Privacy Policy

Last updated: 16 October 2025

This Privacy Notice explains how NZTWorx (“we”, “us”, “our”) collects and uses personal data when providing our services, including CIS Payroll, PAYE for Employers, Umbrella Payroll, HMRC Verification, Deduction Statements and the Contractor Portal. We process personal data in accordance with UK GDPR and the Data Protection Act 2018.

1. Who we are (Controller)

NZTWorx is the data controller for the processing described in this notice unless we state otherwise (for some client-specific activities we act as a processor). To contact us about privacy, email privacy@nztworx.com or use Contact Us.

2. Personal data we collect

  • Identity & contact: name, address, email, phone, date of birth.

  • CIS / tax details: UTR, NI number, company details, HMRC verification status and reference, deduction rate (gross/20%/30%).

  • Employment & payroll: timesheets/valuations, pay rates, deductions, pension enrolment, holiday, statutory pay events (SSP/SMP etc.).

  • Financial: bank details for payments, remittance preferences.

  • Documents: right-to-work, ID, insurance and related uploads (via portal or secure transfer).

  • Portal & technical: login data, logs, device/usage data, cookies/analytics as described in our Cookie Policy.

3. How we obtain data

We receive data from you, from your employer/agency/contractor, from HMRC (verification outcomes, RTI responses), from pension providers, and from our payment and IT service providers. We also generate records (e.g., statements, payslips, audit logs) while delivering services.

4. Purposes & lawful bases

  • Provide services & operate the Portal (perform a contract or take steps at your request).

  • HMRC compliance including CIS verification, CIS300 preparation/submission, RTI filings (legal obligation).

  • Security, fraud prevention, audit logs (legitimate interests to protect accounts, data and payments).

  • Service improvement and analytics (legitimate interests; where cookies apply we seek consent).

  • Marketing communications (consent or legitimate interests, with an unsubscribe option in each email).

5. Cookies & analytics

We use essential cookies to run the site and portal securely, and (with your consent) analytics cookies to understand usage and improve features. Manage preferences via your browser and our cookie controls. For details, see our Cookie Policy (coming soon) or contact us.

6. Sharing your data

We share data with HMRC, payment providers and banks, pension providers, insurers, IT hosting/support partners, and (where applicable) recruiters or end-hirers involved in your engagement. We require appropriate confidentiality, security and data protection commitments from our suppliers.

7. International transfers

Where data is transferred outside the UK/EEA, we use appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses or other lawful mechanisms, and assess risks relevant to the transfer.

8. Retention

We keep personal data only as long as necessary. Payroll and CIS records are generally retained for at least 6 years after the end of the relevant tax year (or longer where law or legitimate interests require). Portal account logs may have shorter retention aligned to security and audit needs.

9. Security

We apply technical and organisational measures including encryption in transit and at rest, access controls, least-privilege administration, 2FA options, monitoring, backups and vendor due diligence. Despite safeguards, no system is perfectly secure; please keep your credentials confidential and report suspected misuse immediately.

10. Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, portability, and objection; and the right to withdraw consent where we rely on consent. To exercise these rights, contact privacy@nztworx.com. You also have the right to complain to the UK Information Commissioner’s Office (ICO).

11. Automated decision-making

We do not make decisions with legal or similarly significant effects based solely on automated processing. Automated checks (e.g., fraud indicators) may inform a manual review.

12. Children

Our services and portal are not intended for children. We do not knowingly collect data from individuals under 16 in the context of these services.

13. Acting as a processor

For some client instructions we act as a data processor. In those cases, we process personal data only on the client’s documented instructions and in line with our Data Processing Addendum (DPA). Clients remain responsible for their own legal bases and notices to workers.

14. Changes to this notice

We may update this notice to reflect legal, technical or business developments. We will post changes here and, where appropriate, notify you via the Portal or email.

15. Contact