Privacy Policy

Last updated: 2026-05-30

Ghugi is a UK software service that helps small businesses send payslips to their employees by email. This policy explains what personal information we collect, why we collect it, and what rights you have over it under the UK GDPR and the Data Protection Act 2018.

Who we are

References to “we”, “us”, or “Ghugi” in this policy mean the UK limited company operating ghugi.com. Our registered details are:

  • Registered name: Babiha Care Solutions Limited
  • Company number: 17081576 (England and Wales)
  • Registered office: 8b Kelvin House, Kelvin Way, Crawley, RH10 9WE, United Kingdom
  • ICO registration number: ZC132791

Ghugi is one of the products operated by Babiha Care Solutions Limited.

Ghugi is a service for businesses. It is not intended for use by anyone under 18, and we do not knowingly collect personal data from children.

We are the data controller for account-holder data described below. For payslip recipient data uploaded by our customers, we act as a processor on the customer’s instructions — see our Data Processing Agreement.

How this policy applies

This policy covers two different kinds of people:

  1. Account holders — people who sign up for Ghugi to send payslips. For account holders, Ghugi is the data controller: we decide what data we collect from you and how we use it.
  2. Employees of Ghugi customers — people who receive payslips through Ghugi. For these people, Ghugi is the data processor: the employer decides what data is sent through Ghugi and we only act on their instructions. If you received a payslip via Ghugi and want to know or change what information is held about you, please contact your employer first.

What personal data we collect

From account holders:

  • Email address, name, and a hashed password.
  • Organisation details: business name, pay frequency, pay day, and timezone. (If you enter a billing address at checkout, it is held by our payment processor — see below.)
  • Billing details handled by our payment processor. We do not see or store full card numbers.
  • IP address, browser information, and logs of actions taken inside Ghugi, for security and troubleshooting.

From payslip recipients, on behalf of Ghugi customers:

  • Name, email address, and optional employee code.
  • The contents of payslip PDFs uploaded by the employer, which typically include home address, gross and net pay, tax code, National Insurance number, tax and NI deductions, employer and employee pension contributions, year-to-date totals, employer PAYE reference, and bank account details where shown on the payslip.

We receive this information from your employer (our customer), not from you directly.

How we use your data (lawful basis)

We rely on the following lawful bases under UK GDPR Article 6:

  • Contract — to run your Ghugi account and provide the service you signed up for.
  • Contract with the employer (processor role) — to send payslips on behalf of your employer.
  • Legitimate interests — to detect fraud, abuse, or security incidents and keep the service safe for everyone.
  • Legal obligation — to meet tax, audit, and court-order requirements.
  • Consent — for optional marketing emails, which you can withdraw at any time.

We do not use your data for profiling or automated decision-making. We do not sell your data to anyone.

National Insurance numbers

To match an uploaded payslip to the correct employee, Ghugi can use the National Insurance number printed on the payslip. We never store the NI itself. Instead, when an account holder enters an employee’s NI in the app or in a CSV import, we store a one-way cryptographic fingerprint of it (an HMAC-SHA-256 digest) on the employee’s record. The fingerprint cannot be reversed back into the original NI — it can only be compared against another NI to check whether the two are equal.

Our lawful bases under UK GDPR Article 6 for this processing are contract necessity (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) — HMRC’s payroll rules require accurate identification of recipients. NI numbers are not “special category” data under Article 9.

We keep the NI fingerprint on an employee’s record for as long as that employee exists in your account, and delete it the moment you delete the employee or your organisation. Because we act as your processor here, you (the employer) decide how long to keep employee records, in line with HMRC’s payroll record-keeping rules (generally three years after the end of the relevant tax year).

Who we share your data with (sub-processors)

Ghugi uses the organisations below to run the service. Each processes personal data strictly on our instructions and under a written data processing agreement. A full table with processing locations is in Schedule 3 of our Data Processing Agreement.

  • Supabase Inc. — database, authentication, and file storage (payslip PDFs, audit logs, account data). Hosted on AWS eu-west-2 (London, United Kingdom), so no international transfer is required for this processor.
  • Stripe Payments UK Ltd — subscription billing. Receives your name, billing email, and subscription details only. Never receives payslip content.
  • Resend, Inc. — transactional email delivery (account notifications, password resets, trial reminders, optional managed send). Our sender domain is registered in Resend’s eu-west-1 (Ireland) region, so payslip email transits via a Dublin datacenter rather than the US. Resend’s account metadata, logs, and API records remain in the United States under the UK Addendum to the EU SCCs. Message subject and body are processed by Resend.
  • Vercel, Inc. — website hosting and serverless functions, pinned to Vercel’s London (lhr1) region so our application compute does not leave the UK. Vercel’s cookieless web-analytics dashboard aggregates in the United States under the UK Addendum to the EU SCCs.
  • Cloudflare, Inc. — DNS, edge network, TLS termination, and bot management for ghugi.com. Sees IP addresses, request metadata, and TLS handshakes for every visitor; never sees payslip content. UK / EU edge points are used for UK visitors.
  • Functional Software, Inc. (Sentry) — application error monitoring on the EU region (Frankfurt), so no international transfer applies to stored error data. Sentry receives error stack traces, URL paths, and HTTP request metadata only; we strip emails, names, NI numbers, payslip content, IP addresses, and session-replay data before send.
  • Upstash, Inc. — serverless Redis used for rate-limiting. Provisioned on AWS eu-west-2 (London, United Kingdom), so no international transfer applies. Holds short-lived IP and email hashes only; no payslip data.
  • Zoho Corporation B.V. (Netherlands) — business email mailbox for our hello / support / billing / privacy / legal addresses. Stores incoming and outgoing administrative correspondence with Ghugi. Does not process payslip content. Hosted in the EU region (mailadmin.zoho.eu) so no international transfer is required.
  • Conditional — Google LLC — engaged only if a customer chooses to send payslips via Gmail. Receives the customer’s own OAuth refresh token plus each outgoing email. Where Google processes this data depends on the customer’s own Google Workspace data-region setting (US, EU, or no preference; admin-controlled on Frontline Plus / Enterprise Plus editions). UK IDTA applies to any transfers to the US.
  • Conditional — Microsoft Corporation — engaged only if a customer chooses to send payslips via Outlook / Microsoft Graph. Same scope as above. Where Microsoft processes this data depends on the customer’s own Microsoft 365 tenant region; the UK and 27 other locales offer Advanced Data Residency. UK IDTA applies to any transfers to the US.

If you have configured your own outgoing email provider (custom SMTP relay) inside Ghugi, that provider is your choice and is not a Ghugi sub-processor.

We may disclose personal data if we are legally required to (for example, a court order or a lawful request from HMRC). Where possible we will tell you before we do so.

Google API Services User Data Policy

If you connect a Gmail account to send payslips, Ghugi accesses Google user data through the Gmail API using the gmail.send scope only. The use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to deliver the user-facing feature you signed in for — sending payslip emails from your own Gmail account on your authorisation.
  • We do not transfer or sell Google user data to any third party — including advertising platforms, data brokers, or information resellers — except as necessary to provide that user-facing feature, with your explicit consent, for security purposes (for example, investigating abuse), or to comply with applicable law.
  • We do not allow humans to read Google user data, except (a) with your explicit consent for specific messages, (b) where required for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised so it can no longer be associated with an individual user.
  • We do not use or transfer Google user data for serving advertisements, including retargeted, personalised, or interest-based advertising.
  • We do not use Google user data, including the contents of emails or attachments, to develop, improve, or train generalised artificial intelligence or machine learning models.
  • We do not use or transfer Google user data for determining credit-worthiness or for lending purposes.
  • We do not use Google user data to build databases or perform analytics beyond what is necessary to deliver the user-facing feature you authorised.

You can revoke Ghugi’s access to your Google account at any time from your Google Account permissions page or from inside Ghugi at Settings → Email → Disconnect.

International transfers

Your payslip content, account data, serverless compute, and rate-limit store are all in the United Kingdom: Supabase database and storage on AWS eu-west-2 (London), Vercel serverless functions pinned to lhr1 (London), and Upstash Redis on AWS eu-west-2 (London). Every other primary data flow is EU-only: payslip email transits via Resend on AWS eu-west-1 (Ireland), error monitoring runs on Sentry’s EU region (Frankfurt), and admin email runs on Zoho’s EU region (Netherlands). No international transfer applies to any of these data flows.

