Privacy Policy
This Privacy Notice describes how and why Fair Tip Ltd (“we”, “us”, “our”) collects, stores, uses, and shares your personal information when you use FairTIP, our tronc record-keeping and workflow service, at fairtip.org and app.fairtip.org (the “Service”).
Reading this notice will help you understand your privacy rights and choices. If you don’t agree with our policies and practices, please don’t use the Service. If you have questions, contact us at privacy@fairtip.org.
Summary of key points
This summary gives you the gist; the full notice is below.
- What information do we process? Your email when you sign up; your name when you complete account setup. Your National Insurance number if you’re a worker or troncmaster. Your role in each venue plus the hours, weight, and share for every allocation period you’re in. See section 1.
- Do we process any sensitive personal information? We don’t process special-category data (race, health, biometrics, etc.). We do process National Insurance numbers, which the law doesn’t classify as special-category but which we treat as sensitive in practice. See section 1.
- Do we collect information from third parties? No. We only collect information that you (or another member of your venue acting in their role) give us directly.
- How do we process your information? To provide the Service, comply with our legal obligations under the Employment (Allocation of Tips) Act 2023, send transactional emails, and keep the Service secure. See section 2.
- How do we keep your information safe? Row-level security at the database layer, encryption in transit (TLS) and at rest, magic-link authentication, and a least-privilege access model. See section 7.
- Who do we share your information with? The other members of your venue (within strict role boundaries), the venue’s accountant for payroll matching, and our sub-processors (Supabase, Vercel). See section 4.
- What are your rights? Access, correction, deletion (subject to legal retention), restriction, portability, and objection. See section 9.
- How do you exercise your rights? Email privacy@fairtip.org. We respond within one month.
Table of contents
- 1. What information do we collect?
- 2. How do we process your information?
- 3. What legal bases do we rely on?
- 4. When and with whom do we share your personal information?
- 5. Do we use cookies and other tracking technologies?
- 6. How long do we keep your information?
- 7. How do we keep your information safe?
- 8. Do we collect information from minors?
- 9. What are your privacy rights?
- 10. Controls for Do-Not-Track features
- 11. Do we make updates to this notice?
- 12. How can you contact us about this notice?
- 13. How can you review, update, or delete the data we collect from you?
1. What information do we collect?
In short: We collect what you and other members of your venue give us directly. The most sensitive item is the National Insurance number, which workers and troncmasters provide on their account profile.
Account information you provide
- Email address: given when you first sign in via magic link. Used to identify your account and send authentication links.
- First and last name: given when you complete account setup. Shown to other members of the venues you join.
National Insurance number (workers and troncmasters only)
Workers and troncmasters provide their UK National Insurance number on their account profile. The venue’s accountant uses it to match each signed tip share to the right payroll record. Workers without a worker or troncmaster membership are not asked for an NI number. Owners and accountants don’t need to provide one for their roles on a venue.
We treat NI numbers as sensitive personal information in practice, even though UK GDPR doesn’t classify them as special-category. They’re visible only to the person they belong to and to the accountant on the relevant venue. The owner of a venue cannot see worker NI numbers, by design: enforced at the database row-level security layer, not just in application code.
Venue and role information
- The venues you’re a member of and your role on each (owner, troncmaster, accountant, worker).
- Your hours and weight per allocation period (workers).
- Your share of each signed period (workers).
- Audit metadata: when you joined, when you signed off a period, when a policy was published.
Technical information collected automatically
- Authentication tokens (cookies / local storage) to keep you signed in.
- Server logs: IP address, request timestamps, error traces, kept for security and debugging.
- Aggregate, anonymised page-view analytics via Vercel Analytics (no cookies, no individual identifiers stored).
Information we don’t collect
We don’t collect: payment card data (we don’t take payments yet), location data, biometrics, health information, race or ethnic origin, political opinions, religious beliefs, trade-union membership, sex life, or sexual orientation.
We don’t buy personal data from third parties or receive enrichment data from data brokers.
2. How do we process your information?
In short: To run the Service, comply with our legal obligations under the Tipping Act 2023, send you transactional emails about your account, and keep the Service secure.
We process your information for the following purposes:
- To provide and run the Service: creating your account, calculating allocation shares, generating policy documents, surfacing the audit trail to authorised users of your venue.
- To comply with our legal obligations: particularly the Tipping Act 2023’s record-keeping duty (a venue must retain allocation records for at least three years after the end of the tax year in which the period was signed off).
- To send transactional emails: sign-in magic links, sign-off notifications, invite emails to new members.
