This policy explains what personal data Clockdin collects, why we collect it, what we do with it, and the rights you have over it. We've kept it as plain as we can while still being legally meaningful. If anything's unclear, email us — details at the bottom.
Who we are
Clockdin is a trading name of Plan Outsource Ltd, a company registered in England and Wales. We're the "data controller" for the personal data described in this policy — meaning we decide why and how it's processed.
Contact: clockdin.info@gmail.com
For some data — particularly timesheet content uploaded by contractors via an agency or umbrella company account — we act as a "data processor" on behalf of that business customer. In those cases, the business customer is the controller and their own privacy policy applies to that data.
Data we collect
We only collect what we need to run the service. That breaks down into a few categories:
Account data
- Name and email address
- Company or agency name (where applicable)
- Role (contractor / agency / umbrella company)
- Password (stored hashed, never in plain text)
Timesheet and workflow data
- Hours worked, dates, project or assignment references
- Approval status, comments, and timestamps
- Assignment metadata (start/end dates, rates where supplied)
Billing data
- Billing address and VAT number (if applicable)
- Payment is handled by our payment processor — we never see or store full card numbers
Technical data
- IP address, browser type, device type, operating system
- Pages visited, features used, timestamps (for product analytics and security)
- Cookies and similar technologies (see Cookies)
Communications
- Emails you send us, support tickets, and our replies
How we use it
We use your data to:
- Provide the Clockdin service — submitting, approving, and tracking timesheets
- Authenticate you and keep your account secure
- Send service emails (approval notifications, trial expiry reminders, important updates)
- Bill you and handle disputes or refunds
- Improve the product through anonymised usage analytics
- Respond to support requests
- Comply with our legal and tax obligations
- Send occasional marketing emails — only if you've opted in, and you can opt out any time
We do not sell your data. We do not use your timesheet content to train AI models. We do not share data with advertisers.
Lawful basis
Under UK GDPR we need a lawful basis to process personal data. Ours are:
| Purpose | Lawful basis |
|---|---|
| Running the service you signed up for | Performance of a contract |
| Keeping the service secure, preventing fraud, improving the product | Legitimate interests |
| Marketing emails to individual subscribers | Consent |
| Tax, accounting, and legal obligations | Legal obligation |
Who we share it with
We share data only with parties who help us run the service, and only to the extent needed. Current sub-processors include:
- Hosting and infrastructure — our cloud provider (data hosted in the UK/EU where possible)
- Payment processing — Stripe or equivalent, for subscription billing
- Email delivery — for transactional and notification emails
- Analytics — privacy-respecting product analytics; no advertising trackers
- Customer support tooling — for handling support tickets
Within the Clockdin platform, your data is shared with the other parties in your timesheet workflow — that's the whole point. A contractor's submitted timesheet is visible to the agency reviewing it and the umbrella company processing it. Each party only sees what they need.
We may also disclose data if legally required (court order, regulatory request) or to protect our rights or the safety of others.
How long we keep it
- Account data: while your account is active, plus 12 months after closure for dispute resolution
- Timesheet records: for the duration of your subscription, plus retention periods required by your business customer or by UK tax law (currently 6 years)
- Billing records: 6 years, in line with HMRC requirements
- Marketing data: until you unsubscribe, then deleted promptly
- Support tickets: 2 years
- Backups: rolling 35-day window; deleted data is purged from backups within that period
Security
We take security seriously because timesheet data underpins people getting paid. Our measures include:
- TLS encryption in transit and AES-256 encryption at rest
- Hashed passwords (bcrypt or equivalent)
- Role-based access controls and least-privilege principles internally
- Regular security reviews and dependency patching
- Logging and monitoring of access to production systems
No system is perfectly secure. If a breach occurs that affects your data, we'll tell you and the ICO within the timeframes required by UK GDPR.
International transfers
We aim to host data in the UK or EU. Where a sub-processor operates outside the UK (for example, in the United States), we rely on UK GDPR-approved safeguards — the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or adequacy decisions where they apply.
Your rights
Under UK GDPR you have the right to:
- Access — get a copy of the personal data we hold about you
- Rectification — correct anything that's wrong
- Erasure — ask us to delete your data ("right to be forgotten")
- Restriction — ask us to pause processing
- Portability — get your data in a portable format
- Objection — object to processing based on legitimate interests, including marketing
- Withdraw consent — at any time, where consent was the basis
To exercise any of these, email clockdin.info@gmail.com. We'll respond within one month. If you're unhappy with our response, you can complain to the UK Information Commissioner's Office: ico.org.uk.
Cookies
We use cookies and similar technologies for two things:
- Strictly necessary cookies — keeping you logged in, remembering your preferences, security. These can't be disabled.
- Analytics cookies — measuring how the product is used so we can improve it. Only loaded with your consent.
You can manage cookie preferences via the banner that appears on your first visit, or in your browser settings.
Children
Clockdin is a B2B product. It's not directed at anyone under 18 and we don't knowingly collect data from children. If you believe we have, contact us and we'll delete it.
Changes to this policy
If we make material changes, we'll email account holders and update the "Last updated" date at the top. Minor wording fixes might just appear here. Continued use of Clockdin after a change means you accept the updated policy.
Contact us
Questions, concerns, or requests under this policy? Email clockdin.info@gmail.com. We aim to reply within two working days.