Privacy Policy

How 123‑Works (Ceimless Technology Group Limited) collects, uses, and protects personal data

Effective date: 26 February 2026
Version: 2.0 (United Kingdom)
ICO Registration: ZA929525

1) Who this policy is for and what it covers

Ceimless Technology Group Limited (trading as 123‑Works, “we”, “us”) explains here how we collect, use, disclose, and protect personal data when:

  • You visit or use 123‑Works websites (e.g., www.123‑works.com) and pages we control;
  • You create/administer a 123‑Works account;
  • You use the 123‑Works web or mobile apps;
  • You receive marketing communications from us;
  • You apply for a job with us; or
  • You interact with us in any other way described in this Policy.
Important: If you use 123‑Works as part of your employer’s or your company’s subscription, your employer/company is the Controller for data they put into 123‑Works and we act as their Processor. This Policy covers our Controller activities; Processor obligations are governed by your contract and our Data Processing Addendum (DPA).

Legal entity (Controller): Ceimless Technology Group Limited (Company No. 12464083) – Registered address: 10 Beaumont House, Redburn Road, Newcastle Upon Tyne, England, NE5 1NB – DPO: privacy@ceimless.com – ICO Ref: ZA929525.

2) Our role: Controller vs Processor

Controller (Ceimless/123‑Works)

We are the Controller for personal data relating to our website visitors, prospective and existing customers, account owners/admins, billing contacts, support interactions, marketing recipients, and job applicants.

Processor (on behalf of customers)

For data that customers and their users upload or generate within 123‑Works (e.g., project records, timesheets, HR entries, documents, images, expenses, GPS check‑ins), we act as a Processor and process data only under customer instructions, the contract, and our DPA.

3) Personal data we collect

A) Data you provide to us (Controller)

  • Account & contact data: name, business email, phone, job title, company, password (hashed), optional profile image.
  • Billing & subscription: invoicing contacts, billing address, VAT number, POs, payment status (payment card data handled by our PCI provider; we do not store full card details).
  • Support & success: messages, tickets, call notes/recordings (we’ll indicate when recording).
  • Marketing preferences: consents, unsubscribes, preference‑centre choices.
  • Recruitment: CVs/applications, interview notes, references, right‑to‑work checks (where lawful).

B) Data we collect automatically (Controller)

  • Usage & device data: IP address, device, OS, browser, app version, referrer, pages viewed, actions taken, crash/error logs, telemetry.
  • Cookies & similar tech: session/authentication/security cookies, analytics (consent‑based if enabled), preference cookies.

C) Customer content & workspace data (Processor)

  • Business data: project/job records, workforce lists, timesheets, expenses, site attendance, HR notes, competency records, equipment logs, photos/docs, audit trails, comments.
  • Location data (mobile apps): when enabled for features like expense/site context. Precision, storage, and retention depend on the feature (see Section 7).
  • Special categories: not required by 123‑Works. If customers choose to store such data (e.g., health), they must have a valid lawful basis; we process it only per customer instructions.

4) Why we use personal data and our lawful bases

| Purpose | Typical data | Lawful basis |
|---|---|---|
| Provide/administer your account; security & authentication | Account & contact, device/usage, audit logs | Contract; Legitimate interests (security/fraud) |
| Billing and account management | Billing contacts, invoices, transaction refs | Contract; Legal obligation (tax/audit) |
| Customer support and service improvement | Support messages, error logs, telemetry | Legitimate interests; Contract |
| Product analytics (improve features & stability) | Usage analytics, crash reports | Consent (non‑essential analytics, if enabled); Legitimate interests for necessary app telemetry |
| Marketing communications (B2B) | Name, business email, role, preferences | Consent (where required); Legitimate interests (B2B soft opt‑in) |
| Security, fraud prevention, platform integrity | IP, access logs, activity signals | Legitimate interests; Legal obligation (where applicable) |
| Legal/regulatory/contractual compliance | Minimal necessary | Legal obligation; Legitimate interests (establish/defend claims) |
| Recruitment | Candidate data, interview notes | Legitimate interests; Consent (where used); Legal obligation (right‑to‑work) |

Where we rely on consent, you can withdraw it at any time via the link in emails, your preference centre, or by contacting privacy@123‑works.com (routes to DPO).

5) Cookies and similar technologies (PECR)

We use cookies/SDKs to operate our sites and apps. Strictly necessary cookies run without consent. If we add analytics/marketing cookies in future, they will require consent and be listed in Annex A.

See Annex A – Cookie Policy for details.

6) Who we share data with

We do not sell personal data. We share limited personal data with:

  • Service providers/sub‑processors (e.g., hosting, email delivery, analytics if enabled, CRM, support desk, payments), bound by contract to protect data and act only on our instructions.
  • Professional advisers (lawyers, accountants, auditors) under confidentiality.
  • Authorities where required by law or to protect rights, safety, and security.
  • Corporate transactions: in a merger/acquisition, data may transfer under appropriate safeguards.

Live list of sub‑processors: https://www.123‑works.com/sub‑processors

7) Mobile app permissions & location data

Some features are optional and may request device permissions:

  • Location – to assist with expense pre‑fill and site presence where enabled.
  • Camera/Photos – to attach receipts or site images.

You can enable/disable these in your device OS and in‑app settings. Lawful basis: Legitimate interests (streamlining record‑keeping) and/or Consent where required by your employer/customer. For employer‑mandated features, the employer is the Controller and must provide the necessary workforce notices.

8) International transfers

Primary 123‑Works hosting is in the United Kingdom. Where limited data is transferred outside the UK/EEA (e.g., to specific providers), we use lawful safeguards such as:

  • UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs;
  • Adequacy decisions (e.g., UK‑US Data Bridge) where applicable;
  • Additional technical/organisational measures (encryption, access controls).

9) Data retention (how long we keep data)

We retain personal data only as long as necessary for the purposes set out and legal requirements. Typical periods include:

  • Customer account data: subscription term + 12 months (unless you ask to delete sooner or your contract specifies differently).
  • Customer content in workspaces (Processor): per your contract/DPA. Deleted data leaves active systems and then backups on a rolling schedule (typically 35–90 days).
  • Support tickets: 24 months from last activity.
  • Analytics/telemetry: up to 13 months (or shorter per consent settings).
  • Marketing contacts: until you opt out or after 24 months of inactivity.
  • Financial records: 6 years (statutory).
  • Recruitment (unsuccessful): 12 months.

Where precise periods depend on your configuration or contract, your Master Service Agreement and DPA prevail. See also Annex C – Data Retention Schedule.

10) Security

We apply appropriate technical and organisational measures including encryption (in transit/at rest), least‑privilege access, MFA for admin access, audit logging, network segmentation, continuous monitoring, vulnerability management, regular backups, and staff training. If a personal data breach is likely to result in risk to individuals’ rights and freedoms, we will assess and, where required, notify the ICO within 72 hours and affected customers/individuals without undue delay.

11) Your privacy rights (UK GDPR)

You have the right to access, rectify, erase (where applicable), restrict, object to processing (including direct marketing), data portability (where applicable), and to withdraw consent at any time (where we rely on consent).

To exercise your rights, contact privacy@ceimless.com. We may need to verify your identity. If your data is processed within a customer account, please contact your employer/account owner first — we will assist them as Processor.

You can lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk — Tel: 0303 123 1113.

12) Marketing choices

We may send B2B product updates, insights, and offers where permitted (consent or soft opt‑in). You can unsubscribe any time via the link in emails or by contacting us.

13) Children

123‑Works is a business service and not intended for children. We do not knowingly collect personal data from anyone under 16 in a Controller capacity.

