Privacy Policy
Last updated: 14 April 2026
1. Who We Are
WorkplacePlugins Ltd ("we", "us") is the data controller for the personal data we collect through our website and platform at workplaceplugins.com. We are registered in England and Wales. For data you upload to the platform (e.g. candidate CVs, client records), you are the data controller and we act as your data processor.
2. What Data We Collect
Account data: Name, email address, company name, industry, and login credentials when you create an account.
Usage data: Pages visited, features used, plugin installations, API calls, and timestamps. Collected automatically via server logs.
Business data: Data you upload or generate through our Agents — CVs, time entries, financial records, compliance documents. This data belongs to you.
Payment data: Billing details are collected and processed by Stripe. We do not store card numbers.
3. How We Use Your Data
We process your data to: (a) provide and maintain the Service; (b) process payments; (c) send transactional emails (password resets, billing notifications); (d) monitor platform security and prevent abuse; (e) improve the Service based on anonymised usage patterns. We do not use your business data to train AI models.
4. Legal Basis (UK GDPR)
Contract: Processing necessary to provide the Service you've subscribed to.
Legitimate interest: Security monitoring, fraud prevention, and service improvement.
Consent: Marketing communications (opt-in only, with easy opt-out).
5. Data Sharing
We share data only with: (a) Stripe for payment processing; (b) infrastructure providers (Railway, PostgreSQL) for hosting; (c) Google Gemini for AI processing within Agents — data sent to the AI is not used for model training. We do not sell personal data. We do not share data with advertisers.
6. Data Security
We protect your data with: 256-bit TLS encryption in transit; encryption at rest for sensitive fields; tenant isolation ensuring no cross-organisation data access; rate limiting and DDoS protection; audit logging of all data access; regular security reviews.
7. Data Retention
Account data is retained while your account is active and for 30 days after deletion. Business data you upload is retained until you delete it or close your account. Audit logs are retained for 2 years. Payment records are retained for 7 years as required by HMRC.
8. Your Rights
Under UK GDPR, you have the right to: access your personal data; correct inaccurate data; delete your data ("right to be forgotten"); restrict processing; request data portability; object to processing; withdraw consent. To exercise these rights, contact us via our contact page. We respond within 30 days.
9. Cookies
We use essential cookies for session management and CSRF protection. We do not use tracking cookies or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.
10. International Transfers
Your data is stored in European data centres. Where processing requires transfer outside the UK/EEA (e.g. AI processing via Google Gemini), we ensure adequate safeguards are in place including Standard Contractual Clauses.
11. Children
The Service is not intended for individuals under 18. We do not knowingly collect data from children.
12. Changes
We may update this policy from time to time. Material changes will be notified via email. The "last updated" date at the top indicates the most recent revision.
13. Contact
For privacy-related enquiries: Contact page or email privacy@workplaceplugins.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.