Privacy Policy
Last updated: 5 March 2026
1. Who We Are
Intelligent Payroll Limited T/A The Pay Bureau (“we”, “us”, “our”) is the data controller responsible for your personal data. We are a company registered in England and Wales, providing a payroll bureau management platform (“the Service”).
For any data protection queries, contact us at support@thepaybureau.com.
2. What Data We Collect
We collect and process the following categories of personal data:
Account Data: Your name, email address, and password (hashed) when you register for an account.
Profile Data: Your profile photo (optional), display name, and account preferences.
Client Data: Information you enter about your payroll clients, including company names, PAYE references, contact details, payroll configurations, and employee counts. This data is entered and controlled by you.
Usage Data: Information about how you interact with the Service, including pages visited, features used, and timestamps of activity.
Technical Data: IP address, browser type, device information, and cookies (see Section 7).
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing and maintaining the Service, including user authentication and data storage
- Sending you important service notifications (e.g., security alerts, changes to terms)
- Sending payroll deadline reminders and notifications you have opted into
- Improving the Service based on usage patterns and feedback
- Processing payments for paid tier subscriptions
- Responding to your support requests and enquiries
- Complying with legal obligations
4. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we process your data on the following legal bases:
Contract (Article 6(1)(b)): Processing necessary to perform our contract with you (providing the Service).
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
Consent (Article 6(1)(a)): Where you have given specific consent, such as opting into marketing communications. You may withdraw consent at any time.
Legal Obligation (Article 6(1)(c)): Where we need to process data to comply with a legal obligation.
5. Third-Party Processors
We use the following third-party services to operate the Service. Each processes data on our behalf under appropriate data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting and deployment | Global CDN (EU primary) |
| Stripe | Payment processing (paid tier only) | US/EU |
| Resend | Transactional email delivery | US |
6. Data Storage and Security
Your data is stored securely using industry-standard encryption. All data is encrypted in transit (TLS 1.2+) and at rest. Database access is protected by Row Level Security policies that ensure you can only access data belonging to your own account or organisation.
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include access controls, regular security reviews, and secure development practices.
7. Cookies
We use the following types of cookies:
Essential Cookies: Required for authentication and security. These cannot be disabled as the Service will not function without them.
Preference Cookies: Store your settings such as theme preference (light/dark mode). These improve your experience but are not strictly necessary.
We do not use advertising cookies or third-party tracking cookies. We do not sell your data to advertisers or data brokers.
8. Your Rights Under GDPR
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (“right to be forgotten”)
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at support@thepaybureau.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you close your account, we will delete your data within 90 days, except where we are required to retain it for legal or regulatory purposes.
Client data you enter into the Service is deleted when you delete it or when your account is closed. We do not retain backups of deleted data beyond our standard backup rotation period (30 days).
10. International Transfers
Some of our third-party processors (see Section 5) are based outside the UK and EU. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office, and adequacy decisions where applicable.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.
For any privacy-related questions or concerns, contact our data protection team at support@thepaybureau.com.