1. DEFINITIONS
1.1. In this Data Processing Addendum:
1.1.1. Terms such as “process/processing”, “data subject”, “processor”, “controller”, “personal data”, “personal data breach” and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.1.2. “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in the Annex to this Data Processing Addendum (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Controller in accordance with section 6.1;
.1.3. “EEA” means the UK or the European Economic Area;
1.1.4. “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation);
1.1.5. “Sub-processor” means any data processor (including an affiliate of Consumable AI) appointed by Consumable AI to process personal data on behalf of the Controller.

2. APPLICATION
2.1.This Data Processing Addendum shall apply where, in the course of providing the Service, Consumable AI processes any Personal Data as processor on the Customer’s behalf.

3. SCOPE
3.1. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in the Annex to this Data Processing Addendum.
3.2. The Customer warrants that it has all necessary rights to provide the Personal Data to Consumable AI for the purposes of the performance of the Service.

4. CONFIDENTIALITY
4.1. Consumable AI shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
4.2. Consumable AI shall take reasonable steps to ensure the reliability of any employee, agent, contractor and Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes of the performance of this Agreement in the context of that person’s or party’s duties to Consumable AI.
4.3. Consumable AI shall ensure that all such persons or parties involved in the processing of Personal Data:
4.3.1.are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
4.3.2. have undergone adequate training in the use, care, protection and handling of Personal Data.

5. SECURITY
5.1. Consumable AI shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.

6. SUB-PROCESSING
6.1. Subject to section 6.3, the Customer provides its general authorisation to Consumable AI to engage any Sub-processor selected by Consumable AI.
6.2. As at the date of this Data Processing Addendum, Consumable AI has engaged those Sub-processors set out in the Annex to this Data Processing Addendum (Authorised Sub-processors). Consumable AI shall give the Customer not less than thirty (30) days’ prior written notice of any intended change concerning the addition or replacement of a Sub-processor, thereby giving the Customer the opportunity to object to such changes. Each such notice shall include details of the processing activities to be undertaken by the additional or replacement Sub-processor and the identity and location of the Sub-processor.
6.3.With respect to each Sub-processor, Consumable AI shall:
6.3.1. carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Data Processing Addendum;
6.3.2. include terms in the contract between Consumable AI and each Sub-processor which are equivalent to those set out in this Data Processing Addendum, and shall supervise compliance thereof;
6.3.3.remain fully liable to the Customer for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.

7. DATA SUBJECT RIGHTS
7.1. Consumable AI shall without undue delay notify the Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of GDPR, and shall provide full details of that request.
7.2. Consumable AI shall co operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this Agreement.

8. INCIDENT MANAGEMENT
8.1. In the case of a Personal Data Breach, Consumable AI shall without undue delay notify the Personal Data Breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1. Consumable AI shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Consumable AI on behalf of the Customer and taking into account the nature of the processing and information available to Consumable AI.

10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
10.1.Consumable AI shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of Personal Data by Consumable AI; or (ii) termination of this Agreement, at the choice of the Customer either:
10.1.1. return a complete copy of all Personal Data to the Customer by secure file transfer in such format as notified by the Customer to Consumable AI and securely wipe all other copies of Personal Data processed by Consumable AI or any Authorised Sub-processor; or
10.1.2. securely wipe all copies of Personal Data processed by Consumable AI or any Authorised Sub-processor, and in each case provide written certification to the Customer that it has complied fully with this section 10.

11. AUDIT RIGHTS
11.1. Consumable AI shall make available to the Customer on request all information necessary to demonstrate compliance with this Data Processing Addendum and Data Protection Laws and allow for and contribute to audits, including inspections by the Customer or an independent auditor mandated by the Customer of any premises where the processing of Personal Data takes place.
11.2. Consumable AI shall permit the Customer or an independent auditor mandated by the Customer during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of Data Protection Laws and this Data Processing Addendum are being complied with.
11.3. Consumable AI shall provide reasonable co operation to the Customer in respect of any such audit and shall at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Data Processing Addendum and Data Protection Laws.

12. INTERNATIONAL TRANSFERS
12.1.Consumable AI shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the UK or the EEA without an adequate level of protection unless Consumable AI provides appropriate safeguards (such as entering into (or procuring that any relevant Sub-processor of Consumable AI enters into) an agreement with the Customer on Standard Contractual Clauses (as adopted by the European Commission)), and on condition that enforceable data subject rights and effective legal remedies for data subjects are available in accordance with Article 46 GDPR.

13. COSTS
13.1. Consumable AI shall be entitled to charge the Customer reasonable costs based on its standard billing rates for providing any support or carrying out requests made under this Data Processing Agreement.

Annex

1. Introduction
1.1 Consumable AI Limited and its group companies (“we”, “our” or “us”) provide this Data Privacy Statement to inform our independent contractors of our policy relating to the processing of their personal information.
1.2 This statement sets out the basis on which we will process your personal information. Please read it carefully to understand our practices regarding your personal information and how we will use it.
1.3 This statement may be amended at any time.

2. About us
2.1 We are the data controller of the personal data of Consumable AI, and are subject to applicable data protection laws (the UK General Data Protection Regulations and the Data Protection Act 2018).
2.2 We will comply with data protection law. This says that the personal information we hold about you must be:
2.2.1 used lawfully, fairly and in a transparent way;
2.2.2 collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
2.2.3 relevant to the purposes we have told you about and limited only to those purposes;
2.2.4 accurate and kept up to date;
2.2.5 kept only as long as necessary for the purposes we have told you about;
2.2.6 kept securely.

3. Contacting us
If you have any questions about this Data Privacy Statement or your personal information, or wish to exercise any of your rights as described in this statement or under applicable data protection laws, you can contact our Operations Team by email: support@Consumable AI.com or contact Support via the Consumable AI App.
Queries will be responded to within ten working days. Subject Access Requests will be responded to as per regulatory timelines.

4. What types of data are protected
4.1 Personal data
This Data Privacy Statement applies to your “personal data”, which is any personal information relating to you as an identified or identifiable person. This data is referred to in this Data Privacy Statement as “Personal Information”).
4.2 Special categories of personal data
Within the broad range of personal data, the following are “Special Category Data” which are subject to a greater degree of protection:
physical or mental health;
racial or ethnic origin;
political opinions;
trade union membership;
religious beliefs;
sexual life; and
genetic and biometric data.

5. What information we collect
5.1 Information you give us
5.1.1 You may give us Information by filling in forms online, such as registering on the App, or by corresponding with us by phone, email, in person, or otherwise.
5.1.2 To assist us in complying with our obligation to maintain accurate Information, you should immediately update your information in the Consumable AI App and notify the Operations Team in writing of any changes to your personal details. Such changes may include, but are not limited to:
your name, change of address, phone number or mobile phone number;
your nationality or immigration status;
any change of contact details such as address, phone number etc.;
your bank details.
Failure to comply with this requirement may result in Shepherd account lock out or termination, or delays in processing payment requests, particularly in the case of inaccurate bank information.
5.1.3 Where you have notified us or we otherwise become aware of an inaccuracy in Information, we will take steps to ensure that Information is erased or rectified without delay.
5.1.4 At times we may use information you have given us in marketing assets to promote the role to other potential Consumable AI. We reserve the right to use anonymised information you have provided us to do this, such as positive feedback in the Shepherd Survey. Where we would like to use your name and location, we will expressly ask permission before doing so.
5.2 Information we collect about you
5.2.1 We collect Information to operate our business to meet Client service level agreements (SLAs) and to comply with our legal and regulatory obligations as a contracting party.
5.2.2 We may collect, store and use Information relating to your use of our IT systems, including our App
5.2.3 The Information that we may collect about you includes, but is not limited to, the following:
name;
home address;
contact details (such as phone numbers and email addresses);
copies of your passport, driving licence and similar documents for ID verification;
languages spoken and level of proficiency;
location
IP addresses

6. Information provided by third parties
6.1 We may also collect Information from external sources, such as those that are commercially available to us.
6.2 Some of the Information we collect (as described in section 4), and additional Information, may be provided to us by recruitment agencies with whom you have registered an interest. Such recruitment agencies support our recruitment processes under a duty of confidentiality.
6.3 We may also receive Information from organisations such as credit reference agencies, fraud prevention agencies and referees.

7. Data relating to criminal convictions & offences
7.1 We may also request data relating to criminal convictions and offences. This data is only processed:
if you have given your consent to the processing; or
if it is necessary for the purposes of performing or exercising our or your obligations or rights under law; or
if it is necessary for the prevention or detection of an unlawful act and it is necessary for reasons of substantial public interest; or
in connection with any legal proceedings (including prospective legal proceedings) and/or the obtaining of legal advice.
7.2 We won’t request any further data relating to criminal convictions or offenses beyond confirmation if you have any unspent convictions. Confirmation that you do have unspent convictions won’t affect your ability to see and assign most jobs on the app, however some clients reserve the right to only have Consumable AI perform work in their stores without unspent criminal convictions.

8. What we do with your information and on what basis
8.1 We process Information (other than special categories of personal data) for the reasons listed below. The legal justification for the processing of the Information is, in each case, one or more of these reasons. Specific examples are given – some of which may overlap, as there may be more than one reason for processing Information.
8.2 Processing is necessary for the performance of tasks
In order for us to ensure that Consumable AI can perform our contractual obligations as outlined in the Terms and Conditions, we may process Information for the following purposes (where applicable):
onboarding processes (e.g. communicating with you in relation to your registration);
considering your suitability for work and conducting appropriate identify verification checks;
induction processes;
scheduling and sharing relevant job information;
complying with our legal and regulatory obligations;
training;
payment processes and administration of your contract;
monitoring SLA’s;
criminal records checks;
undertaking business analysis activities.
8.3 Where we have a legal or regulatory obligation
UK and EU law and certain rules and regulations require us to process Information in order to comply with our legal or regulatory obligations. In order for us to do so, we may process Information for the following purposes (where applicable):
preventing illegal working;
where new legislation requires mandatory reporting, e.g. HMRC complying with health and safety obligations;
ensuring the safety and security of our systems;
carrying out equal opportunities monitoring;
responding to government statistical monitoring (Office for National Statistics);
in relation to legal claims made by a Shepherd, or against a Shepherd, in order to comply with court processes and court orders providing regulatory references; and

8.4 Where we have a legitimate interest
8.4.1 Data protection law allows us to process Information where it is necessary for the purposes of our legitimate interests. We consider it to be in our legitimate interests to process Information for the following purposes:
onboarding processes (including communicating with you in relation to your registration);
considering your suitability for work, taking up references, and conducting appropriate checks;
scheduling and sharing relevant job information;
administering our IT system including troubleshooting, data analysis, testing, research, statistical and survey purposes;
dealing with any legal disputes involving you or other current, prospective or former contractors;
improving our software to ensure that content is presented in the most effective manner for you and for your computer, mobile device or other item of hardware through which you access our software;
ensuring the safety and security of those working for us;
where a Shepherd may have been removed from the App as part of our efforts to keep our software safe and secure and to monitor compliance with our related policies;
reporting to government entities.
8.5 Special categories of personal data
8.5.1 We may process “special categories of personal data” for the purposes of:
performing or exercising our or your obligations or rights under law, including for assessing suitability for particular jobs and considering whether adjustments may need to be made to accommodate an individual with a disability;
where it is in the public interest, such as for equal opportunities monitoring;
establishing, bringing or defending legal claims.
8.5.2 We may also process “special categories of personal data” in other limited circumstances, with your explicit written consent. We do not need your consent to process “special categories of personal data” in circumstances where we already have a legal right to do so and we carry out such processing in accordance with this statement. If we do ask you for your written consent, we will provide you with full details of the information we are seeking from you and the reason why, in order for you to make an informed decision. It is not a condition of your contract that you agree to any such request by us.

