the parents to do so. Nannies receive several reminders about this as part of the journey of becoming Koru Kids nannies.

Applying for a job with Koru Kids

If you apply for a job with Koru Kids as part of the internal team (not as a nanny), we will access this information either via the jobs website you applied through, or as an email into our email system. We use Front, an email system which is itself GDPR compliant, along with the Google Suite of analysis tools. As the recruitment proceeds, we might also contact you by phone and by video conference, using services including Skype, Google Hangouts, and Appear In. We do not currently record video. We might ask you to sign up for an interview via a third party calendar system such as Google Calendar or Calendly, and these would therefore also have some of your personal data. We keep internal logs of recruitment data including performance of individuals at various stages of our recruitment processes. We keep this data for research purposes as it is useful in continually improving our recruitment processes. If you would like your individual data deleted after an unsuccessful application you can request this and we will do so.

Our lawful basis for holding your data:

We will only hold and process your personal information where we have a legal basis to do so. The legal basis will depend on the purposes for which we have collected and use your personal information. The legal basis will typically be one or more of the following:

  • Our legitimate business interests: We use some data to analyse and improve our services. This may include information you give us, or we observe, about your family or yourself. After analysis, we put this data ‘beyond use’, in accordance with the ICO’s guidelines (see our deletion policy). In other instances, we will anonymise the data so that it can no longer be attributed to you. We use legitimate interest to process your data only if it does not unduly affect your privacy and other rights.
  • Performance of a contract with you (or in order to take steps prior to entering into a contract with you): For example, if you’ve signed up where you have purchased a product from us and we need to use your contact details and payment information in order to process your order and send the product to you.
  • Compliance with law: When we are subject to a legal obligation to retain your data for a certain period. This includes instances in which we hold data to protect against possible future legal action arising from contractual and other liabilities, for the duration of that liability. Find out more in our retention policy.
  • Consent: For example, where you have provided your consent to receive certain marketing from us. You can withdraw your consent at any time, including by clicking on the “unsubscribe” link at the bottom of any marketing email we send you.

Contacting us by email

When you email us, you are giving us information included in the email and also your email address. Please be aware that email isn't 100% secure.

Emails are stored in two places: Front and the Koru Kids platform. These are both secure and can't be accessed by external parties. We store this information for an indefinite period of time in order to help us serve individual users, and in order to perform research and analysis to improve our systems for everyone. If you would like personally identifying emails to be deleted, you can request this and we will do so.

Cookies

When you visit our website and other digital properties, we may also collect information from you automatically, for example using cookies and other similar technologies. A cookie is a small text file of letters and numbers that we may set on your device to determine, among other things:

  • information about your device, operating system and IP address;
  • your login information;
  • browser type and version;
  • information about your visit, including URL, clickstream (i.e. your journey to, through and from our site), length of visits to certain pages, and page interaction information.

We do not use cookies to track your use of the internet after you leave our sites, nor do we store any personal information in them that could identify you to other people.

How You Can Control Cookies

Internet browsers typically accept cookies by default, but you can usually change this. Please note: changing your cookie settings will generally prevent all websites from using cookies, not just ours. Please also be aware that disabling cookies in your browser may impair the functionality of our site.

Your rights on your personal information

If we hold information about you, you can request to be provided with a copy of this and to have any inaccuracies corrected where necessary. A copy of this can be requested in writing, or in person at our trading address, which is 19-21 Featherstone St, London EC1Y 8SL, or over the telephone on 020 8050 5678.

You can also request that your personal data be deleted, or that we stop using it, where it is no longer necessary.

To find out more about your information rights visit the website of the Information Commissioner at: www.ico.org.uk

Using your personal information for marketing

We will tell you if we intend to use your information for marketing purposes and we'll give you the opportunity to opt out if you want to. If you receive marketing emails and don't want to in future, please use the unsubscribe link within the email and we will remove you from future campaigns.

For marketing activities, we may process your personal information for the following purposes:

  • to monitor your use of our website and other digital properties to improve the user experience and to ensure that content is presented in the most effective manner for you and for your device;
  • to tailor any marketing or advertising so that it is more relevant to you;
  • to conduct marketing analysis to allow us to assess trends and the effectiveness of our advertising and marketing campaigns (including using your personal information to evaluate, analyse or predict certain personal aspects relating to you, such as your preferences, economic situation, interests, and/or location).

We may also match personal information that you provide to us directly with other information about you obtained from or held by third party sources (such as social media platforms). This may include your contact details, demographic data, your social media interactions, preferences, shopping habits, interests, geographic location and age or age range. We may use this personal information to tailor and show advertisements more relevant to you either on our website or on third party websites (including social media platforms).

Data Retention

Koru Kids seeks to process data in a fair and lawful manner. That ethos applies to your data and, wherever applicable, that of your child/children. That means that Koru Kids retains data for only as long as is necessary.

In deciding how long to retain data, we consider factors such as the purpose for which the data is processed, our legal obligations to retain data in certain circumstances, and the need to protect against certain eventualities, such as future legal action.

