CPOMS Privacy Notice

Last Updated: September 2025

This Privacy Notice describes the personal data that CPOMS Systems Limited (“CPOMS,” “we,” or “us”) collect when you visit our websites or interact with our business representatives (collectively, the “Services”). This Privacy Notice also describes how we use and share that information, the choices you have, and how you can contact us if you have questions or concerns. This Privacy Notice does not apply to any personal we collect pursuant to agreements to provide services to our customers, including schools, school districts and other educational institutions. This information may include data about our customers’ employees, customers and other users (such as students and parents of school customers) collected through the software, professional services, or applications that we make available to our customers. To learn more about how we handle information in these contexts, please refer to our Data Processing Agreement within our Standard Terms and Conditions, available here.

Personal Data We Collect

Personal Data you provide to us may include:

  • Contact details, such as your company’s name, your first and last name, email address, company address, and phone number.
  • Communications that we exchange with you, including when you contact us with questions, feedback, or otherwise.
  • Marketing information, such as your preferences for receiving communications about our services, and details about how you engage with our communications.


Automatic data collection. We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Services, such as:

  • Device data, such as your computers or mobile device’s operating system, manufacturer and model, browser type, IP address, unique identifiers, language settings, mobile device carrier, and general location information such as city, or geographic area; and
  • Usage data, such as pages or screens you viewed, how long you spent on a page, browsing history, and access times.


We may collect this personal data using cookies, pixels, tags, and other similar technologies. For more information, please visit our Cookie Policy by clicking on the cookie icon in the lower left hand corner.

Information we collect from third parties. We may maintain third-party social media pages, such as pages on LinkedIn, X, Facebook, and YouTube. If you interact with us via these pages, we may receive your communications and other information about your interactions with us. Any personal data collected by the social media companies that maintain our pages is governed by the privacy policies of the providers and is not within our control. We may also obtain personal data about you from publicly available sources, such as your organisation’s website, professional directories, industry publications, and our advertising and marketing partners.

How We Use Personal Information

We use your personal data for the following purposes and under each lawful basis specified below (in parentheses):

To provide the Services and respond to your inquiries. Collection and use of your personal data may be necessary to provide the Services to you. This includes administering, hosting, and operating the Services, and communicating with you and responding to any inquiries you may have. (Contract necessity)

To improve, monitor and personalise the Services. To analyse your use of the Services, to allow us to evaluate and improve the Services and its features, and to create aggregated, de-identified or anonymous statistics, which we may use for lawful business purposes, including for Services analytics and strategic planning. (Legitimate interests)

Business promotion. We may use personal data to promote our business, including:

  • Direct marketing. We may send you marketing communications, including, but not limited to, newsletters and notifications about special promotions, offers, and events that we think may be of interest to you, including by email and SMS. (Consent)
  • Interest-based advertising. We may also use personal data and engage advertising partners, including third party advertising companies and social media companies, to help us advertise our services, including by displaying advertising about our services on third-party websites and platforms. (Legitimate interests)


For compliance and protection. We use personal data to comply with our legal obligations and where it is in our legitimate interests to enforce any applicable terms and conditions, comply with legal obligations, defend against legal claims or disputes, protect the security and integrity of the Services, and identify and investigate fraudulent, harmful, unauthorised, unethical or illegal activity.

Where we rely on the lawful basis of legal obligation or contractual necessity if this personal data is not provided, we may not be able to provide our services to you.

How We Share Personal Data

When we share your personal data with third parties, we only permit them to process your personal data for specified purposes in accordance with our instructions. We require all third parties to respect the security of your personal data and to treat it in accordance with data protection laws and the recipient of the personal data will be bound by confidentiality obligations.

We may share your personal data with:

Affiliates, including any commonly owned and commonly branded companies, for purposes consistent with this Privacy Notice.

Service providers, including companies and individuals that provide services on our behalf or help us operate our Services or our business. These services include hosting, information technology, support, email delivery, advertising and marketing, and website analytics. We may also engage third-party artificial intelligence service providers to assist us with the operation of our business.

Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Advertising partners, including third-party advertising companies, social media and other platforms, for the business promotion purposes described above. These advertising partners may assist us with advertising our services on other third-party websites and platforms, including by identifying candidates for our advertising based on information about our existing customers and prospects.

