Privacy Policy

Data Controller: Opus Platforms Limited (trading as "Opus")

Opus engages and supplies temporary workers to hirers through our web platform and WhatsApp. This policy explains how we collect, use, and protect your personal data in compliance with UK GDPR and the Data Protection Act 2018.

2.1 Worker Registration

2.2 Identity Verification (Right to Work)

2.3 DBS Background Checks

2.4 Employment & Attendance

2.5 Financial Data

2.6 Employer Data

2.7 Automatically Collected

2.8 CV Analytics & Candidate Scoring (Workers Only)

2.9 Local On-Device Storage of Pending Writes (PWA / Offline Mode)

If you use Opus from a browser or installed PWA while offline (or with poor connectivity), the service worker queues certain writes locally on your device until connectivity returns. The queue is stored in your browser's IndexedDB under the database opus-sync-queue, object store pending. Queued writes currently cover three flows:

Entries are replayed automatically when your device regains connectivity (Background Sync API) and removed from IndexedDB after successful replay. Clearing your browser data deletes any pending entries. See §9 for the security framing.

We process your data for these purposes:

4.1 What AI Can Do

• Workers (46 tools): Browse shifts, check earnings, view compliance status, manage availability
• Employers (49 tools): View shift fill rates, check worker compliance, assist with timesheet review (human approval required for final approval)
• All users: Get instant answers to platform questions 24/7

An AI also parses what you type or say to determine which tool to invoke. This routing AI does not itself make decisions about you; downstream tools that can act on your behalf have their own controls (see §8).

4.2 What AI Cannot Do

4.3 Data Processing

• Queries processed by: Anthropic (Claude) under strict data processing agreements
• Data shared: Your query text, user role, relevant context (shift data, compliance status)
• Data NOT shared: Passwords, full bank details, biometric data
• Translation: If you set a language preference, platform communications (e.g., WhatsApp notifications) are translated using AI processing by our LLM providers
• Retention: AI queries logged for 2 years for audit/improvement

4.4 Conversational Memory

To make the AI assistant more useful across sessions, Opus operates a memory service (MemoryExtractionService) that, after a conversation completes, extracts durable facts and preferences from the transcript and persists them in your AI profile (ai_user_profiles table; cached in Redis for low-latency injection). These remembered facts are injected into the system context of your future AI sessions so the assistant can personalise responses.

Conversational memory does not change your compliance status, your assignments, your pay, or any other deterministic platform decision. It only personalises the AI assistant's responses.

Your controls:

• Opt out: set training_opt_out in Account Settings → Privacy. This stops new memories being persisted from your conversations.
• Delete existing memory: use the in-app memory clear control, or submit a DSAR via §8.
• Global killswitch: Opus operates an admin-level killswitch (MEMORY_ENABLED=false) that disables the memory feature platform-wide if needed for incident response.

4.5 AI Governance & Human Oversight

Opus operates a tiered AI governance framework ensuring appropriate human oversight for all AI-assisted actions:

High-impact actions (Tier 2) are never executed automatically. They are proposed by the AI system and routed to the Ops Approval Workbench, where an authorised Opus team member must review and explicitly approve before execution. All AI tool executions - including approvals and rejections - are recorded in a permanent audit log retained for 6 years in accordance with UK employment law and ICO accountability obligations.

4.6 Model Training & Improvement

We use de-identified and anonymised interaction data to improve our internal AI models for:

• Intent routing: Understanding what users are asking (e.g., "show my shifts" vs "check my pay")
• Safety classification: Detecting and routing high-risk requests to human review
• Tool extraction: Improving accuracy of structured parameter extraction from natural language

Opt-out: You may opt out of your interaction data being used for model training at any time by contacting compliance@opusplatforms.co.uk or via Account Settings → Privacy → AI Data Preferences. Opting out does not affect your access to AI features.

4.7 Your Controls

You can opt out of AI features by contacting support. Core platform functionality remains available without AI assistance.

