We're committed to keeping your personal information safe and confidential both online and offline.
If you would like this statement in an alternative format for accessibility reasons, please submit a request to email@example.com or by phoning us on 020 8050 5678 during working hours.
1. Initial signups, contract set ups, and forms
If you sign up as a family or nanny on our website or app, you will need to enter personal details into our online forms. This information is collected and processed securely via our internal systems. The same applies to information you provide us to set up a contract between you and the nanny/parent you are hiring/due to work for.
We may collect further (less-sensitive) information from you at other stages, to provide the best possible service for you. This non-sensitive information may be collected using third parties such as Typeform. Once the data is collected, it is transferred to our internal systems within 24 hours, and erased from the third party's servers. Occasionally, we may continue to securely store collected information with a third party for backup and analysis purposes. The third party cannot see or use the information for any purposes other than secure storage.
If you sign up by phone, we will take notes during the call and transfer them into our systems. The call may be recorded for training and monitoring purposes, or to ensure that the data that we have captured is accurate.
Our primary database is Heroku and you can read more about their security here. Your personal data does not leave the EU except to countries which are either: (a) compliant with EU or equivalent regulations, or (b) with whom we’ve ensured adequate safeguards to meet EU standards. You can read more in our security section below.
2. Nanny recruitment
Nanny applications are processed using a variety of data both provided by the nanny, and which we observe. Nanny data collected throughout the process includes contact details, student status, work availability, right to work details, experience information, references’ information, skills like languages, personal features like age and gender, interview notes, training assessment data, preferences for matches, consents, medical information where provided, DBS/first aid status, and visa information where relevant.
We’ll keep your application on file unless you ask us to delete it. We do this so we can get in touch should a vacancy become available for you, and for future screening purposes.
Before we process your DBS check, we may request to see copies of some required documentation from you as part of an initial check. This might include proof of ID and proof of address. We ask you to upload these through a secure platform, then we store these documents securely while we process them. We usually process these documents within three days, and aim to permanently delete them within 30 days of receipt.
3. Aggregation of data
As you progress through your journey to find a nanny, or a job, or a nanny share match, we will aggregate data that you give us at various points. We do this in order to improve the quality of the matches that we make (in terms of nanny and family satisfaction, and duration of the match) and also to improve the efficiency of our match making. Information that we aggregate includes behavioural data like how you move through our website/app, things you say to us on the phone, things you say or do when attending an in-person event (notably, the nanny training sessions), as well as information that you give us regarding what you are looking for in terms of a match.
We might occasionally send you information about our services which we think would be of interest to you. If you'd prefer us not to use your contact details in this way you can tell us, or simply click the 'unsubscribe' link in the email.
4. Becoming matched – and the sharing of data
In order to make a match for you, we need to share information about you with potential nannies and families. We share the minimum information necessary for a nanny or a family to make a good decision about whether they would like to proceed to an introduction with you. This minimum information might include the following data you have given us:
For nannies: contact details, student status, work availability, experience information, quotes from references, skills like languages, personal features like age and gender, our impressions, preferences for matches, medical information (if specific consent is given), and DBS/first aid status.
For families: contact details, postcode, days and times required, match preferences (including nanny experience, personality, skills such as languages/driving/cooking), lifestyle information, children’s ages, genders, allergies or other relevant medical information, special or additional needs, schools. We ask for your child's full date of birth to ensure our records are always accurate, as this allows us to provide a tailored service to your family, and ensure the best possible matches between you and any nannies you hire with us.
If you are supplying us with an emergency contact’s details, you confirm that you have that person’s permission to provide us with their details. Any emergency contact information will thereafter be treated as an extension of your personal data, and the same retention and deletion policies will apply.
Once you have confirmed that you would like to be introduced to a specific nanny or family, we will then pass on your contact details which may include a full name, email address, phone number, or other means of communication.
As mentioned above, in order to facilitate a good match for you, we will share some of the personal information you give us with other users of our service. This sharing goes both ways – meaning you will likely receive such information on other users.
4.1 By signing up for our service you acknowledge that:
(1) you are agreeing for us to share your data with other users, for the purpose of facilitating and supporting matches between families and nannies;
(2) you may receive confidential personal data relating to a family or nanny we're matching you with;
and that regarding such data you agree that:
(a) you will treat any personal data you receive from Koru Kids, including that pertaining to other families or nannies we match you with, with absolute confidentiality;
(b) you will take adequate measures to protect the privacy and confidentiality of any such individuals and their personal data at all times;
(c) you will only use the data to facilitate a family-nanny childcare placement between you and the relevant family/nanny, as supported by Koru Kids Ltd;
(d) you will delete such data following the completion of its purpose, for example if a match becomes closed, or an interview is unsuccessful, or if your nannying contract is terminated;
(e) you acknowledge that you are responsible for any damages that may arise from your failure to uphold any part of sections (a) to (d).
