Privacy Policy
Last updated: 14 May 2026
This Privacy Policy explains how WorkerRecord Ltd ("we", "us", "our") collects, uses, and protects personal data when you use WorkerRecord ("the Service"). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We are the data controller for information collected directly through your account. Where you process your subcontractors' data using our Service, you act as a data controller and we act as a data processor on your behalf.
1. What data we collect
Account holders (Contractors and team members)
- Identity data: name, email address
- Contact data: mobile phone number (if you enable SMS/WhatsApp alerts)
- Account data: company name, role, account settings, alert preferences
- Billing data: payment method details (processed and stored by Stripe; we do not store card numbers)
- Usage data: activity log events, login history, feature usage
Subcontractors
- Identity data: name, email address, phone number (optional)
- Document data: compliance certificates and documents uploaded via the portal, together with expiry dates and review status
- Notification preferences: preferred notification channel (email, SMS, WhatsApp)
2. How we collect data
- Directly from you when you register, configure your account, or use the Service
- From subcontractors when they use the upload portal linked to your account
- Automatically through your use of the Service (usage logs, timestamps)
3. How we use your data
| Purpose | Lawful basis |
| --- | --- |
| Providing the Service (account management, document storage, alerts) | Contract performance |
| Processing payments | Contract performance |
| Sending transactional emails (verification, alerts, invoices) | Contract performance / Legitimate interest |
| Sending SMS/WhatsApp alerts (where enabled) | Consent (channel preference set by user) |
| Improving and securing the Service | Legitimate interest |
| Complying with legal obligations | Legal obligation |
4. Data sharing
We do not sell your data. We share data only with the following categories of third parties, solely to provide the Service:
- Stripe — payment processing (UK/EU)
- Resend — transactional email delivery (EU data centres)
- Twilio — SMS and WhatsApp message delivery (US, with Standard Contractual Clauses)
- DigitalOcean / AWS — cloud hosting and file storage
All processors are subject to data processing agreements and are required to process data only on our instructions.
5. Data retention
- Active accounts: data is retained for as long as your subscription is active
- After cancellation: data is retained for 30 days, then permanently deleted
- Compliance documents: retained as above; you can export all data at any time via Company Settings → Export
- Billing records: retained for 7 years as required by UK tax law
- Activity logs: retained for 2 years from the date of the event
6. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to legal obligations)
- Right to data portability — export your data using the in-app export tools, or request a machine-readable copy
- Right to restrict processing — request we limit how we use your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent (e.g. SMS alerts), you may withdraw at any time via your notification preferences
To exercise any of these rights, contact us at privacy@workerrecord.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Subcontractor data — your responsibilities
When you add subcontractors to the Service and collect their documents, you act as a data controller for their personal data. You are responsible for:
- Having a lawful basis for collecting and processing their personal data
- Informing subcontractors that their data will be stored in WorkerRecord
- Responding to any data subject requests from subcontractors
We act as your data processor. Our Data Processing Agreement governs this relationship.
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS) and at rest
- Documents stored on private cloud storage with no public access
- Access controls — team members can only access their own company's data
- Rate limiting and security headers on all endpoints
- Regular security reviews
9. Cookies
WorkerRecord uses only essential cookies required for the application to function (session cookies, CSRF tokens). We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email. The current version is always available at this URL.
11. Contact
For privacy-related queries, contact our data protection contact at privacy@workerrecord.co.uk or write to:
WorkerRecord Ltd
[Registered address]
England, United Kingdom