Privacy Policy
Last Updated: 10 January 2026
1. Introduction
BigRockUK Limited ("BigRock", "we", "us", "our") operates TS@BigRock, a timesheet management service available at bigrock.uk.com and ts.bigrock.uk.com.
This Privacy Policy explains how we collect, use, share, and protect personal data when you use our service. We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Data Controller
BigRockUK Limited
Company Registration: 16930391
Registered Address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
ICO Registration: ZC077176
Contact
General enquiries: ops@bigrock.uk.com
Data Protection Officer: dpo@bigrock.uk.com
2. Our Role: Controller and Processor
We act in different capacities depending on whose data we process:
As a Data Controller: We are the controller for personal data of account holders, organisation administrators, and billing contacts who register directly with us. We determine why and how this data is processed.
As a Data Processor: When organisations use TS@BigRock to manage their employees' timesheets, the organisation (our customer) is the data controller for their employee data. We process this data only on their instructions as a data processor. If you are an employee using TS@BigRock through your employer, your employer's privacy policy governs how your data is used, and you should direct any data protection queries to them.
We offer a Data Processing Agreement (DPA) to our business customers on request. Contact ops@bigrock.uk.com to obtain a copy.
3. Information We Collect
3.1 Account Holders and Organisation Representatives
When you register an organisation account, we collect:
- Full name
- Email address
- Organisation name
- Organisation address (after registration)
- Payment details (processed by Stripe — see Section 6)
3.2 Employee Data (Processed on Behalf of Customers)
When your employer uses TS@BigRock, the following data may be entered by your organisation's administrators:
- Name and email address
- Employee/payroll ID number
- Standard weekly contract hours
- Overtime entitlement status
- Employment start and end dates
- Line manager name
- Annual leave entitlement
- Timesheet entries: hours worked, projects, activities, notes
- Attachments: files or screenshots uploaded with timesheet entries
We process this data solely to provide the timesheet service to your employer.
3.3 Information Collected Automatically
When you use our service, we automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and features used
- Timestamps and session duration
- Error logs
We use AWS analytics to understand how the service is used and to improve performance.
3.4 AI Help Agent Data
Our service includes an AI-powered help agent (powered by Anthropic Claude) to assist users. When you use this feature, the following may be sent to Anthropic's API:
- Your query or question
- Relevant timesheet context
- User configuration (e.g., weekly contract hours)
- Any attachments you include (e.g., screenshots)
Conversation history exists only within your active chat session and is not stored after the session ends. Anthropic retains API inputs and outputs for up to 30 days for trust and safety purposes, in accordance with their privacy policy at anthropic.com/privacy. Anthropic does not use API data to train their models.
3.5 Cookies
We use cookies to operate our service. See our Cookie Policy at bigrock.uk.com/cookies for details.
4. How We Use Your Information
4.1 Account Holders and Organisation Representatives (Controller Activities)
Purpose: Creating and managing your account
Legal Basis: Performance of contract
Purpose: Processing subscription payments
Legal Basis: Performance of contract
Purpose: Sending service emails (verification, password reset, billing)
Legal Basis: Performance of contract
Purpose: Sending system updates and outage notifications
Legal Basis: Legitimate interest (service continuity)
Purpose: Providing customer support
Legal Basis: Performance of contract
Purpose: Preventing fraud and ensuring security
Legal Basis: Legitimate interest
Purpose: Complying with legal and tax obligations
Legal Basis: Legal obligation
Purpose: Sending new product or feature announcements
Legal Basis: Consent (opt-in only)
4.2 Employee Data (Processor Activities)
We process employee data solely to provide the timesheet service as instructed by the organisation (data controller). Processing includes:
- Storing and displaying timesheet entries
- Sending timesheet reminders and approval notifications
- Generating reports for the organisation
- Transmitting data to customer-configured integrations
- Providing AI-assisted help when requested by the user
We do not use employee data for our own purposes, except as necessary to provide and secure the service.
5. Email Communications
5.1 Transactional Emails (Cannot Be Opted Out Of While Account Is Active)
All users receive:
- Account verification emails
- Password reset requests
- Security alerts (e.g., login from new device)
Employees receive:
- Missing timesheet reminders
- Timesheet approval notifications
Organisation representatives/billing contacts receive:
- Payment confirmations and invoices
- Failed payment notifications
- Subscription renewal reminders
- System update and outage notifications
These emails are essential to service delivery and cannot be disabled while your account is active.
5.2 Marketing Emails (Opt-In Only)
Organisation representatives may choose to receive:
- New product announcements
- New feature updates
These require explicit opt-in consent. You can subscribe or unsubscribe at any time via your account settings or by clicking the unsubscribe link in any marketing email.
5.3 Email Delivery
Emails are sent via Amazon Simple Email Service (AWS SES). All emails include clear sender identification from bigrock.uk.com and comply with UK PECR and applicable anti-spam regulations.
6. Data Sharing
We do not sell your personal data. We share data only as follows:
6.1 Service Providers (Sub-Processors)
Amazon Web Services (AWS)
Purpose: Cloud hosting, database (Aurora PostgreSQL), authentication (Cognito), email delivery (SES)
Location: London (eu-west-2)
Safeguards: UK data residency
Stripe
Purpose: Payment processing
Location: USA
Safeguards: UK-US Data Bridge, SCCs
Anthropic
Purpose: AI help agent
Location: USA
Safeguards: SCCs, 30-day API retention only
We do not store payment card details. Stripe processes and stores payment information in accordance with PCI-DSS standards. See Stripe's privacy policy at stripe.com/privacy.
6.2 Customer-Configured Integrations
Organisation administrators may configure integrations to export timesheet data to third-party systems (e.g., payroll or accounting software). When configured:
- Data is transmitted from our servers to the customer-specified endpoint
- The customer is responsible for ensuring the receiving system is appropriate and lawful
- We act as a processor; the customer remains the controller for this data
6.3 Within Your Organisation
If you are an employee, your organisation's administrators and designated managers can access your timesheet data as part of normal service operation.
6.4 Legal Disclosure
We may disclose personal data if required by law, regulation, or legal process, or if necessary to:
- Comply with a court order or lawful government request
- Protect the rights, property, or safety of BigRock, our users, or the public
- Detect, prevent, or investigate fraud or security issues
Where legally permitted, we will notify affected customers before disclosing their data.
7. International Data Transfers
Your data is primarily stored in the United Kingdom (AWS London, eu-west-2).
Some of our service providers are based in the United States. When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
Stripe and Anthropic (USA): Transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner. Stripe also participates in the UK Extension to the EU-US Data Privacy Framework.
We only transfer data to countries or organisations that provide adequate protection for your personal data.
8. Data Retention
Account holder data
Retention: Duration of subscription + 90 days, then deleted. Billing records retained for 6 years for tax/legal compliance.
Employee timesheet data
Retention: Duration of employer's subscription + 90 days, then deleted.
AI help agent conversations
Retention: Session only — deleted when chat session ends. Anthropic retains API data for up to 30 days.
Automatically collected data (logs)
Retention: 90 days
Backups
Retention: 35 days (backups are purged automatically)
When a subscription ends:
- Data remains accessible for 90 days to allow export or reactivation
- After 90 days, data is permanently deleted from live systems
- Backups containing deleted data are automatically purged within 35 days
Customers who wish to retain access to their historical data should maintain an active subscription.
9. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit: TLS 1.2/1.3 for all connections
- Encryption at rest: AES-256 encryption for stored data
- Access controls: Role-based access, multi-factor authentication for administrative access
- Infrastructure: Hosted on AWS, which maintains ISO 27001, SOC 2, and other certifications
- Multi-tenancy isolation: Each organisation's data is logically separated
- Backup and recovery: Automated daily backups with 35-day retention
- Monitoring: Security monitoring and logging for incident detection
While we take security seriously, no system is completely secure. We encourage users to protect their login credentials and report any suspected security issues to ops@bigrock.uk.com.
10. Your Rights
10.1 Account Holders (Our Direct Customers)
Under UK data protection law, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent (e.g., marketing emails)
To exercise these rights, contact dpo@bigrock.uk.com. We will respond within one month.
10.2 Employees (Where Your Employer Uses TS@BigRock)
If your employer uses TS@BigRock to process your data, your employer is the data controller. You should direct data protection requests (access, deletion, etc.) to your employer in the first instance.
We will assist your employer in responding to such requests as required by our Data Processing Agreement.
11. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk
Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns directly before you contact the ICO. Please email dpo@bigrock.uk.com.
12. Children
TS@BigRock is a business service intended for use by organisations and their employees. It is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
- Minor changes: Posted to this page with an updated "Last Updated" date
- Material changes: Notified via email to account holders at least 14 days before taking effect
Continued use of the service after changes take effect constitutes acceptance of the revised policy.
14. Contact Us
General enquiries: ops@bigrock.uk.com
Data protection enquiries: dpo@bigrock.uk.com
Administration: office@bigrock.uk.com
BigRockUK Limited
71-75 Shelton Street
Covent Garden
London WC2H 9JQ
United Kingdom
Company Registration: 16930391
ICO Registration: ZC077176