ShopWorks Privacy Notice

Last updated: October 2025
Controller: SWT Software Ltd (trading as “ShopWorks”), registered in England and Wales, company number 09440080
Contact: help@theshopworks.com

Purpose

This notice explains how ShopWorks collects and processes personal data when you use our websites, mobile apps, or services provided to your employer. It reflects the requirements of the UK GDPR, the Data Protection Act 2018, and the ICO’s 2024 guidance on biometric and special category data.

Who We Are

ShopWorks provides workforce-management and time-and-attendance software. We act as a data processor for our business customers (your employer, agency, or contractor), who remain the data controller.
For data collected on our corporate website (e.g., contact forms or marketing subscriptions), we act as the data controller.

What Personal Data We Process

Depending on your use of ShopWorks systems, we may process:

Identification and contact data: name, email address, phone number, employee or contractor ID.
Employment and scheduling data: job title, location, contract type, working hours, pay rate, rota information, attendance logs, leave, and sickness records.
Biometric templates (where enabled): facial recognition or fingerprint data for secure clock-in/out verification.
Device and log data: IP address, browser type, device identifiers, and timestamps of system access.
Support and audit logs relating to platform usage.

We do not process banking, NI, or home-address details.

Special Category Data

Where biometric readers are used, ShopWorks and our customers process special category data (biometric identifiers) for employment compliance purposes.
Our lawful basis for processing under Article 6(1)(c) UK GDPR is legal obligation.
The additional condition under Article 9(2)(b) and Schedule 1, Part 1(1)(b) of the Data Protection Act 2018 is employment, social security and social protection law.
An Appropriate Policy Document and a full Data Protection Impact Assessment (DPIA) are maintained to meet ICO guidance.

How We Use Data

We process data to:

Provide and maintain time-and-attendance, scheduling, and payroll-support services.
Support your employer’s compliance with Working Time Directive, National Minimum Wage, and HMRC obligations.
Ensure secure authentication and prevent “buddy-clocking” fraud.
Support audits, incident resolution, and customer reporting.
Maintain platform security, detect errors, and monitor usage.
Fulfil legal and contractual requirements.

No automated decisions with legal or significant effects are made without human review.

Data Sharing and Transfers

Data is hosted securely on Amazon Web Services in the UK (EU-West-2, London) and Ireland (EU-West-1).
AWS acts as a sub-processor under contract; no AWS staff access personal data.
Data may be shared with our customers (your employer or agency) to manage payroll, scheduling, or compliance.
We do not sell or rent personal data.
Where transfers outside the UK occur, appropriate safeguards (UK adequacy decisions or Standard Contractual Clauses) are applied.

Data Retention

Payroll and attendance data are retained for seven years to meet HMRC requirements.
After this period, records are automatically anonymised.
Biometric templates are deleted within one month of an employee leaving employment.

Security Measures

ShopWorks implements extensive technical and organisational measures under ISO 27001 and Cyber Essentials Plus, including:

Encryption at rest and in transit (AWS KMS).
Multi-factor authentication and role-based access control.
Secure development lifecycle with unit and penetration testing.
Continuous monitoring, logging, and quarterly security board reviews.
Business continuity, disaster recovery, and incident-response procedures.

Your Rights

Under UK GDPR, you may:

Request access to your data.
Request correction of inaccurate data.
Request erasure once retention obligations expire.
Object to processing where lawful basis is legitimate interest.
Request restriction or portability (where applicable).

Requests should first be directed to your employer (the data controller). For data processed directly by ShopWorks (e.g., via our website), contact info@

Cookies

Our websites use essential and analytics cookies. You can control optional cookies through your browser or our cookie banner. No advertising or tracking cookies operate within customer systems.

Changes to This Notice

We review this notice annually or after any material change to our processing. The latest version is always available at www.theshopworks.com/privacy-policy.

Contact and Complaints

If you have questions, contact:
Data Protection Officer – help@theshopworks.com
You may also contact the Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your data has been handled unlawfully.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.