4.2 Feedback, appraisal, and reference data
You further acknowledge that:
(a) such information you provide to us relating to an individual may, in some cases, be shared with that individual upon their request. For example, if you're a parent and you provide Koru Kids with feedback on your nanny's performance, we will generally keep this confidential by default. However, we may be required by law to share this information with the nanny down the line should they choose to exercise their data subject access rights. The same would also apply in reverse.
(b) we recognise that the party which provided the feedback/appraisal/reference information has their own right to privacy. Where possible, we will seek to balance both parties' rights by anonymising such data prior to sharing it. Alternatively, we may redact or omit such information from subject access requests, pursuant to the 2018 Data Protection Act, Schedule 2, Part 4.
5. Using our service once matched
To use our service as a family or nanny once matched, you need to give us details enabling us to set up payroll with HMRC including things like national insurance number and (for nannies, but only rarely for families) bank account details. By law, we are required to collect and keep certain details including right to work checks and your contract.
We also pass some of your data along to subcontractors who help us process payroll and payments. These subcontractors include, but are not limited to, PAYEforNannies, Payroll Services UK, GoCardless and Telleroo. Our bank account is with Barclays. All of these receive some personal information from you as part of their role in providing subcontracted services. Where appropriate we also share your details with government agencies, specifically HMRC and the Pension Regulator. This is as part of performing our duties on behalf of families.
The information we ask for will depend on the exact nature of the service we are performing for you.
In order to help our matches become as successful as possible, we regularly check in with both families and nannies. This may be via email, text, phone, or another mode of communication. We can become aware of issues in a match, which we can then pass on to the nanny or family involved. We use our judgement in doing this, and our staff receive specific training on how this can be best done in order to achieve maximum success of the match for both families and nannies. Doing this is part of our service.
In order for our nannies to continue to develop in their roles and to make our matches as successful as possible, we have created communities of nannies. These operate via platforms including Facebook, Instagram, Whatsapp, and in person. Some of these platforms can be joined by the Koru Kids nannies if they would like to. For others, for reasons of speed, we proactively add Koru Kids nannies to these groups as part of our service. This has the result of sharing some individually identifiable data (e.g. a phone number in Whatsapp, and a full name in Facebook) with other nannies. We do this in order to support the nannies and perform our ongoing training duties on behalf of the families. If you have been added to a group and would like to be removed, you can remove yourself or ask us to do so.
Nannies are encouraged to share ideas, advice and requests for help in the Koru Kids nanny communities. Nannies should never share families’ identifying information, including full names of parents or children, or images that include the child’s face (whether photos of videos), unless they have explicit and specific approval from the parents to do so. Nannies receive several reminders about this as part of the journey of becoming Koru Kids nannies.
6. Applying for a job with Koru Kids
If you apply for a job with Koru Kids as part of the internal team (not as a nanny), we will access this information either via the jobs website you applied through, or as an email into our email system. We use Front, an email system which is itself GDPR compliant, along with the Google Suite of analysis tools.
As the recruitment proceeds, we might also contact you by phone and by video conference, using services including Skype, Google Hangouts, and Appear In. We do not currently record video. We might ask you to sign up for an interview via a third party calendar system such as Google Calendar or Calendly, and these would therefore also have some of your personal data.
Staff applications are processed using a variety of data both provided by the applicant, and which we observe. Applicant data collected throughout the process includes contact details, work availability, right to work details, experience information, referees’ information, the applicant's CV and cover letter (where submitted), skills like languages, and interview notes. It may also include personal features like age and gender, and visa information where relevant.
We keep internal logs of recruitment data including performance of individuals at various stages of our recruitment processes. We keep this data for research purposes as it is useful in continually improving our recruitment processes. We also do this so we can get in touch should a vacancy become available for you, and for future screening purposes.
We’ll keep your application on file unless you ask us to delete it. If you would like your individual data deleted after an unsuccessful application you can request this and we will do so (provided we are not required to retain it by law).
7. Our lawful basis for holding your data:
We will only hold and process your personal information where we have a legal basis to do so. The legal basis will depend on the purposes for which we have collected and use your personal information. The legal basis will typically be one or more of the following:
- Our legitimate business interests: We use some data to analyse and improve our services. This may include information you give us, or we observe, about your family or yourself. After analysis, we put this data ‘beyond use’, in accordance with the ICO’s guidelines (see our deletion policy). In other instances, we will anonymise the data so that it can no longer be attributed to you. We use legitimate interest to process your data only if it does not unduly affect your privacy and other rights.
