Privacy Policy
Last updated: 22 March 2026 | Effective Date: 22 March 2026
Teamurai Shift Scheduling Platform
Operated by: Mahmane Limited (Company No. 16942440)
Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK
Teamurai ("we", "us", or "our") is the trading name of Mahmane Limited. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our workforce management platform (the "Service").
This Service is provided to organizations ("Organizations" or "Employers") for managing their workforce. Your Organization is the Data Controller, and Mahmane Limited acts as a Data Processor on their behalf.
1. Information We Collect
We collect and process the following types of personal data:
1.1 Contact Information
- Full name
- Email address
- Phone number
- Emergency contact details (name and phone)
1.2 Employment Information
- Job role and title
- Organization affiliation
- Work schedule and shift assignments
- Clock-in/out times
- Certification and qualification records
- Timesheet and payroll-related data
1.3 Account Information
- Login credentials (authentication tokens)
- Session data
- Device information and push notification tokens
1.4 Documents
- Uploaded certification documents
- Training records
- Right-to-work documentation (if applicable)
1.5 Automatically Collected Data
- IP address
- Device type and operating system
- App usage logs
- Error and crash reports
2. How We Use Your Information
We process your personal data for the following purposes:
2.1 Service Provision
- Managing shift schedules and assignments
- Processing clock-in/out (timestamps only)
- Tracking certifications and compliance requirements
- Generating timesheets and work records
- Sending shift notifications and reminders
2.2 Account Management
- Authenticating users
- Managing user roles and permissions
- Enabling account deletion requests
2.3 Legal Compliance
- Meeting employment law record-keeping requirements
- Supporting payroll and tax obligations
- Complying with care industry regulations
- Maintaining audit trails
2.4 Security
- Detecting and preventing fraud
- Protecting against unauthorized access
- Investigating security incidents
3. Legal Basis for Processing (UK/EU Users)
Under UK GDPR and EU GDPR, we process personal data on the following legal bases:
3.1 Contractual Necessity
Processing necessary to provide the Service to your Organization under our contract with them.
3.2 Legal Obligation
Processing required to comply with employment law, tax regulations, and care industry standards.
3.3 Legitimate Interests
Processing necessary for security, fraud prevention, and improving our Service, balanced against your privacy rights.
3.4 Consent
Where required by law, we obtain explicit consent for specific processing activities.
4. Data Sharing and Third Parties
4.1 Within Your Organization
Your personal data is shared with authorized users within your Organization (managers, dispatchers, administrators) based on their role and on a need-to-know basis.
4.2 Service Providers
We use trusted third-party providers for:
- Cloud hosting and storage (DigitalOcean)
- Push notification services
- Error tracking and analytics
All providers are bound by data processing agreements requiring them to protect your data and are located within the UK/EEA or covered by appropriate safeguards.
4.3 Legal Requirements
We may disclose data if required by law, court order, or to protect our legal rights.
4.4 We Do Not Sell Your Data
Mahmane Limited does not sell, rent, or trade personal data to third parties for marketing purposes.
5. Data Retention and Deletion
Important: Your employer (the Organization) is the Data Controller responsible for your personal data. Mahmane Limited acts as a Data Processor on their behalf.
5.1 How to Request Account Deletion
To request account deletion:
- Contact your employer's administrator, HR department, or designated data protection contact
- They are responsible for handling your deletion request under GDPR
- Your employer will submit the deletion request to us as per our Data Processing Agreement with them
5.2 What Happens When Your Account Is Deleted
Once your employer submits a verified deletion request, we will process it within 30 days.
Data Deleted Immediately:
- Profile information (name, email, phone, address)
- Login credentials and authentication data
- Emergency contact details
- Uploaded certification documents
- Device tokens and push notification data
- Personal notes and custom fields containing PII
- Session data and activity logs linked to your identity
Data Anonymized and Retained (Legal Requirement):
Your employer may be legally required to retain certain work records even after your account is deleted. In these cases, we anonymize the data by removing all personal identifiers:
- Shift times and clock-in/out records → Retained with anonymous reference ID
- Timesheet and payroll data → Retained without personal identifiers
- Work location records → Site names only
- Training completion records → Retained without personal identifiers
This anonymized data cannot be linked back to you specifically.
5.3 Retention Periods for Anonymized Data
Your employer determines retention periods based on legal requirements. Typical retention periods for care sector workers:
| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Working time records | 2 years | Working Time Regulations 1998 |
| Payroll/tax records | 3 years from tax year end | HMRC requirements |
| Personnel/contract records | 6 years after employment ends | Limitation Act 1980 |
| Training/certification records | Duration + 6 years | CQC compliance |
| Health surveillance | 40 years | COSHH 2002 (if applicable) |
| Accident records | 3 years | RIDDOR 2013 |
5.4 What Anonymization Means
When we anonymize data:
- Personal identifiers are permanently removed (name, email, phone, NI number)
- A unique reference code replaces your identity using irreversible hashing
- Data cannot be traced back to you specifically
- We apply the UK ICO's "motivated intruder test" to ensure re-identification is sufficiently remote
Example:
Before: "John Smith (john@email.com) worked at Oak Care Home on March 15, 2025"
After: "Worker reference A7F3 worked at Oak Care Home on March 15, 2025"
No method exists to link reference A7F3 back to John Smith.
5.5 Your GDPR Rights
Under UK GDPR, you have the right to request deletion of your personal data. However, this right is subject to exceptions where retention is required by law.
Right to Erasure (Article 17):
You can request deletion when:
- Data is no longer necessary for its original purpose
- You withdraw consent (where consent is the legal basis)
- You object to processing (and no overriding legitimate interest exists)
- Data was unlawfully processed
Exceptions (Article 17(3)):
Your employer may retain data where processing is necessary for:
- Compliance with legal obligation (e.g., employment law, tax regulations)
- Performance of task in public interest
- Establishment/exercise/defense of legal claims
To Exercise Your Rights:
Contact your employer's administrator or data protection officer. They are your first point of contact as the Data Controller. They will coordinate with us to process your request.
If you have concerns about how your request was handled, you may contact us at privacy@teamurai.co.uk or the UK Information Commissioner's Office (ICO) at www.ico.org.uk.
5.6 Confirmation of Deletion
Once your account is deleted, we will send your employer a confirmation stating:
- The date of deletion
- Categories of data deleted
- Categories of data anonymized and retained (if applicable)
- The retention period for any anonymized data
Your employer will notify you of the completion of your deletion request.
5.7 Timeline for Deletion
We process deletion requests within 30 days of receiving verified instructions from your employer. If additional time is required due to legal obligations or technical constraints, your employer will be notified and will communicate this to you.
6. Special Category Data
We may process "special category data" under GDPR Article 9, which includes:
6.1 Health Data
This may include:
- Sickness absence records
- Health surveillance records (where required for hazardous work)
- Occupational health assessments
Legal basis for processing:
- Explicit consent (where obtained), OR
- Employment law compliance (GDPR Article 9(2)(b)), OR
- Public health interests (GDPR Article 9(2)(i)), OR
- Legal claims (GDPR Article 9(2)(f))
6.2 Criminal Records (DBS Checks)
Where required for employment in the care sector, we may process:
- DBS check results
- Criminal record certificates
- Suitability declarations
Legal basis for processing:
- Legal obligation under the DPA 2018 (Schedule 1, Part 1, paragraph 10)
- Employment in care/safeguarding roles
- Your employer must have an Appropriate Policy Document in place
We do not make decisions about employment suitability based on criminal records — this is your employer's responsibility as Data Controller.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Role-based access controls
- Multi-tenant data isolation
- Regular security audits and penetration testing
- Audit logging of all data access
- Secure backup and disaster recovery procedures
- Staff training on data protection
8. Data Breaches
In the unlikely event of a personal data breach, we will:
- Notify your employer (Data Controller) within 24 hours of discovery
- Assess the risk to data subjects and document our findings
- Support your employer's notification to the ICO within 72 hours if required under GDPR Article 33
- Support your employer's communication to affected workers if there is a high risk to rights and freedoms (GDPR Article 34)
- Take immediate steps to contain the breach and prevent further damage
- Cooperate fully with regulatory investigations
Your employer is responsible for determining whether the breach poses a risk to you and for notifying you if required by law.
