Privacy & Cookies Policy – Piota App

This is the Privacy Policy (the ‘Policy’) of Schappit Limited (trading as “Piota Apps”) (hereafter ‘Schappit’, ‘we’ or ‘us’).

Schappit provides the Piota App (the “App”) to clients in different industries e.g., healthcare, schools, clubs, charities and others (each a “Client”). The App is customised for each Client and designed to facilitate the provision of information about the Client’s organisation to its service users, staff, membership or other audience. Depending how the Client chooses to set up their App, the App may collect and use certain information about service users, staff members and other users of the App (the “End Users”) which is processed by Schappit on the Client’s behalf.

This Policy describes the ways in which: (i) Schappit and the Client collect and use information about End Users when the App is downloaded and used on phones or devices; (ii) Schappit collects and uses information about you if you contact Schappit or if you make a comment or complaint to Schappit about the App (iii) if you are a Client, the ways in which Schappit collects and uses information when you engage us to provide the App to End Users; or (iv) if you visit our website at www.piota.co.uk (the ‘Website’).

1. General

By downloading and/ or accessing the App you agree to be bound by this Policy in respect of the information collected about you as further described in Section A. If you are a Client and you enter into a separate agreement with us to provide the App to End Users you agree to be bound by this Policy in respect of the information collected about you as further described in Section B. By contacting us to comment or complain you agree to be bound by this Policy as described in Section C. By visiting our Website you agree to be bound by this Policy in accordance with Section E.

Schappit may change this Policy at any time in which case we shall notify you of any changes to this Policy.

SECTION A – Your use of the App

2. What the App Does

The App allows you to receive information and updates selected by the Client. The Client directly controls and manages all information, data and other content on the app. Schappit performs technical maintenance, support and development of the App. For the purposes of data protection legislation, the Client shall be the ‘data controller’ responsible for how your information is used and Schappit shall be the ‘data processor’ acting on behalf of the Client.

If you have any concerns in relation to the information content on the App or the way your information is presented or is used by the App, please contact the Client. Contacts details can be found in the Contacts section of the App. If you have any questions or concerns regarding Schappit’s role and its processing of your data, please contact us as described in paragraph 21 below.

3. Who should use the App

The App is designed for use by End Users affiliated to the Client’s organisation whom the Client has invited to download and use it. Affiliated End Users are, for example but not limited to: patients, their family members and carers, staff members and contractors of a NHS service or department Client; students, their parents, staff members and governors of a school Client; members, staff and volunteers at a sports club or cultural organisation Client; service users, staff and volunteers at a charity Client; or customers and staff at a business Client.

If you are not an affiliated End User you may download and use the Client’s App but you should not rely on any information you see in it and neither the Client nor Schappit will accept any liability or responsibility for any injury, loss or damage caused by your use of the App.

4. Risks of using the App

The risk of misinformation is low for affiliated End Users as defined in paragraph 3 above. All content on the App is uploaded, edited and curated directly by staff members, professionals or other trusted persons appointed to do so by the Client. Therefore affiliated End Users can be confident the content is accurate, authoritative and has been validated and endorsed by the Client’s internal review processes. Unaffiliated End Users may experience higher risk if they rely on information in the App. For example, the treatment regime for a particular medical condition may differ between NHS trusts so a patient should not rely on medical advice information in the App of a NHS trust which is not their local trust.

The risk of your data privacy being abused as a result of using the App is low. No personal data will be sought or collected from you or your device at the time you download the App or subsequently use it to access public information on the App. Your explicit consent is required whenever you are asked to submit personal data. The App does not use cookies, display adverts or track you when you leave the App. We will never share your data without your consent or with any third parties for any purpose beyond what is strictly necessary for operation of the App. Paragraphs 5 and onwards below explain all these points in more detail.

There is a risk the App could be accessed by a child who submits personal data without parental consent. Please report any such instances immediately to our Data Protection Officer at jdickson@piota.co.uk.