Some operational sub-processors still process some data outside the UK / EEA: Resend’s account metadata, logs, and API records (the payslip email transit itself stays in the EU), Vercel’s web-analytics aggregation, Cloudflare’s control plane, and (if you connect a Gmail or Outlook sender) Google and Microsoft. Where personal data is transferred to the United States, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as referenced in each vendor’s data-processing addendum. You can request copies of these safeguards by emailing privacy@ghugi.com.

How long we keep your data

  • Payslip PDFs are kept for as long as the customer’s retention setting allows. This is configurable between 30 and 365 days; the default is 90 days.
  • Payslip send records — the record that a payslip was emailed to an employee (their name and email address, the date, and whether it was delivered), which we keep after the PDF itself has been deleted — are retained for about 4 years and then automatically deleted. This covers HMRC’s payroll record-keeping period (three years after the end of the relevant tax year) with a short buffer.
  • Account data (your name, email, and organisation record) is kept while your account is active. If you delete your organisation (Settings → Security → Danger zone), we immediately and permanently delete the organisation and all employee records, payslip PDFs, send history, and the billing record held by our payment processor. Your personal login (name and email) is kept so you can sign back in and set up a new organisation. If you also want your login and profile permanently erased, email privacy@ghugi.com and we will delete it within one calendar month, unless we are legally required to keep some of it (for example, billing records for tax).
  • Audit logs — the record of administrative actions taken inside Ghugi, such as sending a payslip batch or changing a setting — are kept for 13 months and then automatically deleted. This covers a full annual payroll cycle plus a short buffer for year-end queries, while meeting the UK GDPR principle of not keeping personal data for longer than necessary.
  • Billing records are kept for at least 6 years, to meet HMRC requirements.
  • OAuth credentials (Gmail and Outlook senders) are kept only while the connected send method is active. They are deleted immediately when you disconnect at Settings → Email → Disconnect, or when you delete your organisation. You can also revoke our access from your Google Account permissions page or Microsoft account apps and services page at any time.

Your rights under UK GDPR

You have the right to:

  • ask for a copy of the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data when we no longer need it, subject to retention obligations;
  • ask us to restrict how we process your data in certain circumstances;
  • ask us to send your data to another service;
  • object to certain processing;
  • withdraw consent at any time, where we are relying on consent.

To exercise any of these rights, email privacy@ghugi.com. We will respond within one calendar month. For complex or numerous requests we may extend this by up to two further months, and will tell you if we need to. Most requests are free of charge.

If you receive payslips through Ghugi rather than being a Ghugi account holder, please contact your employer first — they are the controller for that data. We will assist your employer where required by law.

Security

We take reasonable technical and organisational measures to keep your data safe, including:

  • encryption of data in transit using HTTPS/TLS 1.2 or higher;
  • encryption of stored SMTP credentials using AES-256-GCM, with the key held separately from the database;
  • row-level security on every tenant’s data inside our database;
  • access controls and audit logging on all administrative operations;
  • regular dependency updates and security scanning.

No service can guarantee absolute security. If a personal data breach is likely to risk people’s rights and freedoms, we will notify the ICO within 72 hours of becoming aware, in line with UK GDPR Article 33. If a breach is likely to result in a high risk to you, we will also tell you directly without undue delay, in line with Article 34.

Cookies and similar technologies

Ghugi uses the fewest cookies we can get away with. The session cookie that keeps you signed in and the Cloudflare bot-management cookie are strictly necessary. Our analytics (Vercel Web Analytics and Speed Insights) are cookieless and collect only aggregated statistics, which the Data (Use and Access) Act 2025 permits without prior opt-in provided we disclose clearly and offer an easy opt-out — which we do.

Full list, purposes, lifetimes, and a one-click opt-out are on the Cookie Policy page.

Changes to this policy

If we make material changes, we will email account holders and update the “Last updated” date above. Continued use of Ghugi after a change means you accept the updated policy.

How to contact us or complain

  • Email: privacy@ghugi.com
  • Postal: 8b Kelvin House, Kelvin Way, Crawley, RH10 9WE, United Kingdom

If you have a complaint, please tell us first so we can put it right — email privacy@ghugi.com or use the in-app Help & support form. We will acknowledge your complaint within 30 days and respond as quickly as we can. If you are still unhappy, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.