← Back

Privacy Policy

Last updated: 11 May 2026

1. Who We Are

Saral (“we”, “us”, “our”) is the data controller responsible for personal data collected through this subcontractor management system. If you have any questions about how we handle your data, contact us at admin@getsaral.co.uk.

2. What Data We Collect

We collect the following categories of personal data from workers:

  • Full name, date of birth, nationality
  • Home address, phone number, email address
  • National Insurance (NI) number and Unique Taxpayer Reference (UTR)
  • Bank account details (account name, sort code, account number)
  • Right to work documentation (passport, BRP/VISA, HMRC Share Code)
  • Proof of address (utility bill or bank statement)
  • Accreditation documents (CSCS card, CITB certificate, etc.)
  • Emergency contact details
  • Health information (pre-existing injuries or medical conditions relevant to site safety)
  • Electronic signature, IP address, and submission timestamp

3. App Permissions

The Saral mobile app requests the following device permissions:

Camera

Used solely to scan QR codes displayed at project sites for manual check-in and check-out. We do not capture, store, or transmit any photographs or video from your camera. The camera reads only the QR code value in real time; no image data leaves your device.

Location (including Background Location)

Used to detect when you arrive at or depart from a project site during your working hours, enabling automatic check-in and check-out via geofencing (a defined zone around each site).

  • Location is checked only at site boundaries — not continuously tracked.
  • No GPS trail of your movements is recorded or stored.
  • Your location outside of project sites and outside of working hours is never seen or stored.
  • Background location (“Allow all the time”) is required so that automatic check-in works even when the app is not open on screen — the only function this enables is detecting site arrivals and departures.

A persistent notification is displayed on your device whenever the geofence monitor is active, making it visible at all times that the service is running.

Push Notifications

Used to send you alerts about attendance confirmations, pay slip availability, leave request updates, and messages from your employer. You can disable notifications at any time in your device settings.

4. Why We Collect Your Data (Lawful Basis)

Contract performance — Most data is necessary to fulfil our contractual obligations to you, including processing CIS payments, issuing payslips, and complying with HMRC reporting requirements.

Legal obligation — We are required by law to verify your right to work in the UK and to maintain accurate HMRC records under the Construction Industry Scheme (CIS).

Legitimate interests — Emergency contact information and health declarations are collected to protect worker safety on site. Location data for geofence-based attendance is processed under legitimate interests: accurately recording site attendance for payroll and compliance, balanced against workers’ rights to privacy. Workers are informed at app setup and via a persistent notification throughout.

5. How We Store and Protect Your Data

Your data is stored securely on Supabase (hosted within the EU). Access is restricted to authorised Saral personnel only. Files uploaded through this system (passport, proof of address, etc.) are stored in encrypted, private cloud storage and are not publicly accessible. All access is logged and audited.

6. How Long We Keep Your Data

Financial and payroll records (NI, UTR, bank details, signed contracts) — retained for 6 years after the end of your engagement, as required by HMRC.

Right to work documents — retained for 2 years after the end of employment, in line with Home Office guidance.

Health and safety records — retained for the duration of the engagement and up to 3 years thereafter.

After these periods, your data will be securely deleted.

7. Who We Share Your Data With

We do not sell or share your personal data with third parties for marketing purposes. We may share limited data with:

  • HMRC — as required under CIS regulations
  • Our accountant or payroll provider — for payment processing only
  • Site clients — limited to name, trade, and accreditation status for site access

8. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete data
  • Erasure — request deletion of your data where we have no legal obligation to retain it
  • Restriction — ask us to restrict processing while a dispute is resolved
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, email admin@getsaral.co.uk. We will respond within 30 days.

9. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Changes to This Policy

We may update this policy from time to time. The latest version will always be available at this page. Where changes are significant, we will notify active subcontractors directly.

Saral — Registered in England and Wales  |  UK GDPR compliant