Privacy Policy - PayAdjust

1. Who We Are

PayAdjust is a UK-based payroll management platform operated by PayAdjust Ltd. We act in a dual role:

Data Controller — for our own business operations (account management, billing, platform analytics).
Data Processor — on behalf of employer organisations who use PayAdjust to manage their payroll. Employers remain the primary data controller for their employees' personal data.

Contact: privacy@payadjust.com

2. Data We Collect

We process the following categories of personal data:

Category	Examples
Personal identifiers	Full name, email address, date of birth, gender
Financial data	Bank account number, sort code, account holder name
Employment data	Job title, department, start date, salary, pension contributions
Tax & NI data	National Insurance number, tax code, NI category, PAYE reference
Pension data	Contribution rates, auto-enrolment status, opt-out records
Technical data	IP address (via hosting), browser type, authentication tokens

3. How and Why We Process Your Data

Purpose	Lawful Basis (UK GDPR Art. 6)	Detail
PAYE tax & NI calculations	Legal obligation (Art. 6(1)(c))	PAYE Regulations 2003, SSCBA 1992
Payment of wages	Contractual necessity (Art. 6(1)(b))	Processing bank details for salary payment
Pension auto-enrolment	Legal obligation (Art. 6(1)(c))	Pensions Act 2008
RTI submissions to HMRC	Legal obligation (Art. 6(1)(c))	Real Time Information reporting
AI pension advice	Legitimate interests (Art. 6(1)(f))	Helping employees optimise pension contributions
Email notifications	Legal obligation & contract	Payslip delivery, opt-out notices, invite emails
Account management & billing	Contractual necessity (Art. 6(1)(b))	Subscription and organisation management

4. AI Processing Disclosure

PayAdjust offers optional AI-powered pension advice. When you use this feature, we send the following data to OpenAI's API:

Annual salary, pension contribution percentages, and tax code
Calculated tax and National Insurance amounts

We do not send your name, National Insurance number, bank details, or any other directly identifying information to OpenAI.

OpenAI processes this data under a Data Processing Agreement. Your data is not used to train OpenAI's models. The AI output is provided as general guidance only and does not constitute financial advice.

5. Sub-Processors

We use the following third-party services to deliver our platform:

Processor	Purpose	Data Shared	Location
Supabase	Database hosting & authentication	All employee and organisation data	EU (London region)
Vercel	Application hosting	Request logs, server-rendered pages	Global CDN (EU primary)
Resend	Transactional emails	Email addresses, notification content	US (with safeguards)
Stripe	Subscription billing	Organisation billing information	US (with safeguards)
OpenAI	AI pension advice	Anonymised salary and pension data	US (with safeguards)
HMRC	Tax reporting (RTI)	Employee tax, NI, and earnings data	UK

6. International Transfers

Some of our sub-processors are based outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

UK International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses (SCCs) approved by the ICO
Processor-specific Data Processing Agreements

Our primary database (Supabase) is hosted in the London (eu-west-2) region, ensuring core employee data remains within the UK/EEA.

7. Data Retention

Data Type	Retention Period	Legal Basis
PAYE records (P45, P60, tax codes)	6 years after end of tax year	Taxes Management Act 1970
Payslips and salary records	6 years after end of tax year	Limitation Act 1980
NI contribution records	6 years after end of tax year	PAYE Regulations 2003
Pension auto-enrolment records	6 years	Pensions Act 2008
Pension opt-out notices	4 years	AE Regulations 2010
Bank account details	Until final payment + 1 month	Data minimisation principle
Audit logs	6 years	Best practice / breach investigation

When data is subject to an erasure request, we will immediately delete data not subject to legal retention requirements and restrict processing of retained data to storage only until the retention period expires.

8. Your Rights

Under UK GDPR, you have the following rights:

Right of access — Request a copy of all personal data we hold about you. Employees can download their data directly from the Settings tab.
Right to rectification — Request correction of inaccurate data. Contact your employer or update your details in the app.
Right to erasure — Request deletion of your data, subject to legal retention requirements (see Section 7).
Right to restrict processing — Request that we limit how we use your data.
Right to data portability — Receive your data in a structured, machine-readable format (JSON).
Right to object — Object to processing based on legitimate interests.

To exercise any of these rights, contact your employer (as the data controller) or email us at privacy@payadjust.com. We will respond within one calendar month.

9. Right to Complain

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

We would appreciate the chance to address your concerns first — please contact us at privacy@payadjust.com.

10. Cookies

PayAdjust uses strictly necessary cookies only for authentication session management (Supabase Auth). We do not use tracking cookies, analytics cookies, or third-party advertising cookies. Because these cookies are essential for the service to function, no cookie consent is required under the Privacy and Electronic Communications Regulations (PECR).

11. Security

We implement appropriate technical and organisational measures including:

AES-256-GCM encryption of sensitive fields (NI numbers, bank details) at rest
TLS encryption for all data in transit
Mandatory multi-factor authentication (TOTP) for all users
Row-level security policies isolating organisation data
Rate limiting on all API endpoints
Security headers (HSTS, CSP, X-Frame-Options)
HMAC-SHA256 hashing for searchable encrypted fields

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or an in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

For any questions about this privacy policy or our data practices, contact us at:

Email: privacy@payadjust.com
Website: payadjust.com