- Performance of a contract with you (or in order to take steps prior to entering into a contract with you): For example, if you’ve signed up where you have purchased a product from us and we need to use your contact details and payment information in order to process your order and send the product to you.
- Compliance with law: When we are subject to a legal obligation to retain your data for a certain period. This includes instances in which we hold data to protect against possible future legal action arising from contractual and other liabilities, for the duration of that liability. Find out more in our retention policy below.
- Consent: For example, where you have provided your consent to receive certain marketing from us. You can withdraw your consent at any time, including by clicking on the “unsubscribe” link at the bottom of any marketing email we send you.
Collecting references is an essential function of our recruitment and safeguarding processes. As a result, we do not rely on referees’ consent when collecting their names and contact email/phone numbers from candidates. Our legal basis for processing referees’ data is legitimate interest.
Referees’ details are used solely for the purpose of collecting a confidential reference. Referees do not receive any other communications from us.
Referees are entitled to decline to give a reference, and request that they be deleted from our systems.
Candidates are encouraged to notify referees in advance that they will be contacted by Koru Kids. This helps referees know our email/phone call is genuine.
8. Contacting us by email
When you email us, you are giving us information included in the email and also your email address. Please be aware that email isn't 100% secure.
Emails are stored in two places: Front and the Koru Kids platform. These are both secure and can't be accessed by external parties. We store this information for an indefinite period of time in order to help us serve individual users, and in order to perform research and analysis to improve our systems for everyone. If you would like personally identifying emails to be deleted, you can request this and we will do so.
When you visit our website and other digital properties, we may also collect information from you automatically, for example using cookies and other similar technologies. A cookie is a small text file of letters and numbers that we may set on your device to determine, among other things:
- information about your device, operating system and IP address;
- your login information;
- browser type and version;
- information about your visit, including URL, clickstream (i.e. your journey to, through and from our site), length of visits to certain pages, and page interaction information.
10. How You Can Control Cookies
Internet browsers typically accept cookies by default, but you can usually change this. Please note: changing your cookie settings will generally prevent all websites from using cookies, not just ours. Please also be aware that disabling cookies in your browser may impair the functionality of our site.
11. Your rights on your personal information
If we hold information about you, you can request to be provided with a copy of this and to have any inaccuracies corrected where necessary. A copy of this can be requested in writing, or in person at our trading address, which is 145 City Rd, London, EC1V 1LP, or over the telephone on 020 8050 5678.
You can also request that your personal data be deleted, or that we stop using it, where it is no longer necessary.
To find out more about your information rights visit the website of the Information Commissioner at: www.ico.org.uk
12. Using your personal information for marketing
We will tell you if we intend to use your information for marketing purposes and we'll give you the opportunity to opt out if you want to. If you receive marketing emails and don't want to in future, please use the unsubscribe link within the email and we will remove you from future campaigns.
For marketing activities, we may process your personal information for the following purposes:
- to monitor your use of our website and other digital properties to improve the user experience and to ensure that content is presented in the most effective manner for you and for your device;
- to tailor any marketing or advertising so that it is more relevant to you;
- to conduct marketing analysis to allow us to assess trends and the effectiveness of our advertising and marketing campaigns (including using your personal information to evaluate, analyse or predict certain personal aspects relating to you, such as your preferences, economic situation, interests, and/or location);
We may also match personal information that you provide to us directly with other information about you obtained from or held by third party sources (such as social media platforms). This may include your contact details, demographic data, your social media interactions, preferences, shopping habits, interests, geographic location and age or age range. We may use this personal information to tailor and show advertisements more relevant to you either on our website/app or on third party websites (including social media platforms).
13. Data Retention
Koru Kids seeks to process data in a fair and lawful manner. That ethos applies to your data and, wherever applicable, that of your child/children. That means that Koru Kids retains data for only as long as is necessary.
In deciding on how long to retain data we consider factors such as the purpose for which the data is processed, our legal obligations to retain data in certain circumstances, and to protect against certain eventualities, such as for example, future legal action.
This means that we may need to keep a record of a relationship with a customer after that relationship has ended, for example, to confirm that the relationship existed, as well as some of its details. That is the case with you and that of your child/children.
Rest assured, we do not keep data for longer than is necessary, and you do have a right to have your data erased, should you wish us to do so. If so, then we will apply certain assessments to decide whether it is appropriate to delete it. We will do this by balancing the need to retain your data, the extent of that data, and the request received.
