1. Privacy Notice – PRACI LTD
1.1 Effective Date: 19 February 2026
1.2 Last Updated: 19 February 2026
2. Who We Are
2.1 When we say "Praci", "we", "our" or "us", we mean PRACI LTD, a company incorporated and registered in the United Kingdom (Company No. 15822571).
2.2 Praci provides a secure, cloud-based workforce management platform enabling organisations to manage rota scheduling, attendance verification, task workflows, compliance management, timesheets, payroll-related workflows, and invoicing.
2.3 We operate across the United Kingdom, the European Union, and international markets.
2.4 For privacy-related enquiries, you can contact us using the following email addresses:
2.4.1 General Privacy: privacy@praci.io
2.4.2 GDPR & Data Rights: gdpr@praci.io
2.4.3 Support: help@praci.io
3. Scope of This Notice
3.1 This Privacy Notice explains how we collect, use, protect, retain, and share personal data in connection with our websites, mobile applications, APIs, integrations, and related services (the "Services").
3.2 "Personal data" means information relating to an identified or identifiable individual. This includes, for example, your name, email address, phone number, attendance records, location data (where enabled), and other data linked to you.
3.3 This notice applies to the following categories of individuals:
3.3.1 Workers using the platform
3.3.2 Supervisors and administrators
3.3.3 Client organisations
3.3.4 Website visitors
3.3.5 Prospective customers
3.3.6 API users
3.3.7 Event participants
4. When We Act as Controller and Processor
4.1 Praci acts as a Data Controller where we determine the purposes and means of processing personal data. This includes:
4.1.1 Account and subscription administration
4.1.2 Platform security and fraud prevention
4.1.3 Marketing communications (where applicable)
4.1.4 Website and service analytics
4.1.5 Compliance with legal and regulatory obligations
4.2 Client organisations may use Praci to manage personal data relating to their workforce or other third parties. In those cases:
4.2.1 The client organisation acts as the Data Controller.
4.2.2 Praci acts as a Data Processor under Article 28 GDPR.
4.2.3 We process personal data only on the documented instructions of the client organisation, subject to our contractual and legal obligations.
4.3 If you believe your personal data is being processed through a client organisation using Praci, you should contact that organisation directly in the first instance.
5. Personal Data We Process
5.1 The categories of personal data we process depend on how you interact with our Services.
5.2 Identity and Contact Data
5.2.1 Name
5.2.2 Email address
5.2.3 Telephone number
5.2.4 Job role
5.2.5 Organisation name
5.2.6 Profile image
5.3 Account and Authentication Data
5.3.1 Securely hashed login credentials
5.3.2 Account preferences
5.3.3 User roles and permissions
5.3.4 Subscription metadata
5.4 Workforce and Attendance Data
5.4.1 Check-in and check-out timestamps
5.4.2 Shift and rota records
5.4.3 Project or assignment identifiers
5.4.4 Location data (GPS, where enabled)
5.4.5 IP address
5.4.6 Device metadata
5.4.7 Network metadata (where enabled)
5.5 Biometric Data (Where Enabled)
5.5.1 Facial images captured during attendance verification events (check-in and check-out).
5.5.2 Encrypted biometric templates generated solely for identity verification.
5.5.3 Biometric data used for unique identification constitutes special category data under Article 9 GDPR.
5.5.4 Biometric data is used only for identity verification and is not used for AI training, profiling, or marketing purposes.
5.6 Financial Data
5.6.1 Billing address
5.6.2 VAT information (where applicable)
5.6.3 Invoice records
5.6.4 Payment confirmation metadata
5.6.5 Praci does not store full payment card numbers. Payment processing is handled by PCI-compliant providers.
5.7 Technical and Usage Data
5.7.1 Browser type and version
5.7.2 Operating system
5.7.3 Device identifiers
5.7.4 Platform interaction logs
5.7.5 API activity logs
5.8 Communications Data
5.8.1 Support communications
5.8.2 Feedback and survey responses
5.8.3 Other correspondence with Praci
6. How We Collect Personal Data
6.1 We collect personal data in the following ways:
6.2 Directly from you: when you register for an account, use our Services, contact support, or otherwise communicate with us.
6.3 Automatically: when you use our Services, we collect technical and usage data through secure logging, analytics, and monitoring tools.
6.4 From third parties: where relevant, we may receive personal data from client organisations, payment providers, identity verification partners, analytics providers, and integration partners.
7. Purposes for Which We Use Personal Data
7.1 We process personal data for the following purposes:
7.1.1 To provide and operate our Services, including attendance verification, rota scheduling, task and compliance workflows, reporting, and infrastructure management.
7.1.2 To maintain security and integrity of the platform, including fraud detection, access control, and threat prevention.
7.1.3 To communicate with users, including service updates, security alerts, billing notices, and support responses.
7.1.4 To improve and develop our Services, including system performance analysis and feature development in a proportionate and lawful manner.
7.1.5 To comply with legal and regulatory obligations, including tax, accounting, and lawful disclosures.
7.1.6 To send marketing communications where you have provided consent, with the ability to withdraw consent at any time.
8. Legal Bases for Processing
8.1 Where required under UK GDPR and EU GDPR, we rely on the following lawful bases for processing personal data:
8.1.1 Contract (Article 6(1)(b)) – to provide, operate, and manage the Services.
8.1.2 Legal Obligation (Article 6(1)(c)) – to meet regulatory, tax, and other legal obligations.
8.1.3 Legitimate Interests (Article 6(1)(f)) – to ensure security, prevent fraud, and improve our Services, where these interests are not overridden by your rights and freedoms.
8.1.4 Consent (Article 6(1)(a)) – for marketing communications and other processing where consent is expressly requested.
8.1.5 Explicit Consent (Article 9(2)(a)) – for biometric processing used for identity verification.
8.2 Where we rely on legitimate interests, we carry out appropriate balancing assessments to ensure your interests and fundamental rights are respected.
9. Biometric Processing and Proportionality
9.1 Biometric verification may be enabled by client organisations to support secure attendance verification.
9.2 Where biometric processing is enabled:
9.2.1 Facial images are captured during check-in and check-out events.
9.2.2 Images may be converted into encrypted biometric templates used solely for identity verification.
9.2.3 Raw images are not retained longer than necessary for verification and system integrity.
9.2.4 Biometric templates are stored securely and are not designed to be reverse-engineered back into images.
9.2.5 Biometric data is not used for AI training, profiling, or marketing, and is not sold to third parties.
9.3 Biometric processing is based on explicit consent and is limited to the purpose of identity verification. Alternative authentication methods are available so that biometric consent is not mandatory.
9.4 Consent for biometric processing can be withdrawn at any time, and such withdrawal will not result in discriminatory treatment.
9.5 We have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 GDPR, including an assessment of necessity, proportionality, and risk mitigation.
10. Automated Decision-Making Safeguards
10.1 Automated facial matching may be used during attendance verification.
10.2 However:
10.2.1 No legally or similarly significant decision is made solely by automated means.
10.2.2 Human review is available upon request.
10.2.3 Supervisors retain the ability to override system outcomes.
10.2.4 Automated verification alone does not independently determine disciplinary action.
10.3 These safeguards are designed to align with Article 22 GDPR.
11. Data Retention
11.1 We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
11.1.1 Account data: for the duration of the active account plus 12 months.
11.1.2 Attendance records: up to 6 years.
11.1.3 Biometric data: deleted within 30 days of account closure, subject to system backup cycles.
11.1.4 Financial records: 6–7 years, or as required by applicable law.
11.1.5 Support data: 24 months.
11.1.6 Security logs: 12 months.
11.1.7 Backups: 30–90 day rolling deletion cycle.
11.2 After the relevant retention period expires, personal data is securely deleted or irreversibly anonymised.
12. Sharing Personal Data
12.1 We may share personal data with trusted third parties where necessary to operate our Services or meet legal obligations, including:
12.1.1 Cloud infrastructure providers.
12.1.2 Payment processors.
12.1.3 Identity verification providers.
12.1.4 Professional advisers, such as legal or accounting firms.
12.1.5 Regulators, law enforcement, or other authorities where legally required.
12.1.6 Prospective buyers or investors in connection with a proposed corporate transaction, subject to appropriate safeguards.
12.2 All third parties with whom we share personal data are contractually required to implement appropriate data protection and security measures.
13. International Transfers
13.1 Where personal data is transferred outside the United Kingdom or the European Economic Area (EEA), we implement appropriate safeguards, such as:
13.1.1 Adequacy decisions issued by relevant authorities.
13.1.2 Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities.
13.1.3 UK International Data Transfer Agreements (IDTA), where applicable.
13.2 Transfer Impact Assessments are conducted where required to evaluate the risk and suitability of international transfers.
14. Security
14.1 We implement appropriate technical and organisational measures in accordance with Article 32 GDPR to protect personal data.
14.1.1 Encryption in transit (e.g. TLS).
14.1.2 Encryption at rest.
14.1.3 Role-based access controls.
14.1.4 Multi-factor authentication for administrative access.
14.1.5 Audit logging and monitoring.
14.1.6 Infrastructure segregation and environment hardening.
14.1.7 Regular security testing and vulnerability management.
14.1.8 Incident response procedures.
14.2 In the event of a personal data breach, we will comply with our obligations under Articles 33 and 34 GDPR, including notifying relevant supervisory authorities and affected individuals where legally required.
15. Your Data Protection Rights
15.1 Under data protection law, you have the following rights in relation to your personal data:
15.1.1 The right of access – to obtain confirmation and a copy of your personal data.
15.1.2 The right to rectification – to correct inaccurate or incomplete personal data.
15.1.3 The right to erasure – to request deletion of your personal data in certain circumstances.
15.1.4 The right to restrict processing – to request restriction of processing in certain circumstances.
15.1.5 The right to object – to object to certain types of processing, including processing based on legitimate interests.
15.1.6 The right to data portability – to receive your personal data in a structured, commonly used format and have it transmitted to another controller, where technically feasible.
15.1.7 The right to withdraw consent – where processing is based on consent, you may withdraw that consent at any time.
15.1.8 The right to request human review – where automated decision-making is used, to request human intervention and review of the decision.
15.2 You can exercise your rights by contacting us at gdpr@praci.io. We will respond within one month, subject to any lawful extensions.
15.3 You also have the right to lodge a complaint with your local supervisory authority, including the UK Information Commissioner’s Office (ICO).
16. Updates to This Notice
16.1 We may update this Privacy Notice from time to time to reflect changes in our processing activities, legal requirements, or industry best practices.
16.2 Where changes are material, we will provide appropriate notice, for example via email or in-platform notifications.
16.3 We encourage you to review this notice periodically to stay informed about how we process personal data.