5. Information from End Users which is collected by the App

The Client will collect some or all of the following information using the App (depending upon how you as an End User uses it) which is processed and shared with Schappit:

(a) any information which you submit when completing a form or a survey provided by your Client via the App;

(b) the e-mail address or phone number that you submit to Schappit if you sign up to register for the App (where such registration option is provided);

(c ) certain analytical information that Schappit will collect from you as you use the App, for example which sections of the App you visit, the number of occasions you visit the App per month and so forth (“Analytical Information”). Schappit may combine the Analytical Information in certain circumstances with the information provided in 3(a) and (b) above; and

(d) generic make and model details of your phone or device, e.g. iPhone 13 or Samsung Galaxy S21 FE 5G

For the avoidance of doubt:

(e) no personal data is collected at the time of download of the App

(f) unique device identifiers such as device manufacturer serial numbers (e.g. IMEI, MAC, ICCID, MEID, CDN numbers) are never collected by the App; and

(g) no Cookies are used on the app, therefore your activity before and after you visit the App is not tracked by the App

6. Information which is processed by the App

The Client may add its existing records in relation to you (and, if you are a parent or guardian of a child or patient or other dependant at a particular Client, any child or patient or dependant to whom you are the parent or legal guardian) to the App to assist the Client in relation to the tasks outlined in paragraph 2. This information will include any or all of the following information, depending on what the Client chooses to provide to Schappit and the nature of its organisation:

your name, your phone number(s), your email address(es), your gender, your internal ID number;
in the case of e.g. a school App or an App for paediatric patients that you have downloaded as a parent or guardian, your child’s name, gender, internal ID number;
other details about you and your child including but not limited to e.g. age/year group, class, ward number, medical condition details, photos and videos of your child.

If you have any queries or concerns in relation to any such information please contact the Client. Schappit shall process all such information in accordance with this Policy.

7. How the information about End Users on the App is used

The information about you described in paragraphs 5 and 6 will be used by the Client and Schappit as follows:

(a) all of the information listed in paragraphs 5 and 6 above will be used to enable the Client to undertake communication and administration tasks in relation to the management of its organisation, including but not limited to:

(i) dissemination of information about the Organisation’s activities to you and other App users, e.g., updating you in relation to activities, events and news relating to the organisation and providing contacts details for you to use;

(ii) obtaining consents when required for activities such as organisation trips;

(iii) obtaining information from you such as change of contact details;

(iii) providing feedback on the Organisation through surveys;

(iv) if your organisation is a school, children’s club or similar, recording information in relation to pupils, for example absences, commendations, disciplinary occurrences and other attainment and progress measures;

(v) if your organisation is a healthcare service, obtaining symptom reports, wellbeing measures, supporting photos and file uploads from you;

(b) the Analytical Information listed in paragraphs 5(c) and 5(d) will be used to optimise the performance of the App and your experience of the App;

(d) all of the information listed in paragraphs 5 and 6 will be used to provide technical support in relation to your use of the App and troubleshooting;

(e) all of the information listed in paragraphs 5 and 6 will be used to prevent fraud or illegal activities

(f) Schappit may use all of the information listed in paragraphs 5 and 6 in anonymised and aggregated form for its own research and marketing purposes; and

(h) to share with third parties as described in paragraph 13 below.

For the avoidance of doubt, Schappit will never disclose or otherwise share any End User data or information to any third party, except those where it is strictly necessary for the ongoing provision and performance of the App (listed in paragraph 13 below).

Should the purpose of data collection change for any of the items described above we will inform you.

It is not possible for End Users to opt out of selected data processing activities as described above. We have sought to minimise the amount and types of data processed to what is strictly necessary to fulfil our Client’s purposes and our ongoing service requirements, and will continue to do so. If you are unhappy with the manner in which your data is processed by the App you should delete the App from your devices.

SECTION B – The Client

8. Information which is collected from a Client

If you are an employee or other staff member at a Client organisation, Schappit will collect the following information about you from the Client in relation to the organisation’s use of the App:

(a) name and email address of persons at the organisation chosen to be app administrators;

(b) if the Client chooses to engage with Schappit to provide a registration system on its App, details of staff members such as but not limited to contact e-mail address(es), telephone numbers, job role, department, site;

(c ) information that Schappit collects from a Client’s website or via other authorised marketing methods including contact names, addresses, telephone numbers and e-mail addresses.

