Privacy Policy

Last updated: 3 April 2026

1. Who We Are

Gaffer is a construction workforce management platform operated by Flowstate Systems ("we", "us", "our"), a sole trader business based in Derry, Northern Ireland, United Kingdom, operating under the trading name Flowstate Systems.

For the purposes of UK data protection law - including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 - the roles are as follows:

Flowstate Systems is a data processor, processing personal data on behalf of the employer or company that holds the Gaffer account.
The employer (admin account holder) is the data controller, responsible for determining the purposes and means of processing their workers' personal data.
For admin account data (the account holder's own name, email, and billing information), Flowstate Systems acts as the data controller.

Contact: hello@gafferai.uk

2. What Data We Collect

The following table sets out the categories of personal data we collect, the purpose of collection, and the legal basis under UK GDPR.

Data Type	Purpose	Legal Basis
Admin: name, email, phone, password	Account creation, authentication, communication	Contract performance (Art. 6(1)(b))
Worker: name, phone, email, PIN	Worker identification, account access, communication	Legitimate interest of employer (Art. 6(1)(f))
Employment details (pay rate, CIS/PAYE status, trade)	Payroll data aggregation, workforce categorisation	Contract performance / Legitimate interest
Photographs (face stamp)	Identity verification at clock-in and clock-out	Legitimate interest (workforce compliance). See Section 3 for full detail.
GPS location coordinates	Location verification at clock events, site attendance confirmation	Legitimate interest (site compliance). See Section 4 for full detail.
Clock-in/out timestamps	Attendance tracking, hours calculation, payroll	Contract performance / Legitimate interest
Signatures	Form sign-off, compliance verification, safety acknowledgements	Contract performance / Legal obligation
Form submissions	Health and safety records, inductions, toolbox talks, risk assessments	Legal obligation (Health and Safety at Work Act 1974, CDM Regulations 2015)
CSCS card details (number, type, expiry)	Certification tracking, expiry alerts, site access compliance	Legal obligation (CDM Regulations 2015)
Device information (browser, push token)	Push notifications, PWA functionality, offline sync	Consent (Art. 6(1)(a))
AI conversation data	Providing AI assistant responses to admin queries	Contract performance (Art. 6(1)(b))

3. Face Photographs (Face Stamp)

Gaffer captures a photograph of the worker using their device's front-facing camera at each clock-in and clock-out event. This is a core feature of the Service designed to verify that the correct individual is clocking in at the correct time and location.

3.1 How Face Photos Work

The photograph is captured on the worker's own device at the moment they tap clock-in or clock-out.
The image is stored as a compressed JPEG file within the clock event record in our database.
Photos are accessible only to admin users within the same company account. Workers cannot see other workers' photos.
Photos are displayed alongside clock records for manual visual verification by the employer.

3.2 What Face Photos Are Not Used For

We do not perform facial recognition, biometric analysis, or automated identity matching on these photographs.
We do not use facial geometry, measurements, or any biometric template extraction.
We do not compare photos against any database of faces.
We do not use face photos for any purpose other than displaying them to the employer as part of clock event records.

3.3 ICO Guidance on Biometric Data

Under ICO guidance, a photograph becomes biometric data only when it is processed through specific technical means (such as facial recognition software) to extract biometric identifiers. Because Gaffer stores photographs solely for manual visual review and does not process them through any biometric analysis, they are treated as standard photographic images rather than special category biometric data under Article 9 of UK GDPR.

If this position changes - for example, if we introduce facial recognition features in the future - we will update this policy, conduct a Data Protection Impact Assessment (DPIA), and obtain appropriate consent or establish an alternative lawful basis before any such processing begins.

3.4 Employer Obligations

Employers using the face stamp feature must inform their workers before first use that photographs will be taken at clock events and explain the purpose. Workers should be given this information as part of the employer's own privacy notice or employment documentation.

4. GPS Location Data

4.1 When Location Is Collected

GPS coordinates are captured at the moment of clock-in and clock-out only. Gaffer does not perform continuous location tracking, background tracking, or any monitoring of worker movements outside of clock events.

4.2 How Location Data Is Used

The GPS coordinates are stored as part of the clock event record to confirm the worker's location relative to their assigned site.
Coordinates are converted to a human-readable address using OpenStreetMap Nominatim (a third-party geocoding service). Only the GPS coordinates are sent to this service - no personally identifying information.
Location data is displayed to admin users alongside clock records for attendance verification.
Location data is not shared with any other third party.

4.3 Worker Device Permissions

The worker's device will request permission to access location services. If a worker denies location permission, the clock event will still be recorded but without GPS data. The employer will see that no location was captured for that event.

5. How We Use Personal Data

We process personal data for the following purposes:

Providing the workforce management service as described in our Terms of Service
Generating compliance reports, timesheets, and PDF exports for the employer
Sending push notifications about form assignments, certification expiry, messages, and account activity
Providing AI-powered insights and recommendations (Pro and Enterprise tiers only)
Maintaining the security and integrity of the Service
Responding to support requests and communications
Improving the Service (using aggregated, anonymised data only)

We do not sell personal data to any third party. We do not use personal data for advertising, marketing profiling, or any purpose unrelated to providing the Service.

6. AI Data Processing

The AI assistant feature (available on Pro and Enterprise tiers) is powered by Anthropic's Claude API. When an admin user sends a query to the AI assistant:

Relevant company data (such as worker names, clock events, form responses, job details) is sent to Anthropic's API to generate a contextual response.
This data is processed by Anthropic solely to generate the specific response requested. Anthropic does not store your data after the response is generated.
Anthropic does not use your data to train, fine-tune, or improve its AI models. This is governed by Anthropic's API Terms of Service, which explicitly state that API inputs and outputs are not used for model training.
AI conversation history is stored in our database (Supabase) as part of your account data, subject to the same retention periods and security measures as all other data.
Only admin users can access AI features. Worker accounts do not have access to the AI assistant.

