Privacy Policy
Last updated: 25 May 2026
This policy explains how Swiftimise collects, uses, stores and shares personal data when you use our crew-management platform — whether you’re an employer signing up to manage your workforce, an employee receiving rotas and payslips, or a contractor invoicing through the platform.
We are a UK-based service. We process personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For employees and contractors using the platform on behalf of a client, that client is the data controller for most of the data we hold about you; Swiftimise acts as the data processor on their behalf. For the small amount of platform-level data we hold about clients directly (e.g. billing, account login), we are the controller.
1. Who we are
Swiftimise is operated by APQ Ltd, a company incorporated in the United Kingdom. Contact details are at the bottom of this page.
2. What data we collect, and why
We only collect data we need to run the platform. The categories below describe everything we store; not every record will exist for every user (e.g. contractors don’t have payroll fields).
Identity & contact details
- Name, salutation, preferred name and date of birth
- Email address and phone number
- Home address and country of residence
- Profile photo (optional)
- Emergency contact details
Why: to set up your account, send you rotas and payslips, verify your identity during onboarding, and comply with statutory record-keeping (e.g. UK right-to-work and employment-record obligations).
Right-to-work and qualifications
- Passport / visa / Home Office share code
- National Insurance number
- Driving licence (where relevant to the role)
- CV, professional references and certifications you upload
- References you provide for fellow workers, and references collected about you
Why: UK employers are legally required to verify each worker’s right to work in the UK before employment begins. We collect the minimum documentation needed for that check and to evidence each worker’s qualifications for the role they’ll perform.
Banking and tax details
- Bank account holder name, sort code and account number
- Tax-relevant details such as student-loan plan and tax code (where you provide them)
- For contractors: VAT number, VAT-registered flag, business address, company number
Why: to enable payroll processing for employees, and invoice generation for contractors. Banking details are visible only to your employer, never shared externally, and never stored on our marketing pages or cached browser-side.
Work-related data
- Contract type and pay rate(s)
- Hours worked, submitted via timesheets and approved by your manager
- Scheduled shifts (rotas) and your acceptance/refusal of each
- Holiday requests, approvals, accrued and paid balances
- Sick leave declarations and associated fit notes
- Other leave records: maternity, paternity, jury service, bereavement, etc.
- Bonuses, commissions, allowances and reimbursements allocated to you
- Service-charge and tips allocations
- Contracts and other documents signed electronically through the platform
- Holiday-pay rate calculations (52-week rolling average) used to compute statutory pay
Why: this is the operational data the platform exists to manage — scheduling, time tracking, leave administration, and pay computation. Without it the service can’t function.
Communications data
- WhatsApp messages we send you (rota notifications, timesheet requests, holiday decisions)
- Email messages we send you (invitations, password resets, holiday decisions, invoices)
- Acceptance replies, message read-status and delivery timestamps
See the dedicated WhatsApp section below for more detail on how Meta processes these.
Account and security data
- Login credentials (passwords are stored hashed with bcrypt — never in plain text)
- Session cookies (one HttpOnly, Secure cookie for authentication; no tracking cookies)
- Audit timestamps (when you logged in, when records were created/modified)
3. Legal bases we rely on
Different processing activities rely on different lawful bases under UK GDPR Article 6:
- Performance of a contract — for everything needed to operate the service you signed up for (rotas, payroll inputs, document signing, invoicing).
- Legal obligation — for right-to-work checks, statutory leave records, tax-year payroll exports, and other obligations imposed by UK employment and tax law.
- Legitimate interests — for sending operational notifications, fraud prevention, securing the platform, and improving the service. We balance these interests against your privacy each time.
- Consent — for any optional features that require it (e.g. using your profile photo on printed rotas). You can withdraw consent at any time.
