Privacy Policy

Who we are

Zapay (“we”, “us”, “our”) provides outsourced payroll (PAYE) services. We act as a data controller for our own site visitors and prospects, and typically as a data processor for payroll data we process on behalf of our clients (employers). Where we are a processor, our client’s privacy notice also applies.

Registered office: 123 High Street, Manchester, M1 2AB, United Kingdom. Email: contact us | Tel: 0330 341 1710

Personal data we collect

Depending on your relationship with us, we may process:

• Website enquiries: name, email, message content, company, phone.
• Client contact data: names, roles, business contact details, approvals and audit notes.
• Payroll data (as processor): employee identifiers, addresses, NI numbers, tax codes, pay/hours, benefits, student loans, statutory payments, pension selections, bank details (for payroll), joiner/leaver info.
• Portal usage: login times, access logs, device/IP (for security and audit).
• Technical data: cookies/analytics (see Cookies section).

We do not intentionally collect special category data unless required for payroll compliance (e.g., statutory pay evidence) and then only as instructed by clients and with appropriate safeguards.

How we use your data

• To respond to enquiries and provide proposals.
• To deliver payroll services: calculating pay, issuing payslips/P60/P45, filing RTI, processing pensions.
• To provide and secure the employee portal (authentication, access logs, fraud monitoring).
• To maintain records, audit trails and compliance with legal obligations (HMRC, The Pensions Regulator).
• To improve our services and website (aggregated analytics).

Legal bases (UK GDPR)

• Contract: to provide payroll and related services to our clients.
• Legal obligation: HMRC reporting, employment and pension law requirements.
• Legitimate interests: service quality, security, fraud prevention, client relationship management.
• Consent: where required for certain communications or optional cookies.

Sharing & processors

We may share data with trusted providers to deliver our services, under contracts that include confidentiality, security and UK GDPR terms. Typical categories include:

• Payroll software and secure document delivery (e-payslips/P60s).
• Email and communication tools (contact responses, notifications).
• Cloud hosting, backup and IT security providers.
• Accountants/auditors (where engaged by the client) and HMRC/The Pensions Regulator as required by law.

We do not sell personal data.

International transfers

If personal data is transferred outside the UK (or EEA), we use appropriate safeguards, such as the UK International Data Transfer Agreement/Addendum or other lawful transfer mechanisms, and apply additional technical and organisational measures where appropriate.

Data retention

We keep data only as long as necessary for the purpose collected and to meet legal/accounting requirements. Typical periods:

• Enquiries: up to 24 months from last contact.
• Client records & payroll audit: generally 6 years after contract end (or longer if required by law).
• Portal access logs: typically 12–24 months for security/audit (subject to client policy).

Security

We implement layered security: access controls, encryption in transit, hardened hosting, regular updates, backups, and least-privilege principles. Staff are trained on data protection and confidentiality. While no system is perfectly secure, we continually improve safeguards and monitor for threats.

Your rights

Subject to conditions and exemptions, you have the right to:

• Access your data and request a copy.
• Rectify inaccurate or incomplete data.
• Erase data (where no longer needed/where consent withdrawn).
• Restrict or object to certain processing.
• Data portability (where applicable).
• Withdraw consent (where processing is based on consent).

If we process your data as a processor for a client (your employer), please contact your employer first so we can work with them to fulfil your request.

Cookies

Our site uses strictly necessary cookies for core functionality (e.g., security, session). We may use optional analytics cookies to understand site usage. Where required, we seek consent via our cookie banner. You can change preferences at any time and control cookies via your browser settings. See our Cookie Policy for details.