5.1 Service Providers (Data Processors)

5.2 Employers

When you accept a shift, we share with that employer:

• Your name, phone number, and email
• Compliance status (RTW verified, training completed)
• Attendance records (clock times, GPS coordinates if enabled, QR attendance events if applicable)
• Performance ratings from previous shifts

Data Controller Relationship: Opus and hirers generally act as independent controllers for the personal data each processes for its own purposes. Where Opus and a hirer jointly determine the purposes and means of a specific processing activity, an arrangement under Article 26 UK GDPR will be put in place. Contact the hirer directly for their privacy practices.

5.3 Legal & Regulatory Authorities

• HMRC: Tax and National Insurance reporting (legal obligation)
• Home Office: Right to Work compliance verification
• ICO: Data protection investigations if required
• Law enforcement: If required by court order or statutory duty
• The Pensions Regulator: Auto-enrolment compliance

5.4 User-Initiated MCP Client Integrations

Opus exposes a Model Context Protocol (MCP) endpoint that lets you connect authenticated third-party MCP clients — for example, OpenAI ChatGPT or Anthropic Claude Desktop — to read or act on the data your role permits inside Opus. These integrations are user-initiated: nothing flows to a third-party MCP client unless you authenticate and authorise that client yourself.

• What data the third-party client can see: whatever the MCP tools your role grants would return (the same scope your normal Opus session has).
• Who controls the data once it leaves Opus: the third-party MCP client you chose, under your contract with that provider. Opus does not act as the controller of the onward use.
• What Opus retains: an MCP audit log of which tools were invoked, by which client, with what correlation ID (retained for 6 years for payroll/employment audit reasons). The audit log does not include the third-party client's downstream processing.
• Revocation: you can disconnect a connected MCP client at any time from Account Settings → Integrations.

OpenAI and Anthropic are not Opus processors in this flow — they are recipients you have chosen as the user. See the ROPA entry "User-initiated MCP client integrations" for the full framing.

Your data is primarily stored in UK/EU AWS regions. Some services involve transfers outside the UK:

SCCs = Standard Contractual Clauses approved by the UK ICO. Request copies at compliance@opusplatforms.co.uk

After retention periods expire, data is securely deleted or anonymized.

Profile photo sharing with employers

If you upload a profile photo, it is held privately in our encrypted storage and is shared with employers only under one of the following lawful bases:

• Legitimate interest (UK GDPR Art. 6(1)(f)) — employers can see the photos of workers they have booked, are currently working with, or have worked with in the past (a confirmed assignment exists between you and that employer). The legitimate interest is identity verification of booked staff and on-site safety; balanced against your right to a private image. You may object under Art. 21 by deleting your photo or contacting compliance@opusplatforms.co.uk.
• Talent pool participation — if you are part of the Opus talent pool (see Terms §4.7), employers browsing the talent pool can see your photo alongside your otherwise-anonymised profile (display ID, stats, ratings, area). You can opt out at any time from Account Settings → Privacy; once you opt out your photo stops appearing in future browses, but copies an employer has already viewed cannot be recalled.

Employers who have no booking history with you and to whom you have not granted talent-pool consent will not see your photo. Employers cannot download or persistently store your photo through our platform — they are issued short-lived (15-minute) presigned URLs that expire automatically.

Automated Decision-Making

Compliance RAG gating (UK GDPR Article 22). Opus operates a Red/Amber/Green compliance system that determines whether a worker is eligible to be assigned to shifts. RAG gating is a solely automated decision within the meaning of UK GDPR Article 22: it is performed by deterministic rules (not AI or machine-learning profiling), it does not involve a human in the loop at the moment of decision, and it has a significant effect on you because a non-green status blocks access to shifts and therefore to earnings. The rules check Right-to-Work validity, training completion, contract signing, and other compliance artefacts.

Your Article 22 safeguards:

• Right to human review on request — email compliance@opusplatforms.co.uk and a human operator will re-examine your status.
• Right to contest — challenge the outcome (for example, by submitting an updated document or correcting a record).
• Right to an explanation of the logic — see our published RAG rules summary for the deterministic criteria applied.

