Legal

Privacy Policy

How we collect, use, and protect personal data under UK GDPR and the Data Protection Act 2018.

Who we are

Mellow is operated by Saltcore Group Ltd, registered in England and Wales. ICO registration number: ZC144145. Our platform is available at mellowhr.com. Questions about this policy: hello@mellowhr.com.

For data relating to our customers (employers who subscribe to Mellow), we act as the data controller. For employee data that employers upload and manage within the platform, the employer is the data controller and Mellow acts as a data processor. Our Data Processing Agreement governs this relationship.

What data we collect

Account data: Name, email address, organisation name, and password (hashed, never stored in plain text) when you register.

Employee data (processed on behalf of employers): Name, date of birth, National Insurance number, bank account details, salary, absence records, right-to-work documents, and other HR data uploaded by the employer. Sensitive fields are encrypted at rest.

Usage data: Log data, IP addresses, browser type, pages visited, and actions taken within the platform for security monitoring and product improvement.

Payment data: We use Paddle as our Merchant of Record. Paddle handles all payment card data. We receive billing metadata (subscription tier, employee count, invoice history) but never store card numbers.

Legal basis for processing

We rely on the following legal bases under UK GDPR Article 6:

  • Contract — to provide the Mellow service you have subscribed to.
  • Legitimate interests — for security monitoring, fraud prevention, and product improvement.
  • Legal obligation — to comply with HMRC requirements, Companies Act obligations, and other applicable UK law.
  • Consent — for marketing communications, which you can withdraw at any time.

For special category data (health information for absence management), we rely on UK GDPR Article 9(2)(b) — employment law obligations — and obtain explicit consent where required.

Data storage and security

All data is stored within EU-based cloud infrastructure. No personal data is transferred outside the UK/EEA without appropriate safeguards.

Personal data is encrypted at rest and in transit. Access is controlled and monitored, and the platform is regularly security-tested. We can share a detailed security overview with prospective customers under NDA.

How long we keep data

Account data: Retained for the duration of the subscription plus 30 days after cancellation (to allow data export), then deleted.

Payroll records: Retained for 6 years from the end of the tax year, in line with HMRC requirements.

Employment records: Retained for the duration of employment plus 6 years, in line with the Limitation Act 1980.

Audit logs: Retained for 7 years for compliance purposes.

Your rights under UK GDPR

You have the right to access, rectify, erase, port, restrict, or object to processing of your personal data. To exercise any right, contact hello@mellowhr.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Third-party processors

We use sub-processors under appropriate Data Processing Agreements, covering payment processing, cloud infrastructure (EU-based), AI inference, and transactional email. A current list of sub-processors is available on request.

Cookies

Mellow uses only strictly necessary cookies for authentication. We do not use tracking, advertising, or third-party analytics cookies. See our Cookie Policy for details.

Changes to this policy

We may update this policy to reflect changes in the law or our practices. We will notify customers of material changes by email.