Last updated: 26 March 2026
Shinepoint ("we", "us", "our") is committed to protecting the privacy and security of personal data. We take our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 seriously, and we are dedicated to being transparent about how we collect, use, and safeguard your information.
This Privacy Policy explains how we collect, process, store, and protect personal data when you use the Shinepoint platform, visit our website, or interact with our services. It applies to all users of our platform, including business account holders, their employees whose data is processed through our platform, and visitors to our website.
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you are using Shinepoint on behalf of a business, you confirm that you have the authority to agree to this policy on behalf of that organisation.
We collect and process the following categories of personal data:
When you register for a Shinepoint account, we collect your name, email address, job title, and contact details necessary to provide our services.
We collect information about your organisation, including company name, registered address, business sector, and other details required to configure your account.
Where businesses use Shinepoint to manage their workforce, we process employee data on behalf of that business. This may include employee names, contact details, employment records, leave records, training records, and other HR-related information as directed by the business.
We collect anonymised data about how you interact with our platform, including pages visited, features used, and general usage patterns. This data is used solely to improve our services and is not linked to individual users.
When you contact us for support or communicate with us by email, we retain records of that correspondence to help resolve your queries and improve our service.
Payment processing is handled entirely by a third-party payment processor. We do not store your full payment card details on our systems. We may retain limited billing information such as the last four digits of your card and billing address for record-keeping purposes.
We use cookies and similar technologies to maintain your session, remember your preferences, and improve your experience. See Section 9 for full details on our use of cookies.
Under Article 6 of the UK GDPR, we rely on the following lawful bases to process your personal data:
Processing is necessary for the performance of our contract with you, including providing access to the Shinepoint platform, managing your account, processing payments, and delivering the services you have subscribed to.
We process certain data where it is in our legitimate interests to do so, provided those interests are not overridden by your rights and freedoms. This includes maintaining the security of our platform, preventing fraud, improving our services, and conducting internal analytics.
Where we send you marketing communications or use non-essential cookies, we do so on the basis of your explicit consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
We process certain data to comply with our legal obligations, including maintaining financial records for tax purposes as required by HMRC, and responding to lawful requests from regulatory bodies or law enforcement.
We use the personal data we collect for the following purposes:
It is important to understand the distinction between our roles when processing personal data:
Shinepoint acts as the data controller for personal data related to platform accounts, billing information, website visitors, and direct communications with us. In this capacity, we determine the purposes and means of processing and are directly responsible for compliance with the UK GDPR.
When businesses use Shinepoint to manage employee HR data, Shinepoint acts as a data processor on behalf of that business. The business remains the data controller for its employee data and is responsible for ensuring it has a lawful basis to process that data and that employees are informed about how their data is used.
As a data processor, we only process employee data in accordance with the instructions of the business (data controller). We do not use employee data for our own purposes, and we do not share it with third parties except as instructed by the business or as required by law.
We offer a Data Processing Agreement (DPA) to all business customers, which sets out the terms under which we process personal data on their behalf. This agreement covers the nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations of both parties. If you require a copy of our DPA, please contact us at privacy@shinepoint.co.uk.
We may share personal data with the following categories of third-party service providers, strictly for the purposes described in this policy:
All third-party providers are carefully vetted and are bound by contractual obligations to protect your data and use it only for the purposes we specify.
We never sell your personal data. We do not and will not sell, rent, or trade personal data to any third party for their own marketing or commercial purposes.
International transfers: We do not transfer personal data outside the United Kingdom or the European Economic Area. Our infrastructure is hosted within the United Kingdom. In the unlikely event that an international transfer becomes necessary in the future, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, and will update this policy accordingly.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
| Data Category | Retention Period |
|---|---|
| Active account data | Retained while your account is active and in use |
| Deleted account data | Removed within 30 days of a deletion request |
| Financial records | Retained for 7 years as required by HMRC |
| Backup data | Automatically purged within 90 days |
| Anonymised analytics | Retained indefinitely (not personal data) |
When personal data is no longer required, it is securely deleted or anonymised in accordance with our data disposal procedures.
Under the UK GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, please contact us at privacy@shinepoint.co.uk. We will respond to your request within one month. In some cases, we may need to verify your identity before processing your request.
If you are an employee whose data is processed through Shinepoint on behalf of your employer, please direct your request to your employer in the first instance, as they are the data controller for your employment data.
Right to complain: If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). See Section 13 for their contact details.
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction.
Our security measures include:
While we strive to protect your personal data, no method of transmission or storage is completely secure. We continuously review and improve our security practices to ensure the highest level of protection.
Shinepoint is a business-to-business platform designed for use by employers and their workforce. Our services are not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as soon as reasonably practicable. If you believe that we may have collected data from a child under 16, please contact us at privacy@shinepoint.co.uk.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make changes, we will update the "Last updated" date at the top of this policy.
For significant changes that materially affect how we process your personal data, we will make reasonable efforts to notify you by email or through a prominent notice on our platform before the changes take effect.
Your continued use of our services after any changes to this policy constitutes your acceptance of the updated policy. We encourage you to review this policy periodically to stay informed about how we protect your data.
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we process your personal data, please contact us:
Shinepoint - Data Protection
Email: privacy@shinepoint.co.uk
We aim to respond to all enquiries within one month.
If you are not satisfied with our response, or you believe we are processing your personal data in a way that is not compliant with data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Live chat: ico.org.uk/global/contact-us/live-chat
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.