- To keep the Service secure: detecting abuse, responding to security incidents, fixing bugs.
- To improve the Service: aggregate, anonymised usage metrics (which pages get viewed, in broad terms; no individual tracking).
3. What legal bases do we rely on?
In short: Mostly performance of the contract between you and us. Some processing (allocation-record retention) is required by law. A small amount (security, analytics) relies on our legitimate interests.
Under UK GDPR Article 6, we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)): for processing your account information, your venue memberships, your allocations, and your National Insurance number. We can’t provide the Service without these.
- Compliance with a legal obligation (Art. 6(1)(c)): for retaining signed allocation records and policy versions for the period required by the Employment (Allocation of Tips) Act 2023.
- Legitimate interests (Art. 6(1)(f)): for server-log retention, security monitoring, abuse detection, and aggregate analytics. We’ve assessed these as proportionate to the rights and freedoms of the people involved.
- Consent (Art. 6(1)(a)): we don’t currently rely on consent for any processing. If we introduce a feature that does (for example, optional marketing emails), we’ll ask you explicitly and let you withdraw consent at any time.
4. When and with whom do we share your personal information?
In short: With other members of your venue (within strict role limits), with the venue’s accountant for payroll, and with our sub-processors. We don’t sell your data.
Other members of your venue
Members of the same venue can see each other’s names and roles. Allocation details (hours, weight, share) are visible:
- To you (your own row in every period).
- To the troncmaster (every row in every period they’re responsible for, draft or signed).
- To the venue’s accountant (every signed period, read-only).
- To the owner (every signed period, read-only; never a draft).
National Insurance numbers are visible only to the person they belong to and to the venue’s accountant. Owners cannot see worker NI numbers, by design. This is enforced at the database row-level security layer, not just in application code.
The venue’s accountant
Where a venue has an accountant in place, they have read-only access to the names and National Insurance numbers of every non-owner team member, plus the signed allocation periods (to process payroll).
The accountant acts as a separate data controller for their own payroll processing. We don’t direct what the accountant does with the data once they receive it; that relationship is between the venue and its accountant.
Service providers (sub-processors)
We use the following service providers, who process personal data on our behalf under a written data-processing agreement:
- Supabase: managed PostgreSQL, authentication, and transactional email. Region: United Kingdom. Purpose: storing and serving your account, venue, allocation, and NI data; sending sign-in links and notifications. Supabase routes outgoing emails via Mailgun under its own sub-processor arrangement.
- Vercel: application hosting and aggregate analytics. Region: United Kingdom. Purpose: serving the FairTIP application.
Each sub-processor is contractually bound to no-less- protective data-protection obligations than this notice commits us to. We’ll publish at least 30 days’ notice on this page before adding or replacing a sub-processor, and email Owners for whom we have a current email address. If you object materially, you can stop using the Service and we’ll delete your data per section 6.
International transfers
Our sub-processors host data in the United Kingdom. As a result, no routine cross-border transfer of your personal data takes place. If a future change required us to transfer data outside the UK, we’d rely on a safeguard approved under UK GDPR (typically the UK International Data Transfer Addendum or the EU Standard Contractual Clauses) and update this notice.
Business transfers
If Fair Tip Ltd is sold or transferred in a merger, acquisition, or similar transaction, your personal data may be included in that transfer. The new owner will be bound by privacy commitments at least as protective as those in this notice, and we’ll notify you (where required by law) before the change takes effect.
Legal disclosures
We may disclose personal data when we’re legally required to (for example, if directed by HMRC or by a court order) or where necessary to defend our legal rights. We won’t disclose more than is necessary, and we’ll notify the affected user unless prohibited from doing so.
5. Do we use cookies and other tracking technologies?
In short: Only strictly-necessary cookies (for sign-in). No marketing or behavioural trackers.
We use one cookie essential to the Service: an authentication session set when you sign in, used to keep you signed in across pages.
We also use Vercel Analytics for aggregate usage metrics. Vercel Analytics is documented by Vercel as cookieless.
For details (specific cookie names, durations, and how to manage them), see our Cookie Policy.
6. How long do we keep your information?
In short: As long as we need to. Allocation records are retained for at least 3 years per the Tipping Act 2023; other data is deleted on request, or when your account closes.
- Allocation records (signed periods, shares, hours, weights, sign-off audit): at least three years from the end of the tax year in which the period was signed off, as required by §27I of the Employment (Allocation of Tips) Act 2023.
