Privacy Policy

Last updated: April 2025

1. Who we are

Punctulo is a workforce management platform operated by Unique Treble Ltd ("we", "us", "our"). Our registered address and contact details are available on request at [email protected].

We are the data controller for information we collect directly from you (account holders, visitors). Where you use Punctulo to manage your own employees, you are the data controller for your employees' data and we act as your data processor under a Data Processing Agreement (DPA) available on request.

2. What data we collect

Account holders (employers / managers)

  • Name and email address (from your Manus OAuth login)
  • Organisation name, registered address, and VAT number (if provided)
  • Billing information (handled by Stripe — we do not store card details)
  • Usage data: pages visited, features used, support tickets raised

Employees (added by account holders)

  • Name, email address, phone number, and job title
  • Clock-in and clock-out timestamps
  • GPS coordinates captured only at the moment of clocking — not during working hours
  • Rota assignments, leave requests, and absence records
  • Documents uploaded by the employer (contracts, certificates)

3. How we use your data

  • To provide and operate the Punctulo service
  • To process payments via Stripe
  • To send transactional emails (account confirmation, password reset, billing receipts)
  • To respond to support requests
  • To improve the platform through aggregated, anonymised analytics
  • To comply with legal obligations (HMRC, ICO)

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Legal basis for processing

  • Contract performance — processing necessary to deliver the service you have signed up for
  • Legitimate interests — fraud prevention, platform security, and service improvement
  • Legal obligation — retaining records as required by HMRC and UK employment law
  • Consent — where we ask for your explicit consent (e.g. marketing emails)

5. GPS and location data

Punctulo captures GPS coordinates when an employee clocks in or out. This data is used solely to verify that the employee is at the correct work location. We do not track employee location continuously or outside of clocking events. GPS data is stored securely and is accessible only to authorised managers within the account.

6. Data storage and security

  • All data is stored on UK-based AWS servers — no data leaves the UK
  • Data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Access is restricted to authorised personnel on a need-to-know basis
  • We conduct regular security reviews and penetration testing

7. Data retention

We retain your account data for as long as your account is active. If you close your account, we will delete your personal data within 90 days, except where we are required to retain it for legal or regulatory purposes (e.g. financial records for 6 years under HMRC rules).

Employee attendance records are retained for 6 years by default to comply with HMRC requirements. Account holders can configure shorter retention periods in their account settings.

8. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (subject to legal retention obligations)
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests

To exercise any of these rights, email [email protected]. We will respond within 30 days.

9. Cookies

Punctulo uses a single session cookie to keep you logged in. We do not use advertising cookies or third-party tracking cookies. Analytics data is collected in aggregated, anonymised form using a self-hosted analytics tool.

10. Third-party processors

  • Stripe — payment processing (Stripe's privacy policy applies to card data)
  • Amazon Web Services (UK) — cloud hosting and storage
  • Manus — authentication (OAuth login)

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify account holders of material changes by email at least 14 days before they take effect. The date at the top of this page reflects the most recent update.

12. Contact and complaints

For any privacy questions or to exercise your rights, contact us at [email protected].

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).