Authorities and others, such as law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate to comply with applicable laws or protect our rights and interests.

Business transferees, including acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganisation, sale or other disposition of all or any portion of the business or assets of, or equity interests in, us or our affiliates (including, in connection with a bankruptcy or similar proceedings).

Your Data Subject Rights Under Data Protection Laws:

Unsubscribe from marketing communications. You may opt out of our marketing-related communications by following the opt out or unsubscribe instructions contained in the marketing communication we send you. We may continue to send you administrative communications that are necessary for our relationship with you, such as relevant updates to our policies.

Privacy choices. Depending on where you reside, you may have the following rights:

  • Information. You may have the right to obtain information about how we collect, use, and share your personal information. We provide this information within this Privacy Notice.
  • Access to a copy of the personal information that we have collected about you. Where applicable, we will provide the information in a portable, machine-readable, readily usable format.
  • Correction of personal information that is inaccurate, incomplete or otherwise out of date.
  • Deletion of personal information that we no longer need to provide the Services or for other lawful purposes.
  • Request we restrict our handling of your personal information.
  • Object to how we are using your personal information.
  • Withdraw your consent to us handling your personal information, where we are relying on your consent to process such personal information.


Where applicable, you can exercise privacy rights by contacting us as provided in the How to Contact Us section below. We may ask for specific information from you to help us confirm your identity.

In most cases we will deal with your request as soon as possible and at the latest within one calendar month of the date the request was received. If we need to extend the time period for responding to your request, we will let you know within the one-month period. We do not charge a fee for any such requests unless there are exceptional circumstances.

In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights. If you are not satisfied with how we address your request, you may submit a complaint by contacting us as provided in the How to Contact Us section below.

Data Security

We employ a number of technical, organisational and physical safeguards designed to protect the personal information we collect. However, no security measures are failsafe and we cannot absolutely guarantee the security of your personal information.

Data Retention

The length of time we retain personal information will be determined based upon the following criteria: the length of time your personal information remains relevant; the length of time it is reasonable to keep records to demonstrate that we have fulfilled our duties and obligations; any limitation periods within which claims might be made; any retention periods prescribed by law or recommended by regulators, professional bodies or associations; the type of contract we have with you, and our business interest in keeping such information as stated in this Privacy Notice.

Children

The Services are not intended for use by children. If we learn that we have collected personal data through our Services without the consent of the child’s parent or guardian as required by law, we will delete it. If you believe that we might have any information from or about a child under 13 (other than through the provision of services to our school customers), please contact us as provided below.

Job Applicants

When you apply for a job with us, we collect personal data that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other information of the type that may be included in a resume. This may also include diversity information that you voluntarily provide.

We use this information where necessary to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and in our legitimate interests to monitor recruitment statistics and to respond to surveys.

We may also use this information in our legitimate interests to provide improved administration of the Services and as otherwise necessary (i) to comply with relevant laws or to respond to subpoenas or warrants served on us, (ii) to protect and defend our or others’ rights or property, (iii) in connection with a legal investigation and (iv) to investigate or assist in preventing any violation or potential violation of the law, this Privacy Notice or our terms of use.

International Data Transfers

In the context of providing you with our Services, we may transfer your personal information to our affiliates and service providers in the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data protection laws in your home country.

When we engage in cross-border data transfers, we will ensure that relevant safeguards are in place to afford adequate protection for personal information and we will comply with applicable data protection laws, in particular by relying on an EU Commission or UK government adequacy decision or on contractual protections for the transfer of personal information. For more information about how we transfer personal information internationally, please contact us as set out in the How to Contact Us section below.

Changes to This Privacy Notice

We reserve the right to modify this Privacy Notice at any time. If we make material changes to this Privacy Notice, we will notify you by updating the date of this Privacy Notice and posting it on the Services and/or by providing you with an electronic communication.

How to Contact Us

We – CPOMS Systems Limited – are the “Controller” of your personal information and are responsible for collecting your information in compliance with applicable laws.

To exercise your Privacy Rights, contact our Data Protection Officer (DPO):

By email at: [email protected]writing “Data Protection Officer” or “DPO” in the subject line

By post to:

Data Protection Officer
CPOMS Systems Limited
CPOMS House
Acorn Business Park
Skipton
BD23 2UE

We hope that we can resolve any query or concern you raise about our use of your personal data. If not, you can contact the UK Information Commissioner’s Office at ico.org.uk or via telephone on 0303 123 1113 for further information about your rights and how to make a formal complaint.

Our Privacy Promise
We promise to treat you and your Information fairly and lawfully

We will only collect, use and share your Information if we have either a legal right or a legal obligation to do so, or if we have your consent.

This is known as the “legal basis” and the law requires us to let you know the legal basis for each purpose for which we collect and use your Information.

You will find the legal basis, together with other details of the Information we collect by clicking on the applicable link below.

We ensure fairness by regularly reviewing our collection and use of your Information and by providing you with details in Privacy Notices like this.

We promise to be clear and transparent about our collection and use of your Information

Openness is at the heart of CPOMS’s culture.


We’ve designed this Privacy Notice to be transparent – making it as easy as possible for you to see clearly what information we collect, how we use it, who we may share it with, how long we keep it, and how we protect it.


Just click on the appropriate sections below for answers to your questions.

We promise to use your Information only for the purposes we’ve specified

We’ll only use your Information for the purposes we’ve told you about in this Privacy Notice or in other Privacy Notices that we post wherever we collect Information from you.

We can’t – and won’t – use or share it for any other purposes without your permission unless, of course, we have a clear legal obligation to do so.

We promise to collect no more than we need for those purposes

We take care to collect only as much information as we need for each specified purpose.

We also restrict and monitor access to your information so that only those members of our staff with a genuine business need can access it.

We promise to check that your Information is accurate and keep it up to date

We do what we reasonably can to check that the Information we collect is accurate and, with your help, we’ll keep it up to date.

If you have a CPOMS user account, you can update your own information, such as change of address or contact details, by logging into your account.

If you do spot a mistake in your information, please call or write and ask us to correct it. You’ll find our details in “Contact Us”.

We promise to keep it for no longer than we need it

We need to keep information for different periods of time, depending on the purposes for which we collected it.

We provide details in the relevant Privacy Notices so, in each of the sections below, whether you are a Customer, a Supplier, a job applicant or just visiting our website or our offices, you will find specific answers to the question, ‘How long do we keep your Information?

This is based on either how long the law allows us to keep it for business purposes, or requires us to keep it for legal purposes.

We promise to protect your Information and your Privacy

Information Security is a top priority for CPOMS.

We maintain strict Security Standards and we constantly monitor all our computer and communications devices, systems and networks to protect them from external and internal threats.

Access to Personal Information is constantly monitored and logged.

We promise to uphold your Privacy Rights and make it simple to exercise them

See the section below ‘Your Privacy Rights and how to exercise them’.

We promise to respond quickly to your requests and concerns
You can raise any concerns you may have about our handling of your Information by writing to our Data Protection Officer.
If you are not happy with the outcome, you also have the right to raise your concern with the Information Commissioner’s Office.
 
Click on “Contact us…” below for contact details.
When you use our website
How do we collect and use your Personal Information?

Personal details
If you use the web-form to book a demo or training, we will use your name and contact details to arrange the demo or training you have requested.
If you contact us by phone, email or letter, or if you use the “Contact us” web-form, we will use your name, contact details – and any other Information you may provide – to respond to your enquiry.
We may also use your Information to email you with details of our other products and services and those of our parent company. You can prevent these emails by ticking the applicable box in the web form or, alternatively, you can stop receiving them at any time by clicking on the “unsubscribe” link that you will find in the footer of all our marketing emails.

Cookies

Click on the cookie icon in the bottom left corner, available throughout the CPOMS website, for details of information collected and used by cookies.

How and with whom do we share your Information?

Where necessary to fulfill your request or respond to your enquiry, we may share your Information internally with CPOMS colleagues in other departments and with our parent company.

We use Microsoft and other IT service providers to process and store Information but, otherwise, we do not share your Information with any other external organisations.

We would disclose your Information if required to do so by law, for example, under a court order.

In the event that CPOMS is acquired by another company, your Information will be shared with them so they can continue to process your Information in accordance with this Privacy Notice.

Where do we process and store your Information?
Your Information may be stored and processed by CPOMS or by our contracted service providers, including our parent company, in:
(a) the UK, or
(b) the EU, where it has the same legal protection as in the UK, or
(c) by our parent company in the US, under an agreement approved by the Information Commissioner’s Office as guaranteeing the same legal protection as in the UK (an International Data Transfer Agreement).
 
If a service provider needs to store or process your Information in or access it from any other country, we will put in place measures approved by the Information Commissioner’s Office that commit the service provider to the same level of data protection as is required under the UK Data Protection Act and UK GDPR.
 
If your school or organisation is located outside the UK, your Information may also be accessed by CPOMS colleagues who manage your contract with CPOMS in the country location of the applicable Regional Office.
How long do we keep your Information?

Any Personal Information you provide to us via our website is used to generate an email from you to us, which may be kept on our email system for up to seven years.

Where necessary for marketing purposes, we will keep your name and email address for as long as you wish to receive details of our other products and those of our parent company. If you elected not to receive marketing communications, e.g. by “unsubscribing”, we will keep your name and relevant contact details on an “Opted-out of Marketing” list for as long as is necessary to comply with your wishes.

Personal details
The processing of your name and contact details is necessary for the pursuit of our legitimate interests in selling our products and those of our parent company to schools and other organisations with safeguarding obligations or interests.
In view of the very low risk to your rights and freedoms posed by this use of your Information, and of the facilities we provide for you to exercise your right to opt-out at any time, we have concluded that our interests are not overridden by your rights.

Cookies

The legal basis for our use of cookies is your consent.

If you're a CPOMS customer or user
How do we collect and use your Information?

If your school purchases a CPOMS product and you are a named contact or user, we will use your name, login details and contact details to manage the service and provide customer support to you.

If you are the person responsible for managing the CPOMS contract, we may also use your contact details to email your school or organisation with details of our other products and services and those of our parent company.

You can prevent these emails by ticking the applicable box in the web form or you can stop receiving them at any time by clicking on the “unsubscribe” link in the footer of our marketing emails.

How and with whom do we share your Information?

Where necessary to provide the CPOMS services, fulfil your customer service requests or respond to your enquiries, we share your Information internally with CPOMS colleagues in other departments and with one or more of our third party service providers.

We may share your name and contact details with our parent company for the purpose of marketing their child protection related products and services.

We use Microsoft and other IT service providers to process and store Information but, otherwise, we do not share your Information with any other external organisations.

We would disclose your Information if required to do so by law, for example, under a court order.

In the event that CPOMS is acquired by another company, your Information will be shared with them so they can continue to provide the CPOMS service and to process your Information in accordance with this Privacy Notice.

Where do we process and store your Information?
Your Information may be stored and processed by CPOMS or by our contracted service providers, including our parent company, in:
(a) the UK, or
(b) the EU, where it has the same legal protection as in the UK, or
(c) by our parent company in the US, under an agreement approved by the Information Commissioner’s Office as guaranteeing the same legal protection as in the UK (an International Data Transfer Agreement).
 
If a service provider needs to store or process your Information in or access it from any other country, we will put in place measures approved by the Information Commissioner’s Office that commit the service provider to the same level of data protection as is required under the UK Data Protection Act and UK GDPR.
 
If your school or organisation is located outside the UK, your Information may also be accessed by CPOMS colleagues who manage your contract with CPOMS in the country location of the applicable Regional Office.
How long do we keep your Information?

If you are a user of CPOMS products and services, we will keep your name, login details and contact details for as long as you remain a registered user.

If you or your school ask us to terminate your access, for example if you leave that school or organisation, we will no longer have access to your Information once the school or organisation has closed your account.

Any Personal Information contained in email and other correspondence between us may be kept for up to seven years.

Where necessary for marketing purposes, we will keep your name and email address for as long as you wish to receive details of our other products.

If you elected not to receive marketing emails or if you “unsubscribe”, we will keep your name an email address on a “No Email Marketing” list for as long as is necessary to comply with your wishes.

The processing of your name, userid and contact details is necessary for the pursuit of:
(a) Your employer’s legitimate interests in using CPOMS products and services to facilitate safeguarding in its school or other organisation
(b) Our legitimate interests in selling and providing our products and services to schools and other customer organisations.

In view of the very low risk to your rights and freedoms posed by this use of your Information, and of the facilities we provide for you to exercise your right to opt-out at any time, we have concluded that our interests are not overridden by your rights.

