Privacy Policy

How we collect, use, and protect personal data.

Last updated: 31 March 2026
This policy applies to the AttendIQ web platform, mobile application, and website (attendiq.co.uk).
For questions, contact us at privacy@attendiq.co.uk.

1. Who we are

AttendIQ Ltd ("AttendIQ", "we", "us", "our") is a company registered in England and Wales. We operate the AttendIQ construction workforce management platform.

We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration reference: [pending registration].

Data controller contact: privacy@attendiq.co.uk

2. How this notice applies

This notice covers three groups of people:

  • Admin users - principal contractor and supply chain administrators, site managers, and any user of the AttendIQ web portal
  • Workers - individuals whose records are held on the platform
  • Website visitors - anyone visiting attendiq.co.uk

AttendIQ operates in two distinct capacities depending on the data involved:

  • Data controller - for data we process for our own purposes (billing, platform security, fraud prevention, service improvement)
  • Data processor - for data our customers (principal contractors and supply chain companies) process for their own employment and site compliance purposes
Important for workers: Where your employer or a contractor has entered your records into AttendIQ, that organisation is the data controller for those records. If you have questions about how they use your data, or wish to exercise your data rights in respect of those records, contact them directly. AttendIQ will assist them in responding to your request.

3. Data we collect and why

3.1 Admin users

When you register for and use AttendIQ as an administrator, we process:

  • Registration information: name, work email address, password (stored in hashed form only - we cannot see your password)
  • Profile information: job title, phone number, organisation name
  • Role and permission settings within your organisation
  • Login history and multi-factor authentication settings
  • Activity logs: actions taken within the platform, retained for security and audit purposes

Legal basis: Performance of the contract between AttendIQ and your organisation (UK GDPR Article 6(1)(b)). Activity logs are processed on the basis of our legitimate interests in maintaining platform security and detecting fraud (Article 6(1)(f)).

3.2 Workers

Worker records are created by admin users on behalf of an employing or engaging organisation, or by workers themselves via the AttendIQ mobile app. Data typically includes:

  • Identity: first name, surname, date of birth, national insurance number
  • Contact details: email address, mobile phone number
  • A profile photograph
  • Competency and qualification records (card numbers, awarding bodies, expiry dates)
  • Right to work documents and verification records
  • Site induction completion records
  • Attendance records: clock-in and clock-out times, clock-in method, site location
  • Employment status and assignment records (which sites, projects, or zones a worker is assigned to)

Legal basis (for AttendIQ's own processing as controller): Legitimate interests in operating a secure, compliant platform (Article 6(1)(f)).

Legal basis relied upon by our customers as data controller: Legal obligation (Construction (Design and Management) Regulations 2015, Working Time Regulations 1998, right to work legislation) and legitimate interests in managing their workforce safely and compliantly.

3.3 Special category data

Some platform features involve special category personal data under Article 9 of the UK GDPR. This data is protected by AES-256 encryption at rest, row-level security ensuring strict tenant isolation, and role-gated access controls requiring explicit special category permissions (medical_view, da_view) assigned per-user by your organisation's administrator.

Medical and occupational health data: Where an administrator records health-related information such as fitness-for-work assessments or medical restrictions.
Legal basis: Article 9(2)(b) - processing necessary for employment purposes, subject to Schedule 1 Part 1 paragraph 1 of the Data Protection Act 2018. An Appropriate Policy Document is maintained.

Drug and alcohol test results: Where a contractor records D&A testing results as part of their site access policy.
Legal basis: Article 9(2)(b) - processing necessary for employment purposes, subject to Schedule 1 Part 1 paragraph 1 of the Data Protection Act 2018. An Appropriate Policy Document is maintained.

Biometric data: Biometric clock-in via facial recognition is a planned future feature (currently deferred). Before that feature is activated, we will collect a separate, explicit consent from each worker and will always provide a non-biometric alternative (QR code or PIN). This notice will be updated at that point.

3.4 Website visitors

When you visit attendiq.co.uk, we may process:

  • Technical data: IP address, browser type, pages visited, time on page, referring URL
  • Form submissions: if you submit a demo request, we collect your name, work email, company name, phone number, and job role

Legal basis: Legitimate interests in understanding how our website is used and responding to enquiries (Article 6(1)(f)). Marketing communications are sent only with your consent (Article 6(1)(a)).

4. Data sharing

We share personal data only where necessary. We do not sell personal data and do not share it with advertising networks.

Sub-processors

We engage the following sub-processors to operate the platform. All are engaged under written contracts containing the required Article 28 data processing terms.

Sub-processorLocationPurpose
Supabase IncUSA (data hosted in UK - AWS eu-west-2, London)Database hosting and authentication infrastructure
Amazon Web Services EMEA SARLLuxembourg (data hosted in eu-west-2, London)Cloud file storage
Stripe Payments Europe LtdIrelandPayment processing
Resend IncUSATransactional email delivery
Vonage Holdings CorpUSASMS delivery
Google LLCUSAMapping and location services (coordinates only, no worker identity)
Functional Software Inc (Sentry)USAApplication error monitoring
Typesense IncUSA (self-hosted instance)Platform search functionality

Other recipients

  • Regulators and law enforcement - including the ICO, Health and Safety Executive, or other bodies, where we are legally required to disclose data
  • Professional advisers - our lawyers and accountants, subject to professional confidentiality obligations
  • Business transfers - in the event of a merger, acquisition, or sale of the business, personal data may be transferred to the acquiring entity, subject to equivalent protections

5. International transfers

Primary data storage is on servers located in the United Kingdom (AWS eu-west-2, London).