9. How the information collected from or about Clients is used

The information about Client staff described in paragraphs 8(a) will be used by Schappit to provide login access to the app console. The information about Client staff described in paragraph 8(b) will be used by the Client to take advantage of the registration feature on the App, e.g. to provide security for sensitive or confidential data on the App and to direct notifications and particular content to relevant people. The information collected by Schappit as described in paragraph 8(c) will be used by Schappit to market the App to other Clients (subject to compliance with data protection legislation) based on the Clients that Schappit believes may be interested in having an App developed for it.

10. Ground for processing

Schappit relies on the legitimate interests processing ground to process the information collected under paragraph 8 above. It is in Schappit’s legitimate interests to collect the data under paragraphs 8(a) and 8(b) in order to provide the App to the Client and under paragraph 8(c) to promote the App to Clients. This processing does not outweigh the rights/freedoms of the data subject because it only has a minimal/low level impact on the rights of the data subject. This is because: (a) it is not particularly sensitive data; (b) in relation to the information provided under paragraphs 8(a) and 8(b) the Client wants to use the App offered/ provided by Schappit i.e., the Client voluntarily signs up to Schappit’s App in order to obtain a benefit and Schappit uses the personal data provided to provide such App to the Client; and (c) in relation to the information collected under paragraph 8(c), there is always an opt-out option provided and the information displayed on an Client website is displayed, in part, for marketing purposes.

SECTION C – Contact with Schappit

11. Information Schappit collects and uses if you contact us or make complaints

When Schappit receives complaints by email it files any relevant document and may retain details of the complainant and other individuals identified in the complaint. Schappit will only use this information to process the complaint, improve its ongoing product offerings and to check on Schappit’s services and staff. Schappit shall retain information in relation to a complaint for 6 years after its closure, in a secure environment and access to it will be restricted on a ‘need to know’ basis.

SECTION D – Data Sharing and Security

12. GDPR

The App is compliant with GDPR 2018. The GDPR sets out the following rights applicable to data subjects. Please refer to our Data Protection Policy in the About the App section of the App or on our website for full details of how you can exercise these rights:

The right to be informed;
The right of access;
The right to rectification;
The right to erasure (also known as the ‘right to be forgotten’);
The right to restrict processing;
The right to data portability;
The right to object; and
Rights with respect to automated decision-making.

13. Sharing information with third parties

Your information (as described in paragraphs 5 and 6 and, if you are affiliated with a Client, under paragraph 8) will, subject to Schappit’s obligations to comply with applicable data protection legislation, be shared with the following third parties:

(a) In relation to the data collected by Schappit under paragraph 8:

(i) to Schappit’s marketing company service providers and CRM (customer relationship management) software supplier in order to manage and facilitate its marketing to and engagement with Clients;

(ii) to Schappit’s accounting software package used to facilitate payments from Clients;

(b) In relation to the data collected by the Client and Schappit under paragraphs 5 and 6: having taken precautions to maintain the security of such information, the Client may share this information with:

(i) relevant regulatory bodies, including ICO and OFSTED;

(ii) organisers of activities and events organised by the Client in relation to such activities or events; or

(iii) its staff, governing bodies, applicable local authorities and other official bodies related to the management and functioning of the Client.

(c ) In relation to the data collected by Schappit under paragraph 8 and the Client and Schappit under paragraphs 5 and 6, Schappit may share the information with the following third parties after redacting as much as possible of the data:

(i) the operators of the mobile application stores from which the App is available to download, including Apple’s App Store and Android’s Google Play;

(ii) internal company service providers used to facilitate communication between Schappit’s employees via services such as Gmail and Slack;

(iii) Schappit’s data centre management company and web hosting partner;

(iv) Schappit’s technical support ticketing system;

(v) Schappit’s third party developers;

(vi) data aggregators and service providers as part of an analysis of user metrics or sales performance;

(vii) any third party, in relation to the sale of some or all of Schappit’s business, or its assets, or as part of any business restructuring or reorganisation. Schappit will take steps with the aim of ensuring that your rights continue to be protected;

(viii) law enforcement agencies in compliance with law enforcement.

14. Data Storage and Transfer

Schappit has implemented technology and policies to safeguard your privacy from unauthorised access and improper use. All data collected by the App is stored on servers in a data centre in greater London owned by data centre company NTT Global Data Centers. NTT Global Data Centers and web hosting company Rochen Ltd protect the data in storage.

