Privacy Policy
Last Updated: 03 March 2025
This Privacy Policy describes how HASH Tech Ltd ("we," "us," or "our") collects, processes, and protects your personal data when you use the Service or visit our website (even if you do not register or use the platform) and explains your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We use your personal data to provide and improve the Service. By using the Service, you agree that you have read and understood this Privacy Policy and consented to the collection and use of information in accordance with this Privacy Policy.
1. Interpretation and Definitions
1.1 Interpretation
The words with capitalized initial letters have meanings defined under the following conditions. These definitions shall have the same meaning regardless of whether they appear in singular or plural.
1.2 Definitions
For the purposes of this Privacy Policy:
Account: A unique account created for you to access our Service or parts of our Service.
Affiliate: An entity that controls, is controlled by, or is under common control with HASH Tech Ltd.
Application: Refers to DOQWorld, the software program provided by HASH Tech Ltd, including its web-based and mobile versions.
Company: Refers to HASH Tech Ltd ("we," "us," or "our"), registered in the United Kingdom.
Country: Refers to the United Kingdom.
Data Controller: The entity (HASH Tech Ltd) that determines the purposes and means of processing certain types of personal data (e.g. authentication logs) under Article 4(7) of the UK GDPR.
Data Processor: A third-party service provider that processes personal data on behalf of the Company under Article 4(8) UK GDPR (e.g. Supabase for authentication).
Device: Any computer, smartphone, tablet, or other internet-connected device that can be used to access the Service.
Employee User: An individual onboarded by the Primary User by uploading data (including personal data) into the Application.
Personal Data: Any information that relates to an identified or identifiable individual, as defined in Article 4(1) UK GDPR.
Primary User: The account holder with administrative privileges, typically the employer. This user is the Data Controller of employee data (e.g. can onboard employees, manage subscriptions, add delegate accounts).
Service: Refers to the DOQWorld services and its functionalities, including its HR and document management functionalities, mobile applications, and web services.
Service Provider: Any third-party entity or individual contracted by Company to process data or provide operational support (e.g. cloud hosting, authentication services).
Usage Data: Data collected automatically from the use of the Service or the Service infrastructure itself (e.g. log files, session durations, authentication logs).
You: The individual, company, or legal entity accessing or using the Service, also referred to as “User”.
2. Collecting and Using Your Personal Data
2.1 Types of Data (including Personal Data) Collected
We collect and process different categories of data depending on how the Service is used.
A. Data Collected from Primary Users
When a Primary User registers for the Service, we may collect information including, but not limited to, the following:
Email address
First and last name
Phone number
Legal entity name
Job title
Address, State, ZIP/Postal code, City
Login credentials
Subscription and billing information
B. Data Collected from Employee Users (Uploaded by the Primary User)
The Primary User may upload or input Employee User data into the Application, which may include:
First and last name
Employee ID
Email address
Phone number
Job role, employment type, probation status
Contracted hours, annual leave entitlement
Rota and shift schedules
Clock-in and clock-out records (QR-based check-ins)
The specific data collected may vary based on how the employer configures and uses the platform. Additional information may be required to support certain features and ensure compliance with applicable regulations. DOQWorld does not access, process, or analyse the contents of documents uploaded by the Primary User. The Company acts solely as a Service Provider (Data Processor) for secure document storage. The Primary User (Data Controller) remains responsible for ensuring that Employee User data is processed lawfully.
C. Data Collected from Website Visitors
If you visit the DOQWorld website, we may collect:
Contact form submissions (if applicable)
Customer service inquiries
D. Usage Data Collected Automatically
When accessing the Service or the website, we collect certain usage data automatically, including:
IP address
Browser type and version
Operating system and device type
Authentication logs (login timestamps, failed login attempts)
Clock-in and clock-out timestamps
Session activity logs
Device identifiers and diagnostic data
E. Additional Usage Data Collected Through Mobile Devices
When accessing the Service via a smartphone, tablet, or other mobile device, we may also collect:
Mobile device type
Unique device ID
Mobile operating system and browser details
2.2 How We Collect Your Data
We collect personal data in the following ways:
Direct Input: When a Primary User provides information during registration, subscription, or account management.
Employer Uploads: When a Primary User inputs Employee User data into the Application.
