Privacy Policy

Controller: Playroll Limited, a company registered in England and Wales (Company No. 13596140), whose registered office is at Second Floor Omni House 252 Belsize Road, NW6 4BT,London United Kingdom ("Playroll", "we","us", "our").

Applicable law: Processing of personal data through this Website is governed by the UK General Data Protection Regulation ("UK GDPR")as retained in UK law by the Data Protection Act 2018, together with the Privacy and Electronic Communications Regulations 2003("PECR") where applicable.

1. Introduction

This notice explains what personal data we collect when you visit our website (“Website”), why we collect it, how we use it, and what your rights are.

We are committed to protecting your personal data and handling it with transparency and integrity. If you have any questions about this notice or how we handle your data, please contact our Data Protection Officer (see Section 14 of this notice).

1.1. Who this notice covers

This notice applies to the following individuals whose personal data is processed through the Website:

• Visitors to the Website who browse our Website without submitting any information;

• Prospective clients and enquirers who submit contact or demo request forms, or otherwise communicate with us through the Website;

• Marketing subscribers who sign up to receive communications, newsletters, or updates from Playroll via the Website; and

• Any other individuals whose personal data is submitted to or collected by Playroll through the Website.

This notice does not apply to individuals whose personal data is processed by Playroll in its capacity as an employer-of-record, payroll, or contractor management services provider or otherwise. The processing of employer-of-record employees’ data will be done in accordance with a separate privacy notice, a copy of which will be provided to such employees. Additionally, upon becoming a client of Playroll, a separate data processing agreement will also be entered into between Playroll and that client.

‍

2. Personal Data We Collect

2.1. Data you provide to us

When you interact with our Website — for example by completing a contact or enquiry form, requesting a demo, requesting a document from our trust centre or subscribing to our mailing list — we may collect:

• Your name and email address;

• Your company name and job title;

• The content of any message or enquiry you submit; and

• Any other information you choose to provide.

2.2. Data collected automatically

When you visit our Website, we and our third-party service providers automatically collect certain technical and usage information, including:

• Your IP address and approximate geographic location;

• Browser type, version, and operating system;

• Pages visited, time spent on each page, and navigation paths;

• Referring URLs and search terms; and

• Other standard web log data.

This data is collected through cookies and similar technologies. Please refer to our Cookie Notice for full details of the cookies we use and how to manage your preferences.

2.3. What we do not collect through this Website

This Website does not collect special categories of personal data (such as health data, genetic data, biometric data, or data concerning racial or ethnic origin), financial account information, or data relating to minors. If such data is processed in connection with our services, this will be governed by a separate privacy notice.

2.4. Sources of personal data

We collect personal data about you from the following sources:

• Directly from you: when you complete a contact or enquiry form, request a demo, subscribe to our mailing list, or otherwise communicate with us;

• Automatically through your use of the Website: via cookies, pixels, analytics tags, and/or server logs when you browse our Website (see Section 5 and our Cookie Notice);

• From third-party platforms and advertising networks: where you interact with our content or advertisements on platforms such as LinkedIn, Google, or similar — these platforms may share information about your interaction with us in accordance with their own privacy policies and your consent settings on those platforms; and

• From publicly available sources: such as company registries or professional networking sites, where we carry out research on prospective clients or enrich our records with professional information you have made publicly available.

‍

3. How and Why We Use Your Personal Data

We use your personal data only where we have a valid lawful basis under UK GDPR Article 6. The table below sets out each processing activity, its purpose, and the lawful basis on which we rely.

3.1. Legitimate interests balancing

Where we rely on legitimateinterests as our lawful basis, we have carried out a balancing test to confirmthat our interests are not overridden by your rights and interests. You mayrequest further information about these assessments by contacting our DataProtection Officer.

3.2. Consent

Where we rely on your consent,you have the right to withdraw it at any time. Withdrawing consent does notaffect the lawfulness of processing carried out before withdrawal. To withdrawconsent, please contact us using the details in Section 12 or, for marketingcommunications, use the unsubscribe link in any email we send you.

‍

4. Marketing Communications

We will only send you marketing communications by email where:

• You have given us your consent to do so; or

• You are an existing or prospective client and we are marketing our own similar products or services, in accordance with the PECR soft opt-in. You will always be given the opportunity to opt out.

You can opt out of receiving marketing communications at any time by clicking the unsubscribe link in any marketing email, or by emailing us at legal@playroll.com.

‍

5. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies to improve your experience, understand how the Website is used, and support our marketing activities. Full details of the cookies we use, their purposes, and how to manage your preferences are set out in our Cookie Notice.

Where applicable laws require it, we will ask for your consent before setting non-essential cookies.

‍

6. Data Storage and Third-Party Processors

6.1. Primary storage

Your personal data is stored on servers located in the United Kingdom and EU.

6.2. Third-party processors

We engage trusted third-party service providers to process personal data on our behalf. These providers act as data processors under our instruction and are bound by data processing agreements that require them to handle your data securely and in compliance with UK GDPR. Categories of processors we use in connection with this Website include:

• Cloud infrastructure: server hosting and storage (e.g. Amazon Web Services);

• Analytics providers: website analytics tools that help us understand how users interact with our Website;

• Customer relationship management (CRM) tools: tools used to manage and respond to enquiries from Website visitors and prospective clients;

• Email service providers: platforms used to send and manage email communications, including responses to enquiries and marketing emails; and

• Marketing and advertising platforms: tools used to manage and deliver marketing campaigns, including tracking the effectiveness of those campaigns.

We do not sell your personal data to third parties, and we do not permit our processors to use your personal data for their own purposes.

6.3. Advertising platforms and audience matching

We participate in audience-management programmes operated by advertising platforms, including LinkedIn, Google, and similar providers. As part of these programmes, we may share contact identifiers (such as email addresses) in cryptographically hashed form so that the platform can match them against its own registered users, enabling us to show targeted advertisements to relevant audiences or suppress our existing contacts from prospecting campaigns. Although the identifiers shared are hashed before transmission, this process does not render them fully anonymous — a hashed identifier can still be matched to an individual under certain conditions, and we therefore handle them as personal data subject to the protections set out in this notice.

We carry out these activities on the basis of our legitimate interests in promoting ourservices to relevant audiences, or on the basis of your consent where required by applicable law. You have the right to object to this processing at any time. We do not use third-party data enrichment providers to supplement contact information for advertising purposes without a specific lawful basis.

To opt out of interest-based advertising, you may adjust your settings on the relevant advertising platform (such as LinkedIn’s Ad Settings or Google’s My Ad Center), use the unsubscribe or opt-out mechanism in any marketing communication we send you, or contact us at legal@playroll.com.

6.4. Corporate restructuring

If we sell or transfer any part of our business or assets, or if we are acquired by or merge with another organisation, personal data we hold about you may be disclosed to the prospective buyer or transferee as part of that transaction. In such cases, we will take reasonable steps to ensure that the recipient is bound by obligations consistent with this notice and applicable data protection law.

‍

7. Security of Your Personal Data

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful loss, misuse, unauthorised access or disclosure, alteration, and destruction. Our security practices include:

• Encryption: personal data is encrypted both in transit (using TLS) and at rest on our AWS infrastructure;

• Access controls: access to personal data is restricted on a need-to-know basis; personnel with access are subject to confidentiality obligations and undergo data protection training;

• Infrastructure standards: our primary cloud provider (AWS) is certified to SOC II standards; all systems are protected by firewalls with threat detection and prevention mechanisms;

• Monitoring and resilience: we conduct continuous monitoring of our systems and perform regular data backups to protect against loss; and

• Incident response: we maintain procedures for detecting, reporting, and investigating personal data breaches, and will notify you and the relevant supervisory authority where required to do so by applicable law.

Please be aware that no method of transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your personal data, we cannot guarantee its absolute security. If you become aware of any security concern relating to your interactions with our Website, please contact us immediately at legal@playroll.com.

‍

8. International Data Transfers

Playroll operates globally, and your personal data may be accessed by, or transferred to, Playroll group companies or third-party processors located outside the United Kingdom. Where such transfers take place, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V.

As the United Kingdom has not granted South Africa an adequacy decision under UK GDPR, where data is accessed by our South African subsidiary, transfers are governed by an intra-group data transfer agreement incorporating an International Data Transfer Agreement (IDTA) approved by the Information Commissioner's Office, or a UK Addendum to the EU Standard Contractual Clauses, as applicable.

For transfers to other third countries, we rely on one or more of the following mechanisms as appropriate:

• Adequacy regulations: where the destination country has been recognised by the UK Secretary of State as providing an adequate level of data protection;

• International Data Transfer Agreement (IDTA): the ICO-approved form of transfer agreement for restricted transfers from the UK; or

• UK Addendum to EU Standard Contractual Clauses: the ICO-approved addendum to the European Commission's standard contractual clauses; or

• Binding Corporate Rules (BCRs): where applicable within our group, we rely on BCRs that have been approved by the ICO under Article 47 of the UK GDPR

You may request a copy of the relevant transfer mechanism by contacting our Data Protection Officer using the details in Section 14.

‍

9. Use of Artificial Intelligence Tools

We use trusted artificial intelligence (“AI”) tools as part of our internal data processing operations, including to assist with analysing and routing enquiries submitted through this Website, improving Website content, supporting our customer relationship management processes, and powering any AI-assisted chat or support features made available on the Website. Where AI tools process personal data submitted through this Website, this is governed by the commitments set out below.

Our use of AI tools in connection with this Website is subject to the following commitments:

• No special category data: We do not use AI tools to process special categories of personal data collected through this Website (as defined in UK GDPR Article 9), which includes data concerning health, racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, or sexual orientation.

• No solely automated decision-making with legal effect: We do not make decisions about you that are based solely on automated processing (including profiling) and that produce legal or similarly significant effects in connection with this Website. All decisions with legal or similarly significant effects on individuals are made by authorised personnel. If this changes, we will update this notice and seek your consent where required.

• No training on your personal data: We do not use personal data submitted through this Website to train or develop AI models — whether our own or those of our AI service providers. Where we use anonymised or aggregated data to improve our systems, this is done in a manner that does not identify you. Where we engage third-party AI service providers, we contractually require that your personal data is not used to train their models and is not made available to their other customers.

• Human oversight: Where AI tools are used, we maintain human review and oversight of processing activities to ensure accuracy and compliance.

• Security: AI processing takes place in a secure, controlled environment. Our use of AI tools does not alter the security standards applied to your personal data.

We review our AI tools periodically to ensure their continued compliance with applicable data protection law.

10. How Long We Keep Your Personal Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to any legal, regulatory, or contractual requirements to retain it for longer.

After the retention period expires, we delete it securely or anonymise it so that it can no longer be attributed to you. Should you wish to receive a copy of our retention schedule for the applicable data, please contact us at legal@playroll.com.

11. Children’s Privacy

This Website is not directed at children or minors under the age of 18. We do not knowingly collect personal data from minors through this Website. If you are a parent or guardian and believe that a minor has provided personal data to us through this Website, please contact us at legal@playroll.com and we will take steps to delete that information.

12. Your Data Protection Rights

Under UK GDPR, you have the following rights in respect of personal data we hold about you:

• Right of access (Article 15): You may request a copy of the personal data we hold about you. We will respond to valid requests within one month. Subject access requests are free of charge; however, if a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.

• Right to rectification (Article 16): You may ask us to correct inaccurate personal data or complete incomplete data.

• Right to erasure (Article 17): You may ask us to delete your personal data in certain circumstances — for example, where it is no longer necessary for the purposes for which it was collected.

• Right to restriction of processing (Article 18): You may ask us to restrict processing of your personal data in certain circumstances, for example while accuracy is being verified.

• Right to data portability (Article 20): Where processing is based on consent or a contract and is carried out by automated means, you may ask us to provide your personal data in a portable, machine-readable format.

• Right to object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims.

• Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

• Rights in relation to automated decision-making (Article 22): As set out in Section 9, we do not carry out solely automated decision-making with legal or similarly significant effects in connection with this Website.

To exercise any of the above rights, please contact our Data Protection Officer by email at legal@playroll.com. We may need to verify your identity before processing your request.

13. Links to Third-Party Websites

Our Website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal data. This notice applies only to our Website.

‍

14. Contact Us and How to Complain

14.1. Contacting our Data Protection Officer

If you have any questions about this notice, wish to exercise your rights, or have concerns about how we handle your personal data, please contact our Data Protection Officer:

Email: legal@playroll.com

Post: Data Protection Officer, Second Floor Omni House 252 Belsize Road, NW6 4BT, London United Kingdom

14.2. Right to complain to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, if you are unhappy with how we handle your personal data. Any complaint to the ICO is without prejudice to your right to seek redress through the courts.

ICO website: www.ico.org.uk

Email: casework@ico.org.uk

Telephone: 0303 123 1113 (or 01625 545860 textphone)

Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14.3. Users outside the United Kingdom

If you are located outside the United Kingdom, you may also have the right to lodge a complaint with your local data protection supervisory authority. Playroll will cooperate with any such authority in accordance with applicable law.

15. Changes to This Notice

We may update this notice from time to time to reflect changes in our practices or applicable law. When we make material changes, we will post the updated notice on our Website with a new effective date. We encourage you to review this notice periodically.

Where changes materially affect how we process your personal data and you have previously provided consent, we will notify you directly and, where required, seek fresh consent before the changes take effect. We will not rely on continued use of the Website as a means of accepting material changes to this notice.

‍

16. South African Data Subjects — PAIA and POPIA

Where Playroll processes the personal data of South African data subjects, such processing is also subject to the Protection of Personal Information Act 4 of 2013 ("POPIA"). Playroll's PAIA and POPIA Manual, which sets out the rights available to South African data subjects and how to exercise them, is available here.