Kore Payroll

Privacy Policy

How Kore Payroll collects, uses, and protects your personal data

Last updated: 1 May 2025  ·  Effective date: 1 May 2025  ·  Version: 2.1

Contents

  1. Who we are
  2. Data we collect
  3. How we use your data
  4. Legal basis for processing
  5. Who we share data with
  6. International data transfers
  7. How long we keep your data
  8. Your rights
  9. Cookies
  10. Security
  11. Children
  12. Changes to this policy
  13. Contact us

1. Who we are

Kore Payroll Limited ("Kore Payroll", "we", "us", or "our") is a company registered in England and Wales. We operate the korepayroll.co.uk website and the Kore Payroll application ("the Service").

We act as both a data controller (for data about our website visitors and account holders) and a data processor (for the payroll and employee data that our customers input into the Service on behalf of their employees).

Our Data Protection Officer can be contacted at: dpo@korepayroll.co.uk

2. Data we collect

2.1 Data you provide to us

  • Account registration data — name, email address, company name, phone number, billing address.
  • Payroll and employee data — when you use our Service on behalf of your employees, you input personal data including names, addresses, National Insurance numbers, tax codes, salary information, bank account details, and other payroll-related information. We process this data on your behalf as a data processor.
  • Communications — messages you send us via contact forms, email, or in-app chat.
  • Payment information — billing details processed by our payment provider (we do not store full card details).

2.2 Data we collect automatically

  • Usage data — pages visited, features used, time spent, actions taken within the Service.
  • Technical data — IP address, browser type and version, operating system, device identifiers, time zone.
  • Cookies and similar technologies — see our Cookie Policy for full details.

2.3 Data from third parties

  • Information from HMRC where we submit or receive data on your behalf via RTI.
  • Information from pension providers where we submit auto-enrolment data.

3. How we use your data

We use the personal data we collect for the following purposes:

  • Providing the Service — processing payroll, submitting RTI to HMRC, generating payslips and documents, managing pension auto-enrolment.
  • Account management — creating and managing your account, verifying your identity, and communicating with you about your account.
  • Billing and payments — processing subscription payments and sending invoices.
  • Customer support — responding to your enquiries and resolving issues.
  • Service improvement — analysing usage patterns to improve our features and user experience.
  • Security and fraud prevention — monitoring for suspicious activity and protecting the integrity of the Service.
  • Legal compliance — meeting our obligations under UK law, including HMRC requirements and data protection legislation.
  • Marketing — with your consent, sending information about new features, updates, and offers. You can unsubscribe at any time.

4. Legal basis for processing

Under UK GDPR, we process personal data on the following legal bases:

  • Contract performance — to provide the Service you have contracted for.
  • Legal obligation — to comply with HMRC requirements, employment law, and data protection law.
  • Legitimate interests — for fraud prevention, security monitoring, and service improvement.
  • Consent — for marketing communications and non-essential cookies. You may withdraw consent at any time.

For employee payroll data that you input as our customer, you are the data controller and we process that data on the legal basis of our contract with you.

5. Who we share data with

We do not sell your personal data. We share data only in the following circumstances:

  • HMRC — we submit RTI data (FPS and EPS) to HMRC on your instruction as part of the Service.
  • Pension providers — we submit auto-enrolment contribution data to your chosen pension provider.
  • Payment processors — we use Stripe to process subscription payments securely.
  • Infrastructure providers — our Service is hosted in UK data centres. We use AWS services (UK region) for hosting and data storage.
  • Analytics providers — we use privacy-focused analytics tools to understand how the Service is used. These tools do not receive personally identifiable information.
  • Legal requirements — we may disclose data where required by law, court order, or regulatory authority.
  • Business transfers — if Kore Payroll is acquired or merges with another business, your data may be transferred. We will notify you in advance.

All third-party processors we use are subject to appropriate Data Processing Agreements and bound to process data only on our instructions.

6. International data transfers

Your data is stored in UK data centres and does not routinely leave the United Kingdom. Where any transfer to a country outside the UK is necessary (for example, some cloud services), we ensure appropriate safeguards are in place, including:

  • UK adequacy decisions for the destination country, or
  • UK Standard Contractual Clauses (International Data Transfer Agreements).

7. How long we keep your data

  • Payroll records — retained for 7 years from the end of the relevant tax year, in accordance with HMRC requirements.
  • Account data — retained for the duration of your subscription plus 12 months after account closure, unless you request earlier deletion.
  • Audit logs — retained for 7 years (required for compliance purposes).
  • Marketing preferences — until you unsubscribe or withdraw consent.
  • Contact form enquiries — 24 months from the date of contact.

8. Your rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to request correction of inaccurate data.
  • Right to erasure — to request deletion of your data in certain circumstances (note: some data must be retained for legal compliance).
  • Right to restrict processing — to request that we limit how we use your data.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
  • Right to object — to object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making — Kore Payroll does not make decisions that legally or significantly affect you based solely on automated processing.

To exercise any of these rights, please contact us at dpo@korepayroll.co.uk. We will respond within 30 days. If you are unhappy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Note for employees: If you are an employee whose payroll data is processed by Kore Payroll on behalf of your employer, your employer is the data controller for that data. Please contact your employer in the first instance to exercise your rights.

9. Cookies

We use cookies and similar technologies on our website. Please see our Cookie Policy for full information about what cookies we use, why, and how to manage your preferences.

10. Security

We implement robust technical and organisational security measures to protect your data, including:

  • AES-256 encryption at rest for all stored data.
  • TLS 1.3 encryption for all data in transit.
  • Role-based access controls and the principle of least privilege.
  • Annual third-party penetration testing.
  • Employee security training and background checks.
  • ISO 27001-aligned information security management.

See our full Security Policy for details. If you discover a security vulnerability, please report it responsibly to security@korepayroll.co.uk.

11. Children

The Kore Payroll Service is intended for use by businesses and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child's data has been submitted, please contact us immediately.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service at least 30 days before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact us

For any questions about this Privacy Policy or how we handle your personal data:

  • Data Protection Officer: dpo@korepayroll.co.uk
  • General enquiries: hello@korepayroll.co.uk
  • Post: Kore Payroll Limited, [Registered Office Address], England

Related policies: Terms of Service · Cookie Policy · Data Processing Agreement · Security Policy

© 2025 Kore Payroll Limited. All rights reserved.