Privacy Policy

Last updated: 2026-04-20

Ghugi is a UK software service that helps small businesses send payslips to their employees by email. This policy explains what personal information we collect, why we collect it, and what rights you have over it under the UK GDPR and the Data Protection Act 2018.

Who we are

References to “we”, “us”, or “Ghugi” in this policy mean the business operating ghugi.com. Ghugi is in the process of registering with the UK Information Commissioner’s Office (ICO); our ICO registration number will be added here once issued.

[Registered legal entity, company number (if applicable), and UK business address to be confirmed before the first paying customer onboards.]

How this policy applies

This policy covers two different kinds of people:

  1. Account holders — people who sign up for Ghugi to send payslips. For account holders, Ghugi is the data controller: we decide what data we collect from you and how we use it.
  2. Employees of Ghugi customers — people who receive payslips through Ghugi. For these people, Ghugi is the data processor: the employer decides what data is sent through Ghugi and we only act on their instructions. If you received a payslip via Ghugi and want to know or change what information is held about you, please contact your employer first.

What personal data we collect

From account holders:

  • Email address, name, and a hashed password.
  • Organisation details: business name, trading address, pay frequency, and timezone.
  • Billing details handled by our payment processor. We do not see or store full card numbers.
  • IP address, browser information, and logs of actions taken inside Ghugi, for security and troubleshooting.

From payslip recipients, on behalf of Ghugi customers:

  • Name, email address, and optional employee code.
  • The contents of payslip PDFs uploaded by the employer, which typically include home address, gross and net pay, tax code, National Insurance number, tax and NI deductions, employer and employee pension contributions, year-to-date totals, employer PAYE reference, and bank account details where shown on the payslip.

How we use your data (lawful basis)

We rely on the following lawful bases under UK GDPR Article 6:

  • Contract — to run your Ghugi account and provide the service you signed up for.
  • Contract with the employer (processor role) — to send payslips on behalf of your employer.
  • Legitimate interests — to detect fraud, abuse, or security incidents and keep the service safe for everyone.
  • Legal obligation — to meet tax, audit, and court-order requirements.
  • Consent — for optional marketing emails, which you can withdraw at any time.

We do not use your data for profiling or automated decision-making. We do not sell your data to anyone.

Who we share your data with (sub-processors)

Ghugi uses the organisations below to run the service. Each processes personal data strictly on our instructions and under a written data processing agreement:

  • Supabase Inc. — database, authentication, and file storage. Data is stored in the EU-West-2 region. Covers account data, payslip PDFs, and audit logs.
  • Stripe Payments Europe Ltd — subscription billing. Receives billing information only; never payslip content.
  • Resend Inc. (US company, EU/Ireland data residency) — transactional email (service notifications, password resets, trial reminders). Your message content is processed on EU servers.
  • Vercel Inc. — website hosting and edge delivery.

If you have configured your own outgoing email provider (SMTP, Gmail, or Outlook) inside Ghugi, that provider is your choice and is not a Ghugi sub-processor.

We may disclose personal data if we are legally required to (for example, a court order or a lawful request from HMRC). Where possible we will tell you before we do so.

International transfers

Your payslip content and account data are stored in the EU (Ireland). The UK government has recognised the EU as providing an adequate level of data protection, so no additional safeguards are required for UK→EU transfers.

Some sub-processors’ parent companies are in the USA (Stripe Payments Europe Ltd is a subsidiary of a US parent; Vercel Inc. is a US company whose edge network operates globally). Where personal data is transferred to the USA, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. You can ask for a copy of the safeguards by emailing us at the address below.

How long we keep your data

  • Payslip PDFs are kept for as long as the customer’s retention setting allows. This is configurable between 30 and 365 days; the default is 90 days.
  • Account data (profile, email, organisation record) is kept while your account is active and deleted when you close your account.
  • Audit logs are kept indefinitely for security and compliance.
  • Billing records are kept for at least 6 years, to meet HMRC requirements.

Your rights under UK GDPR

You have the right to:

  • ask for a copy of the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data when we no longer need it, subject to retention obligations;
  • ask us to restrict how we process your data in certain circumstances;
  • ask us to send your data to another service;
  • object to certain processing;
  • withdraw consent at any time, where we are relying on consent.

To exercise any of these rights, email privacy@ghugi.com. We will respond within one calendar month. Most requests are free of charge.

If you receive payslips through Ghugi rather than being a Ghugi account holder, please contact your employer first — they are the controller for that data. We will assist your employer where required by law.

Security

We take reasonable technical and organisational measures to keep your data safe, including:

  • encryption of data in transit using HTTPS/TLS 1.2 or higher;
  • encryption of stored SMTP credentials using AES-256-GCM, with the key held separately from the database;
  • row-level security on every tenant’s data inside our database;
  • access controls and audit logging on all administrative operations;
  • regular dependency updates and security scanning.

No service can guarantee absolute security. If a personal data breach poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, in line with UK GDPR Article 33.

Cookies and similar technologies

Ghugi uses only the cookies strictly necessary to keep you signed in and to keep the service working. We do not use third-party advertising cookies. We use first-party analytics (Vercel Analytics) that do not set tracking cookies or collect personal data.

Changes to this policy

If we make material changes, we will email account holders and update the “Last updated” date above. Continued use of Ghugi after a change means you accept the updated policy.

How to contact us or complain

  • Email: privacy@ghugi.com
  • Postal: [Ghugi UK registered business address — to be added before the first paying customer onboards]

If you are unhappy with how we handle your data, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.