Request a Brochure

Privacy Policy


Mitrefinch is a global provider of Workforce Management solutions for organisations that need to monitor and manage their workforce whilst controlling costs and administering employees; we operate from our main locations around the world with offices in the UK, USA, Canada and Australia.

Our Head Office is based in the UK where we need to comply with the new EU GDPR and Data Protection Act 2018 regulations which provide strict requirements regarding the use and storage of personal data and in many areas wider protection measures than stipulated under US or Canadian privacy laws.

This privacy policy explains what personal information we collect from you when you visit our website or are a recipient of our services. It has been drafted to comply with the requirements of UK and the EU regulation, but we also recognise the requirements of both Canadian privacy law under PIPEDA (Personal Information Protection and Electronic Documents Act) and the Privacy Act and The Fair Information Practices Principles of Federal and State privacy laws within USA.


Regardless from which country we operate, Mitrefinch, is committed to processing any personal information about its clients, staff, guests and visitors in ways that comply with its legal and regulatory obligations, and to being clear about what it does with their personal information.


This Policy applies to all personal data collected and maintained by Mitrefinch including client’s, staff, suppliers, guests, and visitor’s information.

Data collection

Mitrefinch Workforce Management solutions are designed for organisations that need to monitor and manage their workforce whilst controlling costs and administering employees. We use Time and Attendance, Rostering, Payroll, HR and Access Control Solutions.

Mitrefinch do not collect any sensitive or special category data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) for its own purposes but may collect personal information which we receive when:

  • You enquire or make use of our services or systems
  • As a potential new client who wishes to use or consider our services or systems
  • You submit a CV or an application when seeking employment with us
  • You engage with our social media accounts, including LinkedIn and Twitter
  • Someone is recommended by a friend, a former employer, a former colleague or even a present employer.
  • Or you make an enquiry on our website

For our systems we may process the following types of personal information of, or from you:

  • Your name, address, email address, telephone number(s) and other contact details
  • Your company’s name, your position in the company; the company’s address, company’s email address and telephone number;
  • Details of employee names, and ID numbers from our client’s businesses
  • Multi-spectral fingerprint scans in the form of templates and mathematical algorithms of our client’s employees;
  • Your payment information in the form of bank account details;
  • Information obtained through electronic means such as IP address or cookies;
  • Information about your use of our information and communications systems.

How do we use the data we collect?

We are a data controller of personal data for our staff; visitors to our website; guests at our offices and personal contacts from our Business and Corporate clients. This information is used for legitimate interests or to fulfil our services as an employer or supplier of Workforce Management solutions.

We are a data processor of data for our clients who sign up to use our services or systems. Any data we use as part of these services and systems is under the data control of the client.

For the processing activities we undertake we collect your personal information for the following purposes:

  • For Internal record keeping and administration in our relationship with you;
  • For the performance of a contract to provide you with services that you may request from us;
  • To fulfil our obligations to our clients, prospective clients and staff;
  • To meet our legal and regulatory obligations;
  • For financial payments and administration;
  • To interact with users on social media platforms including LinkedIn, You Tube and Twitter.

We may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your data. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required, or permitted by law.

Where we process your data with your consent, we will do this in accordance with the EU GDPR and UK Data Protection Act 2018 or as permitted under Canadian PIPEDA or US Federal and State Laws. 

How do we collect this information?

We collect personal information:

  • Directly from clients: e.g. when you make an enquiry or purchase our services
  • From staff; through our recruitment process and contract of employment
  • From our clients and their employees;
  • From publicly available sources: g. networking, social media, internet services such as Linked In, direct referrals, other Corporate bodies
  • From our website: http://www.mitrefinch.co.uk

We are committed to keeping your information up to date as far as is reasonably possible. However, if you believe that we have made an error, then please contact us at dataprotection@mitrefinch.co.uk and we will use reasonable endeavours to correct.

Keeping your information safe and secure

Mitrefinch is committed to keeping personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost.

Data security is of utmost importance to us and we have achieved certification to ISO 27001, in the UK, externally validating the robustness of our information security systems.

Additionally, Mitrefinch takes reasonable steps to protect your personal information from unauthorised access, use, disclosure or loss, as follows:

  • We limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
  • We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
  • We dispose of your data in adherence with industry approved processes and timescales.
  • The website has security measures (including on-line and off-line physical, electronic and managerial safeguards) in place to protect against the loss, misuse, and alteration of the information under our control. As with any transmission over the Internet, however, there is always some element of risk involved in sending personal information on-line.

If you have any questions on the security of our website, you can request information from dataprotection@mitrefinch.co.uk

How long do we keep personal information?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of retention periods for other aspects of your personal information are available in our Retention Policy which is available dataprotection@mitrefinch.co.uk

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of Mitrefinch we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.


Mitrefinch undertake marketing activity but processing only necessary to promote our business to clients and future clients. This is completed for our legitimate interests and will include:

  • Email promotions
  • Instant messaging where you have consented (under PECR you must have consent for text marketing)
  • Promotion and notification of our Events and webinars

Any marketing we undertake is made in a fully complaint manner as governed by data privacy regulations, with the contacts being given the option to opt out from such contact.

We may make unsolicited approaches and calling to new potential contacts or business clients, using prospect information held within our records or using information drawn from publicly available sources.

Any changes to our marketing activities will be updated in this Policy.

Readers and Biometrics

Mitrefinch does not collect or control Customer employee data. For Customers who use Mitrefinch terminals with a biometric or finger scanning device, the collection of Customer employee finger scan data is undertaken and controlled by the Customer. This data is used by the Customer for employee verification in connection with its employee timekeeping purposes. Such data consists solely of templates created from mathematical algorithms, not fingerprints.

Mitrefinch does not perform or control the collection of such data. Rather, Mitrefinch Customers collect such employee data through its use of the finger scanning devices and related software, and either store the data at the Customer controlled site or on secure space (in accordance with applicable law) made available by Mitrefinch in a cloud environment for that purpose.

If you would like more technical details of the systems and biometric data use in our systems please contact us at dataprotection@mitrefinch.co.uk

Third party access

Access to your personal information is only allowed when required by law or is required as part our fulfilling our service obligations.  We do not, and will never, sell or share your personal information with other third parties.

Should we need to transfer personal information to third parties located outside of USA or Canada, we will ensure that information is protected to a level which meets the requirements of the EU GDPR and UK Data Protection Act 2018 or as permitted under Canadian PIPEDA or US Federal and State Laws.

We are a subsidiary company of Mitrefinch Limited, with the Head Office located in the UK, and are a cloud-based service provider and data processor.  The storing and processing of personal information will be mainly in USA or Canada, as above, although access to this data may be granted to Mitrefinch Limited in the UK.  They in turn may allow access to our other subsidiary Companies and teams which are based in Australia.  Each of these subsidiary countries can request access to this data from the UK, where necessary, and where access is granted each will individually comply with data privacy legislation in their respective countries.

Please note that your data may be exported to, and stored and processed in, countries outside of the country in which you reside.  We use adequate physical, administrative, and technical processes, procedures and measures to protect your personal information from unauthorized use, disclosure, and/or access.

In principle we use third parties to:

  • Administer our staff records;
  • For screening and security checks;
  • For IT support and security;
  • Host and administer of our website;
  • To help us promote our business or advertise forthcoming events or webinars;
  • To achieve and renew our certified awards.

To receive information on the recipients of your data, please contact us at dataprotection@mitrefinch.co.uk

Website cookie

Mitrefinch make use of cookies to:

  • Help identify your computer; this helps us Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future.
  • We may also use trusted third-party services that track this information on our behalf.
  • Understand and save user’s preferences for future visits.

For our complete Cookies policy please visit:


Google AdSense Advertising

Mitrefinch also use Google AdSense Advertising on our website.

Google, as a third-party vendor, uses cookies to serve ads on our site. Google’s use of the DART cookie enables it to serve ads to our users based on their visit to our site and other sites on the Internet. Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy.

We have implemented the following:

  • Remarketing with Google AdSense
  • Google Display Network Impression Reporting
  • Demographics and Interests Reporting

We along with third-party vendors, such as Google use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions, and other ad service functions as they relate to our website.

Opting out:

Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising initiative opt out page or permanently using the Google Analytics opt Out Browser add on.

Links to other websites

Our website may contain links to other websites of interest. However, you should note that we do not have any control over these other websites. Once you have used any of these links to leave our site, therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites and such sites are not governed by this privacy statement.

Controlling your personal information

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Under certain circumstances, you have rights under UK Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation 2016/679 (GDPR) in relation to your personal information. You may have the right to:

  • Have access to individual’s specific information about our policies and practices relating to the management of personal information;
  • Access information held about you. Your right of access can be exercised in accordance with data protection law in your respective country; If you would like details or a copy of the information held on you please write to dataprotection@mitrefinch.co.uk
  • Object to us processing or ask us to restrict our processing of your personal information for any of the purposes listed in this policy, at any time.
  • Ask us to update and correct any out-of-date or incorrect personal information that we hold about you free of charge;
  • Ask us to erase your personal information (in certain circumstances). We will do our best to respond to such requests, but these are subject to certain limitations;
  • Request a transfer of your personal information (in certain circumstances).

If you wish to exercise any of the above rights or to review, verify, correct or question anything detailed in this policy or anything about your personal information, please contact our Data Protection Officer at dataprotection@mitrefinch.co.uk

California Online Privacy Protection Act

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require a person or company in the United States (and conceivably the world) that operates websites collecting personally identifiable information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared, and to comply with this policy. – See more at:


According to CalOPPA we agree to the following:

  • Users can visit our site anonymously
  • Once this privacy policy is created, we will add a link to it on our home page, or as a minimum on the first significant page after entering our website
  • Our Privacy Policy link includes the word ‘Privacy’ and can be easily be found on the page specified above.

Users will be notified of any privacy policy changes

  • On our Privacy Policy Page

Users are able to change their personal information

We honour do not track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

It’s also important to note that we do not allow third party behavioural tracking.


The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

To be in accordance with CANSPAM we agree to the following:

  • If at any time you would like to unsubscribe from receiving future emails, you can email us at dataprotection@mitrefinch.co.uk
  • We will promptly remove you from ALL correspondence.
  • We do not specifically market to children under 13. 

Data from Children

Mitrefinch as a provider of services to business, corporate clients and organisations does not seek to collect individually identifiable information about or from children under 16 years of age.

If Mitrefinch learns that a child under the age of 16 has submitted personally identifiable information we will take all reasonable measures to delete such information from our databases and to not use such information for any purpose. COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control.

The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

How to contact us

We have appointed a Data Protection Officer who is responsible for overseeing data privacy. If you have any queries relating to this Privacy Policy, please feel free to contact them at dataprotection@mitrefinch.co.uk

Changes to our Privacy Policy:

We keep our privacy policy under regular review, and we will place any updates on this web page. This privacy policy was last updated in July 2020.

Start the conversation

Get in touch

Request a Brochure