Privacy Policy — Locum's Nest | Your total workforce solution

LOCUM’S NEST - GDPR DATA PROTECTION AND COOKIE NOTICE

Last Updated: 17 November 2025.

1. INTRODUCTION AND SCOPE

This data protection notice (this “Notice”) describes how Locum’s Nest Ltd and its Affiliates (as defined in this Notice), except the Aya Entities as defined in this Notice, (collectively, “Locums Nest”, “us”, “we”, or “our”) collect, use, disclose and otherwise process personal data of data subjects who are both resident in the United Kingdom (“UK”) and who:

are National Health Service (NHS) hospitals or healthcare provider facilities in the UK (collectively “Facilities”);
visit or interact with our website, https://locumsnest.co.uk/ and/or our mobile application(s) (the “Digital Properties”);
communicate with us, including through e-mail, telephone or post; or
are a director, officer, contractor, partner, employee or other contact at a Business Partner, Professional Advisor, or Service Provider (as such terms are defined in Part C of Schedule 1 (Definitions),

collectively, a “Data Subject” or “you”. If you are not a Data Subject, this Notice does not apply to you.

If you are a Business Partner, Professional Advisor or Service Provider, please provide this Notice to your directors, officers, employees, or contacts who are Data Subjects prior to such Data Subject’s personal data being disclosed or otherwise made available to us.

We act as joint controller (along with the Aya Entities) of Data Subjects’ personal data under the UK General Data Protection Regulation, the UK Data Protection Act 2018, and related data protection and e-privacy laws in the UK (collectively, the “GDPR”) in relation to the processing activities covered by this Notice. Section 9 (How to Contact Us) below sets out our and Aya Entities’ respective responsibilities to deal with your data protection rights under the GDPR.

Capitalised terms used but not defined in the main body of this Notice have been defined in Schedule 1 (Definitions). The words “including” or “such as” in this Notice are not limiting.

2. WHAT TYPES OF PERSONAL DATA DO WE PROCESS AND HOW DO WE COLLECT THIS PERSONAL DATA?

In this section we set out the types of personal data relating to Data Subjects we may collect and the potential sources of such information. We may also receive any or all the types of personal data referred to in this section from our Affiliates.

Automatically Generated Personal Data

We may receive the following personal data relating to Data Subjects which is automatically collected or logged from our information systems or third parties when Data Subjects access and use the Digital Properties or otherwise interact with us:

Cookie and Technical Data
Usage Data
Geolocation Data

Data Subject Provided Personal Data

We may receive the following personal data directly from Data Subjects (whether by uploading, email, telephone, post, physical provision at our offices, or otherwise):

AML/KYC Data
Contact and Professional Data
Government Issued Data
Marketing and Communications Data
Profile Data
Voluntarily Provided Data

Government Provided Personal Data

We may receive the following personal data relating to Data Subjects from Governmental Authorities (including from websites and registers):

AML/KYC Data
Contact and Professional Data

Service Provider and Professional Advisor Provided Personal Data

We may receive the following personal data relating to Data Subjects from Service Providers, and Professional Advisors:

AML/KYC Data
Contact and Professional Data
Government Issued Data

Publicly Available Personal Data

We may receive the following personal data relating to Data Subjects from publicly available sources (including the internet):

AML/KYC Data
Contact and Professional Data
Government Issued Data

We may combine Personal Data that you provide to us with Personal Data that we collect from you, or about you from other sources, in some circumstances. This will include Personal Data collected in an online or offline context.

Special Category Personal Data

We do not request any special categories of personal data from Data Subjects with respect to the data processing activities covered by this Notice. (This includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information concerning health, and genetic and biometric data). However, Data Subjects may provide these types of personal data to us as Voluntarily Provided Personal Data. We will rely on “conditions” (including explicit consent) provided for in the GDPR to process such special category data.

Personal Data Relating to Children

Our Digital Properties and our services (including those relating to Contingent Workers) are not intended for children. We do not knowingly collect personal data from children under the age of 13. Parents or guardians of a child under the age of 13 who believe such child has disclosed personal to us, should contact us using the contact details in Section 9 (How to Contact Us) below. A parent or guardian of a child under the age of 13 may review and request the deletion of such child’s personal data and prohibit its use.

