Privacy Policy

This Privacy Policy tells you what to expect when Caboodle Technology Ltd (caboodle) process your personal information. Your personal information is processed on the caboodle product 'Salary Extras'.

Our Responsibilities

This service was chosen by your employer, 'the controller' of your personal information, to bring you a range of benefits on their behalf.

In this relationship, we are 'the processor' of personal information where it is provided by your employer. We are contractually obliged to provide the service to your employer, and we cannot provide the service without processing your personal information.

Caboodle only ever act under written instruction issued by your employer in the processing of your personal information. We have a data processing contract in place with your employer to ensure we protect and fairly process your personal information.

Where you provide information as an individual, we are the controller of your personal information. For example, this is the case if you submit your mobile phone number through the account page (directly as a data subject, or not provided through your employer, the data controller).

You have certain rights under the General Data Protection Regulation (EU 2016/679) which are listed below. We have indicated where the decision for granting your rights rests directly with your employer.

Caboodle takes adequate steps to prevent unauthorised access to personal information, including implementing technological and operational security measures in accordance with ISO27001, documenting our processing activities, data processing contracts with sub-processors and suppliers, and appointing a Data Protection (Compliance) Officer.

Your Responsibilities

Where information is requested from you to apply for a scheme, you are responsible for ensuring the information provided to caboodle is accurate, including, where required, updating the information with any changes when they occur. Any additional information provided that the system does not require is provided at your own risk.

Why we collect your information

Caboodle cannot fulfil its contractual obligations to your employer without processing personal information.

The personal information collected is adequate, relevant and limited to what is necessary in relation to the processing purpose, which is the provision of employee benefits and communications.

Your Rights

Under UK GDPR, you have rights in relation to the processing of your personal information.

1. The right to be informed

You have a right to be informed about the collection and use of your personal information. Caboodle tell you how your information will be collected and used in this Privacy Policy.

Information Collection

Your employer decides how information will be collected. In some cases, personal information is collected and passed from your employer to caboodle before you register to Salary Extras. In other cases, you register and provide your information yourself.

The Information We Collect

The information we collect includes:

  • First name, Surname and Title
  • Payroll/Employee Number
  • National Insurance Number
  • Date of Birth
  • Home address
  • Mobile number
  • Telephone numbers
  • E-mail addresses
  • Salary details
  • Hours worked
  • Details of benefit entitlement
  • Details of benefit spend
  • Telephone conversations

For security and performance monitoring, caboodle also process IP addresses.

Use of Information

1. Employee Benefits

Examples of scenarios in which we would require your personal information include:

  • Access and administering of employee benefits applications
  • Ensuring the accuracy of your benefit application and any salary deductions
  • Ensuring when you apply for benefits, your application complies with relevant rules and legal guidelines

Any personal information shared during a telephone conversation with one of our operators is always kept strictly confidential. Calls are recorded for training and monitoring purposes to ensure caboodle maintains its high standards of customer service.

2. Cookies

A cookie is a small file which asks your permission to be placed on your computer's hard drive. Once you agree, the file is added, and the cookie helps Salary Extras monitor which pages you find the most useful to help us provide you with a better website. [This software is provided by Google Analytics which uses cookies to track visitor usage. You can read Google's privacy policy here: http://www.google.com/privacy.html]

A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer.

If you decline cookies, please be aware that this may impair your ability to use some areas of the website.

3. Communications

You will be emailed about some of your activity on Salary Extras.

Caboodle will never share, sell, lease or distribute your data to any external third party for direct marketing purposes.

We may contact you via the Salary Extras message centre, via email from caboodle, or use a third-party email service to provide you with information about your benefits. These emails will be sent to the email address you used to register on the platform.

Transfer of Information

Where information is provided by your employer, your personal information is transferred to caboodle using the secure method agreed by your employer.

Where data is shared with a third party or sub-processors are engaged, it is for one of the following reasons:

  1. Acting under the written instructions of the controller
  2. For the performance of a contract with the controller
  3. To fulfil our legal obligations

In such cases, your employer will be aware and will have asked us to release this data to a specified sub-processor or third party. Where required, service providers have signed the relevant contractual agreements with us to ensure adequate levels of data protection. These companies are required to act in accordance with the instructions we give them, and they must meet the requirements of the GDPR to keep your personal information secure. When we share data, we only share the minimum required for that application or communication, and service providers are not permitted to use the data for any purpose other than the purpose it has been expressly provided for.

Caboodle hosts a variety of voluntary benefit providers on the Salary Extras platform for which services you will transact directly with the provider on their web application via an external link from Salary Extras. You are advised to read and accept their Privacy Policies and terms and conditions of use and select the appropriate tick-boxes where indicated to capture your marketing preferences for these companies.

Where required, your information may be processed outside of the European Economic Area (EEA) and only where adequate safeguards for the protection of your information have been proven. Please contact us if you have any questions about the transfer of your personal data outside of the EEA.

Storage of Information

Unless otherwise agreed with your employer, all information you provide to us is stored on our secure servers in the UK. We have certified measures in place to protect your personal data according to ISO27001 (certificate number: 14657). Once we have received your information, we use strict procedures and security features to prevent unauthorised access to it.

Retention and Deletion

Your personal information will be held according to the following criteria:

  1. The period your employer tells us to retain it for
  2. Until your employer tells us to delete the information
  3. According to legal obligation

We may retain your information for HMRC regulatory or other legal reasons even if you request, or your employer instructs us, to delete your information. The current minimum regulatory period for retention according to HMRC is 6 years plus the following accounting year after the last record was processed.

If you do not have a salary sacrifice scheme application subject to HMRC regulation and your employer instructs us to, your personal information will be securely deleted from Salary Extras and any other systems.

While your information is retained, caboodle will respect your applicable privacy rights and its obligations to accountability for data protection under UK GDPR.

2. The right of access

You have a right to access your personal data from the data controller of your personal information, so that you are aware of and can verify the lawfulness of the processing. This is commonly known as a 'subject access request'.

You may at any time make a written request for a copy of the personal information your employer, as the data controller, has on record for you which will include any information we process on their behalf. If your employer asks us to, we will respond to the request within one month.

Your employer, as the data controller, is responsible for your right of access and should be contacted directly to make a right of access request.

3. The right to rectification

You have the right to have personal data rectified if it is inaccurate or incomplete.

As controller of your personal information, your employer ensures the accuracy of your data. Your employer checks that personal information is accurate and tells us when to update it. When provided by your employer, caboodle will rectify personal data within one month of receipt.

In some cases, if your employer prefers you to self-serve your own personal information, you will be able to update any inaccurate information yourself on the 'Personal Details' page of Salary Extras or through the contact centre.

Please contact your employer directly to make a right to rectification request, unless you can update the information yourself.

4. The right to erasure

You have the right to request your personal data is deleted or removed where there is no compelling reason for its continued processing.

Where the right to erasure does not apply, your employer or caboodle will refuse to deal with a request.

To make a right to erasure request, you should contact your employer directly, who will contact us accordingly.

5. The right to restrict processing

You have a right to ask us to suspend processing of personal data under certain circumstances, such as:

  • you contest the accuracy of your personal data;
  • the data has been unlawfully processed (i.e. in breach of the lawful reason for processing) but you do not want us to delete it;
  • you no longer need the personal data, but you need to keep it in order to establish, exercise or defend a legal claim; or
  • you object to caboodle processing your data but we need to verify whether we have overriding legitimate grounds to use it.

6. The right to data portability

The right to portability allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, so that you can reuse it for your own purposes.

Requests made in relation to your right to data portability can be made using any of the contact methods in the 'contact us' section of this policy.

Caboodle will ensure you obtain a machine-readable copy of the information held by any caboodle Technology system according to procedure, within one month of the request being made.

7. The right to object

You have the right to object to your data being processed under certain circumstances, such as direct marketing, or where there are grounds that relate to your particular situation.

8. Rights in relation to automated decision making and profiling

We do not complete any automated decision making or profiling.

Limits

Caboodle reserve the right to divulge information when we are required to do so by law, for example under a court order or provisions contained in legislation.

Contacting Us

If you have any questions or concerns relating to the processing of your personal information by caboodle, please contact:

Compliance Officer
Caboodle Technology Ltd
The Quadrangle
Crewe Hall
Weston Road
Crewe
CW1 6UY
United Kingdom

Or email: security@caboodle-technology.co.uk

Call: (+44) 330 100 2313

Changes to the policy

We may change this policy from time to time as we add new services or features, or in response to changes in the law or our commercial arrangements. Any changes to this policy will be posted on this website. The last time this policy was updated was January 2021.