Keruja

Privacy Policy

Effective date: 23 March 2026

This Privacy Policy explains how Wemoveon Ltd (“Wemoveon”, “Keruja”, “we”, “us” or “our”) handles personal data in connection with Keruja.

Keruja is a business software platform used by organisations such as event staffing agencies and caterers. In many cases, we process personal data on behalf of those organisations. In some cases, we process personal data for our own purposes.

1. Who we are

Wemoveon Ltd
Company No. 10061558
61 Bridge Street, Kington, United Kingdom, HR5 3DJ
Email: contact@keruja.com

2. Important role distinction: when we act as processor and when we act as controller

For most service data entered into Keruja by customer organisations — including staff records, applicant records, client records, compliance documents, timesheets, contracts, messages, and operational records — the customer organisation is the data controller and Wemoveon Ltd acts as its data processor.

That means the customer organisation decides why and how that personal data is used, and we process it on its behalf to provide the Service.

We may act as an independent controller for limited purposes such as:

  • managing our own relationship with customer organisations;
  • account administration;
  • billing and subscription management;
  • website enquiries and demo requests;
  • security administration, fraud prevention, and service protection;
  • maintaining legal, regulatory, tax, and audit records;
  • improving, securing, and operating our business and services.

If you are a member of staff, applicant, or client whose data has been entered into Keruja by a customer organisation, that organisation is usually the first point of contact for privacy requests relating to that data.

3. Our role as data processor

Keruja provides its services to organisations (such as staffing agencies and caterers), which act as data controllers for the personal data they manage.

Wemoveon Ltd (Keruja) acts as a data processor, processing personal data on behalf of these organisations in accordance with their instructions.

If you are a staff member, applicant, or client of one of our customers, your personal data is controlled by that organisation, not by Keruja directly.

For any queries regarding how your data is used, you should contact the organisation you interact with.

4. Personal data we process

Depending on how Keruja is used, we may process the following categories of personal data.

a) Identity and contact data

Examples include name, email address, phone number, postal address, postcode, and account details.

b) Employment, staffing, and work records

Examples include role details, shifts, timesheets, expenses, leave requests, availability, staffing activity, review data, performance or reputation data, and operational notes.

c) Payroll and finance-related data

Examples may include pay-related fields, tax-related identifiers, banking details, and payroll-export data where entered and used by customer organisations.

d) Compliance and identity document data

Examples include right-to-work documents, passports, visa or residence permit documents, DBS or training certificates, and related review statuses.

e) Contract and signature data

Examples include contract details, signature type, signature record, IP address, user agent, and timestamps connected with signing activity.

f) Location and attendance data

Examples include check-in and check-out timestamps, GPS location data, attendance evidence, and device-derived attendance records.

g) Photos and uploads

Examples include selfie evidence photos, receipts, file uploads, documents, attachments, and related metadata.

h) Applicant and recruitment data

Examples include application form responses, uploaded files, pipeline status, consent records, and onboarding-related information.

i) Client portal and communication data

Examples include event requests, approvals, reviews, messages, notifications, support requests, and communication preferences.

j) Technical and usage data

Examples include IP addresses, device identifiers, session records, browser and operating environment information, log data, notification tokens, and anti-tamper indicators.

k) Consent and privacy records

Examples include consent type, method, timestamp, source, IP address, user agent, and withdrawal records.

5. Special category and higher-risk data

Depending on how customer organisations use Keruja, the platform may process higher-risk data such as:

  • identity and right-to-work documents;
  • selfie evidence photos;
  • GPS location data;
  • payroll identifiers and bank details;
  • certain health-related leave information entered by customer organisations.

We do not use selfie photos as biometric templates for identity recognition. Selfie images are used as evidence records where enabled by the customer organisation.

6. How we receive personal data

We receive personal data:

  • directly from customer organisations;
  • directly from users who create accounts, fill in forms, submit documents, sign contracts, or interact with the platform;
  • from applicants using recruitment forms or widgets;
  • from integrations or service providers used in connection with the platform;
  • from website visitors who submit demo requests or contact us.

