Graylark Privacy Policy
At Graylark, we are committed to protecting the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, and protect your information in accordance with the General Data Protection Regulation (GDPR) and other applicable laws.
Policy version: 07/04/2025
1 Introduction
This Privacy Policy is provided by Graylark Technologies Limited, a company registered in England and Wales under company number: 15528848 (‘we’, ‘our’ or ‘us’) for use of our cloud-based collective labour relations platform and any other platform/websites we operate with the same domain name and different extensions (Platform). Our platform helps organisations manage and implement changes across their workforce.
We take data protection very seriously. Please read this privacy policy carefully as it contains important information on how we process personal data on behalf of our client organisations in the context of collective labour relations.
It also explains your rights in relation to your personal data and how to contact us or the relevant regulator in the event you have a complaint. Our collection, storage, use and sharing of your personal data is regulated by law, including under the UK General Data Protection Regulation (UK GDPR).
We act as a data processor for the personal data obtained via the Platform, processing such data on behalf of our client organisations who are the data controllers. In certain limited circumstances, such as when processing data for our own business operations and marketing activities, we may act as a data controller. This means our client organisations are legally responsible for deciding how and for what purposes the personal data is used, while we process it according to their instructions.
2 What this policy applies to
This privacy policy relates to your use of the Platform and for accessing the services through the Platform.
The Platform may link to or rely on other apps, websites, APIs or services owned and operated by us or by certain trusted third parties to enable us to provide you with the service through the Platform. These other apps, websites, APIs or services may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to these other apps, websites or services, please consult their privacy policies as appropriate. For more information see the section ‘Who we share your personal data with’ below.
3 Personal data we collect about you
The personal data we process on behalf of your organisation depends on the particular activities carried out through the Platform. This includes personal data relating to worker representatives and workforce management activities. We will process the following personal data on behalf of your organisation:
| What we use your personal data for | Our reasons |
|---|---|
| Create and manage your account with us | To perform our contract with you or to take steps at your request before entering into a contract |
| Providing service and/or the functionalities of the Platform to you | Depending on the circumstances:
|
| To enforce legal rights or defend or undertake legal proceedings | Depending on the circumstances:
|
| Sending relevant marketing communications and for making personalised suggestions and recommendations to you about the products that may be of interest to you based on your profile data | For our legitimate interests, to carry out direct marketing, develop our services and grow our business and having obtained your consent to receive direct marketing communications. |
| Carry out market research through your voluntary participation in surveys | Necessary for our legitimate interests to study how customers use our Platform and to help us improve and develop our Platform and services offered through the Platform. |
| Communications with you not related to marketing, including about changes to our terms or policies or updates concerning the requests placed by you through the Platform or changes to the Platform or service or other important notices | Depending on the circumstances:
|
| Protect the security of systems and data | To comply with our legal and regulatory obligations we may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests or those of a third party, i.e., to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us |
| Operational reasons, such as improving efficiency, training, and quality control or to provide support to you | For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service to you |
| Statistical analysis to help us manage our business, e.g., in relation to our performance, customer base, functionalities and offerings or other efficiency measures | For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service to you and improve and develop our Service and the Platform. |
| Updating and enhancing user records | Depending on the circumstances:
|
| To comply with our legal and regulatory obligations | Depending on the circumstances:
|
| To share your personal data with members of our group and third parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary |
Depending on the circumstances:
|
See ‘Who we share your personal data with’ for further information on the steps we will take to protect your personal data where we need to share it with others.
8 Marketing
We may send service-related communications and platform updates to designated organisational contacts as necessary for the operation of the collective labour relations platform. These communications will be limited to essential service information, platform functionality updates, and relevant business communications regarding our collective labour relations services.
As a data processor, we will only send communications as instructed by the client organisation and in accordance with our data processing agreement.
We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.
For more information on data subject rights and how they should be exercised through your organisation as the data controller, see ‘Your rights’ below.
9 Who we share your personal data with
We do not share personally identifiable information (PII) collected through the collective labour relations platform with third parties. For security purposes, we automatically collect and process user location data (limited to country/region) through IP address detection. We may engage service providers such as cloud storage providers and developers to help us operate our platform, but these providers only process data under strict confidentiality obligations and do not have access to PII related to worker representatives or other individuals involved in collective labour relations activities.
As a data processor, we only engage sub-processors who provide sufficient guarantees to implement appropriate technical and organisational measures that meet GDPR requirements and ensure the protection of data subject rights. All sub-processors are bound by written contracts that include specific data protection obligations and require them to only process personal data on documented instructions from us, acting on behalf of the data controller (your organisation). These contracts include confidentiality obligations, security requirements, and audit rights that are at least as protective as those in our agreement with the data controller.
