Privacy Policy

Last updated: January 2026

1. Introduction

ClockinCloud Ltd ("we", "us", or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our time tracking and HR management platform ("Service").

We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, job title, and contact details when you create an account or are added as an employee.
  • Organisation Information: Company name, address, and business details provided during registration.
  • Employment Data: Work schedules, leave records, attendance data, and other HR-related information.
  • Payment Information: Billing details and payment card information (processed securely by our payment provider).
  • Communications: Messages sent through our in-app chat feature and support communications.

2.2 Information Collected Automatically

  • Device Information: Device type, operating system, browser type, and mobile device identifiers.
  • Location Data: With your consent, we collect location data for clock-in/out verification and iBeacon detection.
  • Usage Data: How you interact with our Service, including pages viewed and features used.
  • Log Data: IP addresses, access times, and system activity logs for security purposes.

3. How We Use Your Information

We use your personal data to:

  • Provide, maintain, and improve our Service
  • Process time and attendance records
  • Manage leave requests and approvals
  • Generate reports and analytics for employers
  • Facilitate payroll integrations (e.g., with Xero)
  • Send notifications about schedules, approvals, and important updates
  • Provide customer support
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Legal Basis for Processing

Under UK GDPR, we process your data based on:

  • Contract: Processing necessary to perform our contract with you or your employer.
  • Legitimate Interests: For business purposes such as improving our Service and preventing fraud.
  • Consent: Where you have given explicit consent, such as for location tracking.
  • Legal Obligation: Where processing is required by law.

5. Data Sharing and Disclosure

We may share your personal data with:

  • Your Employer: Managers and administrators within your organisation can access your work-related data.
  • Service Providers: Third-party companies that help us operate our Service (hosting, payment processing, email delivery).
  • Integration Partners: When you connect third-party services like Xero, we share relevant data as authorised.
  • Legal Requirements: When required by law, court order, or to protect our legal rights.

We do not sell your personal data to third parties.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Secure authentication mechanisms including biometric options
  • Regular security assessments and updates
  • Role-based access controls
  • Comprehensive audit logging

7. Data Retention

We retain your personal data for as long as necessary to provide our Service and fulfil the purposes described in this policy. Specific retention periods include:

  • Active Accounts: Data is retained while your account is active.
  • Deleted Accounts: We retain data for 30 days after account deletion to allow recovery, then securely delete it.
  • Legal Requirements: Some data may be retained longer to comply with legal obligations (e.g., tax records for 7 years).

8. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Request limitation of processing.
  • Portability: Receive your data in a structured, machine-readable format.
  • Object: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, contact us at privacy@clockincloud.io.

9. International Transfers

Your data may be processed by service providers located outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK Government
  • International Data Transfer Agreements (IDTAs)
  • Standard Contractual Clauses

10. Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.