7. How we use personal data

Where we act as controller, we use personal data for purposes such as:

  • providing and administering the website and Service;
  • handling enquiries and demo requests;
  • managing accounts, subscriptions, billing, and customer relationships;
  • protecting the Service, investigating misuse, maintaining audit and security records, and preventing fraud;
  • improving, securing, monitoring, and operating the Service;
  • complying with legal, regulatory, tax, and audit obligations.

Where we act as processor, we process personal data on behalf of the customer organisation to provide features such as:

  • recruitment and onboarding;
  • scheduling and staffing;
  • attendance and time tracking;
  • payroll export workflows;
  • compliance tracking and document handling;
  • contract generation and signing;
  • client and staff portal features;
  • communications, notifications, and support workflows;
  • retention, audit, and reporting functions.

8. Legal bases

Where we act as controller, we rely on one or more of the following legal bases, as applicable:

  • performance of a contract;
  • taking steps at your request before entering into a contract;
  • legitimate interests, such as operating, securing, improving, and administering the Service and our business;
  • compliance with legal obligations;
  • consent, where consent is required.

Where we act as processor for customer organisations, the relevant customer organisation is responsible for determining the lawful basis for its processing.

9. AI and automated assistance

Keruja includes certain AI-assisted or rules-based features. Based on the current implementation:

  • AI and matching outputs are advisory only;
  • customer users remain responsible for reviewing and approving decisions;
  • we do not market or operate the platform as a fully autonomous decision-making system.

10. Sharing of personal data

We may share personal data with service providers and subprocessors that help us operate Keruja, including providers for:

  • hosting and infrastructure;
  • database services;
  • file storage;
  • email delivery;
  • billing;
  • monitoring and logging;
  • malware and file scanning;
  • AI-assisted dashboard features;
  • calendar connectivity and related integrations.

We may also disclose personal data:

  • where required by law, regulation, court order, or competent authority;
  • in connection with corporate transactions;
  • to professional advisers, auditors, and insurers where necessary.

We do not sell personal data.

11. International transfers

Some of our service providers may process personal data outside the United Kingdom or European Economic Area.

Where we transfer personal data internationally, we take steps intended to ensure an appropriate level of protection, such as using providers with recognised transfer mechanisms or contractual safeguards where appropriate.

We do not guarantee that data will remain in any single country unless expressly agreed in writing for a specific deployment.

12. Data retention

Retention depends on the category of data, the customer organisation’s configuration, legal obligations, and the purpose of processing.

Examples based on current implementation include:

  • configurable retention for many document types and compliance records;
  • configurable or workflow-based retention for recruitment records;
  • configurable retention for evidence files and some audit and chat data;
  • user deletion workflows where applicable;
  • retention of certain records needed for legal, audit, fraud-prevention, or proof-of-consent purposes.

Where we do not have a fixed period, we retain data only for as long as necessary for the relevant purpose, contractual relationship, legal obligation, dispute handling, or legitimate interest.

13. Security

We use technical and organisational measures intended to protect personal data, including measures such as:

  • role-based access controls;
  • tenant scoping and portal separation;
  • encryption in transit;
  • encryption for certain secrets and tokens at rest;
  • two-factor authentication features;
  • audit logging;
  • file scanning;
  • rate limiting and production hardening measures;
  • redaction of certain sensitive information from logs.

No system can guarantee absolute security, and we cannot guarantee that unauthorised access, human error, or third-party failures will never occur.

14. Your rights

Where the UK GDPR or EU GDPR applies, individuals may have rights including:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object;
  • the right to data portability;
  • rights relating to certain automated decision-making.

If we process your data on behalf of a customer organisation, please contact that organisation first, as it is usually the controller responsible for responding. We will assist customer organisations where required.

If we act as controller for your data, you may contact us at contact@keruja.com.

You may also have the right to complain to the Information Commissioner’s Office in the UK or your local supervisory authority.

15. Cookies

We use cookies and similar technologies on our website. You can manage your cookie preferences using our .

16. Third-party services and links

Keruja may integrate with or link to third-party services. Those services have their own terms, privacy notices, and practices. We are not responsible for third-party services except as required by law.

17. Children

Keruja is intended for business use and is not designed for children.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on the website and update the effective date.

19. Contact

Wemoveon Ltd
Company No. 10061558
61 Bridge Street, Kington, United Kingdom, HR5 3DJ
Email: contact@keruja.com

Privacy Policy | Keruja | Keruja