3. HOW DO WE USE PERSONAL DATA?

This section sets out how we use the personal data that we obtain or receive and our lawful basis under the GDPR for doing so (as defined in Part B of Schedule 1).

Purpose of Data Processing	Type of Personal Data	Lawful Basis for Processing
To ensure the Digital Properties work as intended and remains secure (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	Cookie and Technical Data Usage Data Geolocation Data	Legitimate Interests (i.e., in operating a well-functioning and secure Digital Properties) Consent (for cookies which are optional)
For Facilities, to help and assist you in filling open shifts with qualified physicians, advanced practice and other healthcare professionals.	AML/KYC Data Contact and Professional Data Profile Data Voluntarily Provided Data	Legitimate Interests (i.e., searching for a suitable contract of employment for you, prior to commencement) Performance of a Contract Condition for any special category personal data: Article 9(2)(e) GDPR Article 9(2)(f) GDPR Article 9(2)(g) GDPR Any conditions specified under applicable UK and/or EEA member state law
Operating, evaluating, developing, promoting, and growing our business. This may include evaluating, entering into, and performing corporate transactions (including those involving raising capital, whether equity or debt, mergers and acquisitions, joint ventures, the sale, transfer, or merger of all or parts of our business or our assets).	All types of data set out in Part A of Schedule 1 to the extent relevant to the activity	Legitimate Interests (i.e., promoting our services and growing our business) Performance of a Contract Condition for any special category personal data: Article 9(2)(e) GDPR Article 9(2)(f) GDPR Article 9(2)(g) GDPR Any conditions specified under applicable UK and/or EEA member state law

Purpose of Data Processing	Type of Personal Data	Lawful Basis for Processing
Complying with legal and regulatory obligations, including: conducting due diligence maintaining accurate books and records facilitating internal and external audits conducting internal investigations conducting verification, “know your client”, terrorist financing, sanctions, and anti-money laundering checks preventing and detecting fraud investigating and addressing any complaints, claims, proceedings, or disputes responding to requests and directions from Governmental Authorities seeking advice from Professional Advisors, including legal advice.	AML/KYC Data Contact and Professional Data Profile Data Government Issued Data Marketing and Communications Data Voluntarily Provided Data	Legitimate Interests (i.e., complying with industry standards or best practices) Compliance with a Legal Obligation Condition for any special category personal data: Article 9(2)(e) GDPR Article 9(2)(f) GDPR Article 9(2)(g) GDPR Any conditions specified under applicable UK and/or EEA member state law
Preparing for and addressing investigations and disputes (including those involving Affiliates, Professional Advisors, Governmental Authorities)	All types of data set out in Part A of Schedule 1 to the extent relevant to the investigation or dispute	Legitimate Interests (i.e., preparing for and addressing investigations and disputes) Compliance with a Legal Obligation Condition for any special category personal data: Article 9(2)(e) GDPR Article 9(2)(f) GDPR Article 9(2)(g) GDPR Any conditions specified under applicable UK and/or EEA member state law
Responding to Data Subjects who request such contact	Contact and Professional Data Voluntarily Provided Data	Consent
Providing services to Facilities and Business Partners, including: managing contractual relationships; communicating with Facilities and Business Partners (other than marketing); analyzing and managing commercial risks	Contact and Professional Data Profile Data AML/KYC Data Voluntarily Provided Data Government Issued Data	Legitimate Interests (i.e., providing our services to Contingent Workers and Business Partners) Performance of a Contract

Purpose of Data Processing	Type of Personal Data	Lawful Basis for Processing
Managing and protecting our business, employees and staff from risks and threats, including identifying and preventing virtual threats such as cyber-attacks.	Cookie and Technical Data Usage Data Contact and Professional Data Voluntarily Provided Data Geolocation Data	Legitimate Interests (i.e., protecting our business and employees and preventing fraud)
Sending electronic marketing and promotional materials to Data Subjects in a business-to-business context and enabling Data Subjects to complete surveys	Cookie and Technical Data Contact and Professional Data Marketing and Communications Data Geolocation Data	Legitimate Interests (i.e., promoting and growing our business) Consent

If a Data Subject has provided consent to processing and subsequently withdraws that consent, we may still process that Data Subject’s personal data where we have another lawful basis for doing so, provided that the Data Subject has not expressly asked us to stop processing their personal data in accordance with Section 6 (Data Protection Rights).

