
Legal & Compliance

Privacy Policy

Version 2.6.0 | Effective: March 25, 2026

Privacy at a Glance

  • We collect only data necessary for staffing services
  • Your data is encrypted and stored securely in UK/EU
  • We never sell your personal data to third parties
  • You have full control over your data (access, delete, port)
  • AI assistants help but don't make critical decisions
  • Compliant with UK GDPR & Data Protection Act 2018

1. Who We Are

Data Controller: Opus Platforms Limited (trading as "Opus")

Company Number: 16856935

Registered Office: Unit 314b, 566 Cable Street, London, E1W 3HB, United Kingdom

Employer PAYE Reference: 120/BF05099

HMRC Accounts Office Reference: 120PP03666762

Email: compliance@opusplatforms.co.uk

Data Protection Contact: compliance@opusplatforms.co.uk

ICO Registration: ZC090582 (verify at ico.org.uk)

Opus is a PAYE staffing agency that connects UK employers with qualified gig workers through our web platform and WhatsApp. This policy explains how we collect, use, and protect your personal data in compliance with UK GDPR and the Data Protection Act 2018.

2. Data We Collect

2.1 Worker Registration

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Full name | Identity, contracts, payroll | Contract |
| Email address | Account access, notifications | Contract |
| Phone number (E.164) | SMS verification, WhatsApp shifts | Contract |
| Home postcode | Shift matching by location | Contract |
| Password (hashed) | Account security | Contract |
| Role preferences | Job recommendations | Legitimate interest |
| Language preference | Communicating in your preferred language | Consent |

2.2 Identity Verification (Right to Work)

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Passport / ID documents | UK Right to Work verification | Legal obligation (Immigration Act 2016) |
| Biometric data (facial scan) | RTW biometric matching via Home Office-certified IDSP; raw biometric data is processed by the IDSP only and is not retained by Opus | Substantial public interest (Article 9(2)(g) UK GDPR; DPA 2018, Schedule 1, Part 2, Para 6, preventing unlawful employment); explicit consent is also collected via Document 6 as an additional safeguard. Article 6(1)(c) legal obligation applies to the RTW check. |
| National Insurance number | PAYE payroll, tax reporting | Legal obligation (HMRC) |
| Visa type & restrictions | Student hour limits, work eligibility | Legal obligation |
| Share code (non-UK citizens) | Home Office RTW verification | Legal obligation |

Student Visa Compliance

If you hold a student visa, we automatically enforce 20-hour/week limits during term time and 40-hour/week during vacations. This is a legal requirement under UK immigration law.

2.3 DBS Background Checks

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Personal details for DBS | Criminal record disclosure check | Consent (Article 6(1)(a)) + employment obligations (Article 9(2)(b) UK GDPR; DPA 2018, Schedule 1, Part 1, Para 1) |
| DBS certificate number | Compliance verification for roles | Legitimate interest |
| DBS Update Service status | Ongoing monitoring (with consent) | Consent |

2.4 Employment & Attendance

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| GPS coordinates (clock-in/out) | Verify attendance at work site | Consent + Legitimate interest |
| Shift times & attendance | Calculate pay, generate timesheets | Contract |
| Performance ratings | Quality assurance, employer feedback | Legitimate interest |
| Training & professional certifications (e.g., SIA, CSCS, driving licences) | Compliance, skill verification, role eligibility | Contract |

2.5 Financial Data

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Bank account details | Salary payments via BACS | Contract |
| Tax codes | PAYE deductions | Legal obligation |
| Pension enrolment | Auto-enrolment compliance | Legal obligation |
| Payment history | Payslips, P60s, earnings records | Contract + Legal obligation |

2.6 Employer Data

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Company name & registration | Account setup, invoicing | Contract |
| Business contact details | Service delivery, support | Contract |
| Site addresses & geofences | Worker attendance verification | Contract |
| Billing & payment info | Invoice processing | Contract |

2.7 Automatically Collected

| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Login/session data | Security, fraud prevention | Legitimate interest |
| Device/browser info | Technical support, compatibility | Legitimate interest |
| Usage analytics (if consented) | Platform improvement | Consent |
| AI interaction logs | Audit trail, service improvement | Legitimate interest |
| AI tool execution audit logs | Governance, compliance, safety auditing | Legitimate interest |
| AI approval records | Human oversight of AI-proposed high-impact actions | Legitimate interest |

