Privacy Policy

Company: Gigsavvy Ltd
Address: 80 Drummond Terrace, North Shields, Tyne & Wear, NE30 2AG
Registration Number: 15779819
Data Protection Contact: info@gigsavvy.co.uk
Phone: 07470695351

Last Updated: 3/8/25
Version: GS/PP/001/V2

1. INTRODUCTION

This Privacy Policy explains how Gigsavvy Ltd (“we”, “us”, “our”, “Company”) collects, uses, stores, and protects your personal information when you use our training services, health and safety management system, personnel directory platform, and website.

We are committed to protecting your privacy and ensuring your personal data is handled in accordance with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy should be read alongside our Terms and Conditions, which govern the provision of our services.

1.1 Data Controller

Gigsavvy Ltd is the data controller for all personal data processed through our services. This means we determine the purposes and means of processing your personal data.

1.2 Contact Information

For any questions about this Privacy Policy or how we handle your personal data, please contact us at:

• Email: info@gigsavvy.co.uk
• Phone: 07470695351
• Address: 80 Drummond Terrace, North Shields, Tyne & Wear, NE30 2AG

2. INFORMATION WE COLLECT

2.1 Training Services Data

What we collect:

• Name, address, email, phone number
• Job title, employer details, employee ID
• Training course registrations and preferences
• Assessment results and certification records
• Attendance records and participation data
• Payment and billing information
• Dietary requirements and accessibility needs
• Emergency contact information

How we collect it:

• Direct registration forms (online and paper)
• Corporate client bulk registrations
• Assessment submissions and results
• Course feedback and evaluation forms
• Payment processing systems

2.2 Health and Safety Management System (HSSMS) Data

What we collect:

• Employee personal details (name, role, department)
• Health and safety training records
• Incident and accident reports
• Risk assessment data
• Medical information related to workplace incidents
• Investigation records and witness statements
• Corrective action records
• Audit and inspection findings
• Safety performance metrics

How we collect it:

• System user inputs and data entry
• Automated data generation from system use
• File uploads and document submissions
• Integration with other safety systems
• Mobile app incident reporting

2.3 Personnel Directory Platform Data

What we collect:

• Professional profile information (skills, experience, qualifications)
• Employment history and references
• Training completion records
• Contact preferences and availability
• Profile photos and professional documents
• Communication records between users
• Job application and inquiry data

How we collect it:

• User profile creation and updates
• Automatic training record integration
• Direct communication through platform
• Profile verification processes

2.4 Website and Marketing Data

What we collect:

• Website usage data and analytics
• IP addresses and browser information
• Cookie preferences and tracking data
• Email marketing engagement statistics
• Contact form submissions
• Newsletter subscriptions
• Social media interactions

How we collect it:

• Website analytics tools (Google Analytics)
• Cookie technologies
• Contact forms and enquiry submissions
• Email marketing platforms
• Social media integrations

2.5 Business Communications Data

What we collect:

• Email correspondence records
• Phone call logs and recordings (where notified)
• Meeting attendance and notes
• Contract negotiations and agreements
• Customer service interactions
• Complaint and feedback records

3. LEGAL BASIS FOR PROCESSING

We process your personal data under the following legal bases:

3.1 Contract Performance

Processing necessary to perform contracts for services as outlined in our Terms and Conditions.

• Delivering training services you have purchased
• Providing access to HSSMS and Directory platforms
• Processing payments and managing accounts
• Issuing certifications and maintaining training records

3.2 Legitimate Interests

• Marketing our services to existing customers
• Improving our services through analytics and feedback
• Preventing fraud and ensuring platform security
• Managing business operations and communications
• Maintaining quality assurance and compliance

3.3 Legal Obligation

• Maintaining health and safety records as required by law
• Reporting serious incidents to relevant authorities
• Complying with IOSH certification requirements
• Meeting tax and accounting obligations
• Responding to legal requests and investigations

3.4 Consent

• Email marketing to new prospects
• Non-essential cookies and tracking
• Sharing data with third parties for marketing purposes
• Processing special category data where not otherwise justified

3.5 Vital Interests

• Emergency medical situations during training events
• Protecting health and safety in urgent situations

4. HOW WE USE YOUR INFORMATION

4.1 Training Services

• Course Delivery: Managing registrations, sending course materials, facilitating online sessions
• Assessment and Certification: Conducting assessments, issuing certificates, maintaining training records
• Customer Support: Responding to queries, providing technical support, managing bookings
• Quality Assurance: Collecting feedback, monitoring instructor performance, improving courses

4.2 Health and Safety Management System

• System Operation: Providing access to risk assessment tools, policy libraries, incident reporting
• Compliance Support: Generating reports, tracking safety performance, managing documentation
• Incident Management: Recording and investigating incidents, managing corrective actions
• Data Analysis: Identifying trends, improving safety outcomes, benchmarking performance

4.3 Personnel Directory Platform

• Profile Matching: Connecting personnel with suitable opportunities
• Communication Facilitation: Enabling contact between businesses and personnel
• Verification: Maintaining training completion records, profile accuracy
• Platform Security: Monitoring for inappropriate use, preventing fraud

4.4 Business Operations

• Customer Relationship Management: Maintaining client records, managing communications
• Marketing: Promoting relevant services, sending newsletters, conducting market research
• Financial Management: Processing payments, managing accounts, financial reporting
• Legal Compliance: Meeting regulatory requirements, responding to legal requests

5. INFORMATION SHARING AND DISCLOSURE

5.1 Third Party Service Providers

We share data with trusted service providers who help us deliver our services:

Training and Certification Partners:

• IOSH (Institution of Occupational Safety and Health) – for certification processing
• Other certification bodies – for accreditation purposes
• Assessment partners – for examination administration

Technology Service Providers:

• Cloud hosting providers – for secure data storage
• Payment processors – for handling transactions
• Email service providers – for communications
• Analytics providers – for website performance monitoring

Professional Service Providers:

• Legal advisors – for compliance and legal matters
• Accountants – for financial management
• IT support providers – for technical maintenance

5.2 Legal Requirements

We may disclose personal data when required by law:

• Court orders and legal proceedings
• Regulatory investigations and compliance requirements
• Health and Safety Executive (HSE) reporting obligations
• Tax and accounting obligations
• Law enforcement requests

5.3 Business Transfers

In the event of a merger, acquisition, or business sale, personal data may be transferred to the new entity, subject to the same privacy protections.

5.4 Directory Platform Sharing

Within the Personnel Directory platform, profile information is shared between registered users (businesses and personnel) to facilitate employment connections. This sharing is based on user consent through platform registration.

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfer Safeguards

When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

• Adequacy decisions by the UK government
• Standard contractual clauses approved by the ICO
• Binding corporate rules for multinational service providers
• Certification schemes and codes of conduct

6.2 Specific Transfers

Our main service providers may transfer data to:

• Cloud storage providers – with appropriate contractual safeguards
• Software suppliers – under standard contractual clauses
• Payment processors – with adequate protection measures

7. DATA RETENTION

7.1 Training Records

• Assessment and certification data: 6 years after certification expiry
• Course attendance records: 7 years for audit and compliance purposes
• Payment records: 6 years for tax and accounting requirements
• Marketing data: Until consent withdrawn or legitimate interest ceases

7.2 Health and Safety Management System

• Incident reports: As required by HSE regulations (typically 3-40 years depending on incident type)
• Risk assessments: 3 years after superseded
• Training records: Duration specified by regulation (usually 3-6 years)
• System usage data: 2 years for performance monitoring

7.3 Personnel Directory Platform

• Active profiles: Duration of platform access plus 1 year
• Communication records: 2 years after last contact
• Training completion records: Permanent record for verification purposes

7.4 Website and Marketing Data

• Analytics data: 26 months (Google Analytics default)
• Email marketing data: Until consent withdrawn
• Contact form submissions: 2 years unless ongoing business relationship

7.5 General Business Records

• Customer communications: 6 years after relationship ends
• Contract records: 6 years after contract termination
• Financial records: 6 years for tax purposes

8. DATA SECURITY

8.1 Technical Security Measures

• Encryption: Data encrypted in transit and at rest using industry-standard protocols
• Access Controls: Multi-factor authentication and role-based access controls
• Network Security: Firewalls, intrusion detection, and secure connections
• Regular Updates: Security patches and software updates applied promptly
• Backup Systems: Regular backups with secure storage and recovery procedures

8.2 Organizational Security Measures

• Staff Training: Regular data protection and security awareness training
• Access Management: Principle of least privilege and regular access reviews
• Incident Response: Documented procedures for data breaches and security incidents
• Third Party Due Diligence: Security assessments of all service providers
• Physical Security: Secure premises and controlled access to equipment

8.3 Data Breach Procedures

In the event of a data breach, we will:

• Contain and assess the breach within 24 hours
• Notify the ICO within 72 hours if high risk is identified
• Inform affected individuals if high risk to their rights and freedoms
• Document the breach and take corrective action
• Review and update security measures as necessary

9. YOUR RIGHTS

Under UK data protection law, you have the following rights:

9.1 Right of Access

You can request a copy of the personal data we hold about you, including:

• What data we process
• Why we process it
• Who we share it with
• How long we keep it

9.2 Right to Rectification

You can ask us to correct inaccurate or incomplete personal data.

