Privacy Notice

This notice explains how personal data may be used when Entrustor is provided to support site operations, safety, compliance, workforce administration, gatehouse activity, visitors, vehicles, SOPs, checks and stock control.

Who This Notice Is For

This notice is for staff, contractors, agency workers, visitors, managers, administrators and other authorised users whose information may be processed through Entrustor.

Who Controls Your Data

In most cases, the organisation operating the site where Entrustor is used is the data controller for the personal data processed in that deployment. That organisation decides why the data is used, how long it is kept, who should have access to it and how individual rights requests are handled.

Where Entrustor is hosted, supported or configured for that organisation, A J RICHARDS HOLDINGS LIMITED trading in connection with Entrustor will usually act as a processor or sub-processor unless it is using the data for its own separate purposes.

Controller and Privacy Contacts

Privacy requests should normally be made to the organisation using Entrustor, because that organisation is usually the data controller for staff, visitor and operational records.

Platform or support questions can be raised with A J RICHARDS HOLDINGS LIMITED, Suite A, 82 James Carter Road, Mildenhall, Bury St. Edmunds, IP28 7DE, United Kingdom, by email at admin@entrustor.co.uk. Privacy and data requests are directed to Admin unless the relevant controller publishes a different contact route.

What Personal Data May Be Processed

Names, usernames, payroll numbers, employee identifiers and work contact details.
User roles, permissions, login-related records and account or site access information.
Attendance, staff sign-in, scan history, staff-on-site and late-reporting records.
Visitor records, visitor cards, badges and visitor access activity.
Vehicle registrations, gatehouse records, ANPR-related records where configured, trailer and yard records.
Training, licence, equipment, safety check, SOP viewing and SOP acknowledgement records.
Holiday requests, sickness records, HR notes or workforce administration records where those modules are enabled.
Email notification records, audit records and operational reporting information.

Where The Data Comes From

Directly from the individual, for example when they sign in, request leave, report sickness, acknowledge SOPs or submit forms.
From managers, gatehouse staff, HR or authorised administrators entering operational or compliance information.
From the controller's internal systems or imports, for example payroll, staff lists, shifts, training records or approved user accounts.
From site activity, scanners, cameras, badge systems, ANPR-related workflows or uploaded evidence where those functions are enabled.

Data We Do Not Normally Need

Home addresses.
Dates of birth.
Bank details or personal financial information.
National Insurance numbers unless separately configured or imported by the customer.
Personal profile information that is not needed for site operations.

Why Data Is Used

To manage site access, staff attendance, visitors and gatehouse activity.
To support health and safety, training, equipment and compliance checks.
To keep auditable records of SOPs, inspections, approvals and acknowledgements.
To manage workforce administration such as shifts, holidays and sickness where enabled.
To send operational notifications and maintain security or audit logs.

Lawful Basis

The organisation using Entrustor should identify the correct lawful basis for its own use of the system. This will commonly include legitimate interests, contractual necessity, legal obligations, or employment-related obligations depending on the process and the type of data involved.

Where health, sickness or other special category data is processed, the controller must also identify an appropriate Article 9 UK GDPR / EU GDPR condition and any additional Data Protection Act 2018 safeguards that apply.

Health and Sickness Records

Sickness or health-related records may be special category data under UK GDPR. Where those records are used, they should only be accessed by authorised users with a genuine need to view them, and the organisation using Entrustor should confirm the relevant Article 9 condition and any additional requirements under the Data Protection Act 2018.

How Data Is Protected

Access is controlled by login, role permissions and account or site separation.
Operational records are held in SQL Server and accessed through the Entrustor application.
Administrator, manager, HR and gatehouse access should be limited to authorised users.
Account and site permissions should be reviewed regularly.
Customers should use appropriate infrastructure, backup, password and access-control policies.

How Long Data Is Kept

Unless a shorter or longer period is required by the controller's own documented policy or by law, Entrustor deployment records are intended to be retained for 5 years. This includes visitor logs, attendance history, training records, SOP acknowledgements, fire and truck checks, holiday records, sickness records and audit logs.

HR records and similar workforce records should still be reviewed against the controller's own employment, legal and insurance obligations before relying on this default period in every case.

Who Data May Be Shared With

Data should only be shared with authorised users, the organisation operating the site, approved support providers, hosting or infrastructure providers, or others where there is a lawful reason to do so.

This may include IT support, hosting providers, communications providers, auditors, insurers, professional advisers or regulators where access is necessary and lawful.

International Transfers

Entrustor is intended to be hosted in a UK data centre environment. Based on the current stated setup, no suppliers outside the UK or EEA are intended to receive personal data. If this changes, the controller should ensure that a valid transfer mechanism and appropriate safeguards are put in place, such as an adequacy decision, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or EU Standard Contractual Clauses as applicable.

Is The Data Mandatory?

Some personal data will be needed for access control, attendance, health and safety, employment administration, operational assurance or legal compliance. If required information is not provided, the controller may not be able to create an account, permit site access, process a request, record a check or comply with its obligations.

Automated Decision-Making

Entrustor is primarily used as an operational record and workflow system. It is not intended to make solely automated decisions with legal or similarly significant effects on individuals. If a customer configures any automated rules or alerts, final decisions about employment, access or compliance action should remain subject to human review.

Your Rights

Individuals may have rights under UK GDPR, including the right to be informed, access their personal data, ask for inaccurate information to be corrected, request deletion or restriction in some circumstances, object to certain processing, request data portability where applicable, and ask not to be subject to unlawful automated decision-making.

Where processing relies on consent, individuals may also have the right to withdraw consent. Requests should normally be made to the organisation using Entrustor as the data controller, or to Admin where that is the contact route provided to individuals.

In the UK, individuals can complain to the Information Commissioner's Office at ico.org.uk. If the relevant controller is established in the EEA, individuals may also complain to their local supervisory authority.

Updates To This Notice

This notice should be reviewed whenever Entrustor modules, integrations, hosting arrangements, retention rules or processing purposes materially change.

Last updated: April 2026.