Privacy Policy

Version privacy-2026-05-30 · Last updated: 30/05/2026

Who we are and the controller relationship

Compliance Track is operated from the United Kingdom. For personal data a customer uploads about their employees, the customer is the data controller and Compliance Track acts as processor under our Data Processing Agreement. For the customer's own account, billing, and usage data, Compliance Track is the controller. For data protection queries, contact privacy@compliancetrack.app.

What personal data we collect

Account and billing data we collect as controller: name, work email, company name, password hash, login and device metadata, plan and payment records (handled by our payment provider), and audit logs of actions in the service.

Employee data you upload as controller, processed by us as processor: names, contact details, job titles, passport numbers, visa types, visa start and expiry dates, right to work check dates and results, share codes, sponsorship references, certificate of sponsorship details, salaries, work locations, and any documents you choose to upload.

Purposes and lawful basis

We process your account data to provide the service (contract), to send service-related communications and reminders (contract and legitimate interests), to bill you (contract and legal obligation), and to keep the service secure and prevent fraud (legitimate interests). Employee data is processed only on your documented instructions as set out in the DPA, for the purpose of helping you manage your right to work and sponsor compliance records.

Retention

Account and billing records are kept for the life of your account and for up to 7 years after closure to meet tax and accounting obligations. Employee records you uploaded are retained while your account is active and are deleted or returned within 30 days of account closure, except where you have asked us to retain them longer to support your own right to work record-keeping duty (a check plus two years after the worker leaves). Audit logs are kept for 12 months. Backups are rotated on a 30-day cycle.

Subprocessors

We currently use the following subprocessors:
  • Supabase, for database and authentication hosting (EU region).
  • Cloudflare, for application hosting and content delivery.
  • Stripe, for payment processing.
When document scanning launches, an AI provider will be added to this list and customers will be notified in advance. A current list is available on request from privacy@compliancetrack.app.

Security

Data is encrypted in transit (TLS) and at rest. Access is role-based, scoped to your organisation, and enforced at the database layer with row-level security on every record. Administrative access is restricted, audited, and protected by multi-factor authentication. We test our controls regularly and patch known vulnerabilities promptly.

International transfers

We aim to host personal data in the UK or EEA. Where a transfer outside the UK or EEA is necessary (for example, payment processing with Stripe), we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another adequacy mechanism recognised under UK GDPR.

Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and the right not to be subject to solely automated decisions with legal effect. You can exercise these rights by emailing privacy@compliancetrack.app. For employee data, the data subject should usually contact their employer first, since the employer is the controller. You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

Breach notification

If a personal data breach affects your data, we will notify you without undue delay and in line with our obligations under UK GDPR and the DPA, and assist you in meeting your own notification obligations to the ICO and to affected individuals.

Cookies

We use a small number of essential cookies to keep you signed in and to keep the service secure. We do not set non-essential cookies (such as advertising or third-party analytics cookies) unless you accept them in the cookie banner. You can change your choice at any time by clearing your cookie preferences.

Changes to this policy

When we make material changes we will notify you and may require you to re-accept the updated policy. The version above always reflects the current document.