The following are the retention periods we follow according to our legal obligations and/or the relevant period of legal liability:
|Data Subject||Description||Retention Period|
|Unsuccessful nanny candidates||You’ve applied to be a nanny but were unsuccessful at passing through our screening checks||Within 30 days of you requesting deletion|
|Successful nanny candidates (unmatched)||You’ve applied to be a nanny successfully, but have not been introduced to a family.||Within 30 days of you requesting deletion|
|Successful candidates (‘matched’ nannies and employed nannies)||You’ve successfully applied to be a nanny, and we introduced you to one or more families, who you may have gone on to work for||6 years from end of your employment/date of your last introduction to a family|
|Koru Kids staff applicants (unsuccessful)||You've applied to work as part of the Koru Kids internal team but have not been successful||Within 30 days of you requesting deletion|
|Koru Kids staff applicants (successful) and existing staff||You’re not a nanny, but you work as part of the Koru Kids internal team||6 years from the end of your employment|
|Parents (speculative, un-matched)||You’ve signed up to our service but left before we were able to introduce you to a nanny||Within 30 days of you requesting deletion|
|Parents (matched, nanny-employers)||You’ve signed up to our service, and you’ve met a nanny/nannies through us, who may have gone on to work for you||6 years from the termination of your contract|
Any data we retain will at all times be held in accordance with our security policy and procedures.
14. Deleting your data
We follow the Information Commissioner’s Office (ICO) advice which is to delete all data where it is technically feasible. Where it isn’t technically feasible to do this, the ICO require us to put it “beyond reasonable use” which means:
- we are not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- we will not give any other organisation access to the personal data;
- we will surround the personal data with appropriate technical and organisational security;
- we will commit to permanent deletion of the information if, or when, this becomes possible.
Any third parties we use to store your data are contractually bound to delete any such data either upon request from us, or upon the termination of our contract with them, unless they are required to retain the data by law.
If you have additional questions, please contact our Data Protection Officer, Marcus Martin, at marcus dot martin at korukids.co.uk.
15. Security: How we protect your data
We take data security extremely seriously, and seek to protect your personal data through appropriate technical and organisational measures, based on the nature of the data and the processing activity.
We have put in place such measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We undertake appropriate due diligence to vet suppliers and their security protocols to ensure that they, and we, meet the standards expected under European law. We also provide regular data protection training our staff.
However, we cannot and do not guarantee that such measures will prevent unauthorised access to personal data or other information about you that we collect and store. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of such information at any time.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
16. International Transfers of Your Data
Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
In these instances, we ensure a similar degree of protection is afforded to your data by ensuring at least one of the following safeguards is implemented:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
- We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, or have self-certified as meeting Privacy Shield standards, which requires them to provide similar protection to personal data shared between the Europe and the US
- For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not automatically ensure an adequate level of data protection, we will ensure we have an agreement in place with any such supplier to ensure adequate safeguards are implemented, to emulate the standards applicable to European providers
We use third parties to provide elements of services for us. We have contracts in place with these data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Currently, these suppliers include: Verifile, CharlieHR, Xero, AirTable, MailChimp, Telleroo, MixMax, Payroll Service UK, Whatsapp, Typeform, Front App, HelloSign, Effective Accounting, PAYE for Nannies, Directli, Google Suite (including Drive & Analytics), GoCardless, Yay.com, Zapier, Tettra, Facebook, Viral Loops, and Acuity.
This list is subject to change. All suppliers are extensively vetted for security and GDPR-compliance.
18. Legal statement about this Privacy Statement
19. Contacting us about our Privacy Statement
If you think this Privacy Statement hasn't answered all your questions, or you want to know more, please contact us and we who will be more than willing to help you.
20. Links to other websites
Certain hypertext links in this website may lead you to websites which are not under the control of Koru Kids. When you activate these, you may leave the Koru Kids website. These links are provided solely for your convenience and do not represent any endorsement or recommendation by Koru Kids.
Koru Kids accepts no responsibility or liability for the contents of any website to which a hypertext link exists and gives no representation or warranty as to the information on such websites. Koru Kids accepts no responsibility or liability for any loss arising from any contract entered into with any website to which a hypertext link exists.
21. No liability for unavailability
Koru Kids accepts no liability for any loss that may arise if the goods or services advertised within this website or app become unavailable.
22. Customer responsibility
It is your responsibility to ensure that your computer is virus protected. Koru Kids accepts no responsibility for any loss you may suffer as a result of accessing and downloading information from this site.
Policy last reviewed: 17 September 2019