Shift allocation is not within Article 22. The FIRST_VALID_WINS allocation model resolves a race condition between workers who have each chosen to accept the same shift; it is a worker-initiated contract acceptance, not a platform decision about you. The EMPLOYER_APPROVAL model is reviewed by a human (the employer) and is therefore also outside Article 22.

Our approach to responsible AI is governed by our Responsible AI Principles (RESPONSIBLE-AI-PRINCIPLES), which set out the fairness, transparency, accountability, and safety standards applied to all AI systems on the Opus platform.

A Data Protection Impact Assessment (DPIA) is maintained for our AI processing activities in accordance with UK GDPR Article 35 and ICO guidance on AI and data protection.

CV Analytics and Headhunting

CV-driven candidate matching operates in three distinct layers:

1. Affinda — ML CV parser (third-party processor). Your uploaded CV is sent to Affinda's EU endpoint solely to extract structured fields. Affinda is contracted to delete the source document after parsing (deleteAfterParse=true).
2. Opus deterministic scoring. Reliability and placement scores are calculated by a published rules-based formula. No AI or machine learning is used at this layer.
3. Recruiter-approved approach (ADR-038 dryRun/confirm gate). A human Opus recruiter reviews the shortlist before any outbound approach is made.

Under the EU AI Act, CV analytics used in employment matching are classified as high-risk per Annex III §4 (employment, workers' management, and access to self-employment). You have the right to an explanation of the scoring formula, the right to contest your score, the right to human review of any decision affecting your profile's visibility, and the right to withdraw headhunting consent at any time.

Fraud / Duplicate-Profile Detection

Opus runs a deterministic, rule-based fraud-detection layer that flags potential duplicate registrations and impersonation attempts using:

• National Insurance (NI) number matches across accounts
• Fuzzy name and date-of-birth matches
• Bank-account-fragment matches across accounts

When a multi-signal flag fires, an alert is surfaced to admin operators. A flagged account can lead to admin-confirmed suspension via the HIGH-risk suspend_user MCP tool (which requires an explicit dryRun/confirm gate). Because suspension has a significant effect on you, this falls within UK GDPR Article 22 and you have the right to human review (admin confirmation is already mandatory), the right to contest, and the right to an explanation of which signals fired.

Your right to human review: You may request human review of any decision in which AI was involved by contacting compliance@opusplatforms.co.uk.

AI-Assisted Actions: Where AI proposes high-impact actions (e.g., payroll adjustments, compliance overrides, account suspensions), these are always routed to a human operator for explicit approval before execution. See §4.5 for our tiered governance framework.

Right to Withdraw Consent

Where we process your data based on consent (e.g., biometric verification, analytics cookies, talent pool participation), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdraw via Account Settings or email compliance@opusplatforms.co.uk.

We use three categories of cookies and similar storage technologies. Your consent is required for analytics and marketing cookies; you can grant, refuse, or change consent at any time from Account Settings → Privacy or via the in-app cookie banner. See our full Cookie Policy for the full list with names, durations, and providers.

• Essential cookies / storage — authentication, CSRF protection, and consent state. These do not require consent (PECR reg 6 essential exemption) and the platform does not function without them.
• Analytics (consent-gated) — Google Analytics 4 loads only after you grant analytics consent. We send anonymous usage events (anonymize_ip: true); cookies set include _ga and _ga_<container> with Google's default 2-year retention. Data is processed in the US under the Google DPF / SCCs (see §6).
• Marketing (consent-gated) — Apollo.io visitor tracking loads only after you grant marketing consent and is used for outbound marketing measurement. Data is processed in the US under SCCs.

Manage preferences anytime in Account Settings → Privacy.

Our services are for individuals 18+ (UK minimum working age for most roles). We do not knowingly collect data from children. If discovered, it will be deleted immediately.

We may update this policy to reflect legal or service changes. For material changes:

• We update the version number and date
• We notify you via email for significant changes
• We request renewed consent if legally required

Continued use after changes constitutes acceptance. Check back periodically for updates.

We encourage you to contact us first so we can resolve your concern directly.