7. Data Storage and Security

7.1 Where Data Is Stored

Database: Supabase (PostgreSQL), hosted in the EU (AWS eu-west-1, Ireland). Supabase is SOC 2 Type II certified.
File storage: Supabase Storage (photographs, form attachments), hosted in the same EU region.
Application hosting: Vercel (serverless functions and static hosting). Vercel processes requests but does not persistently store your personal data.

7.2 Security Measures

All data in transit is encrypted using HTTPS/TLS 1.2 or higher.
All data at rest in the database and file storage is encrypted.
Admin passwords are securely hashed using industry-standard algorithms with unique salts.
All database queries are scoped by company ID, enforcing multi-tenant data isolation. One company cannot access another company's data.
Row-level security (RLS) policies are enabled on all database tables.
Access to production infrastructure is restricted to authorised personnel only.

7.3 Breach Notification

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:

Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of UK GDPR.
Notify affected data controllers (employers) without undue delay so they can fulfil their own notification obligations to affected individuals.
Take immediate steps to contain and remediate the breach.

8. Third-Party Data Processors

We share personal data with the following third-party service providers who act as sub-processors:

Processor	Purpose	Data Shared	Location
Supabase	Database hosting, file storage, authentication	All account and worker data	EU (Ireland)
Vercel	Application hosting, serverless function execution	Request data (transient processing only)	EU / US (edge network)
Anthropic	AI assistant feature (Pro and Enterprise tiers only)	Company data included in AI queries	US
OpenStreetMap Nominatim	Reverse geocoding (GPS to address conversion)	GPS coordinates only (no personal identifiers)	Various

All third-party processors are bound by their own data processing terms and privacy policies. We select processors that maintain appropriate technical and organisational security measures.

8.1 International Transfers

Where personal data is transferred outside the United Kingdom (for example, to Anthropic in the United States or to Vercel's edge network), such transfers are made in compliance with UK GDPR requirements. We rely on the following safeguards:

UK adequacy regulations where applicable
Standard contractual clauses (UK International Data Transfer Agreement or UK Addendum to EU SCCs) where adequacy decisions do not apply
The processor's own certifications and data protection commitments

9. Your Rights Under UK GDPR

Under UK data protection law, individuals whose data is processed through Gaffer have the following rights:

9.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one calendar month.

9.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data where there is no compelling reason for continued processing. Note that we may need to retain certain data to comply with legal obligations (for example, health and safety records required under CDM Regulations).

9.4 Right to Restrict Processing (Article 18)

You have the right to request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of data you have contested.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON).

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. Where you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

9.7 Right to Withdraw Consent (Article 7)

Where processing is based on consent (such as push notifications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

9.8 How to Exercise Your Rights

If you are a worker: In the first instance, contact your employer (the company that manages your Gaffer account). As the data controller, your employer is responsible for handling your rights requests. If your employer is unresponsive or you are unable to resolve the matter, you may contact us directly at hello@gafferai.uk and we will work with the employer to address your request.

If you are an admin account holder: Contact us directly at hello@gafferai.uk.

We will respond to all valid requests within one calendar month. In complex cases, we may extend this by a further two months, but we will inform you of any extension and the reasons within the first month.

There is no fee for exercising your rights, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

9.9 Right to Complain

If you are not satisfied with how we handle your data or your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

10. Data Retention

10.1 Active Accounts

While your account is active, data is retained according to your subscription tier:

Site (Starter): 12 months of historical records
Site Pro: 24 months of historical records
Site Enterprise: Unlimited retention

Data older than your tier's retention period is automatically archived and then permanently deleted.

10.2 After Account Cancellation

All account data is retained for 30 calendar days after cancellation to allow for data export.
After 30 days, all data is permanently deleted from our database, file storage, and backups. This includes worker records, clock events, photographs, form submissions, signatures, CSCS data, and AI conversation history.
Deletion from third-party processor backup systems may take up to an additional 30 days, in line with their standard backup rotation schedules.

10.3 Legal Retention Obligations

Certain records may need to be retained by the employer for longer periods to comply with UK legislation. For example, health and safety records under the CDM Regulations 2015 or RIDDOR may need to be kept for specific periods. It is the employer's responsibility to export and retain such records independently before account cancellation.

11. Cookies and Tracking

Gaffer uses only essential cookies and local storage required for the Service to function. We use:

Authentication tokens: To keep you logged in and maintain your session.
Local storage: To enable offline PWA functionality and store pending sync data.
Service worker cache: To enable the PWA to load and function offline.

We do not use analytics cookies, advertising cookies, social media tracking pixels, or any third-party tracking scripts. We do not track user behaviour for marketing purposes.

12. Children

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly. In the construction industry context, workers are expected to be of legal working age (16 or over in the UK).

13. Data Protection Impact Assessments

Given that Gaffer processes location data and photographs of workers, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of UK GDPR. We review and update this assessment periodically and whenever we introduce significant changes to our data processing activities.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify admin account holders by email or in-app notification at least 14 days before the changes take effect.
Where changes affect worker data processing, we will notify the employer so they can inform their workers.

15. Contact Us

If you have any questions about this Privacy Policy, our data processing practices, or wish to exercise your data protection rights, please contact us:

Email: hello@gafferai.uk
Business: Flowstate Systems, Derry, Northern Ireland, BT48