- Profile data (name, email, NI number): for as long as your account is active. If you request account deletion, we delete or anonymise your profile data within 30 days, except where retention is required for allocation records (above).
- Authentication logs: up to 90 days, subject to Supabase’s data-retention policies.
- Application server logs: up to 30 days, subject to Vercel’s data-retention policies.
7. How do we keep your information safe?
In short: Industry-standard technical and organisational measures, including database row-level security and encrypted-at-rest storage.
- Encryption in transit: all client-server traffic uses TLS 1.2 or higher.
- Encryption at rest: database storage is encrypted at rest by our hosting provider.
- Row-level security: the database enforces access control at the row level, so every query is automatically scoped to what the requesting user is authorised to see.
- Magic-link authentication: sign-in uses short-lived links sent to your email; we don’t store passwords.
- Least-privilege model: each role on each venue (owner, troncmaster, accountant, worker) sees only what it strictly needs.
- Audit logging: sign-offs, policy publications, and other write operations are logged with author + timestamp + a snapshot of the structural facts at the time.
- Backups: daily managed backups via Supabase.
- Personnel access control: production system access is limited to authorised Fair Tip Ltd personnel under confidentiality undertakings.
- Incident response: documented procedures for detecting, containing, and notifying breaches.
No system is impenetrable. If we suffer a personal data breach affecting you, we’ll notify the ICO within 72 hours of becoming aware (where the breach meets the legal threshold) and you directly if there’s a high risk to your rights.
8. Do we collect information from minors?
In short: No. The Service is not intended for under-16s.
FairTIP is not directed at, and we don’t knowingly collect data from, anyone under 16. UK GDPR sets the digital-services age at 13; we’ve adopted the higher 16 threshold as a service policy. If you believe a child has provided data on the Service, contact privacy@fairtip.org and we will delete it.
9. What are your privacy rights?
In short: Under UK GDPR you have a set of rights over your personal data. We’ll honour them on request, within one month.
You have the right to:
- Access the personal data we hold about you.
- Correct any inaccurate or incomplete data.
- Delete your data, subject to our legal retention obligations (notably the Tipping Act 3-year window for allocation records).
- Restrict or object to processing in certain circumstances.
- Receive a copy of your data in a portable, machine-readable format.
- Withdraw consent where we’re relying on consent for any processing (we currently aren’t; see section 3).
- Not be subject to automated decisions that have legal or similarly significant effects. We don’t use automated decision-making.
To exercise any of these rights, email privacy@fairtip.org. We’ll respond within one month. We may ask you to verify your identity before acting on a request. This protects you against someone else impersonating you.
You can complain to the Information Commissioner’s Office at any time, at ico.org.uk/concerns. We’d be glad to address your concern directly first if you’d like to give us the opportunity.
10. Controls for Do-Not-Track features
In short: We don’t do behavioural tracking, so there’s nothing for DNT to switch off.
Most web browsers and some mobile operating systems offer a Do-Not-Track (“DNT”) feature you can switch on to signal your preference not to have your online activity monitored.
The Service uses no third-party behavioural-tracking technology, so DNT has nothing to act on with respect to FairTIP. The aggregate analytics we use (Vercel Analytics) is documented by Vercel as cookieless and not cross-site-tracking.
11. Do we make updates to this notice?
In short: Yes, as the Service evolves and as the law changes. Material changes are flagged at the top of this page.
We’ll update this notice as needed to stay compliant with relevant laws and to reflect changes to the Service. The updated version will be indicated by a revised “Last updated” date at the top of this notice. For material changes (a new sub-processor, a change to what data we collect, a change to retention) we’ll also notify Owners by email. Notice to the Owner is treated as notice to all members of that venue, as set out in section 14 of our Terms & Conditions.
12. How can you contact us about this notice?
In short: Email is the easiest route.
Fair Tip Ltd is a company registered in Scotland under company number SC892153. Our registered office is on file with Companies House.
We’re registered with the Information Commissioner’s Office (ICO) under registration number C1957346.
For any privacy enquiries, please contact us at privacy@fairtip.org.
13. How can you review, update, or delete the data we collect from you?
In short: Email us. We’ll respond within one month.
Some changes you can make in-product:
- Your name lives on your account page and you can edit it there at any time.
- Your National Insurance number lives on the same page (under “National Insurance number”) and you can edit it there at any time.
For everything else (a full export of your data, deletion of your account, a copy of any allocation period you were part of), email privacy@fairtip.org with the words “Data request” in the subject line. We’ll respond within one month and will let you know if we need to verify your identity first.