Privacy Policy

Last updated: 17 April 2026

1. Overview

WorkShift ("we", "us", "our") is committed to protecting the privacy and personal data of our clients, their customers, and all visitors to websites we manage. This Privacy Policy explains how we collect, use, store, and share personal data in the course of providing our digital operations services. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. WorkShift Ltd is the data controller for personal data collected directly from our clients and website visitors. Where we act as a data processor on behalf of our clients, the terms of our client agreements and any data processing addenda govern the processing of such data.

2. Data We Collect

We collect and process the following categories of personal data:

Client information: Name, business name, email address, phone number, billing address, payment details, and any information provided during the onboarding process including brand guidelines, service descriptions, and content requirements.

Website visitor data: Where we manage analytics on behalf of our clients, we may process data relating to website visitors including IP addresses (anonymised where possible), browser type, device information, pages visited, referral sources, and interaction patterns. This data is processed in accordance with our clients' own privacy notices and cookie policies.

Customer data: Where our services include managing booking systems, contact forms, or customer databases on behalf of our clients, we may process customer names, email addresses, phone numbers, and booking information as directed by our clients.

Technical data: Server logs, security audit records, uptime monitoring data, and performance metrics collected automatically as part of our hosting and infrastructure management services.

3. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so under UK GDPR. The applicable legal bases include:

Contract: Processing is necessary for the performance of our contract with you, including delivering the services outlined in your subscription tier.

Legitimate interest: Processing is necessary for our legitimate business interests, such as improving our services, preventing fraud, maintaining security, and communicating with you about your account.

Consent: Where we process data that is not necessary for contract performance or legitimate interests, we will obtain your explicit consent, which you may withdraw at any time.

Legal obligation: Where processing is necessary to comply with applicable laws, regulations, or legal proceedings.

4. How We Use Your Data

We use the personal data we collect for the following purposes: providing, managing, and improving our digital operations services; communicating with you regarding your account, services, and any changes to our offerings; processing payments and managing billing; monitoring website performance, security, and uptime; generating analytics reports and performance insights for our clients; responding to support requests and enquiries; complying with legal and regulatory obligations; and preventing, detecting, and addressing technical issues, security threats, or fraudulent activity. We will not use your personal data for any purpose that is materially different from those described in this Privacy Policy without providing you with prior notice and, where required, obtaining your consent.

5. Data Sharing

We do not sell, rent, or trade your personal data to third parties. We may share your data with the following categories of recipients where necessary for the purposes described in this policy:

Service providers: Trusted third-party companies that assist us in delivering our services, including hosting providers, domain registrars, payment processors, and email service providers. All service providers are contractually bound to process data only as instructed and to maintain appropriate security measures.

Our clients: Where we process data on behalf of our clients (such as website visitor data or customer enquiry data), we share relevant data with the client in accordance with the terms of our engagement.

Legal authorities: Where required by law, regulation, court order, or governmental authority, we may disclose personal data to the extent legally required. We will notify you of such disclosures where legally permitted to do so.

6. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include: SSL/TLS encryption for all data in transit; encrypted storage for sensitive data; regular security monitoring and vulnerability scanning; automated backups with geographically distributed storage; access controls limiting data access to authorised personnel only; and regular security audits and staff training. While we employ commercially reasonable security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining the highest standards of data protection appropriate to the nature of the data we process.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Upon termination of your subscription, we will retain your client data for a period of 12 months to facilitate any necessary re-engagement or dispute resolution, after which it will be securely deleted or anonymised. Website visitor analytics data is retained for a maximum of 26 months in accordance with industry-standard practices. Technical data such as server logs and security records is retained for a maximum of 12 months. You may request earlier deletion of your data at any time by contacting us, subject to any legal obligations that require us to retain certain information.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of access: You may request a copy of the personal data we hold about you.

Right to rectification: You may request correction of any inaccurate or incomplete personal data.

Right to erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.

Right to restrict processing: You may request that we limit how we use your data in certain circumstances.

Right to data portability: You may request your data in a structured, commonly used format.

Right to object: You may object to processing based on legitimate interests or processing for direct marketing purposes.

To exercise any of these rights, please contact us at info@workshift.cloud. We will respond to all requests within 30 days. We may request verification of your identity before processing your request.

9. Cookies and Tracking Technologies

Where we manage websites on behalf of our clients, we may implement cookies and tracking technologies for analytics, performance monitoring, and functionality purposes. The specific cookies used on any managed website are detailed in that website's cookie banner and privacy notice. Essential cookies necessary for website functionality do not require consent. Non-essential cookies, including analytics and marketing cookies, are only activated with the user's consent in accordance with applicable cookie laws. Our clients retain control over the cookie and tracking configurations on their websites, and we implement only what is agreed upon during the onboarding process.

10. Third-Party Links

Our website and the websites we manage for our clients may contain links to third-party websites. We are not responsible for the privacy practices, content, or policies of these third-party sites. We encourage users to review the privacy policies of any third-party websites they visit. The inclusion of a link does not imply endorsement by WorkShift.

11. Children's Data

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 16, we will take steps to delete that information as promptly as possible. If you believe that a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or for other operational reasons. When we make material changes, we will notify you via email or through a prominent notice on our website at least 14 days before the changes take effect. We encourage you to review this Privacy Policy periodically. Your continued use of our services after any changes constitutes your acceptance of the updated Policy.

13. Complaints

If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113

We would, however, appreciate the opportunity to resolve any concerns directly. Please contact us at info@workshift.cloud before approaching the ICO, and we will endeavour to address your concerns promptly.

14. Contact

For any questions, concerns, or data-related requests, please contact us at:

WorkShift
Email: info@workshift.cloud