Legal & Compliance

Privacy Policy

Version 2.0.0 | Effective: February 5, 2026

Privacy at a Glance

  • We collect only data necessary for staffing services
  • Your data is encrypted and stored securely in UK/EU
  • We never sell your personal data to third parties
  • You have full control over your data (access, delete, port)
  • AI assistants help but don't make critical decisions
  • Compliant with UK GDPR & Data Protection Act 2018

1. Who We Are

Data Controller: Opus Platforms Limited (trading as "Opus")

Company Number: 16856935

Registered Office: Unit 314b, 566 Cable Street, London, E1W 3HB, United Kingdom

Email: privacy@opusplatforms.co.uk

Data Protection Contact: compliance@opusplatforms.co.uk

ICO Registration: ZC090582 (verify at ico.org.uk)

Opus is a PAYE staffing agency that connects UK employers with qualified gig workers through our web platform and WhatsApp. This policy explains how we collect, use, and protect your personal data in compliance with UK GDPR and the Data Protection Act 2018.

2. Data We Collect

2.1 Worker Registration

| Data | Purpose | Legal Basis |
|---|---|---|
| Full name | Identity, contracts, payroll | Contract |
| Email address | Account access, notifications | Contract |
| Phone number (E.164) | SMS verification, WhatsApp shifts | Contract |
| Home postcode | Shift matching by location | Contract |
| Password (hashed) | Account security | Contract |
| Role preferences | Job recommendations | Legitimate interest |

2.2 Identity Verification (Right to Work)

| Data | Purpose | Legal Basis |
|---|---|---|
| Passport / ID documents | UK Right to Work verification | Legal obligation (Immigration Act 2016) |
| Biometric data (facial scan) | Identity matching via IDSP provider | Explicit consent (GDPR Article 9) |
| National Insurance number | PAYE payroll, tax reporting | Legal obligation (HMRC) |
| Visa type & restrictions | Student hour limits, work eligibility | Legal obligation |
| Share code (non-UK citizens) | Home Office RTW verification | Legal obligation |

Student Visa Compliance

If you hold a student visa, we automatically enforce 20-hour/week limits during term time and 40-hour/week during vacations. This is a legal requirement under UK immigration law.

2.3 DBS Background Checks

| Data | Purpose | Legal Basis |
|---|---|---|
| Personal details for DBS | Criminal record disclosure check | Explicit consent |
| DBS certificate number | Compliance verification for roles | Legitimate interest |
| DBS Update Service status | Ongoing monitoring (with consent) | Consent |

2.4 Employment & Attendance

| Data | Purpose | Legal Basis |
|---|---|---|
| GPS coordinates (clock-in/out) | Verify attendance at work site | Consent + Legitimate interest |
| Shift times & attendance | Calculate pay, generate timesheets | Contract |
| Performance ratings | Quality assurance, employer feedback | Legitimate interest |
| Training certificates | Compliance, skill verification | Contract |

2.5 Financial Data

| Data | Purpose | Legal Basis |
|---|---|---|
| Bank account details | Salary payments via BACS | Contract |
| Tax codes | PAYE deductions | Legal obligation |
| Pension enrolment | Auto-enrolment compliance | Legal obligation |
| Payment history | Payslips, P60s, earnings records | Contract + Legal obligation |

2.6 Employer Data

| Data | Purpose | Legal Basis |
|---|---|---|
| Company name & registration | Account setup, invoicing | Contract |
| Business contact details | Service delivery, support | Contract |
| Site addresses & geofences | Worker attendance verification | Contract |
| Billing & payment info | Invoice processing | Contract |

2.7 Automatically Collected

| Data | Purpose | Legal Basis |
|---|---|---|
| Login/session data | Security, fraud prevention | Legitimate interest |
| Device/browser info | Technical support, compatibility | Legitimate interest |
| Usage analytics (if consented) | Platform improvement | Consent |
| AI interaction logs | Audit trail, service improvement | Legitimate interest |

3. How We Use Your Data

We process your data for these purposes:

| Purpose | Legal Basis | Details |
|---|---|---|
| Provide staffing services | Contract | Match workers to shifts, process assignments |
| Verify identity & RTW | Legal obligation | Immigration Act compliance |
| Process payroll & taxes | Contract + Legal | PAYE, NI, pension contributions |
| Send shift notifications | Contract | WhatsApp/SMS/email alerts |
| Verify attendance | Legitimate interest | GPS clock-in within geofence |
| Generate timesheets | Contract | Calculate hours for payment |
| Comply with AWR | Legal obligation | Track 12-week threshold |
| Platform Assistant queries | Consent + Contract | AI-powered shift/compliance help |
| Fraud prevention | Legitimate interest | Detect timesheet manipulation |
| Improve services | Legitimate interest | Analytics, feature development |

4. AI Platform Assistant

How AI Works on Opus

Opus provides AI-powered assistants via web chat and WhatsApp to help you find shifts, check compliance status, and manage your work. Here's what you need to know.

4.1 What AI Can Do

  • Workers (24 tools): Browse shifts, check earnings, view compliance status, manage availability
  • Employers (31 tools): View shift fill rates, check worker compliance, approve timesheets
  • All users: Get instant answers to platform questions 24/7

4.2 What AI Cannot Do

Critical Decisions Are Always Human/Rule-Based

  • AI does NOT calculate your pay (deterministic payroll system)
  • AI does NOT determine your compliance status (rule-based RAG system)
  • AI does NOT approve shift assignments (first-valid-wins or employer approval)
  • AI does NOT make hiring/firing decisions

4.3 Data Processing

  • Queries processed by: Third-party LLM providers (e.g., Anthropic Claude, OpenAI) under data processing agreements
  • Data shared: Your query text, user role, relevant context (shift data, compliance status)
  • Data NOT shared: Passwords, full bank details, biometric data
  • Retention: AI queries logged for 90 days for audit/improvement

4.4 Your Controls

You can opt out of AI features by contacting support. Core platform functionality remains available without AI assistance.

5. Who We Share Data With

5.1 Service Providers (Data Processors)

| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| AWS (Amazon Web Services) | Cloud hosting, database, file storage | UK/EU | GDPR DPA, ISO 27001 |
| Yoti / TrustID | Right to Work identity verification | UK | IDSP certified, UK GDPR |
| uCheck / Atlantic Data | DBS background checks | UK | DBS registered body |
| DocuSign / PandaDoc | Electronic contract signatures | EU/US | SCCs, ISO 27001 |
| Stripe | Payment processing | EU/US | PCI-DSS, SCCs |
| Xero | PAYE payroll processing | UK/AU | SOC 2, GDPR DPA |
| Meta (WhatsApp Business) | Shift notifications, messaging | US | SCCs, DPA |
| Twilio | SMS notifications, OTP | US | SCCs, GDPR DPA |
| AWS SES / SendGrid | Transactional emails | EU/US | SCCs, GDPR DPA |
| HubSpot | CRM, employer communications | US | SCCs, ISO 27001 |
| Freshdesk | Support ticket management | US | SCCs, SOC 2 |
| n8n | Workflow automation | EU | GDPR compliant |
| Anthropic / OpenAI | AI assistant processing | US | DPA, no training on data |
| Postcodes.io | UK postcode geocoding | UK | Open data |

5.2 Employers (Joint Controllers)

When you accept a shift, we share with that employer:

  • Your name, phone number, and email
  • Compliance status (RTW verified, training completed)
  • Attendance records (clock times, GPS coordinates if enabled)
  • Performance ratings from previous shifts

Joint Controller: Both Opus and the employer are responsible for your data during assignments. Contact the employer directly for their privacy practices.

5.3 Legal & Regulatory Authorities

  • HMRC: Tax and National Insurance reporting (legal obligation)
  • Home Office: Right to Work compliance verification
  • ICO: Data protection investigations if required
  • Law enforcement: If required by court order or statutory duty
  • The Pensions Regulator: Auto-enrolment compliance

6. International Transfers

Your data is primarily stored in UK/EU AWS regions. Some services involve transfers outside the UK:

| Service | Destination | Safeguard |
|---|---|---|
| WhatsApp (Meta) | USA | EU-US Data Privacy Framework + SCCs |
| Stripe | USA | EU-US DPF + SCCs |
| Anthropic/OpenAI | USA | SCCs + DPA (no model training) |
| HubSpot | USA | EU-US DPF + SCCs |
| DocuSign | USA | BCRs + SCCs |

SCCs = Standard Contractual Clauses approved by the UK ICO. Request copies at privacy@opusplatforms.co.uk

7. Data Retention

| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 6 years | Legal claims, tax records |
| Right to Work documents | 2 years after employment ends | UK Immigration Act requirement |
| Payroll & tax records | 7 years | HMRC statutory requirement |
| Attendance records | 6 years | Employment law, payroll disputes |
| Contracts (signed) | 6 years after termination | Limitation Act 1980 |
| DBS certificates | Until superseded or 3 years | Proportionality principle |
| AI interaction logs | 90 days | Audit, service improvement |
| Marketing consent | Until withdrawn | Ongoing consent |
| Support tickets | 3 years after resolution | Service continuity |

After retention periods expire, data is securely deleted or anonymized.

8. Your Rights Under UK GDPR

Access (Art. 15)

Request a copy of all data we hold about you. Free of charge, response within 1 month.

Rectification (Art. 16)

Request correction of inaccurate data. Update in account settings or contact us.

Erasure (Art. 17)

Request deletion when data is no longer needed. Some data retained for legal obligations.

Restriction (Art. 18)

Limit processing while disputes are investigated.

Portability (Art. 20)

Receive your data in machine-readable format (JSON) for transfer.

Object (Art. 21)

Object to processing based on legitimate interests or direct marketing.

How to Exercise Your Rights

  • Online: Account Settings → Privacy → Data Rights
  • Email: privacy@opusplatforms.co.uk
  • Response time: Within 1 month (may extend to 3 months for complex requests)
  • Verification: We may request ID to prevent unauthorized access

Automated Decision-Making

We do not use fully automated decision-making that produces legal effects. Our RAG compliance system uses deterministic rules, not AI profiling. You always have the right to human review of any compliance decision.

Right to Withdraw Consent

Where we process your data based on consent (e.g., biometric verification, analytics cookies, talent pool participation), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdraw via Account Settings or email privacy@opusplatforms.co.uk.

9. Security Measures

Encryption: TLS 1.3 in transit, AES-256 at rest (AWS KMS)
Access Controls: Role-based access, MFA for staff, least privilege
Authentication: bcrypt password hashing (12 rounds), JWT tokens
Monitoring: AWS CloudWatch, intrusion detection, audit logs
Incident Response: Breach notification within 72 hours per GDPR
Vendor Security: All processors vetted for SOC 2 / ISO 27001

10. Cookies

We use essential cookies for authentication and security. Analytics cookies require your consent. See our full Cookie Policy for details.

Manage preferences anytime in Account Settings → Privacy.

11. Children's Privacy

Our services are for individuals 18+ (UK minimum working age for most roles). We do not knowingly collect data from children. If discovered, it will be deleted immediately.

12. Policy Changes

We may update this policy to reflect legal or service changes. For material changes:

  • We update the version number and date
  • We notify you via email for significant changes
  • We request renewed consent if legally required

Continued use after changes constitutes acceptance. Check back periodically for updates.

13. Contact & Complaints

Contact Opus

Email: privacy@opusplatforms.co.uk
Address: Unit 314b, 566 Cable Street, London, E1W 3HB

Complain to ICO

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Phone: 0303 123 1113
ico.org.uk/make-a-complaint

We encourage you to contact us first so we can resolve your concern directly.

Version History

  • v2.0.0 (Feb 5, 2026): Added AI Platform Assistant disclosure, complete third-party integrations, table of contents
  • v1.1.0 (Jan 10, 2026): Added student visa compliance, GPS tracking details
  • v1.0.0 (Nov 1, 2025): Initial GDPR-compliant privacy policy

UK GDPR Compliant — This policy fulfills Articles 12, 13, and 14 transparency requirements.
Last reviewed: February 5, 2026 | Next review: August 2026