Automated System Logging: When users log in, authenticate, or access features.
Clock-in and Clock-out Tracking: When Employee Users use QR-based check-ins.
2.3 Legal Basis for Processing Personal Data
Under UK GDPR, we process personal data based on the following lawful grounds:
Purpose of Processing | Legal Basis | Justification Under UK GDPR
Primary User Account Creation & Login Management | Performance of Contract (6(1)(b)) | Required to provide the Service to registered users.
Subscription & Billing Management | Performance of Contract (6(1)(b)) | Necessary to manage customer subscriptions.
Processing Employee Data (Uploaded by Primary User) | Performance of Contract (6(1)(b)) – Data Processor | Employers use the Service to store employee records. DOQWorld does not access or process document contents.
Clock-in and Clock-out Data Retention | Performance of Contract (6(1)(b)) | Employers require this feature as part of the agreed Service.
Authentication & Security Logs (IP addresses, logins) | Legal Obligation (6(1)(c)) | Required under Article 32 UK GDPR to ensure platform security.
Usage Analytics & Performance Monitoring | Performance of Contract (6(1)(b)) | Used to ensure smooth platform functionality and detect errors.
Responding to Customer Inquiries | Performance of Contract (6(1)(b)) | Users contact support as part of using the Service.
Website Visitor Contact Forms | Consent (6(1)(a)) | Users voluntarily submit contact forms, requiring explicit consent.
Device & Diagnostic Data Collection (Mobile Use) | Performance of Contract (6(1)(b)) | Used only for debugging and performance improvement necessary for service reliability.
2.4 Data Minimization and No Special Category Data Processing
The Service is designed to collect only the data necessary for its intended functionality. We do not request or process:
Special category data (e.g., health information, biometric data, trade union membership)
Employee payroll or salary data
Right-to-work documentation or any scanned identity verification documents
If a Primary User uploads such data, they are responsible for ensuring compliance with applicable data protection laws.
2.5 No Cookies or Tracking Technologies
DOQWorld does not use cookies or tracking technologies on the platform or within the Application. However, our website (hosted on Squarespace) may use essential cookies required for basic website functionality. These cookies are managed by Squarespace and are subject to their policies.
For more details on the types of cookies used and how they are managed, please refer to https://www.squarespace.com/cookie-policy.
2.6 Data Accuracy and User Responsibility
Primary Users are responsible for ensuring that the personal data they provide is accurate, up to date, and lawfully processed. Employee Users should contact their employer to request corrections or updates to their data.
3. Use of Your Personal Data
We process Personal Data for the following purposes:
To provide and maintain our Service: Including monitoring Service usage and functionality.
To manage Your Account: Allowing registered users to access specific functionalities.
To fulfil a contract: Including purchases or agreements made through the Service.
To contact You: For updates, security notifications, and customer service communications.
For promotional purposes: Providing you with relevant information unless you opt out.
For legal compliance and security: Ensuring adherence to applicable laws and security standards.
To manage subscriptions and payments: Processing employer account billing, verifying payment status, and issuing invoices.
4. Sharing Your Personal Data
We do not sell or rent your personal data. However, we may share it in the following circumstances:
4.1 With Service Providers (Sub-Processors)
We engage third-party Service Providers to support our platform operations. These providers process data on our behalf and under strict contractual obligations. Categories of Service Providers include:
Service | Purpose | Data Processed
Supabase | Database, authentication, file storage | Employee records, authentication logs, document metadata (not content)
Resend | Email notifications | User email addresses
Stripe | Payment processing | Employer billing details; DOQWorld only fetches subscription status via customer email ID
Squarespace | Website hosting & domain management | Used for domain name and website.
A full list of sub-processors is available upon request at customerservice@doqworld.co.uk.
4.2 Business Transfers
In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity. We will ensure:
The new entity adheres to this Privacy Policy or applies equivalent safeguards.
Users are notified before the transfer, allowing them to request data deletion if applicable.
4.3 Sharing Within Our Corporate Group
We may share personal data with affiliates within our corporate group for:
Internal administrative purposes.
Compliance with regulatory obligations.
4.4 Sharing at the Request of the Primary User
We do not share data with third-party Business Partners unless requested by the Primary User (e.g., integrating with external HR or payroll systems).
