TimeMatrix

Privacy Policy

Last updated:

1. Introduction

TimeMatrix respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect information about you when you use our workforce management platform — including our web application, mobile apps, and associated APIs.

This policy applies to all users of TimeMatrix: employers (administrators and managers), employees (staff), and visitors to our website. Please read it carefully alongside any other privacy notices we may provide on specific occasions when we collect or process personal data about you.

TimeMatrix is designed for UK-based businesses. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

TimeMatrix is an app owned and operated by Creative IT Consultants Ltd ("we", "us", "our"), a company registered in England and Wales.

We are the data controller for personal data collected through our platform and website. Where your employer uses TimeMatrix and adds your details, your employer acts as the data controller for that employment data and we act as a data processor on their behalf.

Contact Details

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Third-Party Links

Our platform may include links to third-party websites, plug-ins, or applications. Clicking those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

3. The Data We Collect About You

Personal data means any information about an individual from which that person can be identified. We may collect, use, store, and transfer the following categories of personal data:

| Category | Examples |
|---|---|
| Identity Data | First name, last name, username, profile photo |
| Contact Data | Email address, telephone number |
| Employment Data | Job title, department, employment start date, contract hours, pay rate (if entered by employer) |
| Attendance & Time Data | Clock-in/out times, break durations, shift schedules, working hours, lateness records |
| Location Data | GPS coordinates captured at clock-in/out (where GPS attendance is enabled by your employer) |
| Financial Data | Payable hours summaries (used to generate payroll-ready timesheets; no payment card details are stored) |
| Technical Data | IP address, browser type and version, device type, operating system, time zone, session tokens |
| Profile Data | Username and password (hashed), user preferences, permissions and role |
| Usage Data | Pages visited, features used, actions performed (audit log) |
| Communications Data | Preferences for receiving notifications and system emails |
| Document Data | Documents uploaded to the platform (e.g. contracts, certificates) at the employer's direction |

Sensitive Personal Data

Where an employer records absence reasons (e.g. sickness, medical appointments), this may constitute special category data relating to health. We process this strictly on the instruction of the employer (data controller) and only to the extent necessary to provide the service.

If You Fail to Provide Personal Data

Where we need to collect personal data by law or to perform a contract with you and you fail to provide it, we may not be able to perform the contract or provide the service. We will notify you if this is the case.

4. How Is Your Personal Data Collected?

Direct Interactions

You provide data directly when you:

  • Create an account or are added to the platform by your employer
  • Clock in or out via the web or mobile app
  • Submit or respond to a holiday or absence request
  • Upload documents or complete forms within the platform
  • Contact us by email, phone, or through the platform

Automated Technologies

As you interact with our platform, we automatically collect Technical Data and Usage Data using cookies, server logs, and similar technologies. See our Cookies section below.

Third Parties

We may receive data about you from your employer when they set up or manage your account. We do not purchase or acquire personal data from data brokers.

5. How We Use Your Personal Data

We will only use your personal data where the law allows us to. Most commonly we will use it where:

  • We need to perform a contract with you or your employer
  • It is necessary for our legitimate interests, and your interests and rights do not override those
  • We need to comply with a legal obligation

| Purpose | Lawful Basis |
|---|---|
| Register you as a user and manage your account | Performance of contract |
| Record attendance, clock-in/out, and shift data | Performance of contract; Legitimate interests (workforce management) |
| Generate timesheets and payroll-ready reports | Performance of contract; Legal obligation (Working Time Regulations 1998) |
| Manage holiday and absence requests | Performance of contract; Legal obligation |
| Verify location at clock-in (GPS attendance) | Legitimate interests (preventing time fraud); consent where required |
| Maintain security, prevent fraud, and audit access | Legitimate interests; Legal obligation |
| Send transactional emails (e.g. shift notifications, approvals) | Performance of contract |
| Improve our platform and troubleshoot issues | Legitimate interests |
| Comply with legal and regulatory requirements | Legal obligation |

Marketing

We do not use employee data for marketing purposes. We may contact account administrators (employers) with information about platform updates, new features, or service announcements. You can opt out of non-essential communications at any time by contacting us at [email protected].

6. Disclosures of Your Personal Data

We may share your personal data with:

  • Your employer — administrators and managers on your account can access your attendance records, timesheets, and documents as permitted by the platform's role-based access controls.
  • Infrastructure providers — cloud hosting, file storage, and database services (e.g. AWS). These providers act as data processors under appropriate data processing agreements.
  • Email delivery services — transactional email providers (e.g. Brevo/Sendinblue) used solely to deliver system notifications.
  • Payment processors — if your employer pays for the platform by card; we do not store card details ourselves.
  • Legal and regulatory authorities — where required by law, court order, or in connection with legal proceedings.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

7. International Transfers

Our platform and data are primarily hosted within the UK and European Economic Area (EEA). Where data is transferred outside the UK/EEA (for example, to cloud infrastructure in the US), we ensure a similar degree of protection by using:

  • UK adequacy regulations or equivalent safeguards
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules where applicable

Please contact us if you would like further information about the specific mechanisms used when transferring your personal data outside the UK.

8. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed without authorisation, altered, or disclosed. These include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Role-based access controls and least-privilege permissions
  • Two-factor authentication (2FA) support for all accounts
  • Comprehensive audit logging of all sensitive actions
  • Regular security reviews and dependency updates
  • Secure, isolated data per organisation (tenant isolation)

We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know it.

We have procedures in place to deal with any suspected personal data breach and will notify you and the ICO of a breach where we are legally required to do so.

9. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Active account data — retained for as long as your account is active or the subscription is in force.
  • Attendance and timesheet records — retained for a minimum of 6 years to comply with UK employment and tax law (HMRC requirements).
  • Audit logs — retained for 2 years unless a longer period is required for a legal dispute or regulatory obligation.
  • Deleted accounts — personal data is anonymised or securely deleted within 90 days of account closure, except where longer retention is required by law.

In some circumstances you can ask us to delete your data sooner — see Your Legal Rights below.

10. Your Legal Rights

Under UK data protection law, you have rights in relation to your personal data:

Right of Access

You can request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.

Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure ("Right to be Forgotten")

You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note that we may not always be able to comply with your request where legal obligations require us to retain certain data.

Right to Restrict Processing

You can ask us to suspend processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request a copy of your personal data in a structured, commonly used, machine-readable format.

Right to Object

You can object to the processing of your personal data where we rely on legitimate interests as our legal basis.

Rights Related to Automated Decision-Making

TimeMatrix does not make solely automated decisions that have a significant legal or similarly significant effect on you.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity before processing your request. There is generally no fee for exercising your rights, though we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

11. Cookies

We use cookies and similar tracking technologies to improve your experience on our platform. Cookies are small files placed on your device.

| Type | Purpose |
|---|---|
| Strictly Necessary | Session management, authentication, CSRF protection. Cannot be disabled. |
| Functional | Remembering your preferences (e.g. language, time zone). |
| Analytics | Understanding how the platform is used to improve performance (aggregated, anonymised). |

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the platform may become inaccessible or not function properly.

12. Changes to This Policy

We review this privacy policy periodically and update it when necessary. The "last updated" date at the top of this page will always reflect when changes were last made. Where changes are significant we will notify account administrators by email.

13. Contact Us

If you have any questions about this privacy policy or our data practices, please contact our Data Privacy team:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):