If you use the CPOMS Authenticator App

The CPOMS Authenticator App is used as part of our two-factor authentication (2FA) process to verify that the person requesting access to CPOMS is, in fact, you. To work, the app needs your permission to use your device’s camera to scan a QR code to enable you to download the app. Limited device details are collected and processed to enable the app to receive authentication requests and to send confirmation when you use the app to respond to authentication requests.

The permissions required by the application, are used for the following purposes:

  1. android.permission.CAMERA

This permission is required for scanning the QR codes from CPOMS. Once the QR code is scanned, the authentication information is stored on your device. No images from the camera are stored or transferred anywhere.

  1. android.permission.GET_ACCOUNTS

This permission is required for CPOMS to use Google Cloud Messaging (GCM). CPOMS uses GCM to send notifications to the Android device with CPOMS Authenticator installed, to notify them when someone is trying to log in to their CPOMS account. The only information that is transferred to CPOMS is the GCM registration token, which is an ID used to identify the instance of CPOMS Authenticator on the users’ devices so that CPOMS can direct messages to a specific device. See https://developers.google.com/cloud-messaging/gcm for more technical information.

Marketing activities
How do we collect and use your Information?

If your email address, or a general contact email address is published on your website or a government or local authority website, or if you request a demo online or contact us via our website Contact form, we may collect and use it to email your school or organisation with details of our products and services and those of our parent company.

You can stop these emails by clicking on the “unsubscribe” link in the footer of our marketing emails at any time.

How and with whom do we share your Information?

We may share your name and contact details with our parent company for the purpose of marketing their child protection related products and services.

We use Microsoft and other IT service providers to process and store Information but, otherwise, we do not share your Information with any other external organisations.

We would disclose your Information if required to do so by law, for example, under a court order.

In the event that CPOMS is acquired by another company, your Information will be shared with them so they can continue to process your Information in accordance with this Privacy Notice.

Where do we process and store your Information?
Your Information may be stored and processed by CPOMS or by our contracted service providers, including our parent company, in:
(a) the UK, or
(b) the EU, where it has the same legal protection as in the UK, or
(c) by our parent company in the US, under an agreement approved by the Information Commissioner’s Office as guaranteeing the same legal protection as in the UK (an International Data Transfer Agreement).
 
If a service provider needs to store or process your Information in or access it from any other country, we will put in place measures approved by the Information Commissioner’s Office that commit the service provider to the same level of data protection as is required under the UK Data Protection Act and UK GDPR.
 
If your school or organisation is located outside the UK, your Information may also be accessed by CPOMS colleagues who manage your contract with CPOMS in the country location of the applicable Regional Office.
How long do we keep your Information?

Any Personal Information contained in email and other correspondence between us may be kept for up to seven years.
Where necessary for marketing purposes, we will keep your name and email address for as long as you wish to receive details of our other products.

If you elect not to receive marketing emails or if you “unsubscribe”, we will keep your name an email address on a “No Email Marketing” list for as long as is necessary to comply with your wishes.

The processing of your name and/or email address for marketing purposes is necessary for the pursuit our legitimate interests in selling and providing our products and services to schools, academies and other customers.

In view of the very low risk to your rights and freedoms posed by this use of your Information, and of the facilities we provide for you to exercise your right to opt-out at any time, we have concluded that our interests are not overridden by your rights.

If you supply CPOMS with goods and services
How do we collect and use your Information?

If your company supplies goods or services to CPOMS and you are a named contact, we will use your name and contact details to manage the contract.

How and with whom do we share your Information?

Where necessary to manage the contract, we may share your Information internally with CPOMS colleagues in other departments, with our parent company, and with one or more of our other third party service providers.
We may also share your contact details if we recommend your company to other organisations.

We use Microsoft and other IT service providers to process and store information but, otherwise, we do not share your Information with any other external organisations.
We would disclose your Information if required to do so by law, for example, under a court order.

In the event that CPOMS is acquired by another company, your Information will be passed to them so they can continue to receive goods and/or services from your company and to process your Information in accordance with this Privacy Notice.

Where do we process and store your Information?
Your Information may be stored and processed by CPOMS or by our contracted service providers, including our parent company, in:
(a) the UK, or
(b) the EU, where it has the same legal protection as in the UK, or
(c) by our parent company in the US, under an agreement approved by the Information Commissioner’s Office as guaranteeing the same legal protection as in the UK (an International Data Transfer Agreement).
 
