1. Who We Are
PayPacket Ltd ("PayPacket", "we", "us", "our") operates the payroll bureau software available at paypacket.io and app.paypacket.io.
For the purposes of UK GDPR and the Data Protection Act 2018, PayPacket Ltd is the data controller for the personal data of bureau account holders (operators, administrators). For the personal data of employees whose payroll is processed through the platform, PayPacket acts as a data processor on behalf of the bureau, which is the data controller.
The terms on which PayPacket acts as your data processor are set out in our Data Processing Agreement, which is incorporated into and forms part of our Terms & Conditions. The DPA covers your rights and our obligations under UK GDPR Article 28, including security measures, sub-processor authorisation, breach notification, and data deletion.
To contact us about data protection matters: privacy@paypacket.io
2. Data We Collect and Why
2.1 Account and billing data (bureau operators)
When you create a PayPacket account, we collect:
- Name and email address
- Payment method details (held by Stripe — we do not store raw card numbers)
- Billing address
- Account usage and subscription status
Legal basis: Performance of a contract (your subscription agreement with us) and our legitimate interest in preventing fraud and managing our business.
2.2 Employee payroll data (processed on your behalf)
When you use PayPacket to run payroll, you input or import employee data. This includes:
- Names, addresses, and dates of birth
- National Insurance numbers
- Tax codes and PAYE reference data
- Salary and pay element details
- Bank account details (for payment files)
- Statutory payment records (SSP, SMP, SPP, SAP, ShPP)
- Pension contribution details
We process this data solely to provide you with the payroll service. We do not use employee data for our own commercial purposes, and we do not sell it to third parties.
Legal basis: Processing is necessary to perform the data processing agreement between us and you as the bureau. You, as the bureau, are responsible for having the appropriate legal basis to process your employees' data and for complying with your own obligations under UK GDPR.
2.3 Technical and usage data
We collect standard server logs and application telemetry, including:
- IP addresses and browser/device information
- Pages visited and features used within the application
- Error logs and performance data
Legal basis: Our legitimate interests in operating a secure, reliable service.
3. Sensitive Personal Data
National Insurance numbers and bank account details are classified as sensitive personal data in the context of payroll. PayPacket applies field-level encryption to these fields — they are encrypted before being written to the database and decrypted only when required to perform payroll calculations or generate submissions. They are never stored or transmitted in plain text.
4. How We Use Your Data
- To provide, maintain, and improve the PayPacket service
- To process payroll calculations and generate payslips, P60s, and P45s
- To submit Full Payment Submissions (FPS) and Employer Payment Summaries (EPS) to HMRC on your behalf
- To manage your subscription and process payments via Stripe
- To send transactional emails (pay run approvals, submission results, account alerts)
- To comply with our legal and regulatory obligations
- To investigate and resolve security incidents or disputes
We do not use your data for advertising, profiling for third-party marketing, or to train machine learning models.
5. AI Features and Data Protection
PayPacket includes optional AI-powered features: payslip validation, a payroll assistant, and CSV column mapping. These features are powered by Claude, an AI model operated by Anthropic PBC.
Before any data is sent to Anthropic's API:
- Payslip validation: Employee names and National Insurance numbers are removed. Only anonymised pay figures, tax codes, and NI categories are transmitted.
- Payroll assistant: Queries are processed against aggregated, anonymised payroll summaries. Raw employee records are not sent.
- CSV import mapping: Only column headers and sample values from the first data row are transmitted to identify field types.
Anthropic processes data under their API terms. Data sent to the API is not used to train Anthropic's models under standard API usage. You can disable AI features entirely by not providing an Anthropic API key at the account level.
As data sent to Anthropic may be processed on servers outside the UK/EEA, this constitutes an international transfer. We rely on Anthropic's Standard Contractual Clauses and adequacy decisions where applicable.
6. Third-Party Processors
We share data with the following sub-processors to deliver the service:
- Stripe, Inc. — payment processing and subscription billing. Stripe is PCI DSS Level 1 certified. See the Stripe Privacy Policy.
- HMRC Government Gateway — FPS and EPS submissions are transmitted to HMRC over TLS as required by the RTI framework.
- Anthropic PBC — AI features (see Section 5). Only anonymised data is transmitted.
- Cloud infrastructure provider — servers and databases used to host the application. All data is stored in the United Kingdom.
- Email service provider — transactional emails only (pay run alerts, submission notifications, account alerts). Bureau operator email addresses only — no employee payroll data.
Full details of sub-processors, including transfer mechanisms, are set out in Schedule 2 of the Data Processing Agreement. We do not sell personal data to any third party, and we do not share data with any third party beyond those listed and as required by law.
7. Data Retention
- Payroll data: Retained for 7 years from the end of the relevant tax year, in line with HMRC record-keeping requirements. You may request earlier deletion of specific records where legally permissible.
- Account and billing data: Retained for the duration of your subscription and for 7 years thereafter for tax and accounting purposes.
- Server logs: Retained for 90 days.
- Deleted accounts: On account closure, payroll data is retained for the statutory 7-year period before secure deletion. Account credentials and payment details are deleted promptly.
8. Your Rights Under UK GDPR
If you are a bureau operator (account holder), you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data where we have no legal obligation to retain it
- Right to restriction — request that we restrict processing of your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
For requests relating to employee data, please note that the bureau (as data controller) is the correct contact — we will act on your behalf as your data processor.
To exercise any right, contact us at privacy@paypacket.io. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Field-level encryption for sensitive payroll fields (National Insurance numbers, bank details)
- TLS 1.2+ for all data in transit
- Role-based access control — operators only see data for the client companies they are assigned to
- An immutable audit trail of all data access and modifications
- Regular security reviews
In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.
10. Cookies
The PayPacket application uses the following cookies:
- Session cookie — stores your authentication session (essential; expires at end of session or after 24 hours)
- Theme preference — stores your light/dark theme choice (essential; no personal data)
We do not use tracking, advertising, or analytics cookies.
11. Children
PayPacket is a business service intended for use by payroll professionals. We do not knowingly collect personal data from individuals under the age of 18.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders by email of any material changes at least 30 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
13. Contact
For any data protection queries or to exercise your rights:
- Email: privacy@paypacket.io
- Website: paypacket.io