Several of our sub-processors are based outside the UK. Where we transfer personal data outside the UK, we rely on one of the following safeguards:

  • An adequacy regulation made by the UK Secretary of State
  • A UK International Data Transfer Agreement (IDTA) - the UK equivalent of EU Standard Contractual Clauses
  • The UK Extension to the EU-US Data Privacy Framework, where applicable

You can request details of the specific safeguard used for any particular transfer by contacting privacy@attendiq.co.uk.

6. Retention periods

We retain personal data for as long as necessary for the purpose it was collected, and no longer. Our standard retention periods are:

Data typeRetention periodReason
Admin user account dataSubscription duration plus 6 years after terminationLimitation Act 1980
Worker identity and employment recordsDuration of employment or engagement plus 6 yearsLimitation Act 1980
Right to work documentsDuration of employment plus 2 yearsImmigration, Asylum and Nationality Act 2006
Attendance recordsDuration of engagement plus 2 yearsWorking Time Regulations 1998
Competency and induction records6 years after worker's last activityCDM 2015 and H&S litigation limitation period
Site inspection and permit records6 years after site closure or project endCDM 2015
Medical and D&A records6 years after last entry (40 years if COSHH hazardous substance exposure is involved)Limitation Act 1980; COSHH Regulations 2002
Website enquiry submissions12 months from submissionPurpose limitation
Security and audit logs90 days (active logs); 6 years (audit trail)Security and legal compliance

Where a customer deletes a worker record or terminates their subscription, we delete personal data from active systems within 30 days. A data export window of 30 days is provided on termination. Audit log data is retained for the applicable limitation period before deletion.

7. Your rights

Under the UK GDPR, you have the following rights in relation to personal data we hold about you as data controller:

  • Right of access - request a copy of the personal data we hold about you
  • Right to rectification - ask us to correct inaccurate personal data
  • Right to erasure - ask us to delete your personal data (subject to legal retention requirements - see below)
  • Right to restriction - ask us to restrict processing in certain circumstances
  • Right to data portability - where processing is based on consent or contract, receive your data in a structured, machine-readable format
  • Right to object - object to processing based on legitimate interests; we will cease unless we demonstrate compelling grounds
  • Right not to be subject to automated decisions - you have the right not to be subject to a decision based solely on automated processing that produces legal or significant effects on you

What happens when you request erasure

When an erasure request is processed:

  • Anonymised immediately: Your name is replaced with "REDACTED". Your email, phone number, date of birth, National Insurance number, and address are permanently removed.
  • Deleted immediately: Competency records, induction records, drug and alcohol test results, medical records, right-to-work documents, form submissions, timesheet data, and site assignments held by the requesting employer.
  • Retained but de-identified: Attendance records (clock-in/out times and site) are kept for the legally required period but your identity is removed, so they can no longer be linked to you. GPS location data is permanently deleted from these records.
  • Retained indefinitely: The audit log entry recording that the erasure took place, as required for compliance purposes.

Where legal retention obligations apply (for example, HMRC requires employer records for 6 years, and COSHH Regulations require health surveillance records for 40 years), we anonymise your identity while retaining the de-identified operational record for the legally required period. Once the retention period expires, the remaining data is permanently deleted.

If you are employed by multiple organisations through AttendIQ, an erasure request from one employer affects only the data held by that employer. Your worker record and data held by other employers are not affected.

To exercise any of these rights, contact us at privacy@attendiq.co.uk. We will respond within one month. We may need to verify your identity before processing a request.

Workers: If your data was entered by your employer and you wish to exercise rights in relation to those records, contact your employer in the first instance. We will assist them in responding to your request.

8. Automated decision-making

The AttendIQ platform includes an access rules engine that evaluates whether a worker meets the criteria to access a particular site, based on induction completion, competency validity, right to work status, and any active site bans. This evaluation is carried out automatically.

The access rules themselves are configured by the principal contractor, who is the data controller for that processing. Workers have the right to request human review of any access decision that affects them; this should be directed to the principal contractor.

AttendIQ does not make any purely automated decisions that have legal or significant effects on individuals independently of customer configuration.

9. Cookies

We use cookies and similar technologies on attendiq.co.uk. For full details of the cookies we use, how we use them, and how to manage your preferences, please see our Cookie Policy.

10. Your right to complain

If you are unhappy with how we handle your personal data, please contact us at privacy@attendiq.co.uk in the first instance. We aim to resolve all concerns promptly.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

11. Changes to this notice

We may update this privacy notice from time to time. We will notify admin users of material changes by email or in-platform notification. The "last updated" date at the top of this page will always show the most recent version.

12. Contact

For any questions about this privacy notice or how we handle personal data:

Email: privacy@attendiq.co.uk
Post: AttendIQ Ltd, England and Wales (registered address to be confirmed on incorporation)

UK data residency
GDPR compliant by design
99.5% uptime SLA
UK-based support team