
Privacy Policy

Last updated 22 June 2026

Draft for review — working version; have a solicitor check it before launch.

This policy explains how Mately Limited ("Mately", "we") handles personal data when you use the Mately app and website. For staff data that a business enters about its team, the business is the data controller and Mately is the processor — see our Data Processing Addendum.

1. What we collect

  • Account data — your name, email, password (hashed), and business details.
  • Team data your business enters — staff names, emails, roles, pay rates, contracted hours, worked time, leave, documents, and chat messages.
  • Payment data — handled by Stripe; we store a customer/subscription reference and billing status, never your full card number.
  • Technical data — log and diagnostic data needed to run the service securely (e.g. IP address for rate-limiting, device tokens for push notifications).

2. Why we use it and our lawful basis

  • To provide the service (performance of a contract).
  • To keep it secure and prevent abuse (legitimate interests).
  • To take payment (performance of a contract).
  • To meet legal obligations (e.g. tax records).

3. Who we share it with (sub-processors)

We use a small number of trusted providers to run Mately:

  • Render — hosting and database (EU region).
  • Stripe — payment processing.
  • Resend — transactional email (invites, verification, resets).
  • Google Firebase (FCM) — mobile push notifications.
  • Cloudflare — file storage and network protection (where enabled).

We do not sell personal data.

4. How long we keep it

We keep your data while your account is active. If a subscription ends, data is retained for 30 days and then permanently deleted, so a business can export its records first (employers have their own payroll and working-time record duties). You can request earlier deletion.

5. Your rights

You have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. Mately provides a one-click data export. If your data was entered by an employer using Mately, contact that employer (the controller) first; we will help them respond.

6. Security

Passwords are hashed with Argon2id, traffic is encrypted in transit (HTTPS/HSTS), two-factor authentication is available, access is scoped per business, and sensitive admin actions are audit-logged.

7. Cookies

We use a single essential cookie to keep you signed in. We don't use advertising or third-party tracking cookies.

8. International transfers

Data is hosted in the EU. Where a provider processes data outside the UK/EEA, we rely on appropriate safeguards such as the UK IDTA or Standard Contractual Clauses.

9. Contact

Questions or requests: support@mately.co.uk. You also have the right to complain to the UK Information Commissioner's Office (ICO).

© 2026 Mately Limited.