1. Who We Are
Scello Ltd (“Scello”, “we”, “us”) is the data controller responsible for your personal data. We are incorporated in England and Wales.
- Registered address: 12 Finsbury Square, London, EC2A 1AB
- ICO Registration: [PLACEHOLDER — ICO registration number]
- Data Protection Officer: dpo@scello.co
2. What Data We Collect
Workers
- Name, email address, and account credentials
- GPS zone containment results (boolean: inside/outside zone — not precise GPS coordinates)
- Movement status (active/inactive — derived from accelerometer, not raw sensor data)
- Heart-rate presence (boolean: signal detected/not detected — not bpm values)
- Session timestamps, duration, and zone identifiers
- Device metadata (model, OS version, app version)
Employers
- Company name, address, and contact details
- Billing information (processed by Stripe — see below)
- Zone definitions and workforce management actions
- Alert acknowledgement and resolution records
All Users
- Audit logs of actions taken within the platform
- IP address and user agent (for security and fraud detection)
- Communication preferences
3. Lawful Basis for Processing (UK GDPR Article 6)
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service as described in our Terms of Service.
- Legitimate interests (Article 6(1)(f)): Fraud detection, platform security, and improvement of services.
- Legal obligation (Article 6(1)(c)): Retention of evidence records where required by law.
- Consent (Article 6(1)(a)): Marketing communications and optional analytics.
4. Biometric & Special Category Data (Article 9)
Scello does not store raw biometric data. The “heart-rate presence” signal is a boolean (detected/not detected) and does not constitute biometric data as defined by UK GDPR Article 4(14).
Where a wearable device confirms worker presence via heart-rate detection, the lawful basis is explicit consent (Article 9(2)(a)) combined with substantial public interest (Article 9(2)(g)) in preventing wage theft. Workers may withdraw consent at any time from their account settings.
A full Data Protection Impact Assessment (DPIA) for biometric monitoring has been completed in accordance with Article 35 and is available at /privacy/dpia.
5. How We Use Your Data
- Generating and storing cryptographically signed session certificates
- Enabling employer workforce monitoring and alert management
- Providing the public verification portal
- Sending transactional emails (session summaries, alerts, invoices)
- Detecting fraud, device tampering, and policy violations
- Improving platform performance and reliability
7. International Transfers
Some sub-processors operate outside the UK/EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place (UK International Data Transfer Agreements or EU Standard Contractual Clauses).
8. Data Retention
- Session certificates and evidence: 7 years (statutory limitation period for civil claims in England and Wales)
- Account data: Duration of relationship + 1 year after account closure
- Audit logs: 7 years (GDPR accountability Article 5(2))
- Marketing preferences: Until withdrawn
9. Your Rights
Under UK GDPR, you have the following rights. To exercise any of them, contact dpo@scello.co.
Right of Access
Request a copy of the personal data we hold about you (Subject Access Request).
Right to Rectification
Ask us to correct inaccurate or incomplete personal data we hold.
Right to Erasure
Request deletion of your personal data, subject to our legal retention obligations.
Right to Portability
Receive your data in a structured, machine-readable format (JSON export).
Right to Restriction
Ask us to pause processing of your data whilst a dispute is investigated.
Right to Object
Object to processing based on legitimate interests, including biometric monitoring.
Right to Complain
Lodge a complaint with the ICO (ico.org.uk) if you believe we have breached your rights.
11. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has registered, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.
13. Contact & Complaints
For privacy questions or to exercise your rights, contact our Data Protection Officer:
Scello Ltd — Data Protection Officer
12 Finsbury Square, London, EC2A 1AB
Email: dpo@scello.co
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.