Privacy Notice
Last updated: 2026-05-27
1. Who we are
StaffClock is operated by Chavannes Ltd (Company No. 17198260), registered in England and Wales. We are the data controller for personal data processed through this service.
We are registered with the Information Commissioner's Office (ICO) under registration reference ZC142025.
Contact: privacy@staffclock.co.uk
2. What data we collect
- Email address — provided when you sign up, used to authenticate you and deliver the service.
- Account and usage data — data you submit to use the service, plus the timestamps needed to operate it.
- Payment identifiers — if you subscribe to a paid plan, the identifiers needed to manage your subscription (handled by our payment processor; we do not store card numbers).
We do not collect more personal data than we need to deliver the service.
3. Why we collect it (lawful basis)
- Contract performance (Article 6(1)(b) UK GDPR) — we process your email address and account data to deliver and bill for the service you signed up for.
- Legitimate interest (Article 6(1)(f) UK GDPR) — we apply basic abuse-prevention and security processing necessary for the integrity of the service.
- Consent / soft opt-in (Regulation 22 PECR) — for marketing emails we rely on your explicit consent if you signed up to a free plan, or on the PECR soft opt-in if you are a paying customer. You can withdraw consent at any time via the unsubscribe link in every marketing email; this does not affect the transactional emails below.
3a. The two kinds of email you may receive
- Service / transactional emails — sign-in links, payment receipts, account-change confirmations, and other messages that are part of the service you signed up for (Article 6(1)(b)). These continue regardless of your marketing preference.
- Marketing emails — product updates, tips, and occasional promotional messages. You can opt out at any point via the one-click List-Unsubscribe header or the link in every marketing email, without affecting your service emails.
4. What we do with your data
We use your data only to deliver, secure, and bill for the service. We do not sell, rent, or share your data with any third party for marketing purposes.
Your data is stored and processed in the United Kingdom. See our /security page for details on encryption and infrastructure controls.
5. Third-party processors
We use the following sub-processors. All transfers outside the UK are covered by Standard Contractual Clauses (SCCs) or an equivalent UK transfer mechanism. See also our Data Processing Agreement.
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
This table is kept identical in the DPA. See docs/processor-register.md for the canonical list.
6. Data retention
- Account data is held until you delete your account via /delete-account. Deletion is permanent and irreversible, and takes effect synchronously.
- Payment records are held by our payment processor in accordance with their own retention policy and applicable financial/tax regulations, which may require them to retain transaction records after your account is closed. We retain only the references needed to operate your account while it is active.
- Security audit log (timestamps of account changes and rights requests, with hashed IP and user-agent for incident investigation only) is retained for 365 days, then permanently deleted by an automated purge job. Hashes are peppered with a server-side secret so raw client identifiers are never stored.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure — delete your account and all associated data at /delete-account at any time.
- Restriction of processing in certain circumstances.
- Data portability — download all your staff and credential data as a CSV at /app/data-export.csv (requires login).
- Object to processing based on legitimate interest.
To exercise any right other than self-service deletion, submit a request at /account/dsar-request or contact privacy@staffclock.co.uk. We respond within one calendar month.
8. Cookies
We use only functional cookies necessary to operate the service (for example, to keep you signed in). Session cookies are set HttpOnly, Secure, and SameSite=Strict. We do not use advertising or cross-site tracking cookies. If you set any non-essential cookie, obtain prior PECR consent before setting it.
9. Right to complain
If you believe we have not handled your personal data lawfully, you may lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113. We would appreciate the chance to address your concerns first.
© 2026 StaffClock — Chavannes Ltd (Company No. 17198260) · Registered in England and Wales · Registered office: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE