Privacy Policy
This page explains how CherryPay collects, uses and protects personal data when you use our website, our paid tools and our free on-device tools.
This is a working draft and does not replace independent legal advice. You should review and adapt it with your professional advisers before relying on it as your formal privacy notice.
Who we are
In this policy, “we”, “us” and “our” mean CherryPay. We provide payroll support tools including a Holiday Pay Calculator, a Payroll CRM and specialist helper tools.
We are the organisation responsible for deciding how and why personal data is used when we act as a controller. When we process personal data only on behalf of our customers, we act as a processor. You can find more details about these roles below.
You can contact us about privacy or data protection by email at info@cherrypay.uk.
CherryPay Limited is a company registered in England and Wales with company number 16555956.
Scope of this policy
This policy applies to:
- The public CherryPay website at cherrypay.uk, including the contact form.
- The CherryPay account, identity and billing system that manages logins and subscriptions.
- The Holiday Pay Calculator application.
- The Payroll CRM application.
- Free tools that run on-device in your browser under
/tools/free/, such as the payroll helper and auto-enrolment helper.
It does not cover websites or services that are run by our customers, even if they use our tools. When you enter information about your own staff or clients into our tools, your organisation will normally be the controller for that data. We process it as a processor on your instructions.
Our role as controller and processor
When we are a controller
We act as a controller when we decide how and why to use personal data for our own purposes. This includes:
- Operating the public website and responding to contact form enquiries.
- Creating and managing user accounts and logins.
- Managing subscriptions and billing, including payments processed by Stripe.
- Monitoring use of the platform for security, abuse prevention and service improvement.
- Keeping business and financial records.
When we are a processor
We act as a processor when we handle personal data that our customers upload or enter into our tools about their own staff or clients. In these cases your organisation is the controller and we process personal data only:
- To provide the Holiday Pay Calculator and related reports.
- To provide the Payroll CRM and related communication, document and invoicing features.
- To provide free helper tools where you choose to import or paste data for processing in your browser or on our systems.
Our obligations as a processor are set out in the Data Processing Addendum, which forms part of our service terms. You can read it at: Data Processing Addendum.
What data we collect
Website, account and billing
From the public website, account system and billing tools we may collect:
- Contact form details – name, company, email address, phone number and the message you send us.
- Account and login details – username, email address, linked company or account id, password hash, and basic account metadata.
- Subscription details – plan codes, tool subscriptions, Stripe customer and subscription identifiers, price identifiers and related metadata.
- Technical and security data – IP address, browser type, device identifiers, access logs and error logs.
Holiday Pay Calculator
When your organisation uses the Holiday Pay Calculator we process data such as:
- Company configuration – company name, holiday year start date, week start day, default holiday entitlement and worker type settings.
- Employee details – name, employee reference, start date, leave date, working pattern, contracted hours, holiday entitlement, and (optionally) hourly rates.
- Weekly records – weekly hours worked, holiday hours, total earnings for the week, statuses and flags for whether weeks are excluded.
- Calculation logs – records of calculations run, parameters used and outputs generated, for audit and troubleshooting.
Payroll CRM
When your organisation uses the Payroll CRM we process data such as:
- Client company records – names, trading names, company numbers, UTRs, NI numbers where provided, contact names, email addresses and phone numbers.
- Contact and party records – names, email addresses, phone numbers, postal addresses, dates of birth, NI numbers and notes about relationships with client companies.
- Communication and document records – in-app messages, notes, reminders, uploaded files, document library entries, mail-merge outputs and attachments.
- Billing and invoicing – invoices, quotes, items and payments for work carried out for your clients.
Free tools on-device (/tools/free/)
Our free tools under /tools/free/, such as the payroll helper
and auto enrolment helper, are designed to work without creating customer
accounts or writing data into our main databases. They process data in
three main ways:
- Form inputs you enter – for example, employee pay and hours, tips data or CIS records used in calculators or CSV generators.
- Browser-based processing – calculations and CSV imports/exports are normally performed on your device using your web browser. For some tools we may use temporary files or server-side processing to create downloadable CSVs or summaries.
- Temporary storage – we may use browser storage (such as session cookies) or temporary server storage to keep your work in progress during a session. The intent is that you download or export the results and remain in control of the underlying data.
These helper tools are intended to help you stay compliant when paying employees and contractors. You should always review outputs carefully and keep your own records outside CherryPay.
How we use personal data and lawful bases
We only use personal data where we have a lawful basis under UK data protection law. Depending on the situation, this will usually be: performance of a contract, our legitimate interests, your consent, or a legal obligation. The table below summarises the main purposes.