Where we need to collect personal data by law or under the terms of a contract that we have with a Data Subject and the Data Subject fails to provide that personal data when requested, we may not be able to perform the contract we have with the Data Subject or with her/his relevant employer.

4. SHARING OF PERSONAL DATA

We may share Data Subjects’ information with the following third parties (as defined in Part C of Schedule 1):

Affiliates, including the Aya Entities
Business Partners
Governmental Authorities
Professional Advisors
Service Providers

Please see Section 5 (International Data Transfers) below for information on international transfers to such third parties. We require all our data processors and any other third party that we provide Data Subjects’ personal data to respect the security of Data Subjects’ personal data and to treat it in accordance with applicable law.

5. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to, stored in, or accessed within the UK or transferred to, stored in or accessed from countries outside the UK (including to the United States) in connection with the purposes described in this Notice. For transfers to countries outside the UK, the data protection regime may be different than in the country in which the Data Subject is resident and may not provide the same level of data protection. We will rely on EU Standard Contractual Clauses and equivalent UK international data transfer agreements when we transfer personal data out of the UK (collectively, the “SCCs”).

To the extent that we undertake any onward transfers of personal data to any third parties, such transfers shall only be to the third parties listed in Section 4 (Sharing of Personal Data) above and for the purposes described in Section 3 (How Do We Use Your Personal Data?) above. SCCs (or an alternate approved mechanism) shall be relied upon to make any onward transfers of personal data outside of the UK.

6. DATA PROTECTION RIGHTS

If you are a Data Subject, you may relative to the personal data we process about you:

Request access to such personal data;
Request correction of such personal data;
Request erasure of such personal data;
Object to processing of such personal data;
Request restriction of processing of such personal data;
Request the transfer of such personal data to you or to a third party; or
Withdraw consent at any time where we are relying on consent to process such personal data; or
Obtain a copy of any SCCs we use to transfer such personal data outside of the UK.

To exercise any of the rights set out above, please contact us using the contact details provided in Section 9 (How to Contact Us) below. There are exceptions and exemptions that apply to some of the rights, which we will apply in accordance with the applicable data protection laws. Where you have any such rights under applicable laws, we will respond to any such rights that you want to exercise within one month of receiving the request, unless the request is complex, in which case it may take longer. In addition to the above rights, you have the right to lodge a complaint with the relevant supervisory authority in the EEA member state or the UK, based on where you reside.

We may need to request specific information from you to help us confirm your identity and your right to access the personal data (or to exercise any of the other rights).

7. AUTOMATED PROCESSING AND DECISION MAKING

We do not make any decisions regarding Data Subjects solely using automated processes (including profiling) based on Data Subjects’ personal data where such decision produces legal effects concerning the Data Subject or similarly affects the Data Subjects.

8. RETENTION OF PERSONAL DATA

We will only retain a Data Subject’s personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, regulatory requirements, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal or regulatory requirements. Details of retention periods for personal data are available from us on request using the contact details at Section 9 (How to Contact Us).

9. HOW TO CONTACT US

Should you wish to exercise your data protection rights relating to the personal data processed under this Notice, we suggest that you contact us and we will coordinate the response to your request.

Should you have any questions regarding this Notice or wish to exercise any of your rights, please contact us using the following contact details:

Our Data Protection Officer and UK Representative can be contacted using the following contact details:

Address: 72 Great Suffolk Street, London, SE1 0BL
Email: ahmed@locumenest.co.uk

10. COOKIE NOTICE

Cookies are small text files that are placed on your computer by websites or software applications that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the digital properties. We use certain cookies on our Digital Properties. We will deploy cookies (which are not “strictly necessary”) on your device only with your consent. Please see our cookie banner on our Digital Properties and our Cookie Policy (https://locumsnest.co.uk/cookie-policy/) for more details.