4.5 With Your Explicit Consent
We will request explicit consent before sharing personal data for:
Marketing or promotional purposes.
Any purpose not covered in this Privacy Policy.
You may withdraw consent at any time by contacting us at customerservice@doqworld.co.uk.
5. Retention of Your Personal Data
We retain your Personal Data only as long as necessary for the purposes outlined in this Privacy Policy, including legal, contractual and security obligations. Retention periods vary based on data type and purpose to ensure compliance with UK GDPR (Article 5(1)(e)) and UK employment regulations.
5.1 Retention Periods by Data Category
Data Type | Retention Period | Reason
Employee Records | Retained for 6 years after employer account deletion, unless otherwise requested. | Compliance with UK employment laws & record-keeping obligations.
Clock-In & Clock-Out Data | Retained for 3 years after employee record deletion. | Payroll & compliance with UK Working Time Regulations.
Authentication Logs | Retained for 1 year. | Security & audit purposes.
Subscription & Billing Records | Retained for 7 years. | Legal and financial compliance (HMRC).
Customer Support Inquiries | Retained for 6 months. | Service improvement & dispute resolution.
Usage Data | Retained for up to 6 months. | Service functionality & troubleshooting.
5.2 Data Deletion Process
We provide multiple options for data deletion, ensuring compliance with UK GDPR Article 17 (Right to Erasure):
Employer Request: Primary Users may request full data deletion upon terminating their DOQWorld subscription. Deletion is processed immediately, except where legal or regulatory obligations require continued retention (e.g., financial records, working time data).
Automated Deletion: If a Primary User account remains inactive for 1 year, all non-essential records will be deleted. Legally required data (e.g., payroll, tax, working time records) will be retained for the applicable retention periods before deletion.
Employee Data Deletion: Employee Users must request data deletion directly from their employer. DOQWorld, as a Data Processor, will act on employer instructions to delete or anonymize data, except where retention is legally required.
Legal & Security Exceptions: Some data (e.g., billing records, security logs) may be retained even after account deletion for compliance and audit purposes.
6. Where Do We Store Your Personal Data?
The Personal Data we process is primarily stored by our hosting provider Supabase on servers located within the European Economic Area (EEA).
To provide the Services, we may transfer some of your Personal Data to third-party Service Providers that process data outside the United Kingdom (UK) and the EEA. In such cases, we ensure that:
The country benefits from an adequacy decision issued by the UK government, meaning it provides an equivalent level of data protection.
If located in a country that does not have an adequacy decision (e.g., the United States), appropriate safeguards are implemented, such as:
Standard Contractual Clauses (SCCs) approved under UK GDPR.
The UK International Data Transfer Agreement (IDTA) where required.
Additional security and contractual measures to ensure compliance with UK GDPR.
For further details on international transfers or to request a copy of the applicable safeguards, you may contact us at customerservice@doqworld.co.uk.
7. Your Rights and Data Deletion
Under UK GDPR, you have certain rights regarding your Personal Data. These rights depend on the nature of the data processing and legal requirements.
7.1 Your Data Protection Rights
You have the right to:
Access Your Data (Article 15 UK GDPR): Request a copy of the personal data we hold about you.
Rectify Your Data (Article 16 UK GDPR): Request corrections to inaccurate or incomplete personal data.
Erase Your Data ("Right to Be Forgotten") (Article 17 UK GDPR): Request deletion of your data in certain circumstances, such as when it is no longer necessary for processing.
Restrict Processing (Article 18 UK GDPR): Request temporary restriction of data processing under certain conditions.
Object to Processing (Article 21 UK GDPR): Object to processing based on legitimate interests or direct marketing.
Withdraw Consent (Article 7(3) UK GDPR): Withdraw consent at any time if processing is based on consent.
Decide the fate of your data after death: The right to set out what you wish to happen to your Personal Data in the event of your death.
File a complaint with the supervisory authority or seek compensation from the competent courts.
7.2 Exercising Your Rights
You may exercise these rights by:
Using your account settings to access, update, or delete certain personal data.
Contacting us at customerservice@doqworld.co.uk to request data access, deletion, or correction.
We will respond to all requests within one month as required by UK GDPR Article 12(3). If an extension is needed due to complexity, we will inform you.
7.3 Limitations on Data Deletion
We may not be able to delete all data immediately if:
Legal obligations require retention (e.g., financial records, security logs).
