GDPR Compliance
Last updated: January 2026
1. Our Commitment to Data Protection
ClockinCloud Ltd is committed to protecting the personal data of our users in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page explains how we comply with UK data protection law and outlines your rights as a data subject.
2. Data Controller Information
- Data Controller: ClockinCloud Ltd
- Registered Address: United Kingdom
- Email: privacy@clockincloud.io
For organisations using ClockinCloud to manage their employees, the organisation is typically the data controller for employee data, and ClockinCloud acts as a data processor on their behalf.
3. Legal Basis for Processing
We process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (Article 6(1)(b)) |
| Account management | Performance of contract (Article 6(1)(b)) |
| Location-based clock-in | Consent (Article 6(1)(a)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Service improvements | Legitimate interests (Article 6(1)(f)) |
| Tax and legal compliance | Legal obligation (Article 6(1)(c)) |
4. Your Data Subject Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete data.
Right to Erasure (Article 17)
Also known as the "right to be forgotten", you can request deletion of your personal data in certain circumstances.
Right to Restriction (Article 18)
You can request that we limit how we use your data while a complaint is being investigated.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw that consent at any time.
5. How to Exercise Your Rights
To make a data subject request, please contact us at:
- Email: privacy@clockincloud.io
We will respond to your request within one month. In complex cases or where we receive many requests, we may extend this by a further two months, but we will inform you if this is necessary.
We may need to verify your identity before processing your request. Requests are free of charge unless they are manifestly unfounded or excessive.
6. Data Retention
We retain personal data only for as long as necessary:
- Active accounts: Data is retained while the account is active.
- After account deletion: Data is retained for 30 days to allow recovery, then securely deleted.
- Financial records: Retained for 7 years to comply with UK tax law.
- Audit logs: Retained for 2 years for security purposes.
7. International Data Transfers
When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- Adequacy decisions: We may transfer data to countries recognised by the UK Government as providing adequate protection.
- International Data Transfer Agreements (IDTAs): We use UK-approved standard contractual clauses.
- Transfer Impact Assessments: We assess risks before transferring data to countries without adequacy decisions.
8. Data Processing Agreement
For organisations using ClockinCloud to process employee data, we offer a Data Processing Agreement (DPA) that sets out our obligations as a data processor under Article 28 of UK GDPR.
To request a DPA, please contact legal@clockincloud.io.
9. Security Measures
We implement appropriate technical and organisational measures to ensure data security, including:
- Encryption of data in transit (TLS) and at rest
- Secure authentication with optional biometric login
- Role-based access controls (60+ permissions)
- Comprehensive audit logging
- Regular security assessments
- Secure hosting infrastructure
10. Data Breach Procedures
In the event of a personal data breach, we will:
- Assess the breach and its potential impact
- Notify the Information Commissioner's Office (ICO) within 72 hours if required
- Notify affected individuals without undue delay if there is a high risk to their rights
- Document the breach and our response
- Take steps to mitigate any harm
11. Complaints
If you are unhappy with how we handle your personal data, you can:
- Contact us at privacy@clockincloud.io to raise your concerns
- Lodge a complaint with the Information Commissioner's Office (ICO)
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
12. Contact Us
For any questions about data protection or to exercise your rights, please contact:
- Email: privacy@clockincloud.io
- Address: ClockinCloud Ltd, United Kingdom