Skip to content
WageFlowWageFlow

Privacy Policy

Last updated: 11 May 2026. This policy explains how WageFlow collects, uses, and protects personal data.

1. Who we are

WageFlow Ltd (“WageFlow”, “we”, “us”) is the data controller for personal data we hold about visitors to this website, prospective customers, and the administrators of customer organisations. We are registered in England and Wales (company number 17152820), with our registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.

When you use WageFlow to process payroll for your employees, your employer (the WageFlow customer) is the data controller for the employee data; WageFlow acts as a data processor under a Data Processing Agreement. This policy describes our role as a controller for visitors and customer administrators.

ICO registration is in progress. Our ICO registration number will be published here once it is issued.

2. What data we collect

We collect personal data in the following circumstances:

  • Waitlist sign-ups. If you join our waitlist, we collect your email address.
  • Account registration. If you create a WageFlow account, we collect your name, email address, employer / organisation name, and the credentials you use to sign in.
  • Customer support. If you contact us, we collect the contents of your message and the email address you wrote from.
  • Website analytics. We use Google Analytics to understand how visitors use the site. Analytics data is aggregated and we do not use it to identify individuals.

3. Why we collect it (legal basis)

  • To provide the service you have asked for (legal basis: contract). For account holders, we process the data necessary to run the WageFlow service.
  • To respond to enquiries and provide support (legal basis: legitimate interests).
  • To improve the product and the website (legal basis: legitimate interests). We balance this against your privacy and never combine analytics data with identifying data.
  • To meet legal obligations (legal basis: legal obligation). Payroll software is subject to HMRC record-keeping requirements; we retain data as required by law.

4. Where your data is stored

Personal data is stored in the United Kingdom. Our database is hosted on Supabase (London region) and our web application is hosted on Vercel (London region). We do not transfer personal data outside the UK except where necessary to make HMRC submissions, in which case data is sent directly to HMRC over an encrypted channel.

5. Who we share it with

We share personal data with the following categories of recipient:

  • Sub-processors who help us run the service: Supabase (database hosting), Vercel (application hosting), and Google (Google Analytics on this marketing site).
  • HMRC, when you use WageFlow to submit Real Time Information (RTI), Employer Payment Summary (EPS), or other statutory returns. Only the data required for the submission is shared.
  • Pension providers you choose to connect (such as NEST), when you submit pension contributions through WageFlow.
  • Accounting platforms you choose to connect (such as Xero or FreeAgent), when you sync payroll journals.
  • Law enforcement and regulators, where we are required by law to disclose data.

We never sell personal data. We do not share data with third parties for their own marketing.

6. How long we keep it

We keep personal data for as long as you have an active relationship with us, and for as long afterwards as we are required to by law. Payroll records are subject to HMRC's record-keeping rules, which typically require retention for at least three years after the end of the tax year they relate to.

Waitlist sign-ups are kept until you ask us to remove you or until you become a customer.

7. How we protect it

We take data protection seriously. Sensitive fields (including National Insurance numbers, bank details, salary, and tax codes) are encrypted at the application layer using AES-256-GCM with per-organisation encryption keys, so that a breach in one customer organisation cannot expose another. We use row-level security in our database as defence in depth, audit-log changes to sensitive records, and enforce strict access controls on our infrastructure.

8. Your rights

Under UK GDPR you have the right to:

  • Ask us what personal data we hold about you (a “subject access request”)
  • Ask us to correct data that is wrong
  • Ask us to delete data, where we are not required to keep it
  • Ask us to restrict how we use your data
  • Ask us to give you a copy of your data in a portable format
  • Object to processing we carry out on the basis of legitimate interests
  • Withdraw consent, where we are relying on consent

To exercise any of these rights, email legal@wageflow.co.uk. We will respond within one month.

9. Cookies

This site uses a small number of essential cookies, plus cookies set by Google Analytics. We do not use advertising cookies. You can disable cookies in your browser, though some parts of the site may not work as expected.

10. Complaints

If you think we have mishandled your data, please email legal@wageflow.co.uk first so that we can try to put it right. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

11. Changes to this policy

We will update this page if our practices change. The “Last updated” date at the top of the page tells you when the policy was last revised.