This privacy notice tells you what you can expect and how we may process and look after your data if you are using a Moki Band as an individual or are part of a Group, School or Organisation that is purchasing and using Moki products.

Moki are a controller for personal data, Personal Data means any information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or

who can be indirectly identified from that information in combination with other information which could be available to Moki

To support this Privacy Policy and to ensure transparency to our Users we have put together a Data Protection FAQ section, this can be found here:

Moki Data Protection FAQ

About Moki

Minnow Technology Limited (T/A Moki), a Company registered in England & Wales (Company number: 11266496) with its registered offices at: Lennox House, 3 Pierrepont Street, Bath, BA1 1LB. We may also trade under the names of “Moki” or “Moki Bands”

Minnow Technology Limited (T/A Moki) are registered with the Information Commissioner's Office - registration number: ZA439656.

Moki ICO Registration Entry

Data Protection Officer (DPO) Contact Details

Minnow Technology Limited (T/A Moki) is the Data Controller for personal information that we collect for our purposes and we can be a Data Processor under certain circumstances.

You can contact our Data Protection Officer directly using the following methods:

Email:
dataprotection@moki.health

Post:
Data Protection Officer
Moki
54A Mount Pleasant
Atworth
SN12 8HQ

Solution Summary - Privacy by Design

Moki has been designed using a privacy by design approach, this means that data protection has been a driving force in developing the Moki solution at every stage.

Moki as Data Processor

Moki does not disclose any personal data to any third party unless specifically authorised by the purchasing organisation or required by law. As the Data Processor, Moki will act under the instructions of the purchasing organisation (Data Controller) in relation to the processing of personal data. All individuals whose data is processed should be aware that Moki processes data under the authority and instructions of the purchasing organisation, with data protection and privacy controls in place as required by law.

Any data that is inputted by the customer about their users, regardless of whether it is deemed as Personal Data or not, is pseudonymised and encrypted at the local level (within the Moki Application) in the classroom and/or school environment or is encrypted during transit and at rest.  

• Moki does not any require personal data from users of the product

• Moki is a Data Controller for our customer who purchase the solution, usually headteachers or school administrators. 
• We have conducted appropriate Data Privacy impact Assessments (DPIA’s) to ensure privacy is at the forefront of how we process any data and highlight and effectively manage and mitigate any identified risks to individuals.

• If the purchasing organisation enters any details which could be classed as Personal Data, Moki identifies as a Data Processor and does so under the instruction of the organisation who have chosen to enter the personal data. It is important to keep in mind that users can receive full features and benefits of the system without entering any Personal Data

• Moki does not collect health data or location data, Moki collects steps attributed to the unique Moki band.

Our Legal Basis for Processing

Under the United Kingdom General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018 there are various legal basis for the processing of Personal Data.

The legal basis that Moki uses is Consent, Legal Requirement or Performance of Contract depending on who you are and your involvement with Moki, these different individual types and the processing basis are detailed within this document.

For example, the “customer” of Moki (in most cases a school, sport clubs or centre for education) will have Consented for their details to be processed by Moki when they sign up for our marketing newsletter or online resources, we will rely on Performance of a Contract to deliver Moki products to them if they make a purchase via our online shop. We may further process your Personal Data for legal or regulatory purposes by using the Legal basis of processing. 

Marketing Communications

Consent is always used for marketing communications which you are able to withdraw consent from at any time if you are subscribed. Unsubscribe links are sent with each and every communication.

Personal Data - What Information Do We Collect?