3. How We Use Your Data

We process your data for these purposes:

| Purpose | Legal Basis | Details |
| --- | --- | --- |
| Provide staffing services | Contract | Match workers to shifts, process assignments |
| Verify identity & RTW | Legal obligation | Immigration Act compliance |
| Process payroll & taxes | Contract + Legal | PAYE, NI, pension contributions |
| Send shift notifications | Contract | WhatsApp/SMS/email alerts |
| Verify attendance | Legitimate interest | GPS clock-in within geofence |
| Generate timesheets | Contract | Calculate hours for payment |
| Comply with AWR | Legal obligation | Track 12-week threshold |
| Platform Assistant queries | Consent + Contract | AI-powered shift/compliance help |
| Fraud prevention | Legitimate interest | Detect timesheet manipulation |
| Improve services | Legitimate interest | Analytics, feature development |
| AI governance & oversight | Legitimate interest | Internal review and human approval of AI-proposed high-impact actions via Ops Approval Workbench |
| AI model improvement | Legitimate interest | De-identified data used to train intent routing and safety classification models (opt-out available - see §4.6) |

4. AI Platform Assistant

How AI Works on Opus

Opus provides AI-powered assistants via web chat and WhatsApp to help you find shifts, check compliance status, and manage your work. Here's what you need to know.

4.1 What AI Can Do

  • Workers (27 tools): Browse shifts, check earnings, view compliance status, manage availability
  • Employers (30 tools): View shift fill rates, check worker compliance, approve timesheets
  • All users: Get instant answers to platform questions 24/7

4.2 What AI Cannot Do

Critical Decisions Are Always Human/Rule-Based

  • AI does NOT calculate your pay (deterministic payroll system)
  • AI does NOT determine your compliance status (rule-based RAG system)
  • AI does NOT approve shift assignments (first-valid-wins or employer approval)
  • AI does NOT make hiring/firing decisions

4.3 Data Processing

  • Queries processed by: Anthropic (Claude) under strict data processing agreements
  • Data shared: Your query text, user role, relevant context (shift data, compliance status)
  • Data NOT shared: Passwords, full bank details, biometric data
  • Translation: If you set a language preference, platform communications (e.g., WhatsApp notifications) are translated using AI processing by our LLM providers
  • Retention: AI queries logged for 2 years for audit/improvement

4.5 AI Governance & Human Oversight

Opus operates a tiered AI governance framework ensuring appropriate human oversight for all AI-assisted actions:

| Tier | Risk Level | Examples | Safeguard |
| --- | --- | --- | --- |
| Tier 0 | Read-only | Browse shifts, view earnings | Full audit logging |
| Tier 1 | Low-write | Update availability, create support tickets | User confirmation + audit |
| Tier 2 | High-impact write | Bulk shift cancellations, timesheet approvals, compliance overrides, user suspensions | Human ops approval required before execution |
| Tier 3 | Prohibited | Pay calculation, compliance determination, assignment allocation | AI cannot perform - deterministic systems only |

High-impact actions (Tier 2) are never executed automatically. They are proposed by the AI system and routed to the Ops Approval Workbench, where an authorised Opus team member must review and explicitly approve before execution. All AI tool executions - including approvals and rejections - are recorded in a permanent audit log retained for 6 years in accordance with UK employment law and ICO accountability obligations.

4.6 Model Training & Improvement

We use de-identified and anonymised interaction data to improve our internal AI models for:

  • Intent routing: Understanding what users are asking (e.g., "show my shifts" vs "check my pay")
  • Safety classification: Detecting and routing high-risk requests to human review
  • Tool extraction: Improving accuracy of structured parameter extraction from natural language

Model Training Safeguards

  • All PII is stripped before any data enters training pipelines
  • Data Protection Officer (DPO) approval required before each training cycle
  • Data Protection Impact Assessment (DPIA) maintained and reviewed bi-annually
  • No biometric, financial, or identity document data is ever used for training
  • Third-party LLM providers (Anthropic) are contractually prohibited from training on Opus data

Opt-out: You may opt out of your interaction data being used for model training at any time by contacting compliance@opusplatforms.co.uk or via Account Settings → Privacy → AI Data Preferences. Opting out does not affect your access to AI features.

4.7 Your Controls

You can opt out of AI features by contacting support. Core platform functionality remains available without AI assistance.

