Privacy Policy

What data do we process?

On behalf of our clients, we may process the following categories of data:

• Staff data (HR & compliance): Employee IDs, names, job roles, right-to-work documents, training and certification records, and employment history.
• Time and attendance data: Shift allocations, clock-in and clock-out times, location/GPS validation, absence, holiday, and payroll-related data.
• Customer and supplier data: Names, company details, contact information, contracts, service records, and invoicing details.
• Financial and operational data: Payment records, invoicing, budget, and operational information.
• Technical data: Device identifiers, login details, IP addresses, and system usage logs, collected to ensure security and system performance.

The exact data processed will depend on the services used by each client.

Purpose of processing

We only process personal data to deliver services to our clients, including:

• Staff management and HR compliance.
• Time and attendance tracking.
• Customer relationship and contract management.
• Payroll and invoicing support.
• Operational and compliance reporting.
• Security monitoring and service improvement.

We do not use personal data for marketing or any purpose outside client instructions.

Legal basis for processing

As Data Processor, MySiteOps does not determine the legal basis for processing. This responsibility lies with the Data Controller (our client).

Our clients, as Controllers, are responsible for ensuring they have a lawful basis (e.g. consent, contract, legal obligation, legitimate interests) before instructing us to process data.

Security and storage of data

We take appropriate technical and organisational measures to protect data against unauthorised access, alteration, disclosure, or loss. These measures include:

• Encrypted storage and transfer.
• Secure data centres located in the UK/EEA.
• Role-based access controls.
• Regular security reviews and audits.

If data is transferred outside the UK/EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses or adequacy regulations.

Data retention

We retain data only for as long as instructed by the client (Controller). At the end of the service, or on client request, data will be securely deleted or returned unless legal obligations require retention.

Your rights

As we act only as Data Processor, individuals wishing to exercise their rights under UK GDPR (access, rectification, erasure, restriction, portability, or objection) must contact the Data Controller (our client) directly.

We will assist our clients in fulfilling data subject rights requests in line with our Data Processing Agreement.

Data Processing Agreement (DPA)

MySiteOps acts solely as a Data Processor. Under our DPA with each client, we commit to:

• Process personal data only on documented instructions from the Controller.
• Ensure authorised staff are under confidentiality obligations.
• Implement appropriate technical and organisational security measures.
• Notify the Controller of any data breach without undue delay.
• Assist the Controller in complying with data subject rights and regulatory obligations.
• Engage sub-processors only with appropriate safeguards in place.
• Delete or return personal data at the end of service provision.

Limitation of liability

While we take all reasonable steps to protect data, no system can be guaranteed 100% secure. We cannot be held liable for unauthorised disclosures beyond our reasonable control.

We are not responsible for third-party websites or services linked from MySiteOps.

Contact us

For data protection queries, contact our Data Protection Officer:

Updates to this policy

We may update this Privacy Policy from time to time. Updates will be posted on our website and take effect immediately.