9. Disclosure of your information to third parties
9.1 For the purposes set out in section 8 above, we may share Personal Information with:
our group companies;
professional advisors (including lawyers, accountants and auditors);
legal and regulatory authorities; and HM Revenue & Customs and other government/state related entities.
9.2 We may also disclose Information to third parties where it is in our legitimate interest to do so, including for the following reasons:
in the event that we sell or buy any business or assets, in which case we may disclose Information to the prospective seller or buyer of such business or assets; or
if we are under a duty to disclose or share Information in order to comply with any legal obligation.
9.3 Save as set out in this Data Privacy Statement, or as required by law, we do not sell Information or disclose it to any third parties without your consent, unless there is a legitimate interest, e.g. sharing your postal address with a 3rd party to send you materials to support completion of a job.

10. Updating policies and procedures
10.1 Any new or updated policies or procedures will be communicated to you by via the App, or any other appropriate method.

11. Security of your information
11.1 We are committed to ensuring that your Information is safe and we will take all steps reasonably necessary to ensure that your Information is treated securely and in accordance with this Data Privacy Statement.
11.2 All Information you provide to us electronically is stored on secure servers within the United Kingdom and the EU.
11.3 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our software, you are responsible for keeping this password confidential. We ask you not to share your passwords with anyone.
11.4 We take appropriate technical and organisational security measures and have rules and procedures in place to guard against unauthorised access, improper use, alternation, disclosure and destruction and accidental loss of personal data.

12. How long we keep your information
12.1 We will keep your Information for as long as necessary to fulfil the purposes described in this Data Privacy Statement, or for as long as we are required to do so by law or in order to comply with a regulatory obligation should one arise.

13. Your rights
13.1 Access to your Information and updating your Information
13.1.1 You have the right to access Information that we hold about you, subject to certain limited exceptions provided by law. If you so request, we shall provide you with a copy of Information which we are processing and hold about you (“data subject access request”). For any further copies which you request, we may charge a reasonable fee based on administrative costs.
13.1.2 You also have the right to receive such Information in a structured and commonly used format so that it can be transferred to another data controller (“data portability”).
13.1.3 We want to make sure that your Information is accurate and up to date. You may ask us to correct or remove information which you think is inaccurate.
13.1.4 Right to object to processing in certain circumstances
13.1.5 You also have the right to object, on grounds relating to your particular situation, at any time to the processing of your Information which is based on our legitimate interests. Where you object on this ground, we shall no longer process your Information unless:
the processing is nevertheless necessary for the performance of your contract or contract to work or provide services; or
the processing is necessary for the establishment, exercise or defence of legal claims; or we have a legal or regulatory obligation for which the processing of the Information is necessary; or we can demonstrate that our legitimate interest is sufficiently compelling to override your fundamental rights and freedoms.
13.2 Your other rights
13.2.1 You also have the right to request that we rectify your Information if it is inaccurate or incomplete.
13.2.2 In certain limited circumstances, you have the right to request the erasure of your Information (‘right to be forgotten’).

14. Exercising your rights
14.1 You can exercise any of your rights as described in this Data Privacy Statement and under data protection laws by contacting us via support@Consumable AI.com.
14.2 Save as described in this Data Privacy Statement or provided under data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee, taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
14.3 Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.

15. International transfers
15.1 As an international organisation, authorised personnel may access your Information in any country in which we operate. Therefore, it may be necessary to transfer your details to members of our group located in countries that may not offer equivalent data protection or privacy laws to those in the UK or the EU. Our data is stored in the UK and Ireland (EU) via encrypted AWS servers.
15.2 Regardless of where your Information is transferred, we shall ensure that your Information is safe and shall take all steps reasonably necessary to put in place appropriate safeguards to ensure that your Information is treated securely and in accordance with this statement and applicable law.

16. Complaints
16.1 Complaints to Consumable AI should be submitted in writing to complaints@Consumable AI.com. We aim to respond within three working days.
16.2 You also have the right to complain to the Information Commissioner’s Office (https://ico.org.uk/) about our data processing activities. The Office has a dedicated helpline at 0303 123 1113.

17. Changes
17.1 This Data Privacy Statement may be amended by us at any time in our sole and absolute discretion. Any changes which may be made to this Statement in the future will be notified to you via the Consumable AI App.
17.2 This Data Privacy Statement was last updated on 26th March 2024.