| Purpose | Data involved | Lawful basis | Notes |
|---|---|---|---|
| Running the website and responding to enquiries |
|
Legitimate interests | To provide information about our services and respond to requests. |
| Creating and managing user accounts |
|
Contract | To provide access to CherryPay tools under our service terms. |
| Managing subscriptions and billing |
|
Contract and legal obligations | To charge for services, keep tax records and manage subscriptions. |
| Providing the Holiday Pay Calculator |
|
Contract (with our customer) | We process this data as a processor so our customer can calculate holiday pay correctly. |
| Providing the Payroll CRM |
|
Contract (with our customer) | We process this data as a processor so our customer can manage relationships and work for their clients. |
| Providing free on-device tools |
|
Legitimate interests | To operate calculators and helpers. We design these tools so data is processed on your device or in temporary working files. |
| Maintaining and improving the service |
|
Legitimate interests | To keep the platform secure, reliable and useful, without overriding your rights. |
| Sending service and legal notices |
|
Contract and legal obligations | For example, telling you about changes to this policy or to our terms. |
| Marketing our services |
|
Consent or legitimate interests | We will respect marketing preferences and offer an easy way to opt out. |
| Legal, regulatory and tax compliance |
|
Legal obligations | For example, to keep appropriate records for tax purposes and respond to lawful requests from authorities. |
Special category and criminal offence data
Our tools are not designed to capture special category data (such as health information, trade union membership or religious beliefs) or criminal offence data. We do not intentionally ask for this information, and you should avoid entering it into free text fields unless it is strictly necessary for your own legal obligations as an employer or adviser.
If you choose to record any special category or criminal offence data about your staff or clients in our tools, your organisation is responsible for having an appropriate lawful basis and condition for processing under UK data protection law. We will treat any such data as part of the records we process on your instructions as a processor.
Where data comes from
We collect personal data from:
- You – for example when you complete our contact form, create an account, enter data into a tool or contact us for support.
- Your organisation – when an account owner or administrator adds you as a user or imports data about staff and clients into our tools.
- Your use of the service – through logs of actions, access times, device and browser information.
- Third party providers – for example, Stripe provides us with payment confirmation details and billing identifiers (for example customer/subscription IDs). Stripe processes payment card details as a separate controller for payment processing.
Who we share data with
We do not sell personal data. We share it only with:
- Hosting and infrastructure providers who provide the servers, storage and networks that run CherryPay.
- Payment processors such as Stripe, act as an independent controller for payment data; we do not store your full card details.
- Email and communications providers used to send account emails, support replies and system notifications.
- Professional advisers such as lawyers, accountants and auditors, where needed to run our business.
- Authorities and regulators where we are legally required to do so, for example to prevent fraud or comply with a court order.
International data transfers
Our main systems are located in the UK or European Economic Area where possible. Some of our service providers may process data in other countries, for example where a provider is based outside the UK.
When we transfer personal data outside the UK, we will only do so where there is an appropriate safeguard in place, such as:
- An adequacy regulation made by the UK government; or
- Approved standard contractual clauses or an international data transfer addendum (IDTA) with the relevant provider.
How long we keep personal data
We keep personal data only for as long as we need it for the purposes set out in this policy, including any legal, accounting or reporting requirements. In practice this means:
- Website and contact form – enquiry emails and logs are normally kept for up to 24 months, unless needed longer for a particular case.
- Accounts and billing records – kept for the life of the account and then for up to 6 years after closure to comply with tax and accounting rules.
- Holiday Pay Calculator data – kept for as long as the customer’s subscription is active and for any data retention period configured by the customer in the application. After this, data may be deleted or anonymised in line with our retention procedures.
- Payroll CRM data – kept for as long as the customer maintains the records in the CRM and for a limited period after subscription end, unless deletion is requested earlier by the customer.
- Free on-device tools – inputs are intended to be temporary. Data is usually cleared when you close your browser session or delete any downloaded files and local storage entries.
We also keep system backups for a limited period. Backup copies are stored securely and are automatically overwritten on a rolling basis.
How we protect personal data
We take appropriate technical and organisational measures to protect personal data. These measures include:
- Using encrypted connections (HTTPS) for access to the site and tools where available.
- Applying access controls so only authorised staff and systems can access production data.
- Keeping software up to date and monitoring for security issues.
- Using strong password storage for user credentials.
- Maintaining logs and alerts to help detect and investigate incidents.
- Regularly backing up key systems so data can be restored in case of a technical problem.
No system can be completely secure. If we become aware of a personal data breach that is likely to result in a risk to you, we will investigate and notify you and any relevant regulator where we are required to do so.
Your rights
You have a number of rights in relation to your personal data under UK data protection law. These include the right to:
- Ask for a copy of the personal data we hold about you.
- Ask us to correct inaccurate or incomplete data.
- Ask us to delete personal data in some circumstances.
- Ask us to restrict or pause our use of your data in some circumstances.
- Object to our use of your data where we rely on legitimate interests.
- Ask for certain data to be provided in a portable format.
- Withdraw consent where we rely on consent (for example, some marketing).
You can exercise these rights by emailing info@cherrypay.uk. For data we process on behalf of a customer as a processor, we may ask you to contact that customer directly so that we can follow their instructions.
How to complain
If you have any concerns about how we use personal data, please contact us first using the details above so we can try to put things right.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK data protection regulator. You can find details of how to contact the ICO at ico.org.uk.
Children
Our services are aimed at businesses and professional users. They are not intended for children. We do not knowingly collect personal data from children using the CherryPay website or tools.
Changes to this policy
We may update this policy from time to time to reflect changes in our services, how we use personal data or the law. If changes are important we will take reasonable steps to let you know.
This policy is version 1.0 and was last updated on 9 February 2026.