We or the third parties mentioned above may occasionally also need to share your personal data with:
external auditors, e.g. in relation to the audit of our accounts and our company —the recipient of the information will be bound by confidentiality obligations
professional advisors (such as lawyers and other advisors)—the recipient of the information will be bound by confidentiality obligations
law enforcement agencies, courts or tribunals and regulatory bodies to comply with legal and regulatory obligations
other parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations
If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).
We will not share your personal data with any other third party.
10 How long your personal data will be kept
We will retain and process your personal data in accordance with the instructions of your organisation (the data controller), our data processing agreement, and applicable data protection laws. However, we reserve the right to retain certain data as required by law or for legitimate business purposes, such as audit requirements, dispute resolution, and enforcement of agreements. By default, we will retain the data for as long as your organisation maintains an active account with us, plus any additional retention period specified in our data processing agreement with your organisation or as required by applicable laws governing collective labour relations records. When instructed by your organisation or upon contract termination, we will securely delete or return all personal data as specified in our data processing agreement.
Following the end of the aforementioned retention period, we will delete or anonymise your personal data in accordance with applicable technical standards and industry best practices, unless retention is required by law or for legitimate business purposes as outlined above.
11 International Transfers of Workforce Representative Data
While we primarily process and store your personal data within the UK, we may in the future need to transfer your personal data outside the UK to provide our services effectively. Any such transfers will only be made in compliance with UK data protection laws and with appropriate safeguards in place. If this changes, we would comply with applicable UK laws designed to ensure the continued protection and privacy of your personal data. Any updated destinations to which we send your personal data, would be indicated in the present section and notified to you in accordance with the section on ‘Change to this privacy policy’ below.
Furthermore, under UK data protection laws, as a data processor, we will only transfer personal data outside the UK under the explicit instruction of the data controller (your employer) and where permitted by our data processing agreement. Any such transfers would only occur where: the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) under Article 45 of the UK GDPR; there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or a specific exception applies under relevant data protection law. If international transfers were to be implemented, they would only be done with prior notification to and approval from the data controller. Accordingly, if we were to start transferring your personal data from the UK to:
The EEA: transfers would be conducted under the adequacy finding granted by the UK to the EU under the Withdrawal Agreement; for any transfers from the EU to the UK, we would rely on the adequacy regulation granted to the UK under the Adequacy Decision.
For any transfers of personal data outside the UK/EEA, we will only process data according to the instructions of the data controller (your employer) and in compliance with appropriate safeguards under the UK GDPR and other applicable data protection laws, which may include the relevant Standard Contractual Clauses or other approved transfer mechanisms included in our data processing agreements
In the event we could not or choose not to continue to rely on either of those mechanisms at any time we would not transfer your personal data outside the UK unless we could do so on the basis of an alternative mechanism or exception provided by UK data protection law.
12 Your rights
As a data processor, we will only process these rights requests when properly validated and formally instructed by your employer (the data controller). While you have the following rights under data protection law, please direct any requests to exercise these rights to your employer's data protection team. For more information regarding these rights, please visit the ICO website here.
| Access to a copy of your personal data | The right to be provided with a copy of your personal data through your employer. |
| Correction (also known as rectification) | The right to require your employer to instruct us to correct any verified inaccuracies in your personal data. |
| Erasure (also known as the right to be forgotten) | The right to have your personal data deleted through your employer's instruction to us—in certain situations, subject to legal requirements around collective labour relations records, our legitimate business interests, and other applicable legal obligations. |
| Restriction of use | The right to have your employer instruct us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data through your employer's data protection team. |
| Data portability | The right to receive the personal data you provided to your employer, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations. As a data processor, we will assist your employer in fulfilling these requests. |
| To object to use | The right to object:
|
| Not to be subject to decisions without human involvement | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
For further information on each of those rights, including the circumstances in which they apply, please contact your employer's data protection team. You may find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR. While all data rights requests must be directed to your employer's data protection team, if you need to contact us about platform-specific technical issues unrelated to data protection rights, please:
provide sufficient information to verify your identity as an authorised platform user (including your full name, username, and any additional verification information we may reasonably request), and
clearly describe the technical platform issue you are experiencing or the support you need
13 Keeping your personal data secure
As a data processor, we have implemented appropriate technical and organisational security measures to prevent personal data from being accidentally lost, used, or accessed unlawfully. We limit access to personal data to authorised personnel who have a genuine business need to access it for the purpose of providing our collective labour relations platform services to your employer, subject to appropriate confidentiality obligations.
We also have procedures in place to deal with any suspected data security breach. As a data processor, we will notify your employer (the data controller) without undue delay of any suspected data security breach, and they will be responsible for any required notifications to individuals or regulators.
For information about our platform security measures and how we protect data processed on behalf of your employer, please contact your employer's data protection team or refer to our security documentation. Technical documentation about our security controls is available to authorised organisational representatives subject to appropriate confidentiality agreements and security protocols.
14 How to complain
If you have any queries or concerns about how your personal data is processed on our platform, please contact your employer's data protection team in the first instance. For technical platform issues unrelated to personal data processing, you may contact our support team (see 'How to contact us' below).
While you have the right to lodge a complaint with the Information Commissioner, we encourage you to first raise any concerns with your employer's data protection team so they can be addressed promptly.
The Information Commissioner can be contacted at https://ico.org.uk/make-a-complaint or telephone: 0303 123 1113.
15 Changes to this privacy policy
We may change this privacy policy from time to time. When we make significant changes, we will notify your employer (the data controller) with reasonable advance notice, who will be responsible for communicating these changes to you where appropriate. Changes will also be posted on our platform. Your continued use of our platform after such changes constitutes acceptance of the updated privacy policy.
16 How to contact us
You can contact us by email at privacy@graylarktechnologies.com, if you have any questions about this privacy policy or the information we process on behalf of your employer. To exercise your data protection rights or make a complaint, please contact your employer's data protection team in the first instance, as they are the data controller. We will cooperate with your employer to fulfil any valid data subject rights requests.
| Categories of Personal Data Processed | In more detail |
|---|---|
| Identify and account data you input into the Platform. Registration is mandatory in order to access the services through the Platform |
|
| Data collected when you use specific functions in the Platform | Data you store online with us using the Platform and placing a request for accessing any services, through the Platform, including your usage history, service request history or preferences (while such data may not always be personal data as defined at law in all cases, we will assume it is and treat it in accordance with this policy as if it were) |
| Data collected when you permit the collection of location data | If enabled by your organisation, location data may be collected when using the Maps function for organising in-person collective consultation meetings or events. This feature is optional and controlled by organisational settings. |
| Other data the Platform collects automatically when you use it |
|
| Data collected when you make an enquiry with us | Your name and email address |
| Marketing and communications data | Your preferences in receiving marketing emails from us and our third parties and your communication preferences |
If you do not provide personal data we ask for where it is required, it may prevent us from providing service to you through the Platform.
We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ usage data (including information about how users interact with and use the Platform and place any request for accessing services through the Platform) to calculate the percentage of users accessing a specific feature of the Platform in order to analyse general trends in how users are interacting with the Platform to help improve the Platform and our offerings.
We collect and use this personal data for the purposes described in the section ‘How and why we use your personal data’ below.
4 Sensitive Data
Sensitive personal data (also known as special category data) means information related to personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.
Please note that we do not knowingly or intentionally collect sensitive personal data or information about criminal convictions from individuals and that you should not submit sensitive data to us.
If you submit special category data, we will process it solely on behalf of your organisation, and only where your organisation has determined and documented a lawful basis for such processing.
5 Location service/data
For security purposes, we automatically determine your location (limited to Country/Region) using your IP address. This information is used solely for security checks and does not affect Platform functionality.
The Platform's map features function independently of your location data. The location information we collect is used solely for security purposes.
Our map services are provided through Google Maps integration. When using theses service/data, data may be collected by Google in accordance with their Privacy Policy.
We exert no control over Google’s Privacy Policy and we therefore recommend that you consult their privacy policy for further information on how Google protect personal data please visit their site - https://policies.google.com/privacy?hl=en-US. For more information see the section ‘Who we share your personal data with’ below.
6 How your personal data is collected
We use different methods to collect data from and about you including through:
Your interaction with us: We collect personal data from you when you are onboarded to the Platform by your organisation's administrators, browse the service listings available on the Platform, place any request for accessing the services or connecting with a service provider through the Platform, subscribe to our communications, request for marketing emails to be sent to you, contact us directly or reach out to us via social media, make submissions via the Platform when a forum element is available, or indirectly, such as your activity while using the Platform, participate in any feedback or survey.
Automated technologies or interactions: As you interact with the Platform, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
7 How and Why, we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason, e.g.:
where you have given consent
to comply with our legal and regulatory obligations
for the performance of a contract with you or to take steps at your request before entering into a contract, or
for our legitimate interests or those of a third party
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).
The table below explains what we use your personal data for and why.