Privacy Policy
This policy explains what personal data we collect when you use rtwchecker.co.uk and our Right to Work checking service, why we collect it, how long we keep it, and the rights you have over it.
We only collect data we need to run the service. We never sell your data, never run advertising trackers, and never use your workers' data to train models. UK-hosted, UK-controlled.
1. Who we are
RTW Checker is a product of INSTANT CHECK LTD (company number 15716195), registered in England and Wales at Unit 2k1 Hastingwood Business Park, Wood Lane, Birmingham B24 9QR. We are part of U HOLDINGS LTD (company number 16954106).
We are the data controller for the personal data described in this policy. We are registered with the Information Commissioner's Office under registration number ZB743659.
You can contact our data protection point of contact at privacy@instantcheck.co.uk.
2. The two types of personal data we handle
Throughout this policy we draw a clear line between two very different categories of personal data we process:
A. Personal data about you (our customer / visitor)
The person reading this — the HR manager, compliance officer, agency owner, or visitor — interacting with rtwchecker.co.uk. For this data we act as the data controller.
B. Personal data about your workers (the people you check)
The names, dates of birth, share codes, photographs and Home Office check results of people you employ or are considering employing. For this data we act as a data processor under your instructions. Our handling of this data is governed by the Data Processing Addendum at /dpa, which forms part of the contract between you and us.
3. Personal data we collect about you (Category A)
| Data | Why we collect it | Lawful basis |
|---|---|---|
| Name, work email, company, phone (optional), workforce size, message | When you submit the "Book a demo" form so we can respond and arrange the demo | Legitimate interest (responding to your enquiry) |
| Account email, hashed password, role, company assignment | When you create or use an RTW Checker login | Contract (performing our service to you) |
| IP address, browser user-agent, audit log of actions you take | Security, abuse prevention, compliance audit trail for your own organisation | Legitimate interest (security, audit), legal obligation (record-keeping) |
| Billing details (if you become a paying customer) | To process payments | Contract |
4. Personal data we process about your workers (Category B)
When you upload workers to RTW Checker for checking, we receive and process the following on your behalf:
- Worker name and date of birth (required to perform a check on gov.uk)
- Right to Work share code (provided by the worker to you)
- The result of the check returned by gov.uk, including a copy of the official PDF
- Photograph and visa type extracted from the PDF for dashboard display
- Visa expiry date for expiry alerts
We process this data only on your documented instructions. The full processor terms are in our DPA. We do not sell, rent or share this data with anyone outside the limited sub-processors listed in section 8.
5. Cookies and tracking
We use a small number of strictly necessary cookies. We do not run advertising, behavioural or third-party analytics trackers. See our Cookie Policy for the full list.
6. How long we keep your data
| Data | Retention |
|---|---|
| Demo-request submissions | 24 months from submission, then deleted |
| Account data | Duration of your account + 6 years (UK tax / company record retention) |
| Worker check evidence (PDFs, results) | For the duration of your subscription, plus the retention period the Home Office requires (currently throughout employment + 2 years from the end of employment) unless you instruct earlier deletion |
| Audit logs | 2 years rolling |
| Backups | Encrypted backups retained for 30 days then overwritten |
7. Where data is stored and processed
All personal data is stored and processed in the United Kingdom. Our application and database are hosted in London on Fly.io's UK region. We do not transfer personal data outside the UK or the European Economic Area in the normal operation of the service.
8. Sub-processors we rely on
To deliver the service we use a small number of carefully chosen sub-processors. Each one is contractually bound by GDPR-compliant data processing terms.
| Sub-processor | Role | Region |
|---|---|---|
| Fly.io | Application hosting and database | United Kingdom (London region) |
| GoDaddy / Microsoft 365 | Business email for support correspondence | European Union |
| Formspree | Receipt of demo-request submissions from the website | United States (with EU-US Data Privacy Framework) |
| GOV.UK | Source of the Right to Work check result (you authorise us to query this on your behalf) | United Kingdom |
We will give you reasonable advance notice if we change our sub-processor list.
9. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify data that is inaccurate or incomplete
- Erase your personal data ("right to be forgotten") in certain circumstances
- Restrict our processing of your data in certain circumstances
- Object to processing we carry out on the basis of legitimate interest
- Data portability — receive your data in a structured machine-readable format
- Withdraw consent at any time where we relied on consent
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113
To exercise any of these rights, email privacy@instantcheck.co.uk. We respond within one calendar month.
10. Security
We protect your data with industry-standard controls including encryption in transit (HTTPS / TLS 1.2+), encryption at rest, least-privilege access controls, audit logging of administrative actions, and short-lived backups. See our Security page for the full list.
11. Changes to this policy
We update this policy when our service or the law changes. We post the "Last updated" date at the top. For material changes we email account-holding customers in advance.
12. Contact
Questions about this policy or how we handle data:
Email: privacy@instantcheck.co.uk
Post: Data Protection, Instant Check Ltd, Unit 2k1 Hastingwood Business Park, Wood Lane, Birmingham B24 9QR