Privacy Policy

1. Data Controller

PayslipIQ Ltd (“we”, “us”, “our”) operates the website payslipiq.co.uk and is the data controller for any personal data processed through this service. For data protection enquiries, contact us at privacy@payslipiq.co.uk or our Data Protection contact at dpo@payslipiq.co.uk.

2. What PayslipIQ Stores

PayslipIQ does not store payslip images, documents, or extracted figures on our own servers. When you submit a payslip (image or manual entry) to our analysis tool, the data is held in memory on our servers only for as long as it takes to forward the request to our AI processor and return the results. Once the response is delivered, the data is discarded from our memory. We do not log payslip contents and we do not retain copies. We do not create user accounts and do not require registration.

However, your data is processed by a third-party AI provider (Anthropic: see Section 7). We have no control over Anthropic's retention policy beyond what their published terms allow. You should review Section 7 carefully before deciding whether to upload sensitive personal information.

3. Information We Collect

We may collect the following limited information:

• Email address: Only if you voluntarily subscribe to our newsletter via the email capture form. Your email is stored securely by our email service provider (MailerLite) and used solely to send you payslip tips and tax updates. You can unsubscribe at any time via the link in every email.
• Analytics data: We use Google Analytics 4 and Microsoft Clarity to understand how visitors use our site. These tools collect anonymised data such as page views, session duration, device type, and approximate location. No personally identifiable information is collected through analytics. These scripts only load after you grant cookie consent.
• IP address: Your IP address is used temporarily for rate limiting (to prevent abuse of our analysis API). It is hashed and stored in a temporary cache (Upstash Redis) that expires within one hour. It is not stored permanently or shared with third parties.

4. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:

• Consent (Article 6(1)(a)): For newsletter subscriptions and analytics cookies. You may withdraw consent at any time.
• Legitimate interests (Article 6(1)(f)): For rate limiting and abuse prevention, which is necessary to maintain the availability and security of the service.
• Performance of contract (Article 6(1)(b)): For processing your payslip submission and returning analysis results, where you have submitted data to use the tool.

5. Cookies

We use a single essential cookie (psiq:consent) to record your cookie preference. This is strictly necessary for the site to function and does not require consent.

Third-party analytics cookies (Google Analytics, Microsoft Clarity) are only set after you explicitly accept analytics cookies via our consent banner. You can change your preference at any time by clearing your browser cookies and revisiting the site.

6. Data Retention

• Payslip data on PayslipIQ servers: Not retained. Held in memory only during the request, discarded immediately after analysis.
• Payslip data sent to Anthropic: Anthropic may retain inputs and outputs for up to 30 days for trust-and-safety review (see Section 7). PayslipIQ does not currently hold a Zero Data Retention agreement with Anthropic.
• Email addresses: Retained until you unsubscribe or request deletion.
• Rate-limit data (hashed IP): Automatically expires within 1 hour.
• Analytics data: Retained by Google/Microsoft per their respective retention policies (typically 14 months for GA4).

7. Third-Party Services and Sub-Processors

We use the following third-party data processors:

• Anthropic (Claude AI): Performs payslip analysis. Data is transmitted securely via API. Anthropic has confirmed that customer API inputs and outputs are not used to train its models. However, under Anthropic's standard commercial terms, Anthropic may retain inputs and outputs for up to 30 days for trust-and-safety review. After that period the data is deleted from Anthropic's production systems. Servers are located in the USA. See Anthropic Commercial Terms and Anthropic Privacy Policy.
• MailerLite: Manages our email newsletter. Only stores email addresses of voluntary subscribers. EU-based data processing. See MailerLite's privacy policy.
• Vercel: Hosts our website infrastructure. Edge functions execute in London (lhr1) where supported. See Vercel's privacy policy.
• Upstash: Provides rate limiting via Redis. Stores only hashed IP addresses temporarily in an encrypted Redis instance, expiring within 1 hour.
• Google Analytics 4: Provides anonymised website usage analytics with IP anonymisation enabled. Loads only after consent.
• Microsoft Clarity: Provides anonymised session replay and heatmap analytics, with text masking enabled to redact sensitive form input. Loads only after consent.

8. International Transfers

Some of our third-party processors (Anthropic, Vercel, Google, Microsoft) process data outside the UK, primarily in the United States. Where this occurs, transfers are protected by the UK Addendum to the EU Standard Contractual Clauses (UK SCC Addendum), the EU-US Data Privacy Framework where the processor participates, or the processor's participation in an adequate data protection framework as recognised by the UK Government.

9. Data Security

All data transmitted to and from payslipiq.co.uk is encrypted using TLS 1.2+ (HTTPS). We do not store sensitive financial data on our servers. Access to our infrastructure is restricted and protected by multi-factor authentication. We follow the principle of least privilege for sub-processor access.

10. Automated Decision-Making and AI Processing (Article 22)

PayslipIQ uses artificial intelligence (Anthropic Claude) to analyse the figures you submit and produce educational explanations of your payslip. Under Article 22 of the UK GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you.

PayslipIQ does not make automated decisions that have legal or similarly significant effects on you. Our AI produces informational, educational guidance only. We do not approve or refuse loans, employment, benefits, tax assessments, or any other regulated decision. We do not score, rank, or profile you. We do not share AI outputs with third parties for decision-making purposes. The figures and explanations we return are for your own understanding and should be checked against your employer's payroll, HMRC, or a qualified adviser.

You retain the right to (a) request human review of any output, (b) contest any AI-generated explanation you believe is incorrect, and (c) receive a plain-English explanation of how the AI reached its conclusion. To exercise any of these rights, email privacy@payslipiq.co.uk.

Data Protection Impact Assessment (DPIA): Because PayslipIQ processes payslip data (which can include identifiers, salary, tax-code, and National Insurance information) using a third-party AI processor based outside the UK, we have completed a DPIA under Article 35 of the UK GDPR. The DPIA identifies the following risk factors: (1) financial-adjacent personal data flowing to an automated processor, (2) third-country transfer to the United States, and (3) AI-assisted analysis that, while not fully automated decision-making under Article 22, still warrants documented mitigations. The DPIA also documents our mitigations: no payslip persistence on PayslipIQ servers, hashed IPs only in our rate-limit cache, transport encryption (TLS 1.3) end-to-end, contractual controls on Anthropic, and explicit consent for any analytics. The full DPIA, the risk register, and our Transfer Impact Assessment are published on the Trust Centre and reviewed at least every 12 months or whenever a new processor is added.

11. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

• Right of access: request a copy of your personal data
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion of your personal data
• Right to restrict processing: request we limit how we use your data
• Right to data portability: receive your data in a structured format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: withdraw consent at any time without affecting prior processing

Since PayslipIQ does not store payslip data on its servers, there is no financial data on our systems to access or delete. If you have subscribed to our newsletter, you can unsubscribe at any time or contact us to request deletion of your email address. To request deletion of any data Anthropic may hold under their 30-day retention window, contact privacy@payslipiq.co.uk and we will forward the request.

To exercise any of these rights, email privacy@payslipiq.co.uk. We will respond within 30 days.

12. Right to Complain

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113

13. Children

PayslipIQ is not intended for use by individuals under the age of 13 (the UK's digital age of consent under UK GDPR). We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete it promptly. Parents or guardians who believe a child has submitted information to PayslipIQ may contact privacy@payslipiq.co.uk.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Material changes will be highlighted via our newsletter where applicable.

15. Contact

For any questions about this Privacy Policy or to exercise your data rights:

• Email: privacy@payslipiq.co.uk
• Contact form: /contact
• Trust Centre: /trust: full sub-processor list and security posture