Personal Data may be received by Moki in various different ways depending on how you interact with us.  We will only use your personal data when the law allows us and only for the following purposes outlined in the table below and to the extent that is required for us to carry out the full services on behalf of our Customer based on the Agreement we have with them. In addition, we will use your personal data where we need to comply with our legal and/or regulatory obligations

Below are details of the types of information that may be collected and the purposes:

Data Subject (Whose data is this?)	The individual who purchases Moki bands on behalf of their Organisation / Group (The Customer)	The individual who purchases Moki bands on behalf of their Organisation / Group (The Customer)	An individual who signs up for email marketing communications from Moki
Data Category (What data is obtained?)	Name, organisation details including contract and delivery information	Payment and transaction details and information	Email address
Description of the information that may be collected	Full name of ordering and receiving individuals. Billing and delivery address, organisational names, appropriate additional contact information including email and phone number	detail of your order and payment methods.	The Email address of the individual
Is Personal data mandatory or required?	Yes	Yes	Yes
How is information captured and where is it stored?	Data entered into Moki online store	Data entered into Moki online store	Data entered into email sign up box
Purpose of data collection	To receive, fulfil and support the products and services purchased from Moki	To receive, fulfil and support the products and services purchased from Moki	To deliver the requested marketing communications
Moki’s legal basis to processing	Performance of Contract	Performance of Contract	Consent

We may anonymise and aggregate data for Moki’s business purposes including reports and research.

Sharing Personal Data with Third Parties 

We go through a stringent due diligence process when we select any third parties to work with to ensure their policies and processes are in line with our own.

We will only share your Personal Data in the following circumstances:

• We have a legal obligation to do so, for example for law enforcement or regulatory bodies.

• To protect our interests or business and help us prevent fraud, detect crime or investigate any form of malicious or other activity which may be against our terms of service.

• Where you give us specific permission to do so by providing consent

• If we are in the process of or have been sold to another organisation 

• Where it is required for Moki to grow or further its business 

Moki also use third parties to provide services to our business such as hosting, email communications, payment and delivery services. These organisations will only process your data under the instructions of Moki unless you are otherwise advised.

Business Growth Context

Moki may share personal data in the context of business growth, such as during partnerships, investments, or acquisitions. For example, if Moki is being acquired by another company, personal data may be shared with the acquiring entity as part of due diligence and integration processes.

Data Shared

This could potentially include customer data (e.g., contact information, purchase history) and user data (e.g., anonymized and aggregated step data). However, any sharing will be governed by strict contractual obligations and compliance with data protection laws, ensuring that personal data is handled securely and lawfully.

Informed Consent Requirement

Where Moki shares personal data with third parties at the request or with the consent of the purchasing organisation, it is the responsibility of the purchasing organisation to ensure that it has obtained the informed consent of any individuals whose personal data is being shared. Moki does not share personal data of the wearer with third parties unless under specific circumstances, such as legal obligations or with the consent of the purchasing organisation. Any sharing of anonymized and aggregated data (e.g., steps, gender, SEN/Free School Meals flags) for research or analytical purposes does not include identifiable personal data.

In summary, while Moki takes significant steps to protect user data through pseudonymization, encryption, and other security measures, the sharing of personal data is tightly controlled, with limited sharing and robust protections against potential threats.

Security 

Moki has been developed with your Privacy in mind and we have taken appropriate technical and organisational measures to protect the confidentiality and integrity of your data including encryption of data during storage and transit.

International Transfers

We may transfer your personal data to countries outside the UK. If we do we will ensure that appropriate safeguards are in place. These safeguards may include adequacy decisions or Standards Contractual Clauses. The most common destination will be the European Union or United States of America. 

Your Rights

Under data protection law you have rights we need to make you aware of, these are listed below.  

Please contact our Data Protection Officer to discuss any of these rights and how we may assist.

Your right of access

You have the right to ask us for copies of your personal information

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you.

Please see the Data Protection Officer details above to how to request any of the above rights.

Data Retention 

We will only retain personal Data for as long as necessarily required to deliver the services to our customers.

The retention period of personal Data is linked to the services we provide to our customers and therefore the period that we will retains data for will vary according to how long you use our services and stay subscribed to our marketing communications.

For further details or any questions please contact the Data Protection Officer at the details provided in this policy.

Changes to our Privacy Policy

This Privacy Policy goes through regular reviews and is updated where appropriate, revised version will be visible on our websites.

This Privacy Policy was last updated: September 2024