Privacy Policy – Sensei Workforce

Document History

Date Author Version
01/04/2020 Daniel Wood v1.0.0
25/05/2022 Charlie Tyrell v2.0.0
10/06/2022 Daniel Wood v2.1.0

Introduction

Sensei Workforce (Sensei) is a product of Dojo Development Ltd.

This Privacy Policy governs the manner in which Dojo Development Ltd (the “Company”) collects, uses, maintains and discloses information collected from users (each, a “User”) of the https://account.senseiworkforce.com/ web application (“Sensei Workforce”), and information provided to the Company by clients (each, a “Client”). This privacy policy applies to Sensei Workforce and all products and services offered by Dojo Development Ltd.

Herein, “Staff” refers to any Dojo Development employee or contractor.

Dojo Development needs to gather and use information about individuals on behalf of Clients to provide workforce software services, including Client approval of Users’ entitlement to book and complete shifts.

This policy describes how this personal data must be collected, handled and stored to meet GDPR data protection standards — and to comply with the law.

Why This Policy Exists

This policy ensures that Dojo Development:

  • Complies with the UK Data Protection Act 2018 and follows good practice;
  • Protects the rights of staff, contractors and clients about how individuals’ data is stored and processed;
  • Is open about how individuals’ data is stored and processed;
  • Protects itself and users of the system from the risks of a data breach.

Data Protection

Dojo Development Ltd is registered with the Information Commissioner’s Office (ICO), https://ico.org.uk ref: ZB289697. As a signatory to General Data Protection Regulations and the Data Protection Act 2018, Dojo Development is bound by its terms.

Our nominated Data Protection Officer (DPO) is:

Daniel Wood
Managing Director

Dojo Development Ltd

25 Barnes Wallis Road
Segensworth East
Fareham
Hampshire
PO15 5TT

E-mail: [email protected]

Dojo Development offices are in a secure building with a manned front desk during office hours (Monday to Friday) and 24/7 CCTV. Access is only available to authorised staff through an electronic key system for the main building and further locks for individual units.

In the event of remote working, Dojo Development has a dedicated Working from Home policy which all staff are provided and required to adhere to. This policy is in line with guidance provided by ICO.

Access to information is required for Client onboarding and User support services. Dojo Development systems are password protected. Dojo Development has a full systems maintenance and back-up plan in place along with a business continuity plan for both systems and processes.

Staff may be required to handle controlled confidential data. All staff are provided with both initial induction training and ongoing refresher training regarding GDPR and the Data Protection Act. Data protection is a key element of staff contracts of employment with clear disciplinary procedures.

Dojo Development has never been compromised to date, but has a procedure for notifying clients should a compromise occur.

GDPR Data Protection Law

The UK Data Protection Act 2018 in association with General Data Protection Regulation (GDPR) describes how organisations including Dojo Development must collect, handle and store personal information.

Dojo Development adheres to GDPR and the Data Protection Act which underpin the following principles:

  1. Be processed fairly and lawfully
  2. Be obtained only for specific, lawful purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and kept up to date where appropriate
  5. Not be held for any longer than necessary
  6. Be processed in accordance with the rights of data subjects
  7. Be protected in appropriate ways
  8. Not be transferred outside the European Economic Area (EEA)

Policy Scope

This policy applies to all data that Dojo Development holds relating to identifiable individuals, even if that information technically falls outside of GDPR and the UK Data Protection Act 2018. This may include, but is not limited to:

  1. Names of individuals
  2. Postal addresses
  3. Email addresses
  4. Telephone numbers
  5. …plus any other information relating to individuals

General Principles

The following are principles on which effective information security is based:

  • Anyone with access to Sensei Workforce must be made aware of the Company’s expectations about the use and care of that information and that information provided is appropriately secured.
  • All information and related resources held by Dojo Development, even unclassified information, must be handled with due care. Information may include personal information which requires particular protection.
  • The availability of information should be limited to those who need to use or access the information to do their work.
  • Once information has been security classified, all users of the information must observe the minimum procedural requirements for the use, storage, transmission and disposal of that information.
  • Information is not transferred overseas.
  • Clients and users have the right to complain via Dojo Development’s complaint process or directly to the Information Commissioner’s Office.
  • All Staff review the DPA Risk Assessment & Control Measures and follow stated control measures; these are periodically audited by Dojo Development.

Subject Access Requests

All individuals who are the subject of personal data held by Dojo Development are entitled to:

  • Ask what information the Company holds about them;
  • Ask how to gain access to information;
  • Be informed on how to keep information up-to-date;
  • Have the right to erasure to delete personal data (this excludes data held for regulatory purposes). Requests are handled on a case-by-case basis and if a request is refused, Dojo Development will provide a reason without undue delay and at the latest, within one month;
  • Be informed on how Dojo Development is meeting its GDPR data protection obligations;
  • If an individual contacts the Company requesting this information, this is called a subject access request. Subject access requests should be sent via email, addressed to the Data Protection Officer at [email protected]. The Data Protection Officer can supply a standard request form, although individuals do not have to use this;
  • The Data Protection Officer must verify the identity of anyone making a subject access request.

Data and Processes

Client onboarding

Dojo Development may be provided with personal information of Users by the Client if an onboarding service is requested.

The Client is responsible for ensuring all data provided to the Company is accurate and up-to-date.

Dojo Development processes the information by creating all Users, Sites, Shifts and any other entities required by the Client on Sensei Workforce for use by Users and the Client in assigning workforce to available shifts.

Dojo Development is in no way responsible for any approval of user verification or authorisation process; this must be completed as the Client’s sole responsibility.

Dojo Development may monitor, record, store and use any telephone, email or other communication with you in order to check any instructions given to us, for training purposes, for crime prevention or to improve the quality of our customer service.

User information

Users can register on Sensei Workforce directly and submit the required information for user verification to the Client.

Dojo Development does not share this information with any third-party company apart from the user’s designated tenant “the Client”. The purpose of the information is to enable the Client to verify User entitlement to book and complete shifts for the User’s chosen job type(s).

Dojo Development regards the lawful and correct treatment of personal information as critical to the successful continuation of its operations and to maintaining customer confidence in its services. Dojo Development fully endorses and adheres to the principles of data protection and General Data Protection Regulation:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall not be kept for longer than is necessary.
  5. Personal data shall be processed in accordance with the rights of data subjects under this Act and aligned to GDPR.
  6. Personal data shall not be transferred to a country or territory outside the European Economic Area.

In summary, when asking you for information, Dojo Development will:

  • Ensure you know why we need it;
  • Protect it and make sure nobody has access to it who shouldn’t;
  • Make sure we keep it no longer than necessary;
  • Under no circumstances use it for marketing or any other purposes.

Data Minimisation

Data Minimisation is a principle that states that data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy. In the General Data Protection Regulation (GDPR), this is defined as data that is:

  1. Adequate
  2. Relevant
  3. Limited to what is necessary for the purposes for which they are processed

In summary, when collecting data, Dojo Development will inform the User of the following:

  1. That we are collecting their data
  2. How we plan on using the data
  3. Why we are collecting the data
  4. How long we need to store the data

We only store the minimum viable amount of data required in order to provide the Sensei Workforce service.

Data Storage and Management

Data Storage Location

Dojo Development uses the Azure Cloud Platform by Microsoft to host the Sensei Workforce web application. All of our data is stored in the UK South-based (London) data centre.

Protection of Data in Storage

Sensei Workforce uses Azure Key Vault and Azure Disk Encryption to protect data in storage.

Azure Key Vault helps customers easily maintain control of keys that are used by cloud applications and services to encrypt data. Azure Disk Encryption enables customers to encrypt VMs. Azure Storage Service Encryption makes it possible to encrypt all data placed into a customer’s storage account.

Data Encryption

Microsoft provides a number of options that can be utilized by Sensei Workforce for securing data in transit internally within the Azure network and externally across the Internet to the end-user. 

These include communication through Virtual Private Networks (utilizing IPsec/IKE encryption), Transport Layer Security (TLS) 1.2 or later (via Azure components such as Application Gateway or Azure Front Door), protocols directly on the Azure virtual machines (such as Windows IPsec or SMB), and more.

Additionally, “encryption by default” using MACsec (an IEEE standard at the data-link layer) is enabled for all Azure traffic travelling between Azure datacenters to ensure confidentiality and integrity of customer data.

Data Retention and Disposal

Information held for longer than is necessary carries additional risk and cost. Records and information should only be retained when there is a business need to do so.

Under UK GDPR and the DPA 2018, personal data processed by Dojo Development must not be retained for longer than is necessary for its lawful purpose.

The default standard retention period for Dojo Development records is 6 years plus current, otherwise known as 6 years + 1. This is defined as 6 years after the last entry in a record followed by the first review or destruction to be carried out in the additional current (+ 1) year.

Records must only be retained beyond the default Dojo Development retention period if their retention can be justified for statutory, regulatory, legal or security reasons or for their historic value. 

The maximum retention period for Dojo Development records identified as having historic value is defined as 20 years after the last entry in the record, with an additional one calendar year for final review and transfer or destruction.

Following the retention period records must be securely destroyed in accordance with Dojo Development’s security policy. Processes are in place to ensure that all backups and copies are included in the destruction of records, or that data is put beyond use.

Children’s Data Use

Although Sensei Workforce is not intended for use by children, as it solely relates to professional employment, Users can report any knowledge of a child accessing the app and providing personal data, without parental consent, using the contact details provided below.

Privacy Policy – Website

Document History

Date Author Version
01/04/2020 Daniel Wood v1.0.0

Introduction

This section of the Privacy Policy governs the manner in which Dojo Development Ltd collects, uses, maintains and discloses information collected from users (each, a “User”) of the https://www.senseiworkforce.com/ website (“Site”). 

Personal identification information

We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, register on the site, place an order, subscribe to the newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address, mailing address, phone number. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Site-related activities.

Non-personal identification information

We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users’ means of connection to our Site, such as the operating system and the Internet service providers utilised and other similar information.

Web browser cookies

Our Site may use “cookies” to enhance User experience. Users’ web browsers place cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies or to alert them when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

By using the Site, Users agree to the terms and conditions outlined in this privacy policy.

How we use collected information

Dojo Development Ltd may collect and use Users’ personal information for the following purposes:

  • To improve customer service
    Information you provide helps us respond to your customer service requests and support needs more efficiently.
  • To personalise user experience
    We may use information in the aggregate to understand how our Users as a group use the services and resources provided on our Site.
  • To improve our Site
    We may use feedback you provide to improve our products and services.
  • To run a promotion, contest, survey or other Site feature
    To send Users information they agreed to receive about topics we think will be of interest to them.
  • To send periodic emails
    We may use the email address to send Users information and updates pertaining to their order. It may also be used to respond to their inquiries, questions, and/or other requests. If a User decides to opt in to our mailing list, they will receive emails that may include company news, updates, related product or service information, etc. If at any time the User would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or the User may contact us via our Site.

How we protect your information

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.

Sharing your personal information

We do not sell, trade, or rent Users’ personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third-party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.

Third-party websites

Users may find advertising or other content on our Site that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.

Changes to this policy

Dojo Development Ltd has the discretion to update this privacy policy at any time. When we do, we will revise the updated date at the top of this document. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. 

Should the purpose of data collection change, the User will be informed by Dojo Development and the User consent will be re-obtained.

Complaints

Users have the right to complain to their Local Supervisory Authority, or to the Information Commissioner’s Office, should they suspect there has been a breach of data confidentiality.

Contacting us

If you have any questions about this Privacy Policy, the practices of Sensei Workforce, or your dealings with Sensei Workforce, please contact us at:

Dojo Development Ltd
25 Barnes Wallis Road
Segensworth East
Fareham
Hampshire
PO15 5TT

E-mail: [email protected]

Cookie Policy

Document History

Date Author Version
17/01/2022 Daniel Wood v1.0.0

Introduction

Sensei Workforce (Sensei) is a product of Dojo Development Ltd.

We use cookies and similar tools (collectively, “cookies”) for the purposes described below.

Operational Cookies: We use cookies to provide our services, for example:

  • Recognising you when you sign in to use our services.
  • Preventing fraudulent activity.
  • Improving security.
  • Keeping track of your preferences.

We also use cookies to understand how Users use our app so we can make improvements. 

Additional Information

Operational cookies will remain on your browser for 14 days from your last visit to our app, except for cookies used to remember your privacy settings, which may remain on your browser for longer. Other cookies remain on your browser for 14 days after you provide us with your consent to use these cookies.

The settings on your browser will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, how to disable and remove cookies, and when cookies will expire.

Operational cookies allow you to take advantage of some of Sensei Workforce’s essential features. If you block or otherwise reject operational cookies through your browser settings some features and services may not work. 

You may also need to manually adjust some of your preferences every time you visit one of our services.

See our Privacy Policies above for more information about the types of information we gather.