5. Who We Share Data With

5.1 Service Providers (Data Processors)

| Provider | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| AWS (Amazon Web Services) | Cloud hosting, database, file storage | UK/EU | GDPR DPA, ISO 27001 |
| Yoti | Right to Work identity verification | UK | IDSP certified, UK GDPR |
| uCheck | DBS background checks | UK | DBS registered body |
| eSignatures.io | Electronic contract signatures | UK/EU | UK GDPR, ISO 27001 |
| Stripe | Payment processing | EU/US | PCI-DSS, SCCs |
| Xero | PAYE payroll processing | UK/AU | SOC 2, GDPR DPA |
| Meta (WhatsApp Business) | Shift notifications, messaging | US | SCCs, DPA |
| Twilio | SMS notifications, OTP | US | SCCs, GDPR DPA |
| AWS SES | Transactional emails | EU | GDPR DPA, ISO 27001 |
| HubSpot | CRM, employer communications | US | SCCs, ISO 27001 |
| Freshdesk | Support ticket management | US | SCCs, SOC 2 |
| n8n | Workflow automation | EU | GDPR compliant |
| Anthropic (Claude) | AI assistant processing | US | DPA, no training on data |
| New Relic | Observability and monitoring | EU | GDPR DPA, SOC 2 |
| PagerDuty | Incident management | US | SCCs, SOC 2 |
| Slack | Internal communications | US | SCCs, SOC 2 |
| CharlieHR | HRIS employee record sync | UK | GDPR DPA |
| Postcodes.io | UK postcode geocoding | UK | Open data |

5.2 Employers (Joint Controllers)

When you accept a shift, we share with that employer:

  • Your name, phone number, and email
  • Compliance status (RTW verified, training completed)
  • Attendance records (clock times, GPS coordinates if enabled)
  • Performance ratings from previous shifts

Joint Controller: Both Opus and the employer are responsible for your data during assignments. Contact the employer directly for their privacy practices.

5.3 Legal & Regulatory Authorities

  • HMRC: Tax and National Insurance reporting (legal obligation)
  • Home Office: Right to Work compliance verification
  • ICO: Data protection investigations if required
  • Law enforcement: If required by court order or statutory duty
  • The Pensions Regulator: Auto-enrolment compliance

6. International Transfers

Your data is primarily stored in UK/EU AWS regions. Some services involve transfers outside the UK:

| Service | Destination | Safeguard |
| --- | --- | --- |
| WhatsApp (Meta) | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| Stripe | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| Anthropic | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| HubSpot | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| Twilio | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| Xero | Australia/UK | SCCs + GDPR DPA |
| Freshdesk | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| eSignatures.io | UK/EU | UK adequacy (EEA); SCCs as fallback |
| PagerDuty | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |
| Slack | USA | UK Extension to EU-US DPF (if certified); SCCs or UK IDTA as fallback |

SCCs = Standard Contractual Clauses approved by the UK ICO. Request copies at compliance@opusplatforms.co.uk

7. Data Retention

| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Account data | Duration of account + 6 years | Legal claims, tax records |
| Right to Work documents | 2 years after employment ends | UK Immigration Act requirement |
| Payroll & tax records | 7 years | HMRC statutory requirement |
| Attendance records | 6 years | Employment law, payroll disputes |
| Contracts (signed) | 6 years after termination | Limitation Act 1980 |
| DBS certificates | 6 months after verification | DBS Code of Practice |
| DBS outcome record (date, level, result, certificate number) | Duration of employment + 6 months | Legitimate interest / employment obligation |
| DBS Update Service check log | Duration of employment + 6 months | Consent |
| Biometric data (selfie) | Not retained by Opus and deleted by the IDSP after verification | Not applicable |
| AI interaction logs | 2 years | Audit, service improvement |
| AI tool execution audit logs | 6 years | Employment law, governance compliance, ICO accountability |
| AI approval records | 6 years | Governance compliance, employment law audit obligations |
| GPS location data | 2 years | Legitimate interest (attendance verification) |
| Marketing consent | Until withdrawn | Ongoing consent |
| Support tickets | 3 years after resolution | Service continuity |

After retention periods expire, data is securely deleted or anonymized.

8. Your Rights Under UK GDPR

Access (Art. 15)

Request a copy of all data we hold about you. Free of charge, response within 1 month.

Rectification (Art. 16)

Request correction of inaccurate data. Update in account settings or contact us.

Erasure (Art. 17)

Request deletion when data is no longer needed. Some data retained for legal obligations.

Restriction (Art. 18)

Limit processing while disputes are investigated.

Portability (Art. 20)

Receive your data in machine-readable format (JSON) for transfer.

Object (Art. 21)

Object to processing based on legitimate interests or direct marketing.

