Privacy Policy

8Employ Ltd

Last updated: March 2026 · Version 2.0

1. Who We Are

8Employ Ltd ("we", "our", "us") is a company registered in England and Wales (Company No. 17082344). We provide AI-powered business intelligence reports and operational analytics to small and independent businesses in the hospitality sector.

We act as a data controller for the personal data described in this policy. We are registered with the Information Commissioner's Office (ICO), registration number [PENDING].

We comply with the UK General Data Protection Regulation (UK GDPR) as retained under the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018.

Data Protection Contact

Email: privacy@8employ.uk

For all data protection enquiries, subject access requests, and rights requests, please contact us at the address above. We aim to respond to all requests within one calendar month.

2. What Data We Collect

We collect and process different categories of data depending on how you interact with our service. Not all categories will apply to every client.

Client contact information (personal data)

  • Business contact name and email address
  • Business name and trading address
  • Phone number (where voluntarily provided)

Business operational data (via your POS system)

  • Transaction records including sales volumes, revenue, and product-level data
  • Operational metrics such as trading hours, covers, and busiest periods
  • Waste and stock data (where recorded in your POS system)
  • Booking and reservation data including no-show rates

Financial data (via your accounting platform, where connected)

  • Profit and loss summaries, bank transaction summaries, and margin analysis from Xero or similar platforms
  • Balance sheet data and cash flow summaries

Publicly available review data

  • Google reviewer display names, star ratings, and review text as published on Google Maps
  • We collect this data via the Google Places API to include review analysis in your business reports

Platform administrator data

  • Admin usernames and hashed credentials for platform access
  • Login IP addresses (for security rate-limiting purposes only, not stored persistently)
  • Session tokens (held in memory during active sessions, automatically expired)

We do not collect customer-level personal data — that is, data about your individual customers. Our reports analyse business performance, not individual consumer behaviour.

3. How We Collect Your Data

We collect data through the following methods:

  • Directly from you: when you provide your contact details, upload spreadsheet files, or communicate with us via email or our web dashboard.
  • From your POS system: via authenticated API connections to platforms such as EposNow. You authorise this connection and can revoke it at any time.
  • From your accounting platform: via OAuth 2.0 authenticated connections to Xero or similar platforms. You explicitly authorise each connection through the platform's own consent flow.
  • From public sources: we collect publicly available Google review data via the Google Places API. This data is already published by reviewers on Google Maps.

4. Lawful Basis for Processing

Under UK GDPR Article 6, we must have a lawful basis for processing personal data. The table below sets out our purposes and the corresponding lawful basis for each:

Purpose | Lawful Basis (Art. 6) | Data Used
Generating your business intelligence reports | Performance of contract (Art. 6(1)(b)) | POS data, accounting data, contact details
AI-powered analysis and health scoring of your business | Performance of contract (Art. 6(1)(b)) | Business metrics, financial data, review data
Delivering reports to you via email | Performance of contract (Art. 6(1)(b)) | Email address, report content
Analysing publicly available Google reviews in your reports | Legitimate interest (Art. 6(1)(f)) | Reviewer names, ratings, review text
Maintaining platform security (rate limiting, audit logs) | Legitimate interest (Art. 6(1)(f)) | IP addresses, admin usernames, access logs
Improving the 8Employ product using aggregated data | Legitimate interest (Art. 6(1)(f)) | Anonymised and aggregated business metrics
Responding to your enquiries and support requests | Legitimate interest (Art. 6(1)(f)) | Contact details, message content
Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) | Financial records, contact details

Legitimate Interest Assessments

Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment (LIA) to ensure our interests do not override the rights and freedoms of data subjects. Key assessments include:

  • Google review analysis: Reviewers have chosen to publish their opinions publicly. Our processing is limited to analysis within the context of our client's business report. We do not contact reviewers, build profiles, or use their data for any purpose beyond report generation. The reviewer's reasonable expectation when posting a public review is that it will be read and acted upon by the business.
  • Security logging: IP address logging for rate-limiting is necessary to protect client data from unauthorised access. Data is held in memory only and is not stored persistently.

5. Use of Artificial Intelligence and Automated Processing

Our reports include AI-generated analysis. We are transparent about how this works:

What the AI does

  • Your business data (operational metrics, financial summaries, and publicly available review data) is sent to Anthropic's Claude AI for analysis
  • The AI generates an executive summary, identifies trends, highlights areas for improvement, and produces a business health score (0–100)
  • The AI may also generate specific recommendations regarding pricing, operations, or staffing

How the health score works

An initial health score is calculated algorithmically from your revenue performance, waste levels, review ratings, and booking reliability. The AI may then adjust this score based on its holistic analysis of your data. The methodology and weighting factors are documented internally and available on request.

Important safeguards

  • All AI outputs are advisory only — no automated decisions are made that have legal or similarly significant effects on you or your business
  • You have the right to request human review of any AI-generated output or health score
  • You may request that your reports be generated without AI analysis
  • Anthropic's data processing terms prohibit them from using your data to train their models

6. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with the following processors who act on our behalf under written data processing agreements:

Processor | Purpose | Data Shared | Location
Anthropic (Claude API) | AI-powered report analysis | Business metrics, financial summaries, reviewer names and review text | United States
Twilio SendGrid | Email delivery of reports | Recipient email address, PDF report (as attachment) | United States
Cloudflare | Web application security, DDoS protection, DNS | Web traffic metadata (IP addresses, request headers) | Global CDN (UK-preferred routing)
Google (Places API) | Fetching publicly available review data | Business name and location (search query) | United States
Xero (where connected) | Accounting data integration | OAuth tokens (not financial data — data flows inbound only) | New Zealand / Australia
EposNow (where connected) | POS data integration | API credentials (not POS data — data flows inbound only) | United Kingdom

We may also share your data if required to do so by law, regulation, or court order, or to protect our legal rights.

7. International Data Transfers

Some of our processors are located outside the United Kingdom. Where personal data is transferred internationally, we ensure adequate protection through one or more of the following mechanisms:

  • UK adequacy decisions — where the UK Government has determined that the recipient country provides an adequate level of data protection (e.g., New Zealand)
  • International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses — as required under UK GDPR Article 46(2)(c)
  • Processor-specific data protection addenda that incorporate appropriate safeguards

You may request a copy of the relevant transfer safeguards by contacting privacy@8employ.uk.

8. How Long We Keep Your Data

We retain data only for as long as necessary for the purposes set out in this policy. Our standard retention periods are:

Data Type | Retention Period | Basis
Client contact details | Duration of service + 30 days | Contract performance; deleted on termination
Business reports (PDF, HTML) | 24 months from generation | Service delivery and historical comparison
Financial and POS data files | Duration of service + 30 days | Contract performance
Audit and security logs | 12 months from creation | Legitimate interest (security)
Google review data (in reports) | Retained within report files (see above) | Legitimate interest
Anonymised aggregated data | Retained indefinitely | Legitimate interest (product improvement)
Financial records for tax purposes | 6 years from end of financial year | Legal obligation (Companies Act 2006)

Following termination of your service, we will securely delete or anonymise all identifiable data within 30 days, except where retention is required by law. You may request earlier deletion at any time (see Section 10).

9. How We Protect Your Data

We implement appropriate technical and organisational measures in accordance with UK GDPR Article 32, including:

  • Encryption at rest: all client data, credentials, and API tokens are encrypted using AES-256 (Fernet) with a mandatory server-side encryption key. The application will not start without this key configured.
  • Encryption in transit: all web traffic is served over HTTPS with TLS 1.2+ enforced via HSTS headers. Email delivery uses TLS.
  • Access controls: role-based access control (RBAC) with administrator and viewer roles. Each user can only access clients explicitly assigned to them.
  • Authentication security: passwords are hashed using scrypt with random salts and timing-safe comparison. Sessions use cryptographically random 256-bit tokens.
  • CSRF protection: all state-changing requests are protected against cross-site request forgery.
  • Security headers: HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are applied to all responses.
  • File permissions: sensitive files (encrypted registry, API tokens) are restricted to owner-read-write only (POSIX 0600).
  • Audit logging: all administrative actions (client creation, deletion, report generation, user management) are logged for accountability.
  • Regular security reviews: we conduct periodic security audits of our codebase and infrastructure.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions:

  • Right of access (Art. 15): you can request a copy of all personal data we hold about you. We will provide this in a commonly used electronic format within one calendar month.
  • Right to rectification (Art. 16): you can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): you can ask us to delete your personal data. Upon a valid erasure request, we will delete your data from our active systems, including encrypted storage, generated reports, and associated files. We will also purge backup copies within 7 days.
  • Right to restrict processing (Art. 18): you can ask us to limit how we use your data while a concern is being resolved. We will suspend report generation and email delivery for your account while restriction is in effect.
  • Right to data portability (Art. 20): you can request your data in a structured, commonly used, machine-readable format (JSON). This applies to data you have provided to us that we process on the basis of contract or consent.
  • Right to object (Art. 21): you can object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights related to automated decision-making (Art. 22): you have the right to request human review of any AI-generated health score or recommendation. You may also request that your reports be generated without AI analysis.

To exercise any of these rights, contact us at privacy@8employ.uk. We will respond within one calendar month. If your request is complex or we receive a high volume of requests, we may extend this by a further two months, and we will notify you of any such extension.

We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive.

11. Information for Google Reviewers (Article 14 Notice)

If you have left a review on Google Maps for a business that uses our service, we may process limited personal data about you as follows:

  • Data collected: your Google display name, star rating, review text, and approximate review date, as published on your public Google Maps review.
  • Source: Google Places API (publicly available data).
  • Purpose: inclusion in a business intelligence report provided to the business you reviewed, and AI-powered analysis of review sentiment and trends.
  • Lawful basis: legitimate interest (Art. 6(1)(f)). We have assessed that this processing does not override your rights because: (a) you chose to publish your review publicly; (b) we do not contact you, build a profile about you, or use your data for marketing; (c) the processing is limited to the context of the business you reviewed.
  • Recipients: the business you reviewed (via their report), and Anthropic (for AI analysis, under data processing terms that prohibit model training on your data).
  • Retention: your review data is retained within the business's report files for 24 months.

Your rights: you may contact us at privacy@8employ.uk to request access to, rectification of, or erasure of your review data from our systems. You may also object to this processing. We will respond within one calendar month.

12. Cookies and Session Data

Our web dashboard uses the following cookies, all of which are strictly necessary for the service to function:

Cookie | Purpose | Duration
8employ_session | Maintains your authenticated session after login | 8 hours (or until logout)
csrf_token | Protects against cross-site request forgery attacks | 1 hour (rolling)

We do not use tracking cookies, advertising cookies, or third-party analytics on our dashboard. No consent banner is required because we use only strictly necessary cookies as defined by PECR 2003.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34
  • Document the breach, its effects, and the remedial action taken in our internal breach register

If you believe your data may have been compromised, please contact us immediately at privacy@8employ.uk.

14. Children's Data

Our service is designed for business use and is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, or best practices. Where changes are significant, we will notify you by email before they take effect.

The latest version of this policy will always be available on request and via our website at 8employ.uk. Previous versions are retained internally for audit purposes.

16. Complaints

If you are unhappy with how we handle your personal data, we encourage you to contact us first at privacy@8employ.uk so that we can try to resolve your concern.

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Information Commissioner's Office
  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF