This policy explains how Grafter Lab Ltd ("Grafter Lab", "we", "us", "our") collects, uses, and protects your personal data when you use our platform, mobile application, and related services. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Grafter Lab Ltd
Company Number: 17242271
Registered in England and Wales
Email: info@grafterlab.com
Website: grafterlab.com
Grafter Lab Ltd is the data controller for personal data processed through the Grafter Lab platform. Where we process personal data on behalf of our business customers (tenants), we act as a data processor and our customers act as the data controller.
2. What Data We Collect
We collect and process the following categories of personal data:
| Category | Examples | Who it relates to |
|---|---|---|
| Account information | Name, email address, password (hashed), role | All users |
| Location data | GPS coordinates at clock-in/clock-out, job site location | Staff users |
| Time and attendance | Clock-in/out times, hours worked, leave requests | Staff users |
| Employment information | Hourly rate, employment type, role, active status | Staff users |
| Contact details | Mobile phone number (for SMS schedule notifications) | Staff users |
| Financial data | Invoice amounts, payment status, VAT information, bank details (company level only) | Director/admin users |
| Job and project data | Job names, site addresses, customer names, job status, progress | Director/admin users |
| Device and usage data | IP address, browser type, app version, session data | All users |
| Communications | SMS messages sent via the platform, email open tracking | All users |
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service — operating the platform, enabling clock-in/out, scheduling, invoicing, and job tracking
- Authentication — verifying your identity and maintaining secure access to your account
- GPS verification — confirming staff location at clock-in to validate attendance at job sites
- SMS notifications — sending schedule updates and alerts to staff via Twilio
- Financial operations — generating invoices, tracking payments, and cashflow forecasting
- Service improvement — analysing usage patterns to improve the platform
- Legal compliance — meeting our obligations under UK law including tax and employment regulations
- Security — detecting and preventing fraud, abuse, and unauthorised access
4. Legal Basis for Processing
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing the contracted service | Article 6(1)(b) — performance of a contract |
| GPS location at clock-in | Article 6(1)(b) — performance of a contract / Article 6(1)(f) — legitimate interests |
| SMS schedule notifications | Article 6(1)(b) — performance of a contract |
| Financial records and invoicing | Article 6(1)(c) — legal obligation |
| Service improvement and analytics | Article 6(1)(f) — legitimate interests |
| Security and fraud prevention | Article 6(1)(f) — legitimate interests |
5. Location Data
The Grafter Lab mobile app requests access to your device's GPS location. Location data is used exclusively to:
- Verify that staff are at the correct job site when clocking in
- Record the location at time of clock-in for attendance records
Location is only captured at the moment of clock-in and clock-out. We do not track your location continuously or when the app is in the background. You may deny location permission, but this may prevent the clock-in feature from functioning correctly. Location data is stored securely on our servers and is only accessible to your employer (the Grafter Lab tenant) and authorised Grafter Lab personnel.
6. Data Sharing
We do not sell your personal data. We share data only with the following third parties where necessary to provide the service:
| Third party | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud hosting and infrastructure | London, UK (LON1) |
| Twilio | SMS delivery for schedule notifications | USA (SCCs in place) |
| Stripe | Subscription billing and payment processing | USA/Ireland (SCCs in place) |
| Anthropic | AI assistant features within the platform | USA (SCCs in place) |
| Xero | Accounting integration (optional) | New Zealand/UK |
| Fergus | Job management integration (optional) | New Zealand |
| Postmark / Mailgun | Transactional email delivery | USA (SCCs in place) |
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
7. Data Retention
We retain your personal data for as long as necessary to provide the service and meet our legal obligations:
- Active accounts — data is retained for the duration of the subscription
- Time and attendance records — retained for 6 years (HMRC requirement)
- Financial records (invoices, payments) — retained for 7 years (Companies Act / HMRC)
- Location data — retained as part of timesheet records (6 years)
- Deleted accounts — data is purged within 90 days of account closure, except where legal retention applies
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your data (subject to legal retention obligations)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Rights related to automated decision-making — we do not make solely automated decisions that significantly affect you
To exercise any of these rights, contact us at info@grafterlab.com. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Security
We take the security of your data seriously and implement appropriate technical and organisational measures including:
- All data transmitted over HTTPS/TLS encryption
- Passwords stored using bcrypt hashing — never in plain text
- Database hosted on DigitalOcean servers in London with restricted access
- Multi-tenant data isolation — each company's data is scoped to prevent cross-tenant access
- Regular security reviews and access controls
- API keys and credentials stored as environment variables, never in code
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.
10. Cookies
The Grafter Lab web platform uses cookies and similar technologies to maintain your session and provide the service. We use:
- Session cookies — essential for keeping you logged in during your session
- CSRF protection cookies — essential security cookies to prevent cross-site request forgery
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.
11. Children
Grafter Lab is a business operations platform intended for use by adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe a child has provided us with personal data, please contact us at info@grafterlab.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. We will notify active users of material changes by email or via the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of Grafter Lab after changes are posted constitutes acceptance of the updated policy.
13. Account and Data Deletion
You have the right to request deletion of your Grafter Lab account and associated personal data at any time. This section explains how deletion works, what data is deleted, and what we are legally required to retain.
How to request deletion
To request deletion of your account and personal data, choose whichever method is easiest:
- Email us at info@grafterlab.com with the subject line "Account Deletion Request", from the email address associated with your Grafter Lab account. Please include the name of the company registered on Grafter Lab so we can locate the correct account.
- In-app: once signed in to Grafter Lab, go to Settings → Account and use the "Delete My Account" option (available to account owners).
We will confirm receipt of your request within 3 working days and complete deletion within 30 days, in accordance with UK GDPR requirements.
What gets deleted
When your account is deleted, we will permanently remove:
- Your user profile and login credentials
- Personal contact details (name, email address, phone number)
- Profile photos and other uploaded media
- Device tokens for mobile push notifications
- Session and authentication records
- Location data attached to your personal clock-in records (where legally permitted)
- Any content you have created within the platform that contains personal identifiers
What we are required to retain
Certain records must be retained by law even after your account is deleted. These records are anonymised where possible and access is strictly limited:
- Financial records (invoices, payments, VAT records) — retained for 7 years under the Companies Act and HMRC requirements
- Time and attendance records — retained for 6 years under HMRC requirements
- Records required for tax, audit, or legal defence — retained for the period required by law
These retained records do not contain your login credentials, contact details, or any personal identifiers not required for the legal purpose.
Deletion timeline
- Within 3 working days — we confirm receipt of your deletion request
- Within 30 days — we complete deletion of your account and personal data
- Within 90 days — residual copies in encrypted database backups are purged as backup rotation completes
If you are a company account owner
If you are the account owner of a Grafter Lab tenant (company) subscription, deleting your account will also close the company subscription and delete all company data. Before deleting, we recommend:
- Downloading any invoices, quotes, or financial reports you wish to keep
- Exporting your customer and supplier lists
- Cancelling any active Xero or other integrations
If you are an employee or staff user (not the account owner), your personal data can be deleted from the platform while your employer's company account continues. Contact your Grafter Lab administrator, or email us directly.
Questions
If you have questions about the deletion process before making a request, email info@grafterlab.com and we will respond within 3 working days.
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Grafter Lab Ltd
Email: info@grafterlab.com
Website: grafterlab.com
Company No. 17242271 — Registered in England and Wales