How to Exercise Your Rights

  • Online: Account Settings → Privacy → Data Rights
  • Email: compliance@opusplatforms.co.uk
  • Response time: Within 1 month (may extend to 3 months for complex requests)
  • Verification: We may request ID to prevent unauthorised access

Automated Decision-Making

We do not use fully automated decision-making that produces legal effects. Our RAG compliance system uses deterministic rules, not AI profiling. You always have the right to human review of any compliance decision.

A Data Protection Impact Assessment (DPIA) is maintained for our AI processing activities in accordance with UK GDPR Article 35 and ICO guidance on AI and data protection.

Your right to human review: You may request human review of any decision in which AI was involved by contacting compliance@opusplatforms.co.uk.

AI-Assisted Actions: Where AI proposes high-impact actions (e.g., payroll adjustments, compliance overrides, account suspensions), these are always routed to a human operator for explicit approval before execution. See §4.5 for our tiered governance framework.

Right to Withdraw Consent

Where we process your data based on consent (e.g., biometric verification, analytics cookies, talent pool participation), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdraw via Account Settings or email compliance@opusplatforms.co.uk.

9. Security Measures

Encryption: TLS 1.3 in transit, AES-256 at rest (AWS KMS)
Access Controls: Role-based access, MFA for staff, least privilege
Authentication: bcrypt password hashing (12 rounds), JWT tokens
Monitoring: AWS CloudWatch, intrusion detection, audit logs
Incident Response: Breach notification within 72 hours per GDPR
Vendor Security: All processors vetted for SOC 2 / ISO 27001

10. Cookies

We use essential cookies for authentication and security. Analytics cookies require your consent. See our full Cookie Policy for details.

Manage preferences anytime in Account Settings → Privacy.

11. Children's Privacy

Our services are for individuals 18+ (UK minimum working age for most roles). We do not knowingly collect data from children. If discovered, it will be deleted immediately.

12. Policy Changes

We may update this policy to reflect legal or service changes. For material changes:

  • We update the version number and date
  • We notify you via email for significant changes
  • We request renewed consent if legally required

Continued use after changes constitutes acceptance. Check back periodically for updates.

13. Contact & Complaints

Contact Opus

Email: compliance@opusplatforms.co.uk
Address: Unit 314b, 566 Cable Street, London, E1W 3HB

Complain to ICO

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Phone: 0303 123 1113
ico.org.uk/make-a-complaint

We encourage you to contact us first so we can resolve your concern directly.

Version History

| Version | Date | Changes |
| --- | --- | --- |
| v2.6.0 | Mar 25, 2026 | Corrected biometric data lawful basis (§2.2: additional safeguard, Article 9(2)(g) UK GDPR + DPA 2018 Schedule 1 Part 2 Para 6 as primary basis + explicit consent via Document 6), expanded DBS lawful basis (§2.3: added Article 9(2)(b) + DPA 2018 Schedule 1 Para 1), added 3 missing retention rows (§7: DBS outcome record, DBS Update Service check log, biometric data not retained by Opus) |
| v2.5.0 | Mar 16, 2026 | Aligned AI governance tier table with ToS (§4.5), fixed eSignatures.io domain name |
| v2.4.0 | Mar 16, 2026 | Added language preference to data collected (§2.1), expanded training certificates to include professional certifications (§2.4: SIA, CSCS, driving licences), added AI translation disclosure (§4.3) |
| v2.3.0 | Mar 16, 2026 | Corrected Xero international transfer safeguard (§6: Australia does not have UK adequacy) |
| v2.2.1 | Mar 16, 2026 | Removed SendGrid, added CharlieHR as HRIS processor, added Twilio/Xero/Freshdesk to international transfers table |
| v2.2.0 | Mar 16, 2026 | Updated e-signature processor to eSignatures.io (§5.1), added New Relic/PagerDuty/Slack as processors (§5.1), aligned DBS retention with Code of Practice (§7: 3 years → 6 months), aligned AI log retention with DPIA (§7: 90 days → 2 years) |
| v2.1.0 | Mar 1, 2026 | Added AI governance framework disclosure (§4.5), model training transparency (§4.6), 6-year retention for governance logs (§7) |
| v2.0.0 | Feb 5, 2026 | Added AI Platform Assistant disclosure, complete third-party integrations |
| v1.1.0 | Jan 10, 2026 | Added student visa compliance, GPS tracking details |
| v1.0.0 | Nov 1, 2025 | Initial GDPR-compliant privacy policy |

UK GDPR Compliant - This policy fulfills Articles 12, 13, and 14 transparency requirements.
Last reviewed: March 16, 2026 | Next review: September 2026
