Privacy Policy

Last updated: June 12, 2026

1. Introduction

This Privacy Policy explains how StaffSync Portal collects, uses, processes, stores, and protects personal data. It covers both the public website and the SaaS workforce management platform. We are committed to safeguarding personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

StaffSync Portal is operated by the site owner as a sole trader. For data processing activities where we act as the Data Controller (such as billing or marketing communications), you can contact us via email at support@staffsyncportal.com.

3. Types of Personal Data Collected

We collect and process the following categories of personal data:

  • Account Data: Names, emails, passwords, roles, and login activity.
  • Client/Business Data: Company name, billing address, business phone, and contact details.
  • Employee/Workforce Data: Employee names, emails, job roles, department assignments, shift schedules, check-in/out attendance timestamps, holiday requests, and leave allowance balances.
  • Payment/Subscription Data: Billing transactions are handled securely by Stripe; we do not store full credit card numbers on our servers.
  • Contact Form Data: Name, email, company, enquiry type, and message content.
  • Technical Data: IP addresses, browser/device types, server logs, security audits, and essential session cookies.
  • Email Metadata: Transactional email delivery and bounce reports processed via Resend.

4. How Data Is Collected

Personal data is collected directly when you register an account, fill out the public contact form, set up client company configurations, or update employee profile records. Additionally, data is collected automatically when users clock in or out, and when system security logs record network transactions.

5. Purposes and Lawful Bases

Under UK GDPR, we process personal data based on the following lawful bases:

  • Performance of a Contract: To manage client accounts, process subscriptions, enable employee check-ins, send setup/reset invitations, and provide customer support.
  • Legitimate Interests: To detect and prevent fraud, secure database transactions, improve system performance, and maintain communications.
  • Legal Obligation: To maintain accounting records and comply with statutory tax or workplace reporting requirements where applicable.
  • Consent: For cookies or optional communications where users have given explicit consent.

6. Customer Employee Data

StaffSync Portal acts as a Data Processor for the employee files, rotas, and attendance logs uploaded by our Customers. The Customer is the Data Controller and is responsible for obtaining necessary consent or establishing a valid lawful basis for managing employee records. Employees wishing to access, correct, or delete their shifts or attendance history should contact their employer directly.

7. Sharing Personal Data

We share personal data only with trusted third-party service providers essential for platform operation:

  • Vercel: Web application hosting and CDN.
  • Neon: Managed PostgreSQL database hosting.
  • Stripe: Payment processing and billing portal services.
  • Resend: Transactional email distribution.
  • Professional Advisers / Authorities: In the event of audit requirements, legal obligations, or if the sole proprietorship incorporates or is transferred/sold.

8. International Transfers

Some third-party providers (such as Stripe or Resend) may process data in territories outside the United Kingdom or the European Economic Area (EEA), such as the United States. Where such transfers occur, we ensure that standard contractual clauses (SCCs) or other appropriate UK ICO-approved transfer mechanisms are in place.

9. Retention

We retain account and subscription logs while your Customer account is active. Billing records are retained for at least six (6) years as required by UK tax law. Contact form submissions are retained for as long as necessary to address your enquiry. Reset tokens and signup invitations automatically expire and are pruned from the database.

10. Security

We employ reasonable technical and organizational safeguards to protect personal data. These include bcrypt hashing of passwords, SSL/TLS database connections, strict tenant isolation checks, and token-based API authentication. No method of internet transmission is 100% secure, and we cannot guarantee absolute security.

11. User Rights

Under UK GDPR, you have the following rights:

  • The right to access your personal data.
  • The right to request rectification of inaccurate records.
  • The right to request erasure (the "right to be forgotten").
  • The right to object to or restrict processing.
  • The right to request data portability.
  • The right to withdraw consent at any time.

To exercise these rights, please email us at support@staffsyncportal.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

12. Cookies and Similar Technologies

We use secure, essential session cookies solely to authenticate users and manage login state. These cookies do not track you across other websites. We do not use advertising or tracking cookies. If marketing or analytics cookies are introduced in the future, we will update this policy and provide an appropriate cookie consent mechanism.

13. Children

Our Platform is designed for business organization and employee scheduling. We do not knowingly collect personal data from children under the age of 16, except when an employer lawfully enters workforce data for apprentice or young worker records.

14. Changes to Privacy Policy

We may update this Privacy Policy periodically. Any modifications will be posted directly to this page, and the "Last updated" date will be revised.

15. Contact and Complaints

For any data protection queries, complaints, or subject access requests, please contact us at support@staffsyncportal.com.