4. WhatsApp messages
We send certain operational messages over WhatsApp Business Cloud, a service provided by Meta Platforms Ireland Ltd. Specifically:
- Your scheduled rota for the upcoming week (with an Accept button)
- Timesheet submission requests after a shift ends
- Holiday-decision and document-expiry reminders
To deliver these messages, your phone number is shared with Meta. Meta processes the number for the sole purpose of routing the message and applies its own privacy policy (https://www.whatsapp.com/legal/business-policy/). We do not use WhatsApp for marketing. You can opt out of WhatsApp messages at any time by contacting your employer (who can switch your notifications to email-only) or by blocking the sender on WhatsApp.
5. Third-party services we share data with
We share data with the following processors strictly to operate the platform. Each is bound by a written data-processing agreement (or equivalent contractual terms):
- Amazon Web Services (UK / Ireland) — file storage (S3), transactional email (SES), and OCR (Textract) for document processing.
- Meta Platforms Ireland Ltd — WhatsApp Business Cloud, for the operational messages listed above.
- Stripe Payments Europe Ltd — subscription billing for clients. Payment card data is collected directly by Stripe and never touches our servers.
- BoldSign — electronic signing of contracts and termination letters.
- Companies House (UK government API) — we look up your company details when you register as an employer, to pre-fill your profile.
- Google LLC — Google Maps address autocomplete (for entering addresses) and Google Sign-In (only if you choose that login method).
- Zoom Video Communications Inc. — if your employer uses the Zoom integration to schedule meetings, your name and email are shared with Zoom for that meeting.
- Hetzner Online GmbH — hosts the application servers in Germany.
We do not sell your data to advertisers and we do not use it for any targeted-advertising or profiling purpose.
6. International transfers
Most of our processing happens in the UK and the EEA. Where a sub-processor (e.g. AWS, Stripe, Meta) routes data outside the UK/EEA, the transfer is covered by the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with UK addendum, or an adequacy decision — whichever applies to that recipient.
7. How long we keep data
- Account & employment records — for the duration of your relationship with your employer, plus six years after termination to comply with HMRC record-keeping rules (Income Tax (Earnings and Pensions) Act 2003).
- Right-to-work documents — throughout your employment plus two years after termination.
- Sick-leave records and fit notes — three years (UK Statutory Sick Pay regulations).
- Payroll exports — six years.
- Audit logs — two years.
- Inactive accounts that were never linked to a contract — deleted after 12 months of inactivity.
When the retention period ends, the data is either deleted or anonymised (so it can still inform aggregate statistics but no longer identifies you).
8. How we secure data
- All connections to the platform use HTTPS with a current TLS version.
- Passwords are hashed with bcrypt; we cannot recover a forgotten password.
- File uploads are stored in a private S3 bucket; URLs are short-lived presigned links.
- Session cookies are HttpOnly, Secure and SameSite=None so they can’t be read by client-side JavaScript or sent over plain HTTP.
- The database is backed up daily; backups are encrypted at rest.
- Access to the production environment is restricted to a small number of staff using hardware-backed SSH keys and two-factor authentication.
9. Your rights
You have the following rights under UK GDPR:
- Access — request a copy of the personal data we hold about you. We’ll respond within one calendar month.
- Rectification — correct anything that’s wrong. Most fields you can edit yourself from your profile; for the rest, contact us.
- Erasure (right to be forgotten) — ask us to delete your data, subject to the retention periods imposed on us by law.
- Restriction — ask us to limit processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format (CSV or JSON).
- Object — to any processing we rely on legitimate interests for.
- Complain — to the UK Information Commissioner’s Office (ICO) at ico.org.uk if you believe we’ve mishandled your data.
10. Cookies
We use one strictly-necessary cookie: connect.sid, which keeps you signed in for up to 8 hours. It contains a random session identifier and nothing more. We do not use analytics, advertising, or tracking cookies, and we don’t embed third-party trackers on the marketing site.
11. Children
The platform is intended for adult workers and the businesses that employ them. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, please contact us and we’ll delete the account.
12. Changes to this policy
We’ll update this page when we change how we handle data. The “Last updated” date at the top reflects the most recent revision. Material changes will be announced by email to account holders at least 30 days before they take effect.
13. Contact us
Questions, data-subject access requests, complaints, or anything else — email us:
Postal mail can be sent to our registered office. The current registered address is available on demand by emailing the address above.