SSubPay

Legal

Privacy Policy

Last updated: [date]

[SubPay โ€” trading name] is provided by [Company Legal Name] Ltd, a company registered in England and Wales under company number [company number], with its registered office at [registered address] ("SubPay", "we", "us", "our").

This policy explains what personal data we collect through subpay.co.uk and the SubPay application (together, the "Service"), why we collect it, and the rights you have over it under UK data protection law โ€” principally the UK GDPR and the Data Protection Act 2018.

If you have questions about this policy or want to exercise any of your rights, contact us at [privacy email address].

1

Who this policy covers

This policy applies to:

  • Visitors to our public website
  • People who create a SubPay account
  • Members of a workspace invited by an account owner
  • Anyone who contacts us for support

SubPay is a business-to-business product built for construction subcontractors and main contractors operating in the UK. It is not directed at consumers, and we do not knowingly collect data from children.

2

What data we collect

Account and identity data

  • Name (optional) and email address
  • Password is never stored โ€” we use passwordless, email-based sign-in with a time-limited six-digit code

Workspace data

  • Workspace (company) name
  • Your role within a workspace (owner, admin, or member)
  • Invite codes and who joined via them

Commercial data you enter into the Service

This is the core of what SubPay stores on your behalf, and it may itself contain personal data about third parties (for example, a named individual acting as an employer's representative on a contract):

  • Contracts: name, reference, employer/main contractor name, value, retention percentage, VAT rate, CIS status, payment terms, key dates
  • Payment applications: amounts claimed, retention, CIS deductions, VAT, net values, statuses, dates
  • Payments received: amounts, dates, references, notes
  • Notices (Payment Notices and Pay Less Notices): dates, amounts, reasons, reference numbers
  • Any free-text notes you add to the above

Billing data

We do not store your card details. Payment is processed entirely by Stripe; we hold only what Stripe returns to us (a customer reference, subscription status, and renewal dates).

Technical data

  • A session cookie, so you stay signed in
  • A CSRF-protection cookie, required for the Service to function securely
  • Standard web server logs (IP address, browser type, pages requested) for security and troubleshooting

We do not use advertising cookies, analytics trackers, or any third-party tracking technology on the Service.

3

How we use your data, and our legal basis for doing so

What we doWhyLegal basis
Create and operate your account and workspaceTo provide the Service you've signed up forPerformance of a contract
Store and calculate your contracts, applications, notices and paymentsThis is the Service itselfPerformance of a contract
Send your six-digit sign-in codeYou can't use the Service without itPerformance of a contract
Send a daily digest email summarising items that need your attentionCore functionality of the Service, sent only to workspace membersPerformance of a contract
Process your subscription payment via StripeBilling for the ServicePerformance of a contract
Investigate misuse, security incidents, or technical faultsKeeping the Service safe and workingLegitimate interest
Improve the Service based on aggregate, non-identifying usage patternsProduct developmentLegitimate interest
Comply with tax, accounting, or legal obligationsWe're required toLegal obligation

We do not sell your data, and we do not use it for advertising.

4

Who we share your data with

We share data only where necessary to run the Service:

  • Stripe โ€” payment processing. Stripe processes your billing details directly; see Stripe's own privacy policy at stripe.com/gb/privacy.
  • Our email delivery provider โ€” to send sign-in codes and digest emails.
  • Our hosting provider โ€” [hosting provider name], who host our database and application infrastructure.
  • Other members of your own workspace โ€” if you're part of a team account, other members with access to that workspace can see the commercial data within it (that's the point of a shared workspace), along with your name, email, and role.

We do not share your data with any other third party for their own marketing purposes.

International transfers

Some of the providers above may process data outside the UK. Where they do, we rely on their own compliance with UK-approved transfer mechanisms (such as the UK's International Data Transfer Addendum to the EU Standard Contractual Clauses).

5

How long we keep your data

We keep your account and workspace data for as long as your account remains active, and for a reasonable period afterwards to meet our own legal and accounting obligations (typically up to six years, reflecting standard UK record-keeping requirements for commercial and tax records). If you ask us to delete your account, we will do so in line with Section 7 below, except where we're legally required to retain specific records.

6

Cookies

We use only the cookies necessary for the Service to function:

CookiePurposeType
Session cookieKeeps you signed inStrictly necessary
CSRF token cookieProtects against cross-site request forgeryStrictly necessary

Neither cookie is used for advertising, analytics, or cross-site tracking. Because both are strictly necessary for the Service to work, we don't display a cookie consent banner โ€” there's nothing optional to consent to.

7

Your rights under UK GDPR

As a data subject, you have the right to:

  • Access the personal data we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure ("the right to be forgotten") of your personal data, subject to our legal retention obligations
  • Restriction of how we process your data in certain circumstances
  • Data portability โ€” receiving your data in a structured, commonly-used format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time, where we rely on consent (we currently don't rely on consent for any of the processing described above)

To exercise any of these rights, including requesting deletion of your account and data, contact us at [privacy email address].

We don't currently have a self-service deletion option inside the Service itself โ€” every request is handled directly by us, and we'll respond within one calendar month as required by law.

If you're unhappy with how we've handled your data, you have the right to complain to the UK's data protection regulator:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

ico.org.uk ยท 0303 123 1113

We'd appreciate the chance to resolve any concern directly first, at [privacy email address].

8

Security

We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS) for all traffic, per-workspace data isolation at the database level, and restricted internal access to production data. No system is completely secure, and we can't guarantee absolute security of information transmitted to the Service.

9

Children

The Service is intended for business use by adults working in the construction industry. We do not knowingly collect data from anyone under 18.

10

Changes to this policy

We may update this policy from time to time. If we make material changes, we'll notify workspace owners by email or via a notice within the Service before the changes take effect.

11

Contact us

[Company Legal Name] Ltd

[Registered address]

[Privacy email address]

[General contact email, if different]