If a service provider needs to store or process your Information in or access it from any other country, we will put in place measures approved by the Information Commissioner’s Office that commit the service provider to the same level of data protection as is required under the UK Data Protection Act and UK GDPR.
 
If your school or organisation is located outside the UK, your Information may also be accessed by CPOMS colleagues who manage your contract with CPOMS in the country location of the applicable Regional Office.
How long do we keep your Information?

We will keep your name, login details and contact details for as long as you remain a point of contact within your company. If you are replaced as the contact, we will delete If the contract expires or is terminated, we will delete your Information from our supplier management system within seven years.
Any Personal Information contained in email and other correspondence between us may be kept for up to seven years.

The processing of your Information is necessary for the pursuit of:
• Your employer’s legitimate interests in supplying us with goods and services, and
• Our legitimate interests in procuring the supply of goods and services from your employer.
In view of the very low risk to your rights and freedoms posed by this use of your Information, and of the facilities we provide for you to exercise your right to opt-out at any time, we have concluded that our interests are not overridden by your rights.

If you're applying for a job with CPOMS
How do we collect and use your Information?
Application Stage

When we are looking for new people to join the team, we may engage a recruitment agency, post the job on our website, on job sites or on social media, or place advertisements in the media.
So, we may receive the CV Information that you have provided via any of these channels.

At this stage, we may also view (but will not copy or keep) Information in your LinkedIn profile but we do not access Information about you on other social media platforms.

We use this Information to determine whether your qualifications and experience meet the requirements for the role.

To ensure that our recruitment strategy and processes are fair and not discriminatory, we will not ask about your ethnicity, sexual orientation and whether you have a disability.

Interview Stage

If we invite you to an interview, we will also ask whether there are any ‘reasonable adjustments’ we can make to ensure you do not have difficulty in attending.

At the interview stage, we will seek to learn more about to you determine whether you will be right for the role and the role will be right for you.
This may include details of income We may take notes during the interview for later consideration or for discussion with colleagues involved in the recruitment process.

Offer Stage

If we make an offer, we will need to collect further Information:
• Proof of your identity and right to work in the UK, e.g. a valid UK passport or valid overseas passport with documents proving your right to work in the UK
• Disclosure and Barring Service (DBS) check of criminal records
• References, e.g. from your former employer as proof of employment
• P60 and bank details to enroll you for tax and payroll, and any additional Information you may provide to us for payroll-related purposes, such as attachments of earnings

How and with whom do we share your Information?

Your CV Information will be reviewed by members of the recruitment team (part of the HR department) and the hiring manager, who may share it with colleagues and team members.
For some roles it may also be shared with other senior managers, directors and board members.

P60 and payroll-related Information is shared, only to the extent necessary in each case, with the payroll team (part of the Accounts department) and with our bank, with HMRC and with the providers of our pension scheme and other employee benefits.

If you have informed us of the need for salary deductions, such as a Direct Earnings Attachment or an Attachment of Earnings, we may share Information with the court or creditor to the extent necessary to implement it.

If necessary for the purpose of obtaining legal advice to enable us to hire you, we may share ‘right to work’ related Information with our lawyers.

Emergency contact details are shared, for example with your line manager, only when needed to make contact in an emergency.

Where do we process and store your Information?
Your Information may be stored and processed by CPOMS or by our contracted service providers, including our parent company, in:
(a) the UK, or
(b) the EU, where it has the same legal protection as in the UK, or
(c) by our parent company in the US, under an agreement approved by the Information Commissioner’s Office as guaranteeing the same legal protection as in the UK (an International Data Transfer Agreement).
 
If a service provider needs to store or process your Information in or access it from any other country, we will put in place measures approved by the Information Commissioner’s Office that commit the service provider to the same level of data protection as is required under the UK Data Protection Act and UK GDPR.
 
If your school or organisation is located outside the UK, your Information may also be accessed by CPOMS colleagues who manage your contract with CPOMS in the country location of the applicable Regional Office.
How long do we keep your Information?

We will only keep your Information for as long as is required or permitted by law.

If your application is not successful

All your Information will be rendered unidentifiable or destroyed within a month of notifying you of our decision.

