Privacy Policy

Last updated: January 2025

This Privacy Policy describes how WhosWhere ("we", "us", or "our") collects, uses, and discloses your personal information when you use our hybrid work coordination service at whoswhere.app (the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). By using the Service, you consent to the data practices described in this policy.

1. Information We Collect

1.1 Personal Information You Provide

When you register for WhosWhere, we collect:

  • Account Information: First name, last name, email address, password (stored in hashed form)
  • Contact Information: Mobile phone number (optional)
  • Company Information: Company name, company address, company phone number (for administrators)

1.2 Check-in Data

When you use the Service, we collect information about your daily work location, including:

  • Date of check-in
  • Location type (Home, Office, Unwell, or Split)
  • Morning and afternoon locations (for split days)
  • Recurring schedule preferences

1.3 Automatically Collected Information

We automatically collect certain technical information, including:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and actions taken within the Service
  • Date and time of access

1.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate the Service and improve your experience. For more information, see Section 7 (Cookies and Tracking Technologies).

2. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the Service: To create and manage your account, process check-ins, and display team locations
  • Authentication and Security: To verify your identity and protect against unauthorised access
  • Communication: To send you service-related notifications, including invitation emails and password resets
  • Improvement and Analytics: To understand how users interact with the Service and improve functionality
  • Compliance: To comply with legal obligations and enforce our Terms of Service
  • Customer Support: To respond to your enquiries and provide technical assistance

3. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Contract Performance: Processing is necessary to provide the Service under our Terms of Service
  • Consent: You have given clear consent for specific processing activities (e.g., cookies)
  • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., improving the Service, preventing fraud)
  • Legal Obligation: Processing is required to comply with legal obligations

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Within Your Organisation: Your name and check-in status are visible to other users in your company
  • Service Providers: We may share data with trusted third-party service providers (e.g., hosting, email delivery) who process data on our behalf
  • Legal Requirements: We may disclose information if required by law, court order, or governmental authority
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new owner

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and comply with our legal obligations:

  • Account Data: Retained while your account is active and for 90 days after account closure
  • Check-in Data: Retained for the duration of your employment with the company and for 12 months after account closure
  • Financial Records: Retained for 7 years to comply with UK tax and accounting requirements
  • Marketing Communications: Retained until you unsubscribe or opt out

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (subject to legal obligations)
  • Right to Restrict Processing: Request that we limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for processing activities at any time

To exercise any of these rights, please contact us at privacy@whoswhere.app. We will respond to your request within one month.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, and analyse usage. In compliance with PECR, we obtain your consent before setting non-essential cookies.

Types of Cookies We Use:

  • Essential Cookies: Required for authentication and basic functionality (no consent required)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how users interact with the Service

You can manage cookie preferences through our cookie consent banner or your browser settings. Note that disabling essential cookies may affect your ability to use the Service.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Storage of passwords as hashes using an industry-standard hashing algorithm (BCrypt)
  • Secure transmission of data using HTTPS/TLS encryption
  • Regular security audits and vulnerability assessments
  • Access controls and authentication mechanisms
  • Regular backups and disaster recovery procedures

Despite these measures, no method of transmission over the internet is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

9. International Data Transfers

Your data is primarily stored and processed in the United Kingdom. If we transfer data outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the UK Information Commissioner's Office (ICO).

10. Third-Party Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your personal information.

We may use third-party service providers such as hosting providers, email delivery services, and analytics platforms. These providers are contractually obligated to protect your data and use it only for the purposes we specify.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately, and we will delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or by posting a notice on the Service. Your continued use of the Service after such notification constitutes acceptance of the updated policy.

13. Contact Information and Complaints

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not complied with data protection laws. Visit ico.org.uk for more information.

By using WhosWhere, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.