This page summarises what data PayslipIQ processes, why, on what legal basis, who else touches it, and how long it stays.
What we process
- Payslip image or manually-entered figures, while the analysis request runs.
- An anonymised hashed IP for rate-limit counters; deletes within one hour.
- Email address and consent state for newsletter or Pro Report sign-ups.
- Anonymised analytics pageviews and device class (after consent).
Why
- Performance of a service requested by you (Article 6(1)(b)).
- Legitimate interest in service availability for abuse prevention (Article 6(1)(f)).
- Consent for marketing (Article 6(1)(a)).
Sub-processors
- Vercel — hosting and edge cache.
- Anthropic — AI vision and analysis. Inputs not used for training. May retain inputs up to 30 days for trust-and-safety review.
- Upstash — rate-limit Redis (hashed IP only).
- MailerLite — newsletter delivery (Ireland-resident processor).
- GA4 and Microsoft Clarity — anonymised analytics, behind consent.
How long
- Payslip content: not retained by PayslipIQ. Anthropic up to 30 days for safety review.
- Hashed-IP rate-limit buckets: up to 1 hour.
- Vitals telemetry: 30 days.
- Newsletter email: until you unsubscribe.
Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, port and object. Email privacy@payslipiq.co.uk. DPO: dpo@payslipiq.co.uk.