If your application is successful

Information that we will need during the course of your employment, such as your name, contact details and bank details, will be transferred to our HR and other business systems and will be subject to our Employee Privacy Notice.
All other Information collected in the course of the recruitment process will be retained as follows:

• CVs and application forms:
Leaving date + 7 years
• Payroll-related Information excluding your bank details:
Leaving date + 7 years
• Your bank details:
Leaving date + 1 year
• Information held for compliance with the Equality Act and to maintain ‘reasonable adjustments’:
Leaving date + 7 years
• Copies of right-to-work documentation and DBS checks:
Leaving date + 7 years
• Details of next of kin / emergency contact details:
Leaving date + 3 months

Application, Interview and Offer stages
Our processing of your Information in our job application, selection and recruitment processes is necessary in order for us to take steps, at your request, prior to entering into a contract of employment.

Put more simply, you are seeking employment with CPOMS and we need this Information in order to assess your suitability for the role.

There are certain parts of our recruitment process in which the legal basis is different:

  • Gathering further Information from you during interviews, making notes and discussing with relevant colleagues is necessary for us to pursue our legitimate interests in selecting suitable individuals for employment. We have performed a balancing test and have concluded that our legitimate interests are not overridden by your rights and freedoms, and that it is also in your interests, as an applicant, for us to ensure that we make a good hiring decision.
  • Collecting proof of identify and right to work in the UK is necessary for us to comply with our legal obligations.
  • We have a legitimate interest in providing appropriate levels of assurance to our customers (predominantly schools) because, in your role, you will have access to information relating to schoolchildren and other vulnerable individuals. It is therefore necessary for us to seek references from your former employer(s) and to perform a Disclosure and Barring Service (DBS) check of criminal records so we can continue to provide that assurance.
Your Privacy Rights

(a) Right of access to your Information – we will provide you with the Information we hold
(b) Right to have inaccurate or out of date Information corrected
(c) Right to unsubscribe from marketing messages and emails
(d) Right not to be profiled for marketing purposes – we don’t do this anyway
(e) Right to object to our processing of your Information on grounds relating to your particular situation
(f) Right to restrict our processing of your Information in certain circumstances
(g) Right to have your Information deleted in certain circumstances (“Right to be Forgotten”)
(h) Right to transfer your Information to another provider (“Right of Portability”)
(i) Where our legal basis for processing is your consent, you may withdraw it at any time
(j) Right to make a complaint to the ICO (see “Lodging a complaint” below).

If you tell us you want to exercise your rights, we’ll confirm that we have received your request and let you know if we need anything else from you, then we will respond as quickly as possible and, in any case, within a month.

Lodging a complaint

If we fail to respond within a month when you send us a request to exercise any of these rights, or if you are unhappy about the way we or any of our partners are handling your Information, you can lodge a complaint by contacting [email protected].

If you are not happy with our response or handling of your complaint, you have the right to report your concern to the Information Commissioner’s Office, whose contact details can be found on their website at: www.ico.org.uk/global/contact-us.

How do I make a Rights request, ask a question or raise a concern?
Contact Us

We – CPOMS Systems Limited – are the “Controller” of your Personal Information, which means we decide the purposes for collecting your information and how we will process it.
More importantly, it means we are responsible for looking after it and complying with the law and your Privacy Rights.

Our registered address is:

CPOMS Systems Limited
CPOMS House
Acorn Business Park
Skipton
BD23 2UE

To exercise your Privacy Rights, contact our Data Protection Officer (DPO):

By email at: [email protected] writing “Data Protection Officer” or “DPO” in the subject line

By post to: Data Protection Officer, CPOMS Systems Limited, CPOMS House, Acorn Business Park, Skipton, BD23 2UE.

If you have any concerns about our handling of your Personal Information, we would like the opportunity to look into it for you and put things right, so please get in touch with our Data Protection Officer (DPO) at [email protected] to let us know what went wrong, and please write “Data Protection Officer” or “DPO” in the subject line.

If you are not happy with our response, you have the right to complain to the Information Commissioner’s Officehttps://ico.org.uk/make-a-complaint.

We are also the UK representative for our parent company, Raptor Technologies LLC, based in the US. If you wish to exercise your Privacy Rights or raise any concerns about their processing of your Personal Information, you can send your email or letter to us, marked for their attention and we will ensure that it is forwarded to them and acted on promptly. Alternatively, if you prefer, we will deal with the matter as their representative in the UK.