Introduction

Welcome to Watoto Play Limited’s (“Our Company”) privacy policy. We know that you do care on how information about you is used and shared.

Our Company is wholly committed to protecting and respecting the privacy of all our therapists, clients, customers, partners and the end users of our services and website.

Our Company’s privacy policy will inform you how we collect, use, maintain and disclose information collected from users of our website – mycctoolkit.com (“Our Website”).

Important information about our policies

This privacy policy aims to give you information on how Our Company collects and processes your personal data through your use of Our Website, including any data you may provide (about yourself of a third party) through Our Website when you sign up as a wp-signup.phped user.

This privacy policy together with:

• Our Terms of Service applicable to your use of Our Website where you are our Customer (“Terms of Service Policy”); and
• Our Terms of Website Use Policy applicable to your use of our Website generally (“Terms of Use Policy”);

and any other documents referred to in the Terms of Service and/or the Terms of Use Policy sets out the basis on which any personal data Our Company collects from you, or that you provide to Our Company, whether through Our Website or when you use our Services will be processed by us.

It is necessary that you read our privacy policy  together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data. This is so that you are fully aware of how and why we are using your data. Our privacy policy supplements other notices and privacy policies and is not intended to override them.

Children’s Privacy

This site is not intended for minors and we do not knowingly collect or solicit personal information from anyone under the age of 13. Therapist members of Our Website may submit information of children, subject to the conditions described below.

Changes to the privacy policy, and your duty to inform us of changes

We keep our privacy policy under regular review. We reserve the right to make changes to our privacy policy from time to time to acknowledge:

• changes to data protection laws and other legislation, which may affect this privacy policy.
• guidance issued by the Information Commissioner’s Office and other relevant regulatory bodies.
• issues raised by our customers, partners and end users.

Accordingly, we suggest that you regularly check this page to ensure that you continue to be comfortable with the measures that we are taking to protect your privacy.

This policy was last updated on 20th January 2022.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Our Company as controller

Except as described below in this privacy policy, Our Company will be the controller and responsible for your personal data. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

As controller, Our Company determines the purposes for which and the manner in your personal data is, or is to be, processed.

In this policy we describe the types of processing we may undertake with respect to your personal data.

The kind of information we may hold

• We may collect, use, store, transfer and otherwise process the following types of personal data:
• Customer Data: This is information you give us about you and your staff and may include:
• Identity Data including name, username, date of birth and gender;
• Contact Data including address, email address and telephone number;
• Transaction Data including details about payments to and from you and other details of products and services you have purchased from us;
• Creative Work created, saved or downloaded by you using the software and associated services provided and developed by Our Company which may be supplied to you;
• Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access Our Website.
• Profile Data including your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
• Usage Data includes information about how you use our website, products and services.
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

As controller, we do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

We may also hold personal data submitted by our customers of their clients (“Client Data”). We will hold this Client Data as processor, and the relevant customer will be

the controller. The terms applicable to Client Data are described below in the section, The Customer as Data Controller, the Company as Data Processor.

How is your personal data collected?

We use different methods to collect data from and about you including through:

• Direct interactions.
  • You may give us your Identity Data and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  • visit Our Website;
  • use our services, or apply to use our services;
  • correspond with us by filling in forms, post, phone, e-mail or otherwise;
  • request marketing to be sent to you;
  • participate in any discussion boards or other social media functions on Our Website;
  • submit an enquiry or support ticket to us regarding our services, whether by telephone, email, via our website or other channel;
  • wp-signup.php a profile, complete surveys, or tell us about any problems with Our Website;
  • submit material for publication on our website (whether in discussion boards, chat rooms or other social media platforms our website;
  • subscribe for any newsletter or publication we may supply.

• Automated technologies or interactions
  • As you interact with Our Website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
  • We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
  • Third parties or publicly available sources
  • We will receive personal data about you from various third parties as set out below:
  • Usage Data collected by Up Time Robot & – error and performance monitoring for Our Website;
  • Contact, Financial and Transaction Data from providers of technical, payment and delivery services such as Stripe.

How we will use personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you. This means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract;
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate interests means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
• You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us;
  • Where we need to comply with a legal obligation. This means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
  • Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
  • We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests (which means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience).
  • We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by email.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

Third-party marketing

As a general rule we do not share your personal data with any third party for marketing purposes. However if we do in the future we will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out: You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of service purchase or other transaction.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Disclosures of your personal data

We may share your personal data with the parties set out below for the purposes set out in the table above.

