Legal · Version 1.0 · Last updated 7 July 2026
Privacy Policy
How Security Shift UK Ltd collects, uses and protects personal data as a data controller under UK GDPR and the Data Protection Act 2018.
Who we are
Security Shift UK Ltd is the data controller for personal data processed through the platform. Contact us at privacy@securityshiftuk.com for any data protection query, including access, rectification, erasure or objection requests.
What we collect
We collect data provided directly by you, generated by your use of the platform, and received from third parties who help us verify identity and licences.
- Account data: name, email, phone, role, password hash, profile photo.
- Officer data: SIA licence number, right-to-work documents, address, date of birth, next of kin, bank/Stripe Connect details, availability, ratings, incident history.
- Company data: registered company name, address, VAT number where provided, insurance evidence, billing details, staff contacts.
- Shift and location data: shifts posted, accepted, GPS check-in coordinates at start/end of shift, check-in photograph where enabled.
- Communications: in-app messages, notification preferences, support correspondence.
- Technical data: IP address, browser, device, cookies (see Cookie Policy).
Why we use it — lawful bases
We rely on the following lawful bases under UK GDPR: (a) performance of a contract, to run your account, match shifts, invoice and pay; (b) legal obligation, to keep SIA and right-to-work evidence and prevent fraud; (c) legitimate interests, to secure the platform, prevent no-shows and improve the service; and (d) consent, for marketing communications, biometric check-in and any non-essential cookies.
Sharing
We share personal data only where necessary to run the marketplace, meet legal obligations, or with your consent.
- Between the Officer and Company for a confirmed shift (limited to what is needed to work together safely).
- With Stripe for payments and payouts, and with our infrastructure providers (hosting, email, error monitoring, analytics).
- With the SIA register for licence verification lookups.
- With law enforcement or regulators where lawfully required.
Retention
We retain compliance and financial records for 6 years after the last activity on an account, in line with HMRC and SIA guidance. Marketing consent, cookie choices and communications are held for 24 months after last contact. On account deletion, personal data is removed or irreversibly anonymised except where retention is required by law.
Your rights
You have the right to access your personal data, request correction or deletion, object to processing, restrict processing, request portability, and withdraw consent at any time. To exercise a right, email privacy@securityshiftuk.com. You also have the right to complain to the Information Commissioner's Office (ico.org.uk).
International transfers
Data is primarily processed within the UK and EEA. Where a supplier processes data outside these regions, we rely on UK adequacy regulations or the ICO's International Data Transfer Addendum with standard contractual clauses.