All data is encrypted in transit using http over SSL (https). In certain instances, where Schappit engages any third party service provider as listed in paragraph 13 above, Schappit will transfer your information outside the EEA. However, Schappit has a contractual agreement in place with each third party and systems and processes in place to ensure that such transfer is deemed adequate under applicable data protection legislation.

15. Data Standards and Management

Schappit will store your information for the period for which the Client is a client of Schappit’s or, in the case of the information listed in paragraph 8(c), for the period of time for which Schappit considers that a marketing follow-up is regarded as being likely. If the Client stops being a client of Schappit’s, Schappit will take all reasonable steps to delete and/or otherwise anonymise all information held about you and the Client within two months of the Client ceasing to engage Schappit, excepting information collected as described in paragraph 11 or information we are required to retain by agencies as described in paragraph 13(c)(xi).

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), our Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

You have the right to complain to your Local Supervisory Authority or to the ICO if you suspect there has been a breach of data confidentiality.

SECTION E – Your use of the Website

16. Visitors to the Website

The Website is essentially a brochure for Schappit’s business and the App. The Website uses cookies as further described in paragraph 19 for the limited purposes set out in paragraph 19 to collect information. Schappit does not otherwise collect information via the Website.

17. Links to third party websites and third party adverts

Neither Schappit nor the Client is responsible for the privacy policies and practices of other sites even if you access them using links from the App, adverts in the App or from adverts on a webpage when you are using the App. Schappit is also not responsible for the Client’s privacy policies and practices. You should check the policy of the Client and each site you visit and contact its owner or operator if you have any concerns or questions.

SECTION F - Cookies and Similar Technologies

18. Piota Device Token (the “PDT”) as used by the App

Schappit does not use cookies when you use the App. Instead we use a proprietary PDT ‘token’ or ‘identifier’ which is much more limited in its scope and cannot be used to track users, suggest adverts, extract personal data or for other malign purposes performed by website cookies.

(a) How the PDT is used:

(i) We place a PDT in the Application Sandbox (an isolated zone designed to hold only certain files) of the device onto which a Piota app has been downloaded;

(ii) The PDT reads and stores only the device’s generic make and model

(iii) This information is used for the following purposes only:

A. Notifications. To send notifications to eligible devices

B. Content. To control access to articles on the App to designated users.

C. Analytics. To record which pages of the app are visited, so anonymised and aggregated analytics data can be compiled

(b) The PDT has no ability to ‘see’ or track End User activity on the device beyond activity on the App. If the End User deletes the App from their device the PDT is permanently destroyed.

19. Cookies used by the Website

Schappit uses cookies and similar technologies in the following ways when you visit our Website:

Google Analytics. Schappit uses Google Analytics cookies to collect information about how visitors use the Website, which Schappit uses to help improve it. These cookies collect information in an anonymous form, including the number of visitors to the Website, where visitors have come to the Website from and the pages they visited. Google Privacy Overview

SECTION G – Contact

20. Schappit Details

If at any time you would like to contact Schappit about your views on this Policy or any enquiry relating to your personal information, you can do so by sending an e-mail to feedback@piota.co.uk or direct to our Data Protection Officer, James Dickson, at jdickson@piota.co.uk or Schappit Limited, Oak Business Centre, 79-93 Radcliffe Road,Sileby, Leicester, LE12 7PU. This is Schappit’s registered address and we are a company incorporated in England and Wales with company number 09084187.

21. Schappit’s Registration with the ICO

To the extent that Schappit acts as a Data Controller for the purposes of the UK General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (amended) (i.e., in relation to the Analytical Information and the information collected under paragraphs 5(c) and paragraph 8) we have notified the Information Commissioner of our role as a ‘data controller’ under the the UK General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (amended) with registration number ZA074234.

22. Organisation Details

In relation to the information collected about you as listed in paragraphs 5 and 6, Schappit will work together with the Client if you wish to: (i) access a copy of the personal data that we hold about you; (ii) correct any items of personal data that we hold about you; and/or (iii) have any items of personal data that we hold about you erased or object to our processing of such items of personal data. You must contact the Client (via the contact details provided on the App) to indicate your wish to exercise any of the foregoing rights. If you are a staff member or otherwise affiliated with a Client and therefore we hold information about you as listed in paragraph 8, you may contact Schappit as indicated in paragraph 20 at any time if you wish to exercise any of the foregoing rights.

March 2022