· service providers acting as processors based provide IT, hosting and system administration services;

· professional advisers including lawyers, bankers, auditors and insurers based in who provide consultancy, banking, legal, insurance and accounting service;

· HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances;

· Payment service providers, including Stripe (https://stripe.com/);

· Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy;

· Other third parties:

• • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply the Terms of Service or the Terms of Website Use Policy and other agreements; or
  • to protect the rights, property, or safety of the Company, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;
  • to assist us in improving our products and services. We monitor aggregated data that is collected by our service and may share this with third parties collectively and in an anonymous way. This data will not reveal personal information.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use

your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Where the Company will store personal data

We may hold personal information in electronic databases, such as our customer relationship management system. We take all reasonable steps to keep any personal information we hold about you (and any Client Data you submit) secure. All information which is provided to, or collected by, Our Company is:

• stored on the Company’s secure servers in the U.K.
• Hosted on secure data centre managed by our hosting partner with 24/7 manned security, CCTV, biometric access to the facility and restrictive access to the internals of the building based on authorisation levels.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Your data is encrypted on our servers during transit and at rest. 

Passwords and Security

Where we have given you (or where you have chosen) a password which enables you to access your account, you are responsible for keeping this password confidential. Our Company asks you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although the Company will do its best to protect your personal data, the Company cannot guarantee the security of your data transmitted via Our Website; any transmission is at your own risk.

Once Our Company has received your information, Our Company will use strict procedures and security features to try to prevent unauthorised access.

Security Best Practices

To assist with the security of your personal data you should:

• use a complex password for your account. Our Website uses 2 factor authentication which it can switch on. It is also strongly advised to use a combination of letters, numbers, and other characters;
• do not write your password down anywhere or tell it to anyone. If you forget it, you can reset your password here.
• log out of the website on computers or mobile phones when finished using Our Website;
• preferably use Our Website only on computers or devices that belong to you and not share devices;
• if using shared devices create a separate user account which only you have access to;
• use a password or fingerprint scanner to secure your mobile phone – like TouchID on your iPhone;
• do not reply to emails from us asking for your password or credit card details. We will never do this. If you’re unsure, contact us via our internal support ticket system in your membership dashboard.
• if you are a therapist user, do not give full access to your therapist account to clients whether supervised or not.
• For client access always allow access via a client account. You will receive one client account with your therapist membership and more client accounts can be purchased if you want to provide your clients with individual accounts.
• If you are screen sharing, please use the option “share part screen” you can watch the tutorial on how to do this in the library and get help using our regular meet-ups on using the platform. 

How long Our Company will use personal data?

Our Company will retain your personal data for:

• such time as this is required in connection with the services we are supplying to you;
• following completion of the services for a period of not less than 6 years from the date the Services end.

We may retain Customer Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Your rights as a data subject

Under certain circumstances, if you are an individual in respect of whom Our Company processes Personal Data, you have the following rights. Please note that this is a summary of your rights. If you wish to understand your rights in detail you should read the relevant laws of your country, guidance and regulations for a fuller explanation.

You have the right to:

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. We will supply the data free of charge but we reserve the right to charge a reasonable fee (or refuse to act on the request) if you request additional copies of the information, if access requests are unfounded or excessive. There are circumstances where we may withhold the supply of your Personal Data – for instance where the rights and freedoms of others may be affected or where we are permitted by law.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  • if you want us to establish the data’s accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims;
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you or information as state
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

No fee usually required: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Withdrawal of consent

In any cases where the legal basis for our processing of your Personal Data is consent, you have the right to withdraw that consent at any time. Such withdrawal will not affect the lawfulness of any processing before you withdraw consent.

If you fail to provide personal information

If you, the Customer, fail to provide certain information when requested, Our Company may not be able to perform the Services and any contract we have entered into with you or we may be prevented from complying with our legal obligations. In which case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Third Party Links

The Website may, from time to time, contain links to and from the websites, plug-ins and applications of our partner networks, advertisers and affiliates. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Please note that we do not control these third-party websites, which may have their own privacy policies, and that we are not responsible for their privacy statements.

When you leave Our Website, we encourage you to read the policy statement of every website you visit.

You are the controller of Client Data

Where you input Client Data to Our Website, which may be collected, stored and processed as a result of your use of the services, you will be the controller of the Client Data. Our Company will be a processor only. In cases where you are collecting, storing and processing Patient or client Data you will determine the purposes for which and the manner in which that Client Data is, or is to be processed.

You will also be responsible for:

• informing your staff and clients of your own privacy policy and practices, including the lawful grounds upon which you are processing any personal data;
• compliance with all applicable data protection legislation including all data protection and privacy laws relevant to the territory in which you operate and/or which are applicable to your clients.
• drawing your clients attention to this privacy policy;
• informing us if any client objects to either your or our processing. You can inform us at [email protected].

Your Client Data is to be distinguished from Customer Data which Our Company has collected from you (our Customer). For example, you may have agreed to our collection, use, transfer and storage of Customer Data (including data of your staff) for Our Company’s own business purposes including administration of contractual arrangements, sales and marketing.

Conditions for Processing

You will ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of the Client Data to Our Company and/or lawful collection of the Client Data by Our Company on your behalf for the duration and purposes of the services we provide to you.

Our Company shall, in relation to any Client Data processed in connection with the performance by Our Company of the services we provide to you:

• process that Client Data only as set out in this privacy policy or otherwise on your written instructions unless Our Company is otherwise required by the laws of any member of the European Union or by the laws of the European Union applicable to the Company (“Applicable Laws”). We will inform you if we believe your instructions are unlawful;
• ensure that we have in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Client Data and against accidental loss or destruction of, or damage to, Client Data, as are appropriate;
• ensure that all our staff who have access to and/or process Client Data are obliged to keep the Client Data confidential;
• not transfer any Client Data outside of the UK unless the you have given you prior written consent has been obtained and the following conditions are fulfilled:
  • you or Our Company has provided appropriate safeguards in relation to the transfer;
  • the data subject has enforceable rights and effective legal remedies;
  • Our Company complies with its obligations under the applicable data protection legislation by providing an adequate level of protection to any personal data that is transferred; and
  • Our Company complies with reasonable instructions notified to it in advance by you subject to 28 days’ notice with respect to assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the

Applicable Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

• • notify the Customer without undue delay on becoming aware of a Personal Data Breach;
  • within 60 days of the date of termination or cancellation of your Contract delete Patient’s or clients Data and copies thereof unless required by Applicable Laws to store the Personal Data; and
  • maintain comprehensive and accurate records and information to demonstrate its compliance with these obligations.

You acknowledge that Our Company uses various third-party suppliers to provide functionality within Our Website for your optional use to deliver and send text and email messages. You accept that such use will be in accordance with the third-party suppliers’ terms and conditions and their respective privacy policies.

You will ensure that you have obtained consent from any individual, or other authority, to share that individual’s Client’s Data via these communications.

Our Company confirms that it will notify you if it proposes to enter into any agreements with any third-party processor. In such cases, a written agreement with the third party processor will be entered into incorporating terms which are substantially similar to those set out in this privacy policy for processing by that third party.

You hereby consent to the following third party processors processing Client Data as part of our service. 

At any time on not less than 28 days’ notice, Our Company may revise this part of the privacy policy by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when this policy is updated).

Our Company is not liable in respect of any Client Data which is controlled by you in breach of the Applicable Laws or outside the scope of the permissions granted to you by your client.

Client Data

Client Data, which may be personal data you enter and save into Our Website about your clients when using Our Website and our services. It may also be personal data your client enters and save’s directly into a Client Account. The personal data entered may include, but is not limited to:

• Name;
• Address;
• Email address;
• Landline and Mobile Number;
• Insurer details;
• GP details;
• Emergency Contact;
• Medical records;
• Session Notes;
• Treatment plans;
• Letters & documentation;
• Communications with other healthcare professionals;
• Creative work/ activities/ worksheets

and other information necessary for the operation of our services and/or Our Website.

This Client Data may be supplied by you when you:

• use our services in the course of your business;
• use Our Website in the course of your business; or
• when you report a problem with our Site.

This Client Data may be processed by us for the purposes of:

• storing Client Data on Our Website;
• storing Client Data on our servers;
• supplying you with our products and services;
• enabling and assisting us to comply with all legal, regulatory and compliance obligations to which we are subject; and
• ensuring the security of our services, maintaining back-ups of our databases and sending communications to you.

Our Processing of Client Data

The legal basis for this processing is:

• you have obtained all necessary and appropriate consent from the client/data subject in accordance with the Applicable Laws;
• because this is necessary for your use of Our Website and the supply of our services to you, and performance of our contract; and/or
• your legitimate interests, namely the supply of your services to your Clients.

We will assist you in any audit of our processing of Client Data, on your reasonable written notice and at reasonable times.

Duration of Processing

Where we are the processor, Our Company will only process Client Data in accordance with the conditions for processing set out in this policy.

We shall only process Client Data while our contract with you is continuing and shall cease such processing:

• when requested by you;
• on termination of the contract;
• on cancellation of the contract; or
• at the request of the data subject.

Following completion of the services we may retain the Client Data for a maximum period of 45 days from the date the Services end, unless you instruct us otherwise.

Contact

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to [email protected].

If you have any questions or have a complaint about this privacy policy please let us know us immediately.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance at: [email protected]