The data is necessary for contractual performance.
Retention is required to establish, exercise, or defend legal claims.
For more information on how long we retain data, please refer to Section 5 (Data Retention).
8. Disclosure of Your Personal Data
We may disclose your Personal Data only when necessary and in compliance with UK GDPR.
8.1 Business Transactions
If the Company undergoes a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the acquiring entity. In such cases:
We will ensure the receiving party adheres to this Privacy Policy or implements equivalent safeguards.
You will be notified in advance of any transfer affecting your data.
8.2 Legal and Regulatory Obligations
We may disclose your personal data when required to comply with legal obligations, including:
Law enforcement requests: When responding to valid court orders, subpoenas, or regulatory demands.
Compliance with legal obligations: Where required by UK law, financial regulations, or tax authorities.
Fraud prevention & security measures: To detect, investigate, and prevent fraudulent or illegal activities.
Any legal disclosure will be conducted in accordance with due process and applicable laws. We will assess all requests to ensure they are legitimate, necessary, and proportionate.
8.3 Protection of Rights & Safety
We may disclose data where necessary to:
Protect the rights, property, or safety of DOQWorld, our users, or the public.
Enforce our Terms of Service and investigate potential violations.
9. Security of Your Personal Data
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or alteration, in compliance with UK GDPR Article 32 (Security of Processing). While we apply industry-standard security practices, no system is completely immune to security risks.
9.1 Security Measures Implemented by DOQWorld
We have adopted the following security measures to protect user data:
Biometric Authentication: Secure login authentication for users who enable it (DOQWorld does not store biometric data; authentication occurs on the user’s device).
Single Active Session Policy: Users can only be logged in from one session at a time, reducing the risk of unauthorized access.
Audit Logs & Monitoring: System-generated logs track access and activities for security monitoring and compliance.
Secure Payment Processing: All payments are processed by Stripe, which complies with PCI-DSS standards to ensure the security of financial transactions.
9.2 Security Features Implemented by Supabase (Hosting & Authentication Provider)
We use Supabase for database management, authentication, and file storage. Supabase applies industry-standard security measures, including:
Encryption: All data is encrypted at rest and in transit using strong encryption protocols.
Access Controls: Role-based permissions restrict access to authorized users only.
Automated Backups: Daily backups ensure data integrity and recovery in case of system failure.
9.3 Shared Responsibility for Security
While we implement robust security measures, security also depends on user actions. We recommend that users:
Use a strong, unique password for their account.
Enable biometric authentication if supported by their device.
Keep login credentials confidential and avoid sharing access.
If you have security-related concerns, please contact us at customerservice@doqworld.co.uk.
10. Children's Privacy
The Service is not intended for individuals under the age of 13. We do not knowingly collect or process personal data from children.
If we become aware that we have collected personal data from an individual under 13 years old without verified parental consent, we will:
Immediately delete the data from our systems.
Restrict account access if necessary to prevent further data collection.
Allow parents or legal guardians to contact us at customerservice@doqworld.co.uk to request data deletion.
If you believe that a child has provided us with personal data without parental consent, please contact us immediately.
11. Third-Party Links
Our Service may contain links to third-party websites or services. These external sites operate independently of DOQWorld, and we do not control their content, privacy policies, or data processing practices.
When you follow a third-party link:
Any personal data you provide to that website is governed by their privacy policy, not ours.
We do not accept responsibility for how third parties collect, use, or secure your data.
We encourage you to review the privacy policies of any third-party sites before providing personal data.
If you have concerns about a linked third-party website, please contact them directly.
12. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect legal requirements, business changes, or improvements to our Service.
Minor updates (e.g., clarifications, formatting changes) will be posted on this page with the "Last Updated" date revised.
Significant changes (e.g., new data processing activities, changes in legal rights, or updates to how personal data is shared) will be communicated to users via email or in-app notifications, where applicable.
We encourage you to review this Privacy Policy regularly. If you continue using the Service after an update takes effect, it will indicate your acceptance of the revised terms. If you do not agree to any changes, you may discontinue use of the Service and request account deletion.
13. Contact Us
For questions or concerns regarding this Privacy Policy, contact us at:
Email: customerservice@doqworld.co.uk
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk.