Privacy Policy

How we collect, use, and protect your data

Last updated: 2 March 2026

1. Introduction and Data Controller

SnapIQ Ltd (“we”, “us”, “our”) is the data controller responsible for your personal data. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

SnapIQ is a workforce management platform for the education sector that connects recruitment agencies, schools, and candidates (supply teachers and support staff). This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.

2. Summary of Key Points

This summary gives you the key facts at a glance. Please read the full policy for complete details.

  • What we collect: Identity data, contact details, professional qualifications, GPS check-in coordinates, DBS and right-to-work documents (for Candidates), booking records, and usage data.
  • Why we collect it: To provide the Platform services — matching Candidates to school assignments, verifying attendance, and managing bookings.
  • Who we share with: Agencies, Schools, and our sub-processors (Clerk and Convex). We do not sell your data.
  • How long we keep it: For as long as your account is active, plus up to 6 years after termination for compliance records. GPS check-in data is retained for 12 months.
  • Your rights: Access, correction, erasure, restriction, portability, objection, and the right to complain to the ICO. See section 12.
  • International transfers: Our sub-processors may process data in the United States under appropriate safeguards. See section 8.

3. Scope: Who This Policy Applies To

This Privacy Policy applies to all users of the SnapIQ platform (“Platform”) at snapiq.co.uk, including:

  • Candidates — supply teachers, teaching assistants, and support staff who register on the Platform to be placed at schools. Candidates must be at least 16 years old.
  • Agencies / Recruiters — recruitment agencies and employment businesses that use the Platform to manage candidates and fill vacancies. Agency account holders must be at least 18 years old.
  • Schools / Clients — educational establishments that use the Platform to manage vacancies and receive staff. School account holders must be at least 18 years old.
  • Administrators — individuals authorised by an Agency or School to manage that organisation’s account on the Platform.

If you are a Candidate aged 16 or 17, we recommend you read this policy with a parent or guardian. We do not knowingly collect data from anyone under 16.

4. Data We Collect

4.1 All Users

  • Account information — name, email address, and authentication data collected via Clerk, our authentication provider.
  • Messaging content — messages sent and received through the Platform’s built-in chat system.
  • Usage data — pages visited, features used, browser type, device information, and IP address.
  • Technical data — session tokens, log data, and error reports used to maintain Platform security and stability.

4.2 Candidates

  • Profile information — skills, qualifications, subject specialisations, years of experience, and professional details you provide.
  • Identity documents — passport or driving licence details provided as part of right-to-work verification.
  • DBS certificate information — DBS certificate number, issue date, and clearance status. See section 5 for how we handle this sensitive data.
  • Location data (GPS) — GPS coordinates collected during QR code check-ins to verify your attendance at an assigned school location. Location is only collected at the point of check-in, not continuously tracked.
  • Booking and assignment data — details of confirmed bookings, scheduled shifts, schools attended, roles, dates, and times.
  • Availability and preferences — working availability, travel preferences, and preferred roles you enter on the Platform.

4.3 Agencies

  • Organisation details — agency name, company registration number, business address, and contact information.
  • Staff account data — names and email addresses of Agency staff who have Platform accounts.
  • Candidate management data — records of Candidates managed by the Agency on the Platform, including bookings created and placements made.
  • Billing information — subscription and billing data processed via our payment provider.

4.4 Schools

  • Organisation details — school name, address, contact information, and location data (used to set up QR code check-in points).
  • Staff account data — names and email addresses of School staff who have Platform accounts.
  • Vacancy and booking data — vacancy descriptions, booking requests, and records of staff placed at the school.

4.5 Data We Receive From Third Parties

If an Agency registers you as a Candidate on the Platform, we may receive your personal data (such as your name, contact details, and professional information) from that Agency before you have created your own account. When this happens, the Agency is responsible for ensuring they have the right to share your data with us. We will process that data in accordance with this policy and will notify you of our processing activities when you first access the Platform.

5. Sensitive and Special Category Data

Certain categories of personal data require a higher level of protection under UK GDPR Article 9 and the DPA 2018. We process the following sensitive data in connection with Platform services:

5.1 Criminal Records Data (DBS)

DBS (Disclosure and Barring Service) certificate information constitutes criminal records data under DPA 2018 Schedule 1. We process DBS data strictly for the purpose of verifying that Candidates are suitable to work with children and vulnerable adults in educational settings. The legal basis for processing DBS data is:

  • Substantial public interest under DPA 2018 Schedule 1, Part 2, condition 6 (statutory and government purposes) and condition 10 (preventing or detecting unlawful acts), as applicable; and
  • Explicit consent — where you have provided this data directly on the Platform.

DBS data is stored securely and access is restricted to authorised Agency and School users who have a legitimate need to verify your suitability for a placement.

5.2 Right-to-Work Documents

We process identity document data (including passport details and visa information) for the purpose of right-to-work verification. The legal basis is compliance with our legal obligations under the Immigration, Asylum and Nationality Act 2006, and explicit consent where you upload documents directly.

5.3 Health Data

We do not routinely collect health data. If you voluntarily disclose health information (for example, in a message or as part of an adjustment request), we will treat this as special category data and process it only to the extent necessary to accommodate your needs. The legal basis is explicit consent and, where relevant, our obligations under the Equality Act 2010.

6. How We Use Your Data

We use your personal data only for the purposes set out below. The legal basis for each purpose is stated alongside it:

  • Providing the Platform — creating and managing your account, authenticating your identity, and delivering Platform features. Legal basis: contract performance.
  • Matching and bookings — processing booking requests, matching Candidates to vacancies, and managing schedules. Legal basis: contract performance.
  • Attendance verification — recording GPS coordinates at the point of check-in to verify a Candidate’s attendance at an assigned location. Legal basis: consent (requested at time of check-in); contract performance.
  • Compliance verification — verifying DBS status, right-to-work, and other regulatory checks required for educational placements. Legal basis: legal obligation; substantial public interest (DBS data).
  • Messaging and notifications — facilitating in-platform chat between users, and sending booking confirmations and account notifications. Legal basis: contract performance; legitimate interests.
  • Platform improvement and security — analysing usage patterns, diagnosing errors, and improving Platform features. Legal basis: legitimate interests.
  • Legal compliance — meeting our obligations under employment, immigration, tax, and data protection law. Legal basis: legal obligation.
  • Marketing — sending you information about Platform features and updates relevant to your account type, where you have not opted out. Legal basis: legitimate interests (for existing users); consent (for prospective users). You can opt out at any time by contacting support@snapiq.co.uk.

7. Data Sharing and Sub-processors

7.1 Sharing Between Platform Users

The Platform is designed to facilitate connections between Agencies, Schools, and Candidates. The following inter-party sharing is integral to the service:

  • Agencies can view Candidate profiles, compliance status (including DBS), and booking history for Candidates they manage.
  • Schools can view the name, role, and check-in status of Candidates booked to attend their premises.
  • Candidates can view details of the Schools and Agencies they are connected with through confirmed bookings.

7.2 Sub-processors

We use the following sub-processors to deliver the Platform. Each sub-processor is bound by data processing agreements and appropriate safeguards:

  • Clerk — authentication and user identity management. Processes login credentials, session tokens, and account data. Data may be processed in the United States — see section 8.
  • Convex — backend database and real-time infrastructure. Stores and processes all Platform data including profiles, bookings, messages, and GPS check-in records. Data may be processed in the United States — see section 8.

We may add further sub-processors (for example, an email delivery provider or error monitoring service) as the Platform grows. We will update this policy when we do so and notify you of material changes in advance (see section 14).

7.3 Other Disclosures

  • Legal requirements — we may disclose data to law enforcement, courts, or regulators where required by law or to protect our legal rights.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users before any such transfer and before data becomes subject to a different privacy policy.
  • We do not sell your personal data to third parties.

8. International Data Transfers

Our sub-processors Clerk and Convex are headquartered in the United States. When your personal data is transferred to or processed in the United States, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V. These safeguards include:

  • UK International Data Transfer Agreements (IDTAs) or equivalent standard contractual clauses approved by the ICO, incorporated into our contracts with each sub-processor; and/or
  • UK adequacy regulations or addenda where applicable.

You may request a copy of the safeguards we rely on for international transfers by contacting support@snapiq.co.uk.

9. Data Retention

We retain your personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our standard retention periods are:

  • Account data — retained for the duration of your active account, plus 6 years after account closure or the end of our relationship, to comply with our obligations under employment, tax, and limitation-period law.
  • Booking and assignment records — retained for 6 years after the date of the booking, to support employment and statutory compliance queries.
  • DBS and right-to-work documents — retained for the duration of the placement relationship and for 6 years thereafter, in accordance with regulatory guidance on record-keeping for employment in education.
  • GPS check-in data — retained for 12 months after the check-in date, after which it is deleted or anonymised.
  • Messages — retained for 3 years after the message is sent, unless you request earlier deletion.
  • Usage and technical data — retained for up to 12 months for security and diagnostic purposes.

When data reaches the end of its retention period it is securely deleted or anonymised. We may retain data for longer than the periods above where we have an ongoing legal obligation to do so (for example, in connection with legal proceedings or a regulatory investigation).

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

  • Encrypted data transmission using TLS/HTTPS for all Platform traffic.
  • Authentication managed by Clerk, which implements industry-standard security practices including secure password hashing and multi-factor authentication options.
  • Data stored by Convex in encrypted form at rest, with access controls restricting data access to authorised users only.
  • Role-based access controls ensuring users can only access data relevant to them.
  • Regular security reviews and prompt patching of known vulnerabilities.

While we take these measures seriously, no system can be completely secure. If you believe your account has been compromised or you become aware of any security issue, please contact us immediately at support@snapiq.co.uk.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with UK GDPR Article 34.

11. Automated Decision-Making

We do not make solely automated decisions (without human involvement) that produce legal or similarly significant effects for you, as described in UK GDPR Article 22.

Some Platform features use automated processes to assist human decision-making — for example, surfacing relevant Candidates for a vacancy based on your profile data. These processes inform but do not replace human judgement, and no placement or booking is confirmed without review by an Agency or School user. If you have concerns about any decision made in connection with your use of the Platform, please contact us at support@snapiq.co.uk.

12. Your Rights

Under the UK GDPR you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month, which may be extended by a further two months where a request is complex or we receive multiple requests from you.

  • Right of access (Subject Access Request) — you may request a copy of the personal data we hold about you, along with information about how we use it.
  • Right to rectification — you may request correction of inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”) — you may request deletion of your personal data where there is no compelling reason for us to continue processing it. Note that this right is not absolute — we may need to retain data to comply with legal obligations (see section 9).
  • Right to restriction of processing — you may ask us to pause processing of your data in certain circumstances, for example while a dispute about accuracy is resolved.
  • Right to data portability — you may request your personal data in a structured, commonly used, machine-readable format for transfer to another service, where processing is based on consent or contract performance.
  • Right to object — you may object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent — where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
  • Rights in relation to automated decision-making — you have the right not to be subject to solely automated decisions that significantly affect you. See section 11.

To exercise any of these rights, contact us at support@snapiq.co.uk. We may ask you to verify your identity before processing your request.

Right to complain to the ICO: If you believe we have not handled your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first.

13. Cookies

The Platform uses cookies and similar technologies. We use two categories of cookies:

  • Essential cookies — strictly necessary for the Platform to function. These include session and authentication cookies set by Clerk to keep you logged in, and cookies set by Convex for real-time data connections. You cannot opt out of these cookies without losing access to the Platform.
  • Analytics cookies — if we use any analytics tools in future, we will update this section and obtain your consent before setting analytics cookies. We do not currently use analytics cookies.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. For more information about cookies and how to manage them, visit aboutcookies.org.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes — such as changes to the categories of data we collect, the purposes for which we use it, or the parties we share it with — we will provide at least 30 days’ advance notice via the Platform and/or by email to the address associated with your account, before the change takes effect.

For minor or non-material changes, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your personal data, please contact us:

  • Email: support@snapiq.co.uk
  • Subject line for data rights requests: “Data Rights Request — [your name]”
  • Subject line for data protection / GDPR queries: “GDPR Query”

We aim to respond to all data protection enquiries within 5 working days and all formal Subject Access Requests within one calendar month.