InkyHR Privacy Policy

Last updated: January 5, 2026

This Privacy Policy explains how Systematic Studios Ltd (company number [insert]) of 3 Bramhall Place, Storey’s Bar Road, Peterborough, Cambridgeshire, PE1 5YS (“Systematic Studios”, “InkyHR”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit our website, create an InkyHR account, or use the InkyHR service (together, the “Services”).

InkyHR is a brand operated by Systematic Studios Ltd. InkyHR is not a separate legal entity.

1. Who we are and how to contact us

Controller (general website & business contacts): Systematic Studios Ltd

Email: [privacy@inkyhr.co.uk / support@inkyhr.co.uk ]

Postal address: 3 Bramhall Place, Storey’s Bar Road, Peterborough, Cambridgeshire, PE1 5YS, United Kingdom

If you have questions about this Policy or want to exercise your rights, contact us using the details above.

2. Key roles: Customer vs InkyHR (Controller/Processor)

In many cases, InkyHR is used by an organisation (the “Customer”) to manage employee and HR information.

Customer as Controller: The Customer decides what employee/candidate data is entered into the Services and why. For that data, the Customer is typically the data controller.

InkyHR as Processor: For that same employee/candidate data, we typically act as a data processor and process the data only on the Customer’s instructions to provide the Services.

InkyHR as Controller (our own operations): We are a controller for certain data we collect and use for our own purposes, such as account admin contacts, billing contacts, website visitors, and support communications.

If you are an employee/end user and want to exercise rights relating to HR data your employer has placed into InkyHR, you should normally contact your employer first, because they control that data.

3. What personal data we collect

The personal data we collect depends on your relationship with us:

3.1 Website visitors

We may collect:

• Device and technical data (IP address, browser type/version, device identifiers, operating system)
• Usage data (pages viewed, time spent, referring URLs)
• Cookie and similar tracking data (see Cookies section)

3.2 Account administrators and business contacts (Customer users)

We may collect:

• Name, work email, work phone number, job title
• Organisation details (company name, address)
• Account login and security data (hashed passwords, authentication events, access logs)
• Communications (support tickets, emails, chat messages)

3.3 HR data uploaded to the Service (Customer Data)

Depending on Customer configuration, the Service may contain:

• Employee personal identifiers (name, email, employee ID, address, phone number)
• Employment details (role, department, manager, start date, status)
• HR records and documents uploaded by the Customer
• Notes and fields created by the Customer (which may include additional details)

Important: The Customer controls what HR data is uploaded. We recommend Customers avoid uploading unnecessary sensitive data.

3.4 Billing and payment data

We use Stripe to process payments. We may receive limited billing metadata (e.g., billing contact, invoice history, plan level, payment status). Payment card details are handled by Stripe and are not stored by us directly (except where Stripe provides tokenised references).

3.5 Support and troubleshooting data

When you contact support, we may collect:

• Contact details and communications
• System logs relevant to diagnosing issues
• Account configuration details needed to resolve requests

4. Special category data and criminal offence data

The Services are not designed to require special category data (such as health data, ethnicity, religion, union membership, biometrics) or criminal offence data.

However, HR systems can be used by Customers in ways that may include such data. Where a Customer chooses to store special category data in the Service, the Customer remains responsible for establishing a lawful basis and meeting additional legal requirements.

We do not intentionally require Customers to store special category data and recommend minimising it.

5. How we use personal data and our legal bases

We use personal data for the purposes below. Where UK GDPR applies, we rely on these legal bases:

5.1 To provide and operate the Services

Examples: account creation, authentication, feature delivery, service administration, user permissions, customer support.
Legal basis: performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).

5.2 To manage subscriptions, billing, and payments

Examples: invoicing, payment confirmation, subscription changes, fraud prevention.
Legal basis: performance of a contract (Art. 6(1)(b)); legal obligation where applicable (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

5.3 To secure, maintain, and improve the Services

Examples: monitoring for abuse, access logs, debugging, performance and reliability improvements.
Legal basis: legitimate interests (Art. 6(1)(f)).

5.4 To communicate with you

Examples: service notices, support responses, security alerts, administrative messages.
Legal basis: performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)).

5.5 Marketing (where applicable)

Examples: sending product updates, newsletters, promotions to business contacts.
Legal basis: legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)) where required by law.

You can opt out at any time.

5.6 To comply with legal obligations and enforce rights

Examples: responding to lawful requests, tax/accounting compliance, handling disputes.
Legal basis: legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

6. AI and automated processing

We use AI tools internally for development and productivity purposes (for example, assisting with code, documentation, or testing). At present, we do not offer an AI feature within the InkyHR product as a customer-facing capability.

We do not knowingly submit Customer HR data to third-party AI systems for model training. If our approach changes in future (for example, if we introduce AI features), we will update this Policy and, where required, provide additional disclosures and options.

We do not make decisions producing legal or similarly significant effects about individuals solely by automated means within the Services unless explicitly configured by the Customer and supported by the product (and any such functionality would be described in product documentation and/or supplemental terms).

7. Cookies and similar technologies

We may use cookies and similar technologies:

• Strictly necessary cookies for site functionality and security
• Analytics cookies to understand usage and improve the website (where enabled)
• Preference cookies to remember settings

Where required, we will provide cookie choices/consent mechanisms. You can also manage cookies via your browser settings, though disabling some cookies may affect functionality.

8. Who we share personal data with

We share personal data only as needed:

8.1 Service providers (processors)

We may share limited personal data with trusted providers who help us operate the Services, such as:

• Stripe (payments and billing)
• Email/support tooling (if used)
• Hosting/IT providers (currently primarily on-prem; may include UK/EU cloud providers in future)

We require providers to protect personal data and use it only to provide services to us.

8.2 Customer organisations

If you are a User under a Customer account, your activity and profile may be visible to that Customer’s administrators.

8.3 Legal and safety

We may disclose personal data to comply with law, respond to lawful requests, protect our rights, investigate fraud/security incidents, or protect users and the public.

8.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be disclosed as part of that transaction, subject to appropriate safeguards.

9. International users and cross-border transfers

We are UK-based and currently host Customer Data in the UK on premises controlled by us.

Because customers may be located outside the UK, personal data may be accessed from other countries by Customer Users. That access is controlled by the Customer.

If we transfer personal data outside the UK (or outside the EEA where applicable), we will implement appropriate safeguards (such as the UK International Data Transfer Agreement or other approved mechanisms) and update this Policy where needed.

10. Data security

We use reasonable technical and organisational measures designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

No system can be guaranteed 100% secure. Customers are responsible for using strong passwords, enabling available security features, and managing access appropriately.

11. How long we keep personal data

We retain personal data only for as long as necessary for the purposes described in this Policy, including to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.

Typical retention principles:

• Account and billing records: retained as required for accounting/tax and contract purposes.
• Customer Data (HR data): retained for the duration of the subscription and then deleted after a short administrative retention period, unless the Customer exports it or law requires retention.
• Logs: retained for security and operational purposes for a limited period.

Exact retention periods may vary depending on the nature of the data and legal requirements.

12. Your rights

Depending on your location and the applicable law, you may have rights including:

• Access to personal data we hold about you
• Rectification of inaccurate data
• Erasure (deletion) in certain circumstances
• Restriction of processing in certain circumstances
• Objection to processing based on legitimate interests
• Data portability where processing is based on contract or consent and carried out by automated means
• Withdraw consent where processing is based on consent (without affecting prior lawful processing)

Employees / end users within a Customer account

If your employer (or another Customer) uses InkyHR and you are an employee/end user, many rights requests must be handled by that Customer as controller. We will assist the Customer as required.

13. Complaints

If you are in the UK and have concerns, you may lodge a complaint with the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can try to resolve it.

14. Children’s privacy

The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children.

15. Changes to this Privacy Policy

We may update this Policy from time to time. We will post the updated version and revise the “Last updated” date. If changes are material, we will provide additional notice (for example, via email or within the Service).

16. How to contact us

For privacy questions or rights requests:

Systematic Studios Ltd (InkyHR) Email: [privacy@inkyhr.co.uk / support@inkyhr.co.uk ]
Address: 3 Bramhall Place, Storey’s Bar Road, Peterborough, Cambridgeshire, PE1 5YS, United Kingdom