11. AMENDMENTS TO THIS NOTICE

This Notice may be revised from time to time, including where we add new features and services, as laws or regulations change, and as industry privacy and security best practices evolve. We display a “Last Updated” date in at the top of this Notice so it is clear when there has been a change. If we make any material change to this Notice regarding use or disclosure of personal data, we will notify you of such change.

SCHEDULE 1 (DEFINITIONS)

A. TYPES OF PERSONAL DATA THAT WE MAY PROCESS

TYPE OF PERSONAL DATA	DETAILS
Anti-Money Laundering and Know Your Customer Data (“AML/KYC Data”)	Personal data contained in government issued identification documents Financial and banking information (including investment history and source of funds) Information relating to political exposure if revealed during AML, KYC, fraud checks
Contact and Professional Data	First name and last name Name of employer or the organization represented Title and position Grade/specialty experience E-mail address and physical address Telephone numbers
Cookie and Technical Data	Our cookie banner sets out details of the cookie and related data which we collect and process (including “strictly necessary” and “optional” cookies). Internet protocol (IP) address Browser type and version Time zone setting and location Browser plug-in types and versions Operating system and platform Other technology on the devices used to access the Digital Properties Geolocation Data
Geolocation Data	Country, region, state and city in which a Data Subject is located
Government Issued Data	Driver’s license number Passport number National identification number Tax identification number
Marketing and Communications Data	Preferences in receiving marketing from us and third parties Communication preferences
Profile Data	Username E-mail address Phone number Profession and current employment status Professional experience Grade, qualifications, degree(s) and transcripts Specialty
Usage Data	Information about how the Digital Properties is used
Voluntarily Provided Data	Any other personal data provided by the Data Subject, including “special category” personal data.

B. GDPR LAWFUL BASES FOR PROCESSING

LAWFUL BASIS	DESCRIPTION
Compliance with a Legal Obligation	We may process personal data to the extent necessary for us for us to comply with applicable laws.
Consent	We may process personal data where the Data Subject has provided consent for us to do so.
Legitimate Interests	We may process personal data for our legitimate interests as a business or those of a third party where our processing does not prejudice the Data Subject’s rights so as to override our legitimate interest. We have provided examples where applicable in Section 3 (How do we use personal data?).
Performance of a Contract	We may process personal data where it is necessary for us to do so in order to exercise our rights or satisfy our obligations under a contract we have with the Data Subject.

C. THIRD PARTY DATA SOURCES AND RECIPIENTS

THIRD PARTY	DESCRIPTION	STATUS OF THIRD PARTY
Affiliates	Refers to our affiliates, subsidiaries, or entities, if any, under common management or subject to common control as us.	Joint controller with our other Affiliates.
Business Partners	Refers to current or prospective business partners (i) involving investments from us and/or (ii) with which we undertake commercial, corporate, or other business transactions (involving mergers, acquisitions, equity, debt, or credit), includes transactional counterparties, banks, lenders, and financial institutions; and (iii) hospitals and healthcare providers, including NHS hospital trusts.	Independent controller.
Governmental Authorities	Refers to governmental authorities in the UK, Europe, or other countries, including law enforcement agencies, tax authorities, and supervisory authorities, and regulators.	Independent controller.
Aya Entities	Aya Healthcare, Inc. and its affiliates, which may include, but is not limited to, Qualivis, LLC, Bespoke Workforce, LLC, Vaya Workforce Solutions, LLC and Symmetry Workforce Solutions, LLC.	Joint Controller
Professional Advisors	Refers to current or prospective professional advisors including lawyers, solicitors, attorneys, accountants, investment and merchant bankers, brokers, auditors, and insurers.	Independent controller.
Service Providers	Refers to current or prospective party providers of services such as IT services, hosting services, and other business process and marketing services.	Typically, data processors. However, Service Providers who are independently regulated will be independent controllers.