Privacy Policy
Last updated: 12 April 2026
1. Who we are
ClockRota is a staff scheduling and clock-in service for UK hospitality businesses. It is operated by:
Myles Chubb (trading as ClockRota)
Email: hello@clockrota.co.uk
Website: clockrota.com
For the purposes of UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018), we are the data controller for information collected about account holders and website visitors. When venue owners enter staff data into ClockRota, we act as a data processor on their behalf (see section 9).
2. What information we collect
2.1 Account information
When you create an account, we collect:
- Your name and email address
- A password (stored as a secure hash — we never store your actual password)
- Phone number (if you choose to provide one)
2.2 Venue information
When you set up a venue, we collect:
- Venue name and address
- Venue GPS coordinates (for clock-in geofencing, if you choose to enable it)
- Operating days and business preferences
2.3 Staff information
When venue owners add staff members, the following data is collected:
- Staff member name, email address, and phone number
- Employment type (full-time, part-time, zero-hours), contracted hours, and hourly rate
- Job roles and start date
- Leave allowance
- A clock-in PIN (stored as a secure hash)
Venue owners are the data controllers for their staff data. We process it on their behalf to provide the service (see section 9).
2.4 Clock-in and shift data
When staff members use ClockRota to clock in and out, we collect:
- Clock-in and clock-out timestamps
- Clock-in method (GPS, PIN, kiosk, or manual manager entry)
- GPS coordinates at the time of clock-in (latitude, longitude, and distance from the venue) — only when GPS clock-in is used
- Whether the clock-in was late relative to the scheduled shift
We also process shift schedules, leave requests, shift swap requests, call-off records, and clock amendment requests as part of the service.
2.5 Payment information
We use Stripe to process payments. We do not store your card number, expiry date, or CVC. Stripe handles all card data directly. We store only:
- Your Stripe customer ID and subscription ID
- Your plan tier (Starter, Growth, or Pro) and subscription status
- Your trial end date
Stripe's privacy policy is available at stripe.com/gb/privacy.
2.6 Push notification data
If you enable push notifications, we store a push subscription endpoint and encryption keys provided by your browser. These allow us to send you shift reminders, rota updates, and other operational notifications. You can disable push notifications at any time via your browser settings.
2.7 Newsletter subscribers
If you subscribe to our newsletter via the landing page, we collect your email address. You can unsubscribe at any time.
2.8 Website usage (landing page only)
Our landing page at clockrota.com uses Google Analytics 4 to understand how visitors interact with the page. This may collect your IP address, device type, browser, and pages visited. This data is anonymised and aggregated. We only load analytics cookies with your consent (see our Cookie Policy).
The ClockRota app (app.clockrota.com) does not use any third-party analytics or tracking.
3. Why we use your information and our legal basis
| Purpose | Legal basis (UK GDPR) |
|---|---|
| To create and manage your account | Contract performance (Art 6(1)(b)) |
| To provide the scheduling, clock-in, and timesheet service | Contract performance |
| To process payments via Stripe | Contract performance |
| To send transactional emails (rota published, shift reminders, trial ending, password resets) | Contract performance / legitimate interests |
| To send push notifications about shifts and schedule changes | Consent — you opt in via your browser |
| To verify GPS location during clock-in | Legitimate interests of the venue owner (preventing time fraud) |
| To send newsletter emails | Consent — you opt in via the signup form |
| To analyse landing page traffic (GA4) | Consent — via cookie banner |
| To respond to support enquiries | Legitimate interests |
4. How long we keep your information
- Account data — retained for the duration of your subscription. If you cancel, we retain your data for 90 days to allow reactivation, then delete it.
- Staff data — retained according to the venue owner's instructions. When a staff member is deactivated, their data is soft-deleted (hidden but preserved for payroll/record-keeping). Venue owners can request full deletion.
- Clock-in data (including GPS coordinates) — retained for 2 years from the date of the clock entry for payroll and compliance purposes, then automatically purged.
- Payment records — retained for 7 years as required by HMRC for tax purposes.
- Push notification subscriptions — deleted automatically when the browser reports the subscription has expired, or when you disable notifications.
- Newsletter subscriptions — retained until you unsubscribe. Unsubscribed email addresses are retained for 12 months to prevent re-subscription emails, then deleted.
- Session data — login sessions expire after 30 days and are automatically deleted.
- Email correspondence — retained for up to 2 years, then deleted.
5. Who we share your data with
We do not sell your personal data. We share it only with the following service providers, who process it on our behalf to deliver the service:
| Service | Purpose | Data location |
|---|---|---|
| Stripe | Payment processing and subscription management | US (UK IDTA) |
| Resend | Transactional email delivery | US (UK IDTA) |
| Supabase | Database hosting (PostgreSQL) | EU |
| Vercel | Application hosting and deployment | US (UK IDTA) |
| Google Analytics 4 | Landing page analytics (with consent) | US (UK IDTA) |
Where data is transferred outside the UK, we rely on UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) to ensure adequate protection.
6. Your rights
Under UK GDPR, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention requirements)
- Restriction — ask us to restrict processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where we rely on consent (e.g. push notifications, newsletter, analytics cookies), you can withdraw it at any time
To exercise any of these rights, email us at hello@clockrota.co.uk. We will respond within one month.
If you are a staff member whose data is held in ClockRota by your employer, please contact your employer in the first instance. They are the data controller for your information. We will assist them in fulfilling your request.
7. Cookies
Our landing page uses cookies for analytics. Our app uses cookies for authentication. For full details, see our Cookie Policy.
8. Security
We take reasonable technical and organisational steps to protect your personal data:
- All data is transmitted over HTTPS (TLS encryption)
- Passwords and PINs are hashed using Argon2 (industry-standard)
- Card details are handled entirely by Stripe — never stored on our servers
- Database hosted on Supabase with encryption at rest
- Application hosted on Vercel with automatic security updates
No method of transmission over the internet is completely secure. If you believe your account has been compromised, contact us immediately.
9. Data processing on behalf of venue owners
When venue owners enter staff data into ClockRota (names, emails, shift schedules, clock-in records, etc.), they are the data controller for that data. ClockRota acts as a data processor, processing it solely to provide the service.
Our obligations as a data processor are set out in the Data Processing Agreement included in our Terms of Service (Schedule 1). This covers:
- Processing only on the venue owner's documented instructions
- Confidentiality obligations
- Security measures
- Sub-processor management
- Assistance with data subject rights requests
- Data deletion or return on termination
Venue owners are responsible for ensuring they have a lawful basis to process their staff's personal data and for informing their staff about how their data is used.
10. Children
ClockRota is a business-to-business service and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or via a notice in the app. The "last updated" date at the top of this page will always reflect the most recent version.
12. Contact and complaints
If you have any questions about this privacy policy or how we handle your data, contact us at:
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO):
Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113