9.3 Right to Erasure (“Right to be Forgotten”)

You can request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the original purpose
• You withdraw consent and there’s no other legal basis
• The data has been unlawfully processed
• Legal obligation requires deletion

9.4 Right to Restrict Processing

You can ask us to limit how we use your data in certain situations:

• You contest the accuracy of the data
• Processing is unlawful but you don’t want deletion
• We no longer need the data but you need it for legal claims
• You’ve objected to processing pending verification of legitimate interests

9.5 Right to Data Portability

You can receive your personal data in a structured, machine-readable format and transfer it to another organization where:

• Processing is based on consent or contract
• Processing is carried out by automated means

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Rights Related to Automated Decision Making

You have rights regarding automated decision making and profiling, including the right to:

• Be informed about automated processing
• Request human intervention
• Challenge automated decisions

9.8 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: info@gigsavvy.co.uk
• Phone: 07470695351
• Post: Data Protection Officer, Gigsavvy Ltd, 80 Drummond Terrace, North Shields, Tyne & Wear, NE30 2AG

We will respond to requests within one month (extendable to three months for complex requests).

10. COOKIES AND WEBSITE TRACKING

10.1 What are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better user experience.

10.2 Types of Cookies We Use

Essential Cookies (Always Active):

• Session management and security
• User authentication and preferences
• Shopping cart and booking functionality
• Load balancing and performance

Analytics Cookies (With Consent):

• Google Analytics – website usage statistics
• Performance monitoring and optimization
• User journey and behavior analysis

Marketing Cookies (With Consent):

• Social media integration
• Advertising campaign tracking
• Personalized content delivery
• Remarketing and retargeting

10.3 Managing Cookie Preferences

You can control cookies through:

• Our cookie consent banner (first visit)
• Browser settings and preferences
• Third-party opt-out tools
• Our cookie preferences center

10.4 Third-Party Tracking

Our website may include content from third parties (social media, videos, maps) that may set their own cookies. Please review their privacy policies for details.

11. SPECIAL CATEGORIES OF PERSONAL DATA

11.1 Health and Safety Data

We process special category data (health information) in the following circumstances:

• Health and safety incidents: Processing necessary for public health and workplace safety
• Medical emergencies: Processing necessary to protect vital interests
• Occupational medicine: Processing necessary for preventive medicine purposes
• Legal obligations: Processing required by health and safety regulations

11.2 Legal Basis for Special Category Processing

• Article 9(2)(b) – Employment, social security, and social protection law
• Article 9(2)(c) – Vital interests protection
• Article 9(2)(h) – Preventive or occupational medicine
• Article 9(2)(g) – Substantial public interest (health and safety)

11.3 Additional Safeguards

For special category data, we implement additional protections:

• Enhanced access controls and encryption
• Regular training for staff handling health data
• Specific retention periods for medical information
• Enhanced consent processes where required

12. CHILDREN’S PRIVACY

12.1 Age Restrictions

Our services are not intended for children under 16. We do not knowingly collect personal data from children under 16 without appropriate parental consent.

12.2 Parental Consent

Where we provide training to individuals under 18, we obtain appropriate consent from parents or guardians and ensure additional safeguards are in place.

12.3 Educational Settings

When providing training in educational settings, we work with institutions to ensure appropriate consent mechanisms and safeguarding procedures are followed.

13. CHANGES TO THIS PRIVACY POLICY

13.1 Policy Updates

We may update this Privacy Policy periodically to reflect:

• Changes in our business practices
• Updates to data protection laws
• New service offerings
• Enhanced security measures

13.2 Notification of Changes

We will notify you of significant changes through:

• Email notification to registered users
• Website banners and announcements
• Direct communication for major changes
• Updated version numbers and dates

13.3 Continued Use

Your continued use of our services after policy updates constitutes acceptance of the revised terms.

14. SUPERVISORY AUTHORITY

14.1 Right to Complain

You have the right to lodge a complaint with the UK’s data protection supervisory authority:

Information Commissioner’s Office (ICO)

• Website: www.ico.org.uk
• Phone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14.2 When to Complain

You can complain to the ICO if you believe we have processed your personal data unlawfully or violated your data protection rights.

15. CONTACT INFORMATION

15.1 General Data Protection Queries

Email: info@gigsavvy.co.uk
Phone: 07470695351
Hours: 9am – 4pm, Monday – Friday

15.2 Postal Address

Data Protection Officer
Gigsavvy Ltd
80 Drummond Terrace
North Shields
Tyne & Wear
NE30 2AG

15.3 Service-Specific Contacts

Training Services:
HSSMS Support:
Directory Platform:
Technical Support:

Email: info@gigsavvy.co.uk
Tel: 07470695351

This Privacy Policy is effective from 15/6/24 and was last updated on 3/8/25.

Document Version: GS/PP/001/V2