Client Privacy Notice

This privacy notice sets out how CV Technologies Limited, trading as Routes, processes personal data on behalf of its clients through the Routes platform and in connection with the provision of its services. Whilst Routes generally acts as a data processor in respect of personal data which clients choose to input, upload or otherwise manage through the platform, this notice is intended to provide transparency as to the categories of personal data processed, the purposes of such processing, and the measures adopted to safeguard that data.

CV Technologies Limited acts as a data controller in respect of personal data processed for its own business purposes, including client account management, billing, contractual administration, compliance, service improvement, support and security.

In relation to personal data which a client submits to, stores within, or otherwise processes through the Routes platform for that client’s own purposes, CV Technologies Limited acts as a data processor and processes such data solely on the documented instructions of the relevant client, who remains the data controller in respect of that information.

CV Technologies Limited, trading as Routes, is responsible as data controller for personal data processed for its own business purposes. In relation to personal data processed through the Routes platform on behalf of a client, the client remains the data controller and CV Technologies Limited acts as data processor. Clients are responsible for determining the lawful basis for their own processing activities and for issuing such privacy information to data subjects as may be required under applicable data protection legislation.

Any queries concerning this notice or the handling of personal data by Routes may be directed to CV Technologies Limited, trading as Routes, at Wigan Hall, New Market Street, Wigan, WN1 1HH, United Kingdom, or by using the contact details made available through our website or contractual documentation.

The categories of personal data processed through Routes will depend upon the manner in which a client uses the platform. As a minimum, the Routes platform requires a name, email address and password in order to establish a user account. Any additional personal data fields or categories of information collected through the platform will be determined by the relevant client in its capacity as data controller, according to the manner in which it chooses to configure and use the service.

Such additional data may include:

• Identity and profile information, such as dates of birth, photographs, identifiers and school, club or programme details
• Contact information
• Education, training, development and progression records
• Achievement and qualification information
• Goals, assessments, references, comments and feedback
• Documents and other materials uploaded by users or administrators
• Communications sent through the platform
• Limited technical, device and usage information necessary to provide, maintain, secure and support the service

Routes processes client data for the purpose of providing and supporting the functionality of the platform, including hosting data, enabling user access, storing and displaying records, facilitating uploads, feedback, references and progress tracking, supporting account administration, maintaining service performance, providing customer support, monitoring security, troubleshooting issues, and carrying out such other processing as is necessary in order to deliver the services requested by the client in accordance with the applicable contract and the client’s documented instructions.

Where CV Technologies Limited processes personal data on behalf of a client through the Routes platform, it does so in order to perform its contractual obligations to that client under the applicable service agreement and on the client’s documented instructions. Routes does not determine the lawful basis relied upon by the client for the client’s own use of personal data within the platform. Each client remains responsible for identifying and documenting its own lawful basis for processing and for providing appropriate privacy information to individuals.

Depending upon the manner in which the Routes platform is used, that lawful basis may, in many cases, be consent, particularly where use of the platform is optional rather than mandatory; however, each client must undertake its own assessment by reference to the specific circumstances of its processing activities.

To assist clients in meeting their transparency obligations, CV Technologies Limited can provide a user-facing, age-appropriate privacy notice template for use by clients where appropriate. Any such template is intended as a support document only, and each client remains responsible for ensuring that the privacy information it issues accurately reflects its own processing activities, lawful basis, and the manner in which it uses the Routes platform.

CV Technologies Limited may make client data available to those authorised personnel who require access for the purpose of providing, maintaining, securing and supporting the Routes platform. We may also engage carefully selected third-party service providers, including providers of hosting, infrastructure, support and security services, who process personal data on our behalf subject to appropriate contractual safeguards.

Client data will not be disclosed to third parties except where such disclosure is necessary for the provision of the service, required by applicable law, necessary to protect rights, property or security, or otherwise authorised or instructed by the client.

Client data processed through Routes will be retained for so long as is necessary to provide the service to the client and in accordance with the applicable contract, the client’s instructions, and any legal or regulatory obligations. Upon expiry or termination of the relevant service arrangement, and subject to any agreed retention provisions, client data will be returned, deleted or otherwise securely disposed of in accordance with the contractual terms and our internal procedures.

Certain limited information may be retained where necessary for legal, regulatory, compliance, security, dispute resolution or audit purposes.

CV Technologies Limited implements appropriate technical and organisational measures designed to protect client data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed through the Routes platform.

Such measures include access controls, authentication measures, encryption where appropriate, monitoring, contractual safeguards and internal security policies. Client data processed through Routes is kept within a controlled service environment hosted in the United Kingdom by Microsoft Azure; no further sub-processors are utilised at present. It is not anticipated that personal data will be transferred internationally; CV Technologies Limited will however ensure that appropriate safeguards are in place in such instances.

Where artificial intelligence or machine learning functionality is deployed as part of the service, such functionality is applied solely for the purpose of delivering the relevant feature within the platform and not for the development or training of external or general-purpose models using client data.

Insofar as the Routes platform is likely to be accessed by children, CV Technologies Limited designs and operates the service with regard to the Information Commissioner’s Office Children’s Code, also referred to as the Age Appropriate Design Code, and the standards applicable to online services likely to be accessed by children.

Individuals whose personal data is processed through Routes may have rights under applicable data protection law, including rights of access, rectification, erasure, restriction, objection and, where applicable, data portability. Where artificial intelligence or other automated functionality is used within particular features of the platform, Routes does not intend that such processing should result in solely automated decisions producing legal or similarly significant effects without appropriate human involvement, unless otherwise expressly agreed with the client and permitted by law.

Where CV Technologies Limited acts as data processor on behalf of a client, requests relating to client data should ordinarily be directed to the relevant client as data controller. Where appropriate and in accordance with the applicable contractual arrangements, Routes will provide reasonable assistance to clients in responding to such requests.

CV Technologies Limited may amend this privacy notice from time to time in order to reflect changes to the Routes platform, service arrangements, legal obligations or data protection practices. The most recent version of this notice will be made available through the Routes website or otherwise provided to clients upon request.

This notice is intended to provide transparency in relation to the manner in which client data is processed through the Routes platform and to assist clients in meeting their own data protection compliance obligations. It should be read in conjunction with any applicable contract, data processing agreement and, where relevant, any separate privacy information relating to CV Technologies Limited’s own controller activities.

If any individual has concerns about the manner in which personal data has been handled through the Routes platform, they may raise the matter with CV Technologies Limited using the contact details provided in this notice. Complaints will be acknowledged within 30 days of receipt and a response provided without undue delay.

Where the concern relates to personal data processed by Routes on behalf of a client, the complaint should ordinarily be directed in the first instance to the relevant client as data controller, as that client is responsible for determining the purposes and lawful basis of the processing. If the matter is not resolved, individuals may also have the right to lodge a complaint with the Information Commissioner’s Office: ico.org.uk