Legal

Privacy Policy

Last updated: 15 June 2026  ·  Grafter Lab Ltd  ·  Company No. 17242271

This policy explains how Grafter Lab Ltd ("Grafter Lab", "we", "us", "our") collects, uses, and protects your personal data when you use our platform, mobile application, and related services. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Grafter Lab Ltd
Company Number: 17242271
Registered in England and Wales
Email: info@grafterlab.com
Website: grafterlab.com

Grafter Lab Ltd is the data controller for personal data processed through the Grafter Lab platform. Where we process personal data on behalf of our business customers (tenants), we act as a data processor and our customers act as the data controller.

2. What Data We Collect

We collect and process the following categories of personal data:

CategoryExamplesWho it relates to
Account informationName, email address, password (hashed), roleAll users
Location dataGPS coordinates at clock-in/clock-out, job site locationStaff users
Time and attendanceClock-in/out times, hours worked, leave requestsStaff users
Employment informationHourly rate, employment type, role, active statusStaff users
Contact detailsMobile phone number (for SMS schedule notifications)Staff users
Financial dataInvoice amounts, payment status, VAT information, bank details (company level only)Director/admin users
Job and project dataJob names, site addresses, customer names, job status, progressDirector/admin users
Device and usage dataIP address, browser type, app version, session dataAll users
CommunicationsSMS messages sent via the platform, email open trackingAll users

3. How We Use Your Data

We use your personal data for the following purposes:

4. Legal Basis for Processing

PurposeLegal basis (UK GDPR)
Providing the contracted serviceArticle 6(1)(b) — performance of a contract
GPS location at clock-inArticle 6(1)(b) — performance of a contract / Article 6(1)(f) — legitimate interests
SMS schedule notificationsArticle 6(1)(b) — performance of a contract
Financial records and invoicingArticle 6(1)(c) — legal obligation
Service improvement and analyticsArticle 6(1)(f) — legitimate interests
Security and fraud preventionArticle 6(1)(f) — legitimate interests

5. Location Data

The Grafter Lab mobile app requests access to your device's GPS location. Location data is used exclusively to:

Location is only captured at the moment of clock-in and clock-out. We do not track your location continuously or when the app is in the background. You may deny location permission, but this may prevent the clock-in feature from functioning correctly. Location data is stored securely on our servers and is only accessible to your employer (the Grafter Lab tenant) and authorised Grafter Lab personnel.

6. Data Sharing

We do not sell your personal data. We share data only with the following third parties where necessary to provide the service:

Third partyPurposeLocation
DigitalOceanCloud hosting and infrastructureLondon, UK (LON1)
TwilioSMS delivery for schedule notificationsUSA (SCCs in place)
StripeSubscription billing and payment processingUSA/Ireland (SCCs in place)
AnthropicAI assistant features within the platformUSA (SCCs in place)
XeroAccounting integration (optional)New Zealand/UK
FergusJob management integration (optional)New Zealand
Postmark / MailgunTransactional email deliveryUSA (SCCs in place)

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).

7. Data Retention

We retain your personal data for as long as necessary to provide the service and meet our legal obligations:

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

To exercise any of these rights, contact us at info@grafterlab.com. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Security

We take the security of your data seriously and implement appropriate technical and organisational measures including:

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.

10. Cookies

The Grafter Lab web platform uses cookies and similar technologies to maintain your session and provide the service. We use:

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

11. Children

Grafter Lab is a business operations platform intended for use by adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe a child has provided us with personal data, please contact us at info@grafterlab.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. We will notify active users of material changes by email or via the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of Grafter Lab after changes are posted constitutes acceptance of the updated policy.

13. Account and Data Deletion

You have the right to request deletion of your Grafter Lab account and associated personal data at any time. This section explains how deletion works, what data is deleted, and what we are legally required to retain.

How to request deletion

To request deletion of your account and personal data, choose whichever method is easiest:

We will confirm receipt of your request within 3 working days and complete deletion within 30 days, in accordance with UK GDPR requirements.

What gets deleted

When your account is deleted, we will permanently remove:

What we are required to retain

Certain records must be retained by law even after your account is deleted. These records are anonymised where possible and access is strictly limited:

These retained records do not contain your login credentials, contact details, or any personal identifiers not required for the legal purpose.

Deletion timeline

If you are a company account owner

If you are the account owner of a Grafter Lab tenant (company) subscription, deleting your account will also close the company subscription and delete all company data. Before deleting, we recommend:

If you are an employee or staff user (not the account owner), your personal data can be deleted from the platform while your employer's company account continues. Contact your Grafter Lab administrator, or email us directly.

Questions

If you have questions about the deletion process before making a request, email info@grafterlab.com and we will respond within 3 working days.

14. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Grafter Lab Ltd
Email: info@grafterlab.com
Website: grafterlab.com
Company No. 17242271 — Registered in England and Wales