This privacy notice describes how personal data is processed in connection with the SiteRoll website and software service. It is drafted for users in the United Kingdom and should be read together with our Cookie Policy. Last updated: [insert date].
This notice is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to personal data processed when you visit our website, create or administer an account, use the SiteRoll platform, or otherwise interact with us in relation to the service. SiteRoll is a workforce time-tracking and related operations platform. Depending on the context, personal data may be processed either by us as data controller or on behalf of our business customers as data processor. Where your employer or another organisation has invited you to use SiteRoll, that organisation will usually be the controller of personal data it submits about you (for example attendance, location, or payroll-related information), and we will process such data on documented instructions under contract, unless applicable law provides otherwise.
The data controller responsible for personal data processed in connection with this privacy notice (save where we act solely as processor on behalf of a customer) is: SiteRoll. You may contact us regarding data protection matters at: admin@siteroll.co.uk. We are not obliged to appoint a Data Protection Officer unless required by law; if we have appointed one, their contact details will be published here: [insert if applicable].
The nature of the data we process depends on how you use SiteRoll. It may include, without limitation:
• Identity and account data: name, email address, telephone number, role, organisation identifiers, credentials and authentication data.
• Workforce and operational data: time and attendance records, site or job assignments, geolocation or similar data where the product is configured to collect it, photographs or biometric data where such features are enabled by the customer, mileage, messages, documents, and audit or activity logs.
• Financial data: billing contact details and payment transaction data processed by our payment service provider (we do not store full payment card numbers on our own systems where payments are handled by the provider).
• Technical and usage data: IP address, device and browser type, approximate location derived from IP for localisation where enabled, diagnostic logs, and security telemetry.
We do not knowingly collect special category personal data except where our customers choose to upload it into the service; customers are responsible for ensuring an appropriate lawful basis and safeguards.
We process personal data for the following purposes, relying on the lawful bases indicated (which may overlap depending on context):
• To provide, operate, secure, and support the SiteRoll service, including authentication, troubleshooting, and customer support — performance of a contract; legitimate interests in operating a secure SaaS platform.
• To process subscriptions and payments — performance of a contract; legal obligations relating to tax and accounting where applicable.
• To comply with applicable law, regulatory requests, and court orders — legal obligation.
• To improve the product, analyse aggregate usage where you have consented to analytics cookies or similar technologies, and understand how features are used — consent (where required); legitimate interests in improving our service, balanced against your rights.
• To send essential service communications — performance of a contract; legitimate interests.
• Where we rely on legitimate interests, you may object on grounds relating to your particular situation; we will assess such objections as required by law.
Where we act as processor, the customer’s privacy notice and contract govern lawful bases for end-user data; we process only as instructed, subject to our agreement and applicable law.
We engage carefully selected service providers (subprocessors) who process personal data on our behalf under written terms that require them to protect the data and use it only for the services we instruct. Categories of recipients may include cloud hosting and infrastructure, authentication and database services, payment processing, email delivery, and analytics (where you have consented). A non-exhaustive list of material providers is referenced in our internal privacy inventory and may be made available to customers on request; their own privacy notices apply to their processing in addition to our agreements with them.
Some subprocessors may process personal data outside the United Kingdom, including in countries that are not subject to a UK adequacy decision. Where such transfers occur, we implement appropriate safeguards required under UK GDPR (for example the International Data Transfer Agreement or Addendum, or other approved mechanisms), together with supplementary measures where a transfer risk assessment indicates they are needed. You may request further information about transfers by contacting us using the details above.
We retain personal data only for as long as necessary for the purposes described in this notice, including to satisfy legal, regulatory, accounting, or reporting requirements, and to resolve disputes and enforce agreements. Retention periods vary by data category and, where we act as processor, by the customer’s configuration and instructions. [Insert specific retention periods or criteria—for example, active account data for the life of the subscription plus a defined period, backup cycles, and deletion on closure—after confirming your actual practices.]
We implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including access controls, encryption in transit where standard for the service, segregation of customer environments as designed into the product, and incident response procedures. No method of transmission or storage is completely secure; we encourage customers to configure roles and permissions appropriately.
Subject to applicable law, you may have the following rights in respect of personal data we process as controller:
• The right to be informed (this notice);
• The right of access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to data portability (where processing is based on consent or contract and carried out by automated means);
• The right to object to processing based on legitimate interests or for direct marketing;
• Rights in relation to automated decision-making and profiling (we do not generally undertake solely automated decision-making with legal or similarly significant effects; contact us if you believe otherwise applies).
Where we act as processor, please contact your organisation (the controller) to exercise rights in the first instance; we will assist them as required by contract and law. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority (www.ico.org.uk). We would welcome the opportunity to address your concerns before you approach the ICO.
To exercise any of the rights above, or if you have questions about this notice, please contact us at admin@siteroll.co.uk. We may need to verify your identity before responding. We will respond within one month in most cases, or inform you if an extension is permitted under law.
We use cookies and similar technologies as described in our Cookie Policy, including a consent mechanism for non-essential cookies where required by the Privacy and Electronic Communications Regulations (PECR).
We may update this privacy notice from time to time. The “Last updated” date at the top will be revised when we make material changes. Where required by law, we will notify you by appropriate means (for example by email or an in-product notice). Continued use of the service after changes take effect may constitute acceptance where permitted by law.