14) Links to other sites

Our websites may contain links to third‑party sites. We are not responsible for their privacy practices. Please review their policies.

15) Changes to this policy

We may update this Policy from time to time. We will post the latest version here and, if the changes are material, notify you via email or in‑app. Last updated: 26 February 2026.

16) Contact us

Ceimless Technology Group Limited (trading as 123‑Works)
Company number: 12464083
Registered address: 10 Beaumont House, Redburn Road, Newcastle Upon Tyne, England, NE5 1NB

Data Protection Officer: privacy@ceimless.com
ICO Registration Number: ZA929525

Annex A — Cookie Policy

Summary: We use strictly necessary cookies (no consent required). If we enable analytics/marketing cookies in future, they will require consent and will be listed here.

1) Categories we use

  • Strictly necessary – authentication/session security; load balancing; fraud prevention; cookie to remember your consent choices.
  • Preferences – (none currently).
  • Analytics – (none currently).
  • Marketing/Attribution – (none currently).

2) Actual cookies used today

| Name | Domain | Purpose | Expiry | Type |
|---|---|---|---|---|
| PHPSESSID | www.123‑works.com | Maintains session state across pages | Session | First‑party / Strictly necessary |
| popup_shown (or similar) | www.123‑works.com | Remembers whether a site pop‑up has already been shown | 7–30 days | First‑party / Functionality |
| csrf_token (if implemented) | www.123‑works.com | Protects forms against cross‑site request forgery | Session | First‑party / Strictly necessary |
| auth_token (logged‑in only) | www.123‑works.com | Secure authentication for logged‑in user accounts | Session or persistent | First‑party / Strictly necessary |
| AWSALB | conversations-widget.brevo.com | AWS load balancer cookie required for Brevo chat to work | ~7 days | Third‑party / Strictly necessary |
| AWSALBCORS | conversations-widget.brevo.com | Cross‑origin support for Brevo chat widget | ~7 days | Third‑party / Strictly necessary |

No analytics or marketing cookies currently set. If we add them later (e.g., GA4, LinkedIn, Meta), this Annex will be updated and the banner will request consent.

3) Managing cookies

You can manage or withdraw consent (if/when non‑essential cookies are introduced) via our banner or preference centre, and via your browser or device settings. For mobile SDKs, use in‑app toggles (where available) and OS privacy settings.

Annex B — Sub‑Processors (Service Providers)

We use carefully selected providers to deliver 123‑Works. Each is bound by data protection terms and acts only under our instructions.

Live list: https://www.123‑works.com/sub‑processors

We will notify customers of material changes to this list in accordance with the DPA.

Annex C — Data Retention Schedule (Controller)

| Data category | Typical retention |
|---|---|
| Account profile & admin data | Subscription term + 12 months |
| Audit & access logs | 12–24 months |
| Security logs | 90–180 days |
| Support tickets | 24 months after closure |
| Product analytics/telemetry | Up to 13 months (or shorter per consent) |
| Marketing contact data | Until opt‑out or 24 months inactivity |
| Contracts & invoices | 6 years (statutory) |
| Recruitment (unsuccessful) | 12 months |

Customer content (Processor): retention and deletion are as per your contract/DPA and workspace settings. Backups roll off on a 35–90 day cycle.

Annex D — Definitions

  • UK GDPR: UK General Data Protection Regulation.
  • DPA 2018: UK Data Protection Act 2018.
  • PECR: Privacy and Electronic Communications Regulations (cookies/marketing).
  • Controller/Processor: As defined in UK GDPR Articles 4(7) and 4(8).
  • Personal data: Any information relating to an identified or identifiable person.
Company details: Ceimless Technology Group Limited (trading as 123‑Works) — Company No. 12464083 — Registered Address: 10 Beaumont House, Redburn Road, Newcastle Upon Tyne, England, NE5 1NB — ICO: ZA929525 — DPO: privacy@ceimless.com
Hosting region: United Kingdom