This means that we may need to keep a record of a relationship with a customer after that relationship has ended, for example, to confirm that the relationship existed, as well as some of its details. This applies both to your data and to that of your child/children.

Rest assured, we do not keep data for longer than is necessary, and you do have a right to have your data erased, should you wish us to do so. If so, then we will apply certain assessments to decide whether it is appropriate to delete it. We will do this by balancing the need to retain your data, the extent of that data, and the request received.

The following are the retention periods we follow according to our legal obligations and/or the relevant period of legal liability:

| Data Subject | Description | Retention Period |
| --- | --- | --- |
| Unsuccessful candidates | You’ve applied to be a nanny but were unsuccessful at passing through our screening checks | Indefinite (or until deletion is requested) |
| Successful candidates (unmatched) | You’ve applied to be a nanny successfully, but have not been introduced to a family. | Within 30 days of you requesting deletion |
| Successful candidates (‘matched’ nannies and employed nannies) | You’ve successfully applied to be a nanny, and we introduced you to one or more families, who you may have gone on to work for | 6 years from end of employment/date of introduction |
| Koru Kids staff | You’re not a nanny, but you work as part of the Koru Kids internal team | 6 years from end of employment |
| Parents (speculative, un-matched) | You’ve signed up to our service but left before we were able to introduce you to a nanny | Within 30 days of you requesting deletion |
| Parents (matched, nanny-employers) | You’ve signed up to our service, and you’ve met a nanny/nannies through us, who may have gone on to work for you | 6 years from termination of contract |

Any data we retain will at all times be held in accordance with our security policy and procedures.

Deleting your data

We follow the Information Commissioner’s Office (ICO) advice which is to delete all data where it is technically feasible. Where it isn’t technically feasible to do this, the ICO require us to put it “beyond reasonable use” which means:

  • we are not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
  • we will not give any other organisation access to the personal data;
  • we will surround the personal data with appropriate technical and organisational security;
  • we will commit to permanent deletion of the information if, or when, this becomes possible.

Any third parties we use to store your data are contractually bound to delete any such data either upon request from us, or upon the termination of our contract with them, unless they are required to retain the data by law.

If you have additional questions, please contact our Data Protection Officer, Marcus Martin, at marcus dot martin at korukids.co.uk.

How we protect your data

We take data security extremely seriously, and seek to protect your personal data through appropriate technical and organisational measures, based on the nature of the data and the processing activity.

We have put in place such measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We undertake appropriate due diligence to vet suppliers and their security protocols to ensure that they, and we, meet the standards expected under European law. We also provide regular data protection training to our staff.

However, we cannot and do not guarantee that such measures will prevent unauthorised access to personal data or other information about you that we collect and store. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of such information at any time.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

International Transfers of Your Data

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

In these instances, we ensure a similar degree of protection is afforded to your data by ensuring at least one of the following safeguards is implemented:

  • We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
  • We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, or have self-certified as meeting Privacy Shield standards, which requires them to provide similar protection to personal data shared between Europe and the US
  • For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not automatically ensure an adequate level of data protection, we will ensure we have an agreement in place with any such supplier to ensure adequate safeguards are implemented, to emulate the standards applicable to European providers

Subcontractors

We use third parties to provide elements of services for us. We have contracts in place with these data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Currently, these suppliers include: Verifile, CharlieHR, Xero, AirTable, MailChimp, Telleroo, MixMax, Payroll Service UK, Whatsapp, Typeform, Front App, HelloSign, Effective Accounting, PAYE for Nannies, Directli, Google Suite (including Drive & Analytics), GoCardless, Yay.com, Zapier, Tettra, Facebook, and Acuity.

This list is subject to change. All suppliers are extensively vetted for security and GDPR-compliance.

Legal statement about this Privacy Statement

This Privacy Policy is not designed to form a legally binding contract between Koru Kids and our users. Instead it's a guide to our online protection standards – although, of course, we do consider it of utmost importance to abide by the principles stated here.

Contacting us about our Privacy Statement

If you think this Privacy Statement hasn't answered all your questions, or you want to know more, please contact us and we will be more than willing to help you.

Links to other websites

Certain hypertext links in this website may lead you to websites which are not under the control of Koru Kids. When you activate these, you may leave the Koru Kids website. These links are provided solely for your convenience and do not represent any endorsement or recommendation by Koru Kids.

Koru Kids accepts no responsibility or liability for the contents of any website to which a hypertext link exists and gives no representation or warranty as to the information on such websites. Koru Kids accepts no responsibility or liability for any loss arising from any contract entered into with any website to which a hypertext link exists.

No liability for unavailability

Koru Kids accepts no liability for any loss that may arise if the goods or services advertised within this website become unavailable.

Customer responsibility

It is your responsibility to ensure that your computer is virus protected. Koru Kids accepts no responsibility for any loss you may suffer as a result of accessing and downloading information from this site.

Policy last reviewed: July 2018

Version 3_0