Legal & Compliance

Data Processing Policy

Version 1.0 Effective date: May 2026 Hours Saved Automation

1. About This Policy

This policy sets out how Hours Saved Automation ("I", "me") handles personal data and client data when providing bespoke software and data processing services. It is written in plain language, with the relevant UK GDPR terminology included where it matters.

I take data protection seriously. Any data you share with me in the course of a project is handled carefully, used only for the purpose you've given it to me for, and not retained once the work is complete.

2. The Roles: Controller and Processor

Under the UK General Data Protection Regulation (UK GDPR), there are two key roles when personal data is involved in a project:

Data Controller — the person or organisation that decides why and how personal data is used. In most projects, this is you, the client.
Data Processor — the person or organisation that handles personal data on behalf of the controller, following their instructions. In most projects, this is me.

When you share data with me to process as part of a project — for example, a folder of invoices containing customer names and addresses — I act as your data processor. I only process that data to complete the specific task you have instructed me to carry out.

3. What Data I May Process

Depending on the nature of the project, I may handle data that includes:

Business records such as invoices, purchase orders, or receipts
Contact information such as customer names, addresses, email addresses, or phone numbers
Financial figures, transaction records, or sales data
Employee or HR records
Any other data files you share with me for the purpose of a specific project

I will only process the data that is necessary to complete the work agreed — no more. This is in line with the principle of data minimisation under UK GDPR (Article 5(1)(c)).

4. How I Use Your Data

I process your data solely for the specified, explicit, and legitimate purpose for which you have shared it — as defined in the project scope we agree before work begins. I will not use it for any other purpose. This is in line with the principle of purpose limitation under UK GDPR (Article 5(1)(b)).

I do not sell, rent, share, or disclose your data to any third parties.

5. Data Retention — I Don't Keep Your Data

Once the finished software or output has been delivered and the project is complete, I permanently delete all copies of your data from my systems. I do not retain client data beyond project completion.

This is in line with the principle of storage limitation under UK GDPR (Article 5(1)(e)), which requires that personal data is kept no longer than is necessary for the purpose it was collected for.

During a project, your data is held only on my local, password-protected work machine. It is not uploaded to cloud storage or shared platforms unless explicitly agreed with you in advance.

Some projects may involve the use of AI models as part of the solution I build. Where this is the case, I will always make this clear and discuss it with you before work begins. Any AI models used are hosted within my own tenancy — meaning your data is processed within a controlled, private environment and is not sent to a public-facing AI service. Your data is not used to train any AI model, and no data is retained within any AI model at any point. The same data minimisation and deletion commitments described in this policy apply equally to any AI-assisted processing.

6. Security Measures

I take reasonable technical measures to keep your data secure during processing, including:

Password-protected devices with full-disk encryption
Secure, encrypted file transfer where data is shared digitally
No unnecessary copies of your data are made during the project
Data is deleted securely at project completion

These measures are proportionate to the nature of the data processed and are in line with Article 32 of UK GDPR, which requires appropriate technical and organisational security measures.

7. Your Responsibilities as Data Controller

As the data controller, you are responsible for ensuring that you have a lawful basis for sharing personal data with me to process. You should be satisfied that:

You have the right to share the data with a third-party processor
The processing I carry out on your behalf is covered by your own privacy notice or data protection obligations
You have obtained any necessary consents where required

8. Data Subject Rights

Under UK GDPR, individuals (data subjects) have rights over their personal data — including the right to access, correct, or request deletion of their data. As the data controller, you are responsible for handling such requests from your customers or contacts.

If a data subject request relates to data currently held by me as part of an active project, I will assist you in fulfilling that request promptly.

9. Data Processing Agreement

UK GDPR (Article 28) requires that where a controller uses a processor, there must be a written contract in place — known as a Data Processing Agreement (DPA).

For any project involving personal data, I am happy to put a simple DPA in place before work begins. This protects both of us and ensures we are clear on our respective responsibilities. Please raise this when we discuss your project if it applies.

10. Changes to This Policy

I may update this policy from time to time. The current version and effective date are shown at the top of this document. Material changes will be communicated to active clients directly.

Questions about this policy?

If you have any questions about how I handle your data, please get in touch:

James — james@hourssaved.co.uk

Hours Saved Automation is based in Ampthill, Bedfordshire, UK.