← Back to home

Privacy Notice

Last updated: 26 April 2026

WorkHive is operated by SJC Distributions Limited, a UK company registered in England and Wales. This notice explains how we handle personal data in line with UK GDPR and the Data Protection Act 2018.

Controller and Processor

Your employer is the data controller for staff records they upload. WorkHive (SJC Distributions Ltd) is the data processor. A Data Processing Agreement (DPA) is available on request.

What we collect

• Identity: name, email, phone, date of birth
• Employment: role, start date, hours, hourly rate, employee number
• HMRC: National Insurance number (encrypted), tax code
• Banking: sort code & account number (encrypted at column level)
• Right to Work: copies of ID documents and share codes
• Operational: shift data, clock-in times, GPS coordinates and (where enabled by your employer) photos at clock-in/out, holiday requests, sickness records
• Communications: messages and read receipts within team chat

Lawful basis

We process most data under contract performance (managing the employment relationship) and legal obligation (HMRC PAYE/RTI, Right to Work checks under Immigration Act 2014, auto-enrolment under Pensions Act 2008).

Where data lives

UK only. Hosted on Supabase EU-West-2 (London). Backups encrypted, never leave the region. We use Resend (EU-region) for email and Twilio for SMS.

How long we keep it

• PAYE records: 3 years after end of tax year (HMRC requirement)
• Right to Work copies: 2 years after employment ends (Home Office requirement)
• Employment records: 6 years after employment ends (Limitation Act 1980)
• Audit log: 6 years (employment law / tribunal defence)

Your rights

Under UK GDPR you can request access, rectification, erasure (subject to retention rules), restriction, portability, and objection. Contact your employer first. If unresolved, contact us at privacy@workhive.co.uk.

Complaints

You can complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

HR Helper (AI assistant)

If your workspace owner has enabled HR Helper, manager-level users may submit text questions which are processed by an AI model (Claude, by Anthropic) to produce employment-law guidance and ACAS-template letters.

• What is sent: the text of the manager's question, plus relevant staff details (names, dates, hours, holiday balance, sickness history) when the manager asks about a specific person — all of which the manager is already authorised to see in WorkHive.
• Where it goes: Anthropic (api.anthropic.com), the AI provider, processes the request to generate a reply. Anthropic is contracted under their Data Processing Addendum and does not train models on customer data.
• Stored where: the conversation is recorded in your workspace's messages table and audit_log for compliance evidence. Visible only to managers in your workspace.
• Retention: 6 years (in line with employment-law retention) then auto-purged.
• Your rights: the manager who sent the message can request deletion of their own messages, subject to the legitimate-interest grounds for retaining audit-log evidence.
• Disclaimer: outputs are general guidance, not legal advice. See our Terms § HR Helper.

Security

AES-256 encryption at rest. TLS 1.3 in transit. Field-level encryption on bank details and NI numbers. Mandatory 2FA for managers/owners. Daily encrypted backups with point-in-time recovery. Cyber Essentials certified.