9. International Data Transfers
Your data is stored in the UK (DigitalOcean London region).
If we transfer data outside the UK/European Economic Area, we ensure appropriate safeguards are in place:
- UK/EU Standard Contractual Clauses
- UK International Data Transfer Agreement (IDTA)
- Adequacy decisions (where applicable)
- Additional technical safeguards
10. Children's Privacy
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately at privacy@teamurai.co.uk.
11. Your Data Protection Rights
Depending on your location, you have the following rights:
11.1 Right to Access
You can request a copy of the personal data we hold about you.
11.2 Right to Rectification
You can request correction of inaccurate or incomplete data.
11.3 Right to Erasure ("Right to Be Forgotten")
You can request deletion of your personal data, subject to legal retention requirements described in Section 5.
11.4 Right to Restrict Processing
You can request that we limit how we use your data.
11.5 Right to Data Portability
You can request your data in a structured, machine-readable format.
11.6 Right to Object
You can object to certain types of processing.
11.7 Rights Related to Automated Decision-Making
You have rights regarding decisions made solely by automated means.
To Exercise Your Rights:
Contact your Organization's administrator or data protection officer first, as they control your data. They will coordinate with us to process your request. You may also contact us at privacy@teamurai.co.uk.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you and your Organization of significant changes:
- By email to Organization administrators
- Through in-app notifications
- By updating the "Last Updated" date at the top of this policy
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Information
For questions, concerns, or to exercise your data protection rights:
Data Protection Officer
Mahmane Limited (trading as Teamurai)
Email: privacy@teamurai.co.uk
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK
If you are unsatisfied with our response, you have the right to complain to your local data protection authority:
- UK: Information Commissioner's Office (ICO) — www.ico.org.uk
- EU: Your local supervisory authority
14. Data Controller and Processor Information
Data Controller:
Your Organization (Employer) determines the purposes and means of processing personal data.
Data Processor:
Mahmane Limited (trading as Teamurai)
Company Number: 16942440
Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK
We act only on instructions from your Organization regarding personal data processing.
Your employer has entered into a Data Processing Agreement with us that governs how we process personal data on their behalf. You may request a copy of this agreement from your employer.
Appendix A: Data Retention Summary for Care Workers (UK)
The following records are retained after account deletion in anonymized form:
| Data Type | Retention | Reason |
|---|---|---|
| Clock-in/out times | 2-6 years | Working Time Regs, payroll |
| Shift assignments | 6 years | Contractual records |
| Timesheet data | 3-6 years | HMRC, tax compliance |
| Certification status | 6 years | CQC compliance |
| Training records | 6 years | Regulatory evidence |
| Accident records | 3 years | RIDDOR |
| Health surveillance | 40 years | COSHH (if applicable) |
All data containing personal identifiers (name, email, phone, NI number, etc.) is permanently deleted upon account closure.
Appendix B: Account Deletion Process Summary
- Worker requests deletion from their employer (Data Controller)
- Employer verifies the request and submits deletion request to Mahmane Limited
- Mahmane Limited executes deletion/anonymization within 30 days
- Confirmation sent to employer
- Employer notifies worker of completion
- Worker can no longer access the app; anonymized records retained per legal requirements
This process ensures compliance with both GDPR data subject rights and UK employment law retention requirements.