GDPR at CaterShift

The security and confidentiality of your data is our priority.

Role under GDPR: Processor (you are the Controller)
UK focus: Built for UK hospitality teams
Data requests

What is the GDPR and the UK Data Protection Act 2018?

The General Data Protection Regulation (GDPR) sets out rules on how personal data is processed and used. In the UK, the UK GDPR sits alongside and is supplemented by the Data Protection Act 2018 (DPA 2018). These frameworks emphasise transparency, accountability, and strong protection of individuals’ rights.

CaterShift provides features and controls to help you operate within these requirements; however, you should always review compliance with your legal counsel or Data Protection Officer (DPO).

Roles & Shared Responsibility

Your organisation is the Data Controller for personal data you enter into CaterShift (e.g., staff names, contact details, shift data). CaterShift acts as a Data Processor, processing that data on your documented instructions and under a Data Processing Agreement (DPA). As Controller, you determine the lawful basis, provide privacy notices, manage retention, and respond to data-subject requests.

CaterShift’s GDPR Commitments

  • Process personal data only on your documented instructions and within the scope of our DPA.
  • Implement appropriate technical and organisational measures proportionate to risk, including access controls, least-privilege practices, and auditability.
  • Support Controller obligations around deletion/return of data at contract end, except where retention is required by law.
  • Make available information necessary to demonstrate our compliance and support reasonable audits subject to the DPA.

Security Measures (Technical & Organisational)

We align our controls with industry practices for cloud SaaS, including identity and access management, role-based access, encryption in transit, secure development practices, and staff training. We regularly review our security posture and privacy safeguards.

Highlights
  • Role-based access and least-privilege internal admin controls.
  • Unique user accounts.
  • Environment separation and change management for releases.
  • Monitoring and logging of application access and key events.
  • Vendor risk assessment for sub-processors (see below).

Your Lawful Basis & Special-Category Data

As Controller, you must determine a lawful basis under Article 6 (e.g., contract, legal obligation, legitimate interests, or consent where applicable) and take extra care with any special-category data (e.g., health) under Article 9. Keep processing necessary and proportionate to your stated purposes.

Data-Subject Rights We Help You Fulfil

We provide tools and support so you can respond to data-subject requests within legal timeframes.

  • Access & Portability: Export staff records you hold in CaterShift.
  • Rectification: Update inaccurate or incomplete records.
  • Erasure: Delete individuals’ data in line with your retention policy.
  • Restriction & Objection: Limit processing or cease non-essential processing upon request.

Need help with a request? Contact support@catershift.com.

Sub-Processors

We use reputable cloud providers and service partners to deliver CaterShift. Each sub-processor is assessed for security and privacy safeguards, and bound by GDPR-compliant terms, including confidentiality and appropriate technical and organisational measures. We maintain an up-to-date list and will notify you before material changes in accordance with our DPA.

International Data Transfers

Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms, as applicable.

Data Retention

You control how long to retain personal data in CaterShift according to your legal and business requirements. At contract end, we will delete or return personal data on your request, subject to legal holds and statutory retention.

Security Incidents & Breach Notification

We operate incident-response procedures for assessing, managing, and communicating security events. Where a notifiable personal-data breach occurs, we will notify you without undue delay and support your regulatory and data-subject communications, as required by law.

FAQs

Does CaterShift determine our lawful basis?

No. As Controller, your business selects the lawful basis (e.g., contract, legal obligation). We process data on your instructions under the DPA.

Can CaterShift help with a Data Subject Access Request (DSAR)?

Yes. You can export relevant data, correct inaccuracies, or request deletion in line with your policies. Contact us if you need support.

Is CaterShift GDPR-compliant?

We design and operate CaterShift with GDPR in mind and commit to processor obligations under the DPA, including appropriate security measures and support for Controller responsibilities.

Contact our Data Protection Lead